Query Active Directory user attributes
User attributes are data fields in string format. A standard set of user attributes is required from the Active Directory to validate the user for provisioning, but these are not accessible for reporting purposes.
You can query additional user attributes from Active Directory to support reporting or invoicing by department, product, etc. You can also add user data for reporting needs:
- In the custom user fields in the Admin Center
- Using the Administrative REST Set User Attributes API call
The data in the custom user fields and created through the Set User Attributes call can also be updated.
The ADC queries the Active Directory data for a new user (any user added to an assigned group for the ADC) and when a user is updated (starting in ADC version 1.4). You can perform a full synch, described below, for your existing users.
This article describes how to query additional user data from the Active Directory. The default attributes are listed below. In addition, you can:
- Modify the ADC config file to specify the attributes for all future new users
- Apply newly defined attributes to all existing users
- View the Active Directory attributes by user
- Report on the attribute values
The following group and user attributes are used to collect info about groups or members from your Active Directory. The data in these attributes must be valid based on the rules for that attribute (e.g., data type, legal characters, existence of required data, etc.). See Provision Users.
The following steps assume that you have completed the installation of the Active Directory Connector and that the ADC is in a Stopped state.
1. Save a backup of ADConn.exe.config located in C:\Program Files (x86)\Citrix\Active Directory Connector.
2. Open the main ADConn.exe.config file in an editor and add attributes in the <appSettings> section using the following format for each attribute:
   <add key="ID" value="employeeID" />
Where the key, "ID", is the description/column in the Active Directory, and the value, "employeeID", is the attribute description/column in the ADC.
3. Save the changes, and restart the ADC if you want to test the query for a set of new users, or apply it to all future new users. Once you have tested the query successfully against new users, you can add the attributes to existing user records as needed.
Complete file example:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
  </configSections>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <appSettings>
    <!-- Additional Active Directory attributes to query, one entry per attribute -->
    <add key="department" value="Department" />
    <add key="description" value="Description" />
    <add key="ID" value="employeeID" />
    <add key="number" value="employeeNumber" />
    <add key="type" value="employeeType" />
  </appSettings>
</configuration>
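The backup-and-edit steps above can also be scripted. The PowerShell below is an added example, not part of the original article or the vendor's tooling; the function name Add-AdcAttribute and the temp sample file are assumptions made for illustration. It parses the file before changing anything, so a malformed config is caught early, and it updates an existing key instead of adding a duplicate.

```powershell
# Added example (not Citrix/GoTo code). Run with the ADC in a Stopped state.
function Add-AdcAttribute {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        # Entries in the page's format: <add key="ID" value="employeeID" />
        [Parameter(Mandatory)][hashtable]$Attributes
    )
    $path = (Resolve-Path -LiteralPath $ConfigPath -ErrorAction Stop).Path

    # Parse first: Load() throws on malformed XML (e.g. a tag missing its '>'),
    # so a broken file is reported before anything is changed.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($path)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) { throw "No <appSettings> section in $path" }

    # Step 1: timestamped backup next to the original.
    $backup = '{0}.{1}.bak' -f $path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $path -Destination $backup -ErrorAction Stop

    # Step 2: add each attribute, updating an existing key rather than duplicating it.
    foreach ($key in $Attributes.Keys) {
        $node = $appSettings.SelectNodes('add') |
            Where-Object { $_.GetAttribute('key') -eq $key } |
            Select-Object -First 1
        if ($null -eq $node) {
            $node = $xml.CreateElement('add')
            $node.SetAttribute('key', $key)
            [void]$appSettings.AppendChild($node)
        }
        $node.SetAttribute('value', [string]$Attributes[$key])
    }
    $xml.Save($path)

    # Return the backup path and final mappings so the result can be reviewed.
    [pscustomobject]@{
        Backup   = $backup
        Mappings = $appSettings.SelectNodes('add') |
            ForEach-Object { '{0} = {1}' -f $_.GetAttribute('key'), $_.GetAttribute('value') }
    }
}

# Constructed sample config in a temp file (stands in for ADConn.exe.config).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ADConn.exe.config.sample'
Set-Content -LiteralPath $demo -Encoding UTF8 -Value @'
<?xml version="1.0" encoding="utf-8"?>
<configuration><appSettings><add key="department" value="Department" /></appSettings></configuration>
'@
Add-AdcAttribute -ConfigPath $demo -Attributes @{ ID = 'employeeID'; number = 'employeeNumber' }
```

Against the real file, pass the ADConn.exe.config path from step 1 (writing under Program Files normally needs an elevated prompt), then restart the ADC as in step 3.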
You can force a full synchronization of specified attributes for existing users by deleting cached data and restarting the ADC. Because most existing users will likely have identical emails for their AD and GoTo accounts, the matching process following a full synch should go quickly.
1. On the Operations tab of the ADC, click Stop if the ADC is running.
3. Create a backup of, and then delete, the ADC data cache file C:\ProgramData\Citrix\ADConn\UserList.json.
4. On the Operations tab of the ADC, click Start to start the Active Directory Connector.
5. On the Users tab click Automatic matching. This should link the majority of the GoTo accounts to your AD users. Do manual matching for the remaining unmatched users as necessary.
6. Click Apply changes.
7. Click Deactivate edit mode. The new attributes query is updated for all existing users.
As an account admin, you can add custom fields in the Admin Center in order to view and report on the AD user attributes. Custom fields appear as appended columns on many of the administrative reports.
If you create custom fields that match the AD attributes you are querying, the attributes are written to these fields. If you do not add matching custom fields, the AD attributes appear in untitled columns.
1. In the Admin Center, select Admin Settings.
2. Scroll down to Custom Field and click Add a Custom Field.
3. Enter a custom field; you can include numeric and alpha characters. Click Save.
4. To view the data for a user, select Manage Users and open one of the user records. The new custom field displays.
Any report that provides user data will include the custom fields and any AD attribute fields in columns to the right of the base report. You can create reports: