Description
There may be a need to add a number of users as Employees into an Enterprise Vault (EV) Compliance Accelerator (CA) Customer. The quickest way to add a large number of Employees to CA is to create an Employee Group which can then be synchronized with the user account information held in Active Directory or a Domino directory, or a Windows or Domino group.
If this need cannot be fulfilled by adding the users via an Employee Group, alternate methods can be used, as below. An example of such a need would be the users are part of multiple Active Directory (AD) Organisational Units (OU) where the entire OU does not need to be added as an Employee Group. Note that Employees must be a part of the domain in order to be synchronized and must have an email address in order to be Randomly Sampled or Searched.
There are 2 methods to add such users as Employees:
Method 1 - Via the Employees tab in CA
This is the most straight-forward method for adding Employees one at a time.
1. Click the Employees tab in the CA Client.
2. Click New Employee at the top of the window.
3. In the right pane, click Browse under Windows account to display a list of user accounts, then select the account for this Employee. If the user is a Domino user, also click Browse under Domino account to display a list of user accounts, then select the account for this Employee.
4. Verify Automatically synchronize is selected so CA can synchronize the Employee profile properties with values in the associated Windows or Domino user account.
5. Click Save.
6. The Employee profile properties will be updated on the next Synchronization. To initiate a Synchronization, click the Synchronize Employees button in the Employees tab and Refresh the tab to see any changes.
7. Once Synchronized, the Employees can be added to Departments as needed.
Method 2 - Via an XML Import
If there are a large number of users to be added as Employees, the Employees can be imported into the CA Customer via the ImportExport command line utility. This requires manually creating an XML file with the details of each user needing to be added as an Employee. The prerequisite to these steps is to obtain SQL backups of the CA Customer database(s) that need to have Employees added via this method. Please read through all steps carefully and fully understand them before executing them. It may be best to execute them in a test environment first.
Steps to add Active Directory users:
1. Obtain the following required (not optional) information per user that needs to be added as an Employee (the steps include gathering data from the CA Customer database as well as gathering Active Directory (AD) data on the users):
1.1. EmployeeID: To obtain the EmployeeID, execute the following query against the CA Customer database in SQL Server Management Studio (SSMS):
SELECT * FROM tblAddressUser ORDER BY EmployeeID;
Review the EmployeeID column and find the highest EmployeeID listed. Note the EmployeeID may be a combination of characters and numerals, such as Employee15. Increment the highest numerical value listed in the database by 1 and use that for the first EmployeeID. For example, if the highest EmployeeID is Employee15, use Employee16 as the next EmployeeID. If multiple users need to be added, each user needing to be added will require a unique, incremental EmployeeID.
1.2. DisplayName: The user's AD Display Name.
1.3. ADSync: This should be set to true.
1.4. SID: The user's AD SID.
1.5. PrincipalLogin: The user's AD login in the format domain\login.
Notes:
- A list of all user AD Display Names, SIDs and PrincipalLogin names can be obtained in a CSV format by editing and running the following Active Directory PowerShell command in PowerShell on a domain controller:
Get-ADUser -Filter * -SearchBase "dc=<domain>,dc=com" | Select Name,SamAccountName,SID,@{name="PrincipalLogin";expression={$x = new-object 'security.principal.windowsidentity' -ArgumentList $_.UserPrincipalName; $x.Name}} | Export-csv -path c:\UserEmployeeInfo01.csv
- If the user is a Domino user, the following Domino attributes will also be needed:
-- DominoSync: This should be set to true.
-- DominoUserID: The user's Domino ID, typically in the format DisplayName/domain@domain.
-- DominoLDAPServer: The Domino server's LDAP path.
