Creating user accounts and groups in bulk using Active Directory
Who is this article for? Administrators responsible for user management.
Administration module access is required.
You can create multiple user accounts with ease by importing them from an existing Active Directory in the Windows Client. This import is a one-off action and does not allow for a regular sync with the chosen Active Directory.
This article walks you through the process of importing user accounts using this method.
1. Considerations
Users can be imported into Ideagen Quality Management from Microsoft's Active Directory (AD) service, using the standardised Lightweight Directory Access Protocol (LDAP) URLs and search filters. You may need assistance from your IT department to follow steps in this article.
Once imported, AD users become Ideagen Quality Management users and AD security groups become Ideagen Quality Management static security groups.
Before performing an import, we recommend reviewing the considerations below:
| Consideration | Details |
|---|---|
| Populated AD Fields | To be imported, all users must have populated First Name (givenName) and Last Name (sn) attributes in AD. If present, middle names are imported and are taken from the initials attribute in AD. |
| Simultaneous Group and User Import | If both users and groups are imported at the same time, the import tool will set a user's Group Membership in the Administration module to match the user's group membership in AD. |
| Departments | Departments are imported as Ideagen Quality Management account properties taken from a user's Department attribute in AD. Departments are optional and aren't required for importing users. If departments are imported, they are added to the top-level of the Department managed list within Ideagen Quality Management. |
| AD Username Maps to Ideagen Quality Management Username | If the Enable Login option is used when importing users, a user's AD username (if present) will become their Ideagen Quality Management username and they will be assigned a Primary licence. |
| Existing Users | Users will not be imported if the username generated during the import already exists within Ideagen Quality Management. |
| Existing Email Addresses | If users have an email address associated with their AD account, this email address will be imported from the E-mail (mail) AD attribute as part of the user's Ideagen Quality Management account in the People and Administration modules. |
| Organisational Units | Only AD security groups can be imported. Organizational Units (OUs) can't be imported. |
| Access to AD | The Ideagen Quality Management client PC where the import is being performed must have both network connectivity and security clearance to reach and access AD. If there is no connectivity or if security systems in place restrict access, it will not be possible to import. In most cases, this will not be a problem if the PC is a member of the domain where users/groups will be imported from. It may not be possible to import from AD if there are security systems in place such as LDAP over SSL (LDAPS) running on port 636. Further investigation may be required to allow such imports. |
| Version of AD | Ideagen Quality Management can import from full-blown Windows Server AD and the free (but limited) ADAM/AD LDS. |
| Multiple AD Sources | Users and groups can be imported from all AD sources that Ideagen Quality Management can reach and access. It may also be possible to import from non-AD and non-Windows LDAP sources. For example, importing from a Linux based LDAP directory. |
| Import Limit | A maximum of 1,000 users can be imported in a single import. For example, if you attempt to import from an OU containing over 1,000 users, some users may not appear in the list of users available to be imported because the extra users are cut off by the limit. To import more than 1,000 users, we recommend performing several smaller, more specific imports. |
| Apostrophe | You may encounter an error when attempting to import AD users that have an apostrophe (') in AD attributes such as logon name (sAMAccountName). We recommend omitting such users from imports and manually creating them instead. |
| Filter Out Inactive AD users | By default, both enabled (active) and disabled (inactive) AD accounts are imported. However, you can filter to import only active or inactive accounts by using search filters as outlined in the Advanced Import Options section of this article. |
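
The considerations in the table above can be checked against candidate accounts before an import. The PowerShell below is an added example, not part of Ideagen's documentation or tooling: `Test-ImportCandidate`, the sample records and the OU path are assumptions made for illustration, and input objects are assumed to carry the property names that `Get-ADUser` returns.

```powershell
# Added example: pre-import check for the considerations listed in the table above.
# Test-ImportCandidate is a hypothetical helper; input objects use the property
# names Get-ADUser returns (GivenName, Surname, SamAccountName, Enabled).
$ImportLimit = 1000   # per-import limit stated in the article

function Test-ImportCandidate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $issues = @()
        # First Name (givenName) and Last Name (sn) must both be populated.
        if ([string]::IsNullOrWhiteSpace($User.GivenName)) { $issues += 'givenName empty' }
        if ([string]::IsNullOrWhiteSpace($User.Surname))   { $issues += 'sn empty' }
        # An apostrophe in attributes such as sAMAccountName may cause an import error.
        foreach ($name in 'SamAccountName', 'GivenName', 'Surname') {
            if ("$($User.$name)" -like "*'*") { $issues += "apostrophe in $name" }
        }
        # Disabled accounts are imported by default unless a search filter excludes them.
        if ($User.Enabled -eq $false) { $issues += 'account disabled' }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Ready          = ($issues.Count -eq 0)
            Issues         = $issues -join '; '
        }
    }
}

# Constructed sample records standing in for directory query results.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith';   GivenName = 'Alice'; Surname = 'Smith';  Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; GivenName = '';      Surname = '';       Enabled = $true  }
    [pscustomobject]@{ SamAccountName = "d.o'neil"; GivenName = 'Dan';   Surname = "O'Neil"; Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'bjones';   GivenName = 'Bob';   Surname = 'Jones';  Enabled = $false }
)

$report = @($sample | Test-ImportCandidate)
$report | Format-Table -AutoSize

# More candidates than the limit means some would be cut off from the import list.
if ($report.Count -gt $ImportLimit) {
    Write-Warning "$($report.Count) candidates exceed the limit of $ImportLimit users; split the import."
}

# Against a live directory (ActiveDirectory module; the OU below is a placeholder):
#   Get-ADUser -Filter * -SearchBase 'OU=Example,DC=example,DC=com' | Test-ImportCandidate
```

Rows with `Ready` set to `False` are the accounts to fix in AD, exclude with a narrower search, or create manually, as the table recommends for apostrophes.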
2. Importing users and groups
2.1. Importing users
To import users:
- Access the Administration module.
- Select People (under Security).
- Click Import.
- Select the From Active Directory... option.
- Configure import options.
- Click OK.
2.2. Importing groups
To import groups:
- Access the Administration module.
- Select Groups (under Security).
- Click Import.
- Select the From Active Directory... option.
- Configure import options.
- Click OK.
3. Configuring import options
To configure import options:
- Enter the LDAP URL into Active Directory Node Path.
Global Catalog (GC) node paths can also be entered into this field to automatically generate LDAP URLs when clicking the Dots icon to the right of the field.
- Click Advanced>> to configure further options.
- Click OK.
Need more help with LDAP queries?
We aren't able to provide support with writing queries, but you can find additional information about search filters in the LDAP Query Basics article published by Microsoft.