Importing users and roles from Active Directory

This topic describes the steps of the Kentico Active Import Utility wizard for importing users and roles from Active Directory.

Launching the AD Import Utility

You can launch this utility:

  • From the Windows Start menu -> All programs -> Kentico <version number> -> Utilities.
  • By executing the ADImport.exe file located in <Kentico installation folder>\Bin (typically c:\Program Files (x86)\Kentico\<version number>\Bin).

Step 1 – Import profile settings

Choose if you want to create a new import profile or use an existing XML profile. If you select an existing profile, values will be pre-filled in the following steps based on the profile settings.

Step 2 – Kentico DB Setup

Specify the target Kentico database, where the users and roles will be imported:

  • SQL Server name or IP address - name or IP address of the server where the target database is stored.
  • Database name - name of the target database.
  • Use integrated Windows authentication - choose this option if you want to log on to the server using Windows authentication.
  • Use SQL Server account - choose this option if you want to log on to the server using credentials filled in the fields below.

It is a good idea to test the specified connection using the Test connection button before proceeding to the next step.

Step 3 – Active directory connection

Specify the source AD's domain controller:

  • Use current user account - uses the domain where the current user belongs.
  • Specify domain controller and logon credentials - if you choose this option, you can enter the logon details manually into the fields below.

Here again, it is recommended to test the specified connection using the Test connection button.

Specifying the AD domain controller

Step 4 – Import settings

Adjust the general settings of the import process:

  • Import users/groups - determines which users or groups (roles) the wizard will preselect in Step 6:
    • All - the wizard will preselect all users or groups.
    • Only selected - when using an existing import profile, the wizard will use the selection stored in the profile. Otherwise, it will not preselect anything.
    • Only selected and new - same as above, with new users and groups selected as well.
  • Update user and role data - if enabled, properties of users and roles already imported from the AD will be updated in Kentico based on the current values in AD.
  • Update user membership in roles - if enabled, membership of users imported from the AD will be updated in Kentico based on the current membership settings in AD.
  • Import new users only from selected roles - if enabled, only those new users who belong to at least one role (group) selected in Step 6 or 8 of the wizard will be imported.
    • Note that enabling this option may override previous selection of users to be imported.
  • Delete users and roles that were deleted in the Active directory - if enabled, users who were previously imported from the Active Directory, but have since been deleted on the source server, will also be deleted in Kentico.
  • Log import process to file - if enabled, you can specify a file where the import log will be stored.
  • Select sites - choose the sites to which the imported users and roles will be assigned.

If you do not choose any site in this step, the rest of the wizard will leave out steps related to the import of roles (groups). This happens because it is currently not possible to import roles from AD into Kentico as global objects and they must be assigned to a specific site.

Adjusting the settings of the import process

Step 5 – Import properties

Define the user name and role name format and bind AD user properties to Kentico user properties:

  • User name format - choose one of the three possible formats:
    • Domain\SAM (e.g., intranet\joe)
    • SAM account name (e.g., joe)
    • UPN (joe@intranet.mycompany.com)
  • Configure user as CMS editor - turn on to grant the imported users the Editor privilege level.
  • Target/Source - you can choose which attributes from AD (Source) will be mapped to particular attributes of the CMS_User role.
  • Show all attributes - turn on to enable all the attributes, including custom attributes, from your AD schema to be selected as Source.
    • Note that you can import attributes of any data type; however, their values are always imported to Target as strings.
  • Role display name format:
    • Domain\SAM (intranet\DB Admins)
    • SAM (DB Admins)
  • Role code name format:
    • Domain\SAM (intranet\DB Admins)
    • SAM (DB Admins)
    • Guid (16-byte number)
  • Import description - indicates if role description should be imported from the AD.

Mapping of attributes
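
The three user name formats in this step differ in whether names stay unique when accounts from more than one domain end up in the same Kentico database. The following Python code is an added example, not Kentico code; the sample records, the second domain "partners" and the case-insensitive comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of AD user records (not real accounts). "netbios" is the
# short domain name, "sam" the sAMAccountName, "upn" the userPrincipalName.
SAMPLE_USERS = [
    {"netbios": "intranet", "sam": "joe", "upn": "joe@intranet.mycompany.com"},
    {"netbios": "intranet", "sam": "ann", "upn": "ann@intranet.mycompany.com"},
    {"netbios": "partners", "sam": "Joe", "upn": "joe@partners.mycompany.com"},
]

# The three user name formats offered in Step 5 of the wizard.
FORMATS = {
    "Domain\\SAM": lambda u: f"{u['netbios']}\\{u['sam']}",
    "SAM": lambda u: u["sam"],
    "UPN": lambda u: u["upn"],
}


def render(user, fmt):
    """Return the user name one record would get under the given format."""
    return FORMATS[fmt](user)


def collisions(users, fmt):
    """Group records whose rendered names match case-insensitively.

    Assumption: the target compares user names case-insensitively, as AD does.
    Returns {lowercased name: [source UPNs]} for names claimed more than once.
    """
    seen = defaultdict(list)
    for u in users:
        seen[render(u, fmt).lower()].append(u["upn"])
    return {name: upns for name, upns in seen.items() if len(upns) > 1}


def report(users):
    """Map each format to its collisions so the formats can be compared."""
    return {fmt: collisions(users, fmt) for fmt in FORMATS}


if __name__ == "__main__":
    for fmt, clashes in report(SAMPLE_USERS).items():
        print(f"{fmt:11} -> {clashes or 'no collisions'}")
```

With the sample data, only the SAM account name format maps two distinct AD accounts to the same user name, which is the case to rule out before the imported name is used for role assignment.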

Step 6 – Select users & groups to be imported

Select roles and users that will be imported. It is possible to adjust the settings made here in the following two steps.

On the left, you can see all groups (roles) found on the source server. If you select a group, its members are displayed in the list on the right. You can define which users and roles will be imported using the appropriate check-boxes.

By right-clicking a group, you can display a context menu with the following actions:

  • Select all - selects all child groups directly under the selected group.
  • Select all recursively - selects all child groups under the selected group until the last level.
  • Deselect all - deselects all groups directly under the selected group.
  • Deselect all recursively - deselects all groups under the selected group until the last level.

All users in a role or all roles can be selected or deselected in one click using the Select all and Deselect all buttons.

Selecting users/groups to be imported

Step 7 – Adjust users to be imported

Adjust the users to be imported using the check-boxes. Users are selected according to the settings made in the previous step. You can filter the listed users by Display name and User name.

Selecting/deselecting users to be imported

Step 8 – Adjust groups to be imported

Adjust the groups (roles) to be imported using the check-boxes. You can filter the listed groups by Group name using the filter above the list.

Step 9 – Assign to roles

Select roles to which the imported users will be assigned. If you are importing to multiple sites, first choose the site whose roles should be displayed using the Site drop-down menu.

Step 10 – Finalize

You have configured your import profile.

You can now execute the import immediately, save the profile into a file or perform both of these actions, depending on which of the Import now and Save import profile to file check-boxes is enabled.

You should create an import profile file if you want to run the AD Import Utility from the command line.

Step 11 – Import log

The last step displays an import log, showing the progress of the import process. When the import finishes, close the wizard using the Finish button.