2. Create an XML-formatted string for each user based on the following example for (mail-enabled) users:
<Employee EmployeeID="EmployeeX" DisplayName="User's Display Name" ADSync="true" SID="S-X" PrincipalLogin="domain\login">
</Employee>
Here is an example for 2 users:
<Employee EmployeeID="Employee16" DisplayName="Fred Jones" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1111" PrincipalLogin="domain\Fred.Jones">
</Employee>
<Employee EmployeeID="Employee17" DisplayName="Tom Smith" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1112" PrincipalLogin="domain\Tom.Smith">
</Employee>
Notes:
- If the user is a Domino user, the Domino attributes will also be needed:
<Employee EmployeeID="Employee16" DisplayName="Fred Jones" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1111" PrincipalLogin="domain\Fred.Jones" DominoSync="true" DominoUserID="Fred Jones/domain@domain" DominoLDAPServer="LDAP://<DominoServer">
</Employee>
3. Create an XML file with the following header and footer. All data will be inserted between the header and footer. Save the file in a location on the CA server. E.G.: E:\ImportEmployees01.xml.
3.1. Header:
<?xml version="1.0" encoding="utf-8"?>
<DataloadDS>
<Case CustID="Compliance System">
3.2. Footer:
</Case>
</DataloadDS>
4. Add the user's XML strings between the header and footer. Here is an example to add 2 Active Directory mail-enabled users:
<?xml version="1.0" encoding="utf-8"?>
<DataloadDS>
<Case CustID="Compliance System">
<Employee EmployeeID="Employee16" DisplayName="Fred Jones" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1111" PrincipalLogin="domain\Fred.Jones">
</Employee>
<Employee EmployeeID="Employee17" DisplayName="Tom Smith" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1112" PrincipalLogin="domain\Tom.Smith">
</Employee>
</Case>
</DataloadDS>
5. If there is a need to add the users (Employees) to a new Employee Group that will NOT be synchronised to an Active Directory object (Active Directory search, Active Directory container, Windows group or distribution list), the Employee Group can be created at this point.
Note these steps can also be used to add existing Employees to the Employee Group. If new users do not need to be added as Employees, simply omit the Employee creation information (between the <Employee and </Employee> anchors), as the Employees are already present in the Customer database, and use the existing EmployeeID information via the following query executed against the CA Customer database in SSMS:
SELECT
tau.EmployeeID
, tau.FirstName
, tau.Surname
, tp.PrincipalName
, tp.PrincipalLogin
, tp.PrincipalID
, tau.AddressOwnerID
, tp.SID
FROM tblPrincipal AS tp
JOIN tblAddressUser AS tau ON tp.AddressOwnerID = tau.AddressOwnerID
ORDER BY tau.EmployeeID;
If new and existing Employees need to be added, add the new users (Employees) as above in the Employee creation information (between the <Employee and </Employee> anchors), and then add the new and existing Employee's EmployeeIDs to the Employee Group.
5.1. The following information will be needed for the Employee Group:
5.1.1. Name: This is the name of the Employee Group (100 characters maximum).
5.1.2. Description: This is an optional description that can be added as needed (500 characters maximum).
5.1.3. CustGroupID: This is the unique CustGroupID for the Employee Group and is typically EmployeeGroupX where X is a sequential number. To obtain the CustGroupID, execute the following query against the CA Customer database in SSMS:
SELECT * FROM tblTargetGroup ORDER BY CustGroupID;
Review the CustGroupID column and find the highest listed number for EmployeeGroupX. Increment the highest numerical value listed in the database by 1 and use that number for the Group's CustGroupID. For example, if the highest CustGroupID is EmployeeGroup10, use EmployeeGroup11 as the next CustGroupID. If multiple Employee Groups need to be added, each Employee Group needing to be added will require a unique, incremental CustGroupID.
If no Employee Groups are listed in the query output, use EmployeeGroup1 for the first Employee Group in the XML. If there is only one Employee Group's entry listed in the query output with a blank CustGroupID, use EmployeeGroup2 for the first Employee Group in the XML.
