Update Active Directory from Profit (Command Line Utility)

Details of the users are saved in Profit and in Active Directory (AD). In practice it is difficult to ensure that the data in AD also stay current. The ADSYNC action allows updating of Active Directory from Profit. This action changes data in Active Directory and may therefore have serious consequences. First try this out in a test environment.

Profit does not create any users or authorisation groups in Active Directory. It is the system administrator's responsibility to create users and groups. The user under which the command line is executed must have the correct rights in Active Directory for performing the actions.

Data

 

Action:

ADSYNC

"C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"<log file>.log" ADSYNC /R"<active directory root>" /F"<action type>" /L"<organisation chart level>" /O"<organisation chart name>"

General options:

Default.

Example:

"C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"ALL" /L"1" /O"Bedrijf X" /U"Kees" /G"Managers"

Extra options

Option

Explanation

/R<active directory root> (mandatory)

The path to an organisational unit in Active Directory over which the synchronisation is performed. Actions are only performed within this folder and the underlying items.

Note: The user under which the command line is executed must have sufficient rights for this organisational unit.

Example:

/R"OrgUnit" or /R"OrgUnit/SubUnit"

/F<action type> (mandatory)

The specific update action in Active Directory that should be performed. See also the additional explanation below.

Options for this action:

  • "USER" - The data of the Active Directory users are updated based on the user data in Profit.

    Example:

    "C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"USER"

  • "GROUP" - Updates which users belong to certain authorisation groups based on the authorisation groups in Profit.

    Example:

    "C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"GROUP"

  • "OU" - A structure of organisational units is created/updated with underlying users based on the organisation chart in Profit.

    Example:

    "C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"OU"

  • "ALL" - All the above options are performed.

    Example:

    "C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"ALL"

For OU and ALL: /L<organisation chart level>

The starting level within the Profit organisation chart used as a basis for synchronisation.

If this option and the /O option are not included, synchronisation is performed based on the "Root" level.

This option must be used in combination with /O.

Example:

"C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"OU" /L"1" /O"Bedrijf X"

For OU and ALL: /O<organisation chart name>

The code for the organisational unit at the organisation chart level entered (/L) where synchronisation starts.

If this option and the /L option are not included, synchronisation is performed based on the Root level.

This option must be used in combination with /L.

Example:

"C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"<log file>.log" ADSYNC /R"<active directory root>" /F"OU" /L"<organisation chart level>" /O"<organisation chart name>"

For USER and ALL: /U<user ID>

Indicates a specific user that should be updated. If this option is not included, all users are synchronised.

Example:

"C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"USER" /U"Kees"

For GROUP and ALL: /G<authorisation group ID>

Indicates a specific authorisation group that should be updated. If this option is not included, all user groups will be synchronised.

Example:

"C:\Program files (x86)\Profit\AFAS Windows\Kernel\Bin\AFASCMD.EXE" /O"Environment name " /G"Username" /W"Password" /L"c:\Log.txt" ADSYNC /R"OrgUnit" /F"GROUP" /G"Managers"

Additional explanation for option /F<action type> for ADSYNC

/F<action type> is mandatory. Here you must state the root folder in AD containing everything that should be updated. This may also be a path if you want, for example AFAS/Profit link. The root folder must be an OU object. The command line only searches for and edits data in this root folder.

Two fixed folders are present below the root folder; they are created by the tool (if they do not yet exist). These are OU objects:

  1. Profit OrgChart: This contains the organisation chart with the users that should be included.
  2. Profit Moved Items: Users and authorisation groups that are no longer in an OU or whose OU was deleted are moved here.

Note: System administrators can decide for themselves where they put new users and authorisation groups. If they are to be updated by this tool, they must, however, be located somewhere in the root folder or its subfolders.
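The option rules from the Extra options list (mandatory /R and /F, /L and /O only together and only for OU and ALL, /U only for USER and ALL, /G only for GROUP and ALL) can be checked before AFASCMD.EXE is called. The PowerShell below is an added example, not AFAS code; the function name and parameter names are hypothetical and it builds only the ADSYNC-specific part of the command line.

```powershell
# Added example, not AFAS code. Builds only the ADSYNC-specific arguments;
# the general options (/O, /G, /W, /L log file) are left to the caller.
function New-AdSyncArguments {                       # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,           # /R (mandatory)
        [Parameter(Mandatory)]
        [ValidateSet('USER', 'GROUP', 'OU', 'ALL')]
        [string]$Action,                               # /F (mandatory)
        [string]$OrgChartLevel,                        # /L
        [string]$OrgChartName,                         # /O
        [string]$UserId,                               # /U
        [string]$GroupId                               # /G
    )
    $Action = $Action.ToUpperInvariant()

    # /L and /O must be used in combination, and only for OU and ALL.
    if ([bool]$OrgChartLevel -ne [bool]$OrgChartName) {
        throw '/L and /O must be used together.'
    }
    if ($OrgChartLevel -and $Action -notin @('OU', 'ALL')) {
        throw '/L and /O apply only to /F"OU" and /F"ALL".'
    }
    if ($UserId -and $Action -notin @('USER', 'ALL')) {
        throw '/U applies only to /F"USER" and /F"ALL".'
    }
    if ($GroupId -and $Action -notin @('GROUP', 'ALL')) {
        throw '/G applies only to /F"GROUP" and /F"ALL".'
    }
    # A double quote inside a value would close the quoted argument early.
    foreach ($value in $Root, $OrgChartLevel, $OrgChartName, $UserId, $GroupId) {
        if ($value -match '"') { throw "Double quote not allowed in: $value" }
    }

    $parts = @('ADSYNC', ('/R"{0}"' -f $Root), ('/F"{0}"' -f $Action))
    if ($OrgChartLevel) {
        $parts += ('/L"{0}"' -f $OrgChartLevel), ('/O"{0}"' -f $OrgChartName)
    }
    if ($UserId)  { $parts += '/U"{0}"' -f $UserId }
    if ($GroupId) { $parts += '/G"{0}"' -f $GroupId }
    $parts -join ' '
}

# Same options as the OU example on this page.
New-AdSyncArguments -Root 'OrgUnit' -Action OU -OrgChartLevel 1 -OrgChartName 'Bedrijf X'
```

The /W option places the Profit password in the process command line, so anything that records command lines (for example process-creation auditing) will capture it. Run the job under a dedicated account and restrict who can read the script and those logs.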

Update user data for existing users.

The data of the users who can be matched in AD from Profit are updated. Only non-critical user information is updated (job, telephone, address, etc.); user names and passwords are not. What does happen, however, is automatic expiry of a Windows account based on the employment end date.

Note: It is therefore not necessary to know the location of the user in AD, as only the code is used to search.

The following table states the fields that are updated in AD:

| AD tab | AD field | LDAP attribute | Value (from Profit) |
|---|---|---|---|
| -- | Organizational Unit | Organisational unit | |
| -- | Distinguished name | DN | |
| Object | Canonical name of object | canonicalName | Path from organisation chart + cn |
| General | Description | description | Updated by Profit on <date/time changed> |
| General | Display name/Common name | FullName | Full name of person in the following structure, followed by the user ID to make it unique: [First name Prefix Last name] ([User ID]) |
| General | First name | givenName | First name |
| General | Initials | initials | Initials (only the first 6 characters of the initials, the maximum length in AD) |
| General | Last Name | SN | Last name |
| General | Telephone number | telephoneNumber | Work phone |
| General | E-mail (disabled field) | Mail * | Work e-mail |
| General | Web page | wWWHomePage | Homepage |
| General | Office | physicalDeliveryOfficeName | Employer address |
| Address | Street | streetAddress | Private Street + house number |
| Address | City | L | City |
| Address | ZIP/Postal Code | postalCode | Postal code |
| Address | Country/region | c | Country |
| Telephones | Home | homePhone | Private telephone |
| Telephones | Mobile | mobile | Work mobile phone |
| Telephones | Fax | facsimileTelephoneNumber | Work fax |
| Organization | Company | company | Employer name |
| Organization | Department | department | Organisational unit |
| Organization | Title | title | Job |
| Account | Account expires end of | accountExpires ** | Employment end date + 1 day |

* Updating the e-mail address in combination with the [Automatically update e-mail address based on recipient policy] option in AD may result in undesirable changes. You should disable the option in AD when using synchronisation from Profit.

** AD blocks the account at the start of the date indicated, which is why one day should be added.
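To see which of the attributes in the table a run actually changed in the test environment, a snapshot can be taken before and after the synchronisation and the two compared. The PowerShell below is an added example, not part of Profit; it assumes the ActiveDirectory module, a constructed distinguished name for the root OU, hypothetical function names, and uses displayName for the row the table labels "FullName".

```powershell
# Added example, not part of Profit. Run in the test environment.
Import-Module ActiveDirectory

# LDAP names from the table above. displayName is used for the row the
# table labels "FullName" (assumption about the underlying attribute).
$SyncAttrs = 'description', 'displayName', 'givenName', 'initials', 'sn',
    'telephoneNumber', 'mail', 'wWWHomePage', 'physicalDeliveryOfficeName',
    'streetAddress', 'l', 'postalCode', 'c', 'homePhone', 'mobile',
    'facsimileTelephoneNumber', 'company', 'department', 'title',
    'accountExpires'

function Get-SyncSnapshot {                          # hypothetical name
    param([Parameter(Mandatory)][string]$RootDn)
    $snapshot = @{}
    Get-ADUser -SearchBase $RootDn -SearchScope Subtree -Filter * -Properties $SyncAttrs |
        ForEach-Object {
            $values = @{}
            foreach ($attr in $SyncAttrs) { $values[$attr] = [string]$_.$attr }
            # Key on ObjectGUID: /F"OU" can move users, which changes the DN.
            $snapshot[$_.ObjectGUID.ToString()] = [pscustomobject]@{
                User   = $_.SamAccountName
                Values = $values
            }
        }
    $snapshot
}

function Compare-SyncSnapshot {                      # hypothetical name
    param([hashtable]$Before, [hashtable]$After)
    foreach ($id in $After.Keys) {
        if (-not $Before.ContainsKey($id)) { continue }   # not in first snapshot
        foreach ($attr in $SyncAttrs) {
            $old = $Before[$id].Values[$attr]
            $new = $After[$id].Values[$attr]
            if ($old -cne $new) {
                [pscustomobject]@{ User = $After[$id].User; Attribute = $attr
                                   Before = $old; After = $new }
            }
        }
    }
}

$rootDn = 'OU=OrgUnit,DC=example,DC=test'            # constructed DN for /R"OrgUnit"
$before = Get-SyncSnapshot -RootDn $rootDn
# Run AFASCMD.EXE ... ADSYNC /R"OrgUnit" /F"USER" here, then:
$after = Get-SyncSnapshot -RootDn $rootDn
Compare-SyncSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The accountExpires rows in the output are the ones to review first, since that attribute is the only one in the table that blocks a Windows account.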
