Query Active Directory user attributes

User attributes are data fields in string format. A standard set of user attributes is required from the Active Directory to validate the user for provisioning, but these are not accessible for reporting purposes.


You can query additional user attributes from Active Directory to support reporting or invoicing by department, product, etc. You can also add user data for reporting needs:

The data in the custom user fields, and data created through the Set User Attributes call, can also be updated.
The Active Directory data is queried by the ADC for a new user - any user added to an assigned group for the ADC - and when a user is updated (starting in ADC version 1.4). You can perform a full synch, described below, for your existing users.

This article describes how to query additional user data from the Active Directory. The default attributes are listed below. In addition, you can:

Attributes used to access the Active Directory

The following group and user attributes are used to collect info about groups or members from your Active Directory. The data in these attributes must be valid based on the rules for that attribute (e.g., data type, legal characters, existence of required data, etc.). See Provision Users.

Required attributes    Group    User
distinguishedName      X        X
objectSID              X        X
uSNChanged             X        X
member                 X
mail                            X
name                            X
userAccountControl              X
sAMAccountName                  X
sn                              X
givenName                       X
accountExpires                  X

Modify config file to query AD attributes

The following steps assume that you have completed the installation of the Active Directory Connector and that the ADC is in a Stopped state.

IMPORTANT: Because the loading and parsing of the config file is done by system methods, the config file is not validated. Make sure you follow the correct syntax as shown to avoid errors.

1. Save a backup of ADConn.exe.config located in C:\Program Files (x86)\Citrix\Active Directory Connector.

2. Open the main ADConn.exe.config file in an editor and add attributes in the <appSettings> section using the following format for each attribute:

<add key="ID" value="employeeID" />

Where the key, "ID", is the description/column in the Active Directory, and the value, "employeeID", is the attribute description/column in the ADC.

3. Save the changes, and restart the ADC if you want to test the query for a set of new users, or apply it to all future new users. Once you have tested the query successfully against new users, you can add the attributes to existing user records as needed.

Complete file example:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <configSections>
    </configSections>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
    </startup>
    <!-- Additional attributes to query, one <add> element per attribute -->
    <appSettings>
        <add key="department" value="Department" />
        <add key="description" value="Description" />
        <add key="ID" value="employeeID" />
        <add key="number" value="employeeNumber" />
        <add key="type" value="employeeType" />
    </appSettings>
</configuration>
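Because the config file is not validated when it is loaded, a syntax check before restarting the ADC catches malformed markup and incomplete entries. The PowerShell below is an added example, not part of the original article or the product: the function name Test-AdcAppSettings and both sample documents are constructed for illustration, and treating a repeated key as a mistake is an assumption.

```powershell
# Added example (not vendor code). Test-AdcAppSettings is a hypothetical helper
# that returns a list of problems found in the <appSettings> section.
function Test-AdcAppSettings {
    param([Parameter(Mandatory)][string]$XmlText)
    $problems = @()
    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.LoadXml($XmlText)   # throws on malformed markup
    } catch {
        return @("Not well-formed XML: $($_.Exception.Message)")
    }
    $appSettings = $doc.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) { return @('No <appSettings> element under <configuration>.') }
    $seen = @{}
    foreach ($node in $appSettings.SelectNodes('add')) {
        $key   = $node.GetAttribute('key')     # empty string when the attribute is absent
        $value = $node.GetAttribute('value')
        if ([string]::IsNullOrWhiteSpace($key)) {
            $problems += "Entry without a key attribute: $($node.OuterXml)"
            continue
        }
        if ([string]::IsNullOrWhiteSpace($value)) { $problems += "Key '$key' has no value attribute." }
        # Assumption: a repeated key is a copy/paste mistake, not intended.
        if ($seen.ContainsKey($key)) { $problems += "Key '$key' appears more than once." }
        $seen[$key] = $true
    }
    return $problems
}
# Constructed sample 1: the closing </startup> tag is missing its '>'.
$broken = @'
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup<appSettings>
    <add key="ID" value="employeeID" />
  </appSettings>
</configuration>
'@
# Constructed sample 2: well-formed, but with a misspelled attribute and a repeated key.
$sloppy = @'
<configuration>
  <appSettings>
    <add key="department" value="Department" />
    <add key="ID" valeu="employeeID" />
    <add key="department" value="Description" />
  </appSettings>
</configuration>
'@
@($broken, $sloppy) | ForEach-Object { @(Test-AdcAppSettings -XmlText $_) }
```

To check the real file, pass the output of Get-Content -Raw on ADConn.exe.config as -XmlText while the ADC is stopped; an empty result means none of these checks failed.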

Query attributes for existing users

You can force a full synchronization of specified attributes for existing users by deleting cached data and restarting the ADC. Because most existing users will likely have identical emails for their AD and GoTo accounts, the matching process following a full synch should go quickly.

1. On the Operations tab of the ADC, click Stop if the ADC is running.

2. Configure the attributes in the ADConn.exe.config file.

3. Create a backup of, and then delete, the ADC data cache file C:\ProgramData\Citrix\ADConn\UserList.json.

4. On the Operations tab of the ADC, click Start to start the Active Directory Connector.

5. On the Users tab click Automatic matching. This should link the majority of the GoTo accounts to your AD users. Do manual matching for the remaining unmatched users as necessary.

6. Click Apply changes.

7. Click Deactivate edit mode. The new attributes query is updated for all existing users.

Add custom fields to view user attributes

As an account admin, you can add custom fields in the Admin Center in order to view and report on the AD user attributes. Custom fields appear as appended columns on many of the administrative reports.

If you create custom fields that match the AD attributes you are querying, the attributes are written to these fields. If you do not add matching custom fields, the AD attributes appear in untitled columns.

IMPORTANT: AD attributes written to custom fields are visible and editable in the user record in the Admin Center. Any AD data that you modify in the Admin Center will be overwritten if the user record in the AD changes.

1. In the Admin Center, select Admin Settings.

2. Scroll down to Custom Field and click Add a Custom Field.

3. Enter a custom field; you can include numeric and alpha characters. Click Save.

4. To view the data for a user, select Manage Users and open one of the user records. The new custom field displays.

Run attribute reports

Any report that provides user data will include the custom fields and any AD attribute fields in columns to the right of the base report. You can create reports:
