Active Roles Server – Bulk Import with Delegation using a Workflow

Feb. 22nd 2014

I recently had a customer that required bulk importing with some sort of security or delegation. The first thought was using a CSV connector with Quick Connect, but Quick Connect does not have any facilities for delegation, therefore anyone with permissions on the server would be able to execute bulk imports. The next thought was to create a bulk import script within ARS and attach it to a Workflow. ARS allows for user delegation within the ARS management console.

The first step in the process was to develop a PowerShell bulk import script that would read an import file and utilize the QAS PowerShell cmdlets to provision the objects within the directory.

The script example below can be used to import user accounts:

function CreateUserAccounts {
    # Read the staged import file (headers are listed below the script)
    $Accounts = Import-Csv -Path "C:\CSV\UserImport.csv"

    # Look up the pending instance of this workflow so the log file can be named after it
    $WorkflowInfo = Get-QARSWorkflowInstance -Workflow "CN=Import User Accounts,CN=Custom,CN=Workflow,CN=Policies,CN=Configuration" -TaskStatus Pending
    $WorkflowID = $WorkflowInfo.ID

    # Accumulated error text written to the log at the end of the run
    $str = ""

    # CSV line counter; line 1 is the header row, so the first data row is reported as line 2
    $i = 1

    foreach ($Account in $Accounts) {
        $UserID = $Account.logonname
        $Domain = $Account.FQDomain
        $UPN = $UserID + "@" + $Domain
        $OU = $Account.ou
        $Password = $Account.PW

        # accountExpires is optional; an empty cell means the account never expires
        if ($Account.accountExpires -eq "") {
            $AccountExpires = $Null
        }
        else {
            $AccountExpires = $Account.accountExpires
        }

        $Description = $Account.description
        $FirstName = $Account.givenName
        $LastName = $Account.sn
        $displayName = $LastName + ", " + $FirstName
        $i++

        try {
            New-QADUser -Name $UserID -SamAccountName $UserID -ParentContainer $OU -UserPrincipalName $UPN -UserPassword $Password -Description $Description -FirstName $FirstName -LastName $LastName -DisplayName $displayName -ErrorAction Stop
            # -ErrorAction Stop here as well, so a failed post-creation update is caught and logged too
            Set-QADUser -Identity $UPN -UserMustChangePassword $true -AccountExpires $AccountExpires -ErrorAction Stop
        }
        catch {
            $str += "Error occurred while processing line " + $i + " where logonname = " + $UserID
            $str += [System.Environment]::NewLine
            $str += $_
            $str += [System.Environment]::NewLine
            $str += "----------------------------------------------------------"
            $str += [System.Environment]::NewLine
        }
    }

    # One log per workflow instance
    [System.IO.File]::AppendAllText("C:\ImportLogs\UserImport_$WorkflowID.log", $str)
}

This script utilizes a CSV file with specific headers. The headers the script above uses are:

LogonName, FQDomain, OU, PW, AccountExpires, description, givenName, sn

These headers are fairly self-explanatory. LogonName is the user's logon name (sAMAccountName). FQDomain is the fully qualified domain name or, more specifically, the UPN suffix. OU is the DN of the organizational unit where the user account needs to be created. PW is the user's initial password, description is the user's description, givenName is the user's first name, and sn is the user's last name (surname).

The basic outline of the script operation is:

  • Import the CSV
  • Acquire the Workflow ID
  • Loop through the user array
    • Assign a variable to the logonname
    • Assign a variable to the FQDomain
    • Construct the UPN from the logonname and FQDomain
    • Assign a variable to the OU
    • Assign a variable to the pw
    • Verify if the accountexpires is populated
      • Assign null if it is empty
      • Assign a variable to accountexpires if populated
    • Assign a variable to the description
    • Assign a variable to the givenName
    • Assign a variable to the sn
    • Build the displayName from sn and givenName (the CN and sAMAccountName are taken from the logonname)
    • Use New-QADUser cmdlet to create an account using the variables from above
    • Use Set-QADUser cmdlet to set usermustchangepassword and accountExpires
    • Catch errors and write them to a log file named UserImport_<WorkflowID>
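Because the workflow runs with the service's rights rather than the delegated user's, a bad import file is the main way the run can go wrong. The following pre-flight check is an added example, not part of the original post or the ARS product: it validates the staged CSV against the header list above before the workflow is run. The file path and header names come from the post; the function name Test-UserImportCsv, the DN and sAMAccountName checks, and the line-numbering convention (header is line 1, matching the import script's counter) are assumptions made here.

```powershell
# Added example: validate C:\CSV\UserImport.csv before running the import workflow.
# Not part of the original post. Returns a list of problems; an empty list means the file is usable.
function Test-UserImportCsv {
    param(
        [string]$Path = "C:\CSV\UserImport.csv"   # staging path used by the post's script
    )

    # Header list exactly as described in the post
    $RequiredHeaders = @("LogonName", "FQDomain", "OU", "PW", "AccountExpires", "description", "givenName", "sn")
    $Issues = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path)) {
        $Issues.Add("Import file not found: $Path")
        return $Issues
    }

    # Force an array so a single-row file still indexes correctly
    $Rows = @(Import-Csv -LiteralPath $Path)
    if ($Rows.Count -eq 0) {
        $Issues.Add("Import file contains no data rows")
        return $Issues
    }

    # Header check (-contains is case-insensitive, so logonname/LogonName both pass)
    $Present = $Rows[0].PSObject.Properties.Name
    foreach ($h in $RequiredHeaders) {
        if ($Present -notcontains $h) { $Issues.Add("Missing column: $h") }
    }
    if ($Issues.Count -gt 0) { return $Issues }

    $Seen = @{}
    $Line = 1   # header row; data starts on line 2, same numbering the import script logs
    foreach ($Row in $Rows) {
        $Line++

        # Columns New-QADUser cannot do without
        foreach ($col in @("LogonName", "FQDomain", "OU", "PW")) {
            if ([string]::IsNullOrWhiteSpace($Row.$col)) {
                $Issues.Add("Line ${Line}: $col is empty")
            }
        }

        # sAMAccountName: at most 20 characters and none of the characters AD rejects
        if ($Row.LogonName -and ($Row.LogonName.Length -gt 20 -or $Row.LogonName -match '[\\/\[\]:;|=,+*?<>"]')) {
            $Issues.Add("Line ${Line}: LogonName '$($Row.LogonName)' is not a valid sAMAccountName")
        }

        # A duplicate UPN within one file would make the second New-QADUser fail
        $key = "$($Row.LogonName)@$($Row.FQDomain)".ToLowerInvariant()
        if ($Seen.ContainsKey($key)) {
            $Issues.Add("Line ${Line}: duplicate UPN $key (first seen on line $($Seen[$key]))")
        }
        else {
            $Seen[$key] = $Line
        }

        # OU must be a distinguished name, since it is passed straight to -ParentContainer
        if ($Row.OU -and $Row.OU -notmatch '^(OU|CN)=.+,DC=.+$') {
            $Issues.Add("Line ${Line}: OU '$($Row.OU)' does not look like a DN")
        }

        # AccountExpires is optional, but when present it must parse as a date and lie in the future
        if (-not [string]::IsNullOrWhiteSpace($Row.AccountExpires)) {
            $parsed = [datetime]::MinValue
            if (-not [datetime]::TryParse($Row.AccountExpires, [ref]$parsed)) {
                $Issues.Add("Line ${Line}: AccountExpires '$($Row.AccountExpires)' is not a date")
            }
            elseif ($parsed -lt (Get-Date)) {
                $Issues.Add("Line ${Line}: AccountExpires is already in the past")
            }
        }
    }
    return $Issues
}

# Usage: run by the administrator who stages the file, before the delegated user is told to run the workflow
$problems = Test-UserImportCsv
if ($problems.Count -eq 0) { "CSV passed validation" } else { $problems }
```

Running this from the staging side keeps the failure reporting in the same line numbers the workflow log uses, so an entry such as "Line 7" in UserImport_<WorkflowID>.log refers to the same row. Because the PW column holds initial passwords in clear text, the NTFS permissions on the staging folder (and on C:\ImportLogs, which records the logon names that failed) are part of the delegation boundary: only the administrators who place the file should be able to read it, which is consistent with the post's point that the delegated user can run the import but not supply its input.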

The next step is to create a script module:

  • Launch the ARS MMC
  • Expand the Configuration node
  • Expand Script Modules
  • Right click on the container you wish to use, navigate to New->Script Module
  • Enter the script name and leave PowerShell as the script language
  • Click Next
  • Select Policy Script as the type and click Next
  • Do not select any handler and click Next
  • Click Finish
  • Click on the newly created script module; you should see an empty window to the right.
  • Copy the script from above and paste it into the script module window.
    • Click yes to edit the script
    • Right Click on the script in the tree and click Save script on Server

Now that the script is saved, a workflow needs to be created.

  • Within the ARS MMC, expand the Configuration node
  • Expand the Policy node
  • Expand the Workflow node
  • Right click on the container you want to create a Workflow in
  • Click Next on the Welcome screen
  • Enter the Workflow name and click Next
  • Select On user demand or on a schedule and click Next
  • Click Finish on the next page

Now we will configure the Workflow.

  • Click on the new Workflow in the tree to see the Workflow screen
  • Click on Workflow Options and Click Configure
  • Leave the workflow on demand, select Do not start a new instance and click OK
  • Drag the script activity over to the workflow
  • Right click on the run script activity and click Properties
  • Click on Browse and select the script that was created earlier
  • Click on the Function and select the CreateUserAccounts function
  • Click OK
  • Click on Save Changes

After the CSV is created and placed in the appropriate location, all that is left is to delegate permissions to the workflow. Configuring the import in this fashion lets the ARS administrators control which files are placed in the import location, while the delegated user is only able to execute the bulk import.

Currently, the template below is the only way I can make the delegation work, as far as allowing a non-Administrator the ability to run a workflow. I will revisit this to discover the least amount of permission needed to accomplish the delegation.

  • Open the ARS MMC
  • Expand the Configuration node
  • Expand the Access Template node
  • Right click on the container you wish to use, select New->Access Template
  • Enter the name of the Access Template and click Next
  • In the permissions entry page, we will need several entries
    • All Classes – Read All Properties
    • All Classes – Read Control
    • Workflow Container – List Object
    • Workflow Container – List Contents
    • Workflow Definition – List Object
  • After adding these to the list, click Next
  • Click Finish

Now that the Access Template has been created, we need to assign or delegate control to the workflow container that holds the workflow you wish to delegate. Note: if the workflow is in a nested hierarchy of workflow containers, you will need to create another template that only has the List Object and List Contents permissions to be able to navigate the Workflow tree.

  • Open the ARS MMC
  • Expand the Configuration Node
  • Expand the Policies Node
  • Expand the Workflow Node
  • Right Click on the container you wish to delegate and click Delegate Control
  • In the Security box click the Add button
  • Click Next on the Welcome page
  • Click Add and select the user or group you want to delegate control to (The user or group you want to be able to run the Import Workflow), Click Next
  • Select the Run Workflow Access Template from the list and click Next
  • Leave the Inheritance options default and click Next
  • Click Finish on the confirmation page
  • Click OK to close the Security box

With these steps completed, you should now be able to log in as the delegated user and have the ability to run the Workflow. With these permissions in place, the delegated user will be able to open the workflow and review the configuration options of the workflow, but will be unable to modify the workflow.

Author: Russ Burden, Technical Architect, LeadThem Security

Posted by bc-admin | in ARS