5.2. Create an XML-formatted string for each Group based on the following example listing 1 Employee as a Group member:
<EmployeeGroup CustGroupID="EmployeeGroupX" Name="Employee Group Name" LDAP_Base="" LDAP_Path="" ADSync="false" TypeID="140" Description="" CustID="Compliance System" Remove="false">
<GroupMember EmployeeID="EmployeeX" CustGroupID="EmployeeGroupX" Remove="false" />
</EmployeeGroup>
IMPORTANT: Do NOT edit any of the following parameters: LDAP_Base, LDAP_Path, ADSync, TypeID, CustID, Remove.
Here is an example of an Employee Group with 2 Employees:
<EmployeeGroup CustGroupID="EmployeeGroup11" Name="Sales NAM" LDAP_Base="" LDAP_Path="" ADSync="false" TypeID="140" Description="" CustID="Compliance System" Remove="false">
<GroupMember EmployeeID="Employee16" CustGroupID="EmployeeGroup11" Remove="false" />
<GroupMember EmployeeID="Employee17" CustGroupID="EmployeeGroup11" Remove="false" />
</EmployeeGroup>
Note the following:
- The Name of the Employee Group is Sales NAM.
- The Description has been left blank (can be specified if needed).
- The CustGroupID is specified as EmployeeGroup11 as this was the next available CustGroupID. The CustGroupID has to be specified in the first line that contains the Employee Group information AND in each Employee's line so as to link the Employee to the Employee Group.
- There are 2 Employees added to the Group using their EmployeeIDs: Employee16 and Employee17.
5.3. Add the Group's XML string after the XML string for the last Employee and before the Footer containing </Case> and </DataloadDS>.
This sequence is important as the Group's XML information references EmployeeIDs that must exist in the database. Listing the Group's XML string after the XML string for the last Employee ensures the EmployeeIDs will be created before the Group, as the XML file is read and processed in order of items listed, i.e. top to bottom. Listing the Group's XML string before the XML string for the last Employee will cause the import to fail as the Group's XML information would reference EmployeeIDs that have not yet been created, i.e. processed by the import from top to bottom.
5.4. Multiple Employee Groups can be added, with each Group's information being listed in the XML string format as above. List each Group's XML string in sequential order, making sure to list all Employee Groups' information after the XML string for the last Employee and before the Footer containing </Case> and </DataloadDS>.
5.5. Here is an example file to add 2 Active Directory mail-enabled users and add the 2 new users (Employees) to an Employee Group:
<?xml version="1.0" encoding="utf-8"?>
<DataloadDS>
<Case CustID="Compliance System">
<Employee EmployeeID="Employee16" DisplayName="Fred Jones" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1111" PrincipalLogin="domain\Fred.Jones">
</Employee>
<Employee EmployeeID="Employee17" DisplayName="Tom Smith" ADSync="true" SID="S-1-1-11-111111111-1111111111-1111111111-1112" PrincipalLogin="domain\Tom.Smith">
</Employee>
<EmployeeGroup CustGroupID="EmployeeGroup11" Name="Sales NAM" LDAP_Base="" LDAP_Path="" ADSync="false" TypeID="140" Description="Sales Group For North America" CustID="Compliance System" Remove="false">
<GroupMember EmployeeID="Employee16" CustGroupID="EmployeeGroup11" Remove="false" />
<GroupMember EmployeeID="Employee17" CustGroupID="EmployeeGroup11" Remove="false" />
</EmployeeGroup>
</Case>
</DataloadDS>
6. Import the XML file. There are 2 options to import the file. Use either of the 2 options:
6.1. Option 1 - Via the Client:
6.1.1. Go to the Configuration tab in the Client and click on the Import Configuration sub-tab.
6.1.2. Select the Clear log before import option.
6.1.3. Click Browse and browse to the location of the XML file.
6.1.4. Click Import.
6.1.5. Click on the down arrow next to the The import completed successfully message or the message indicating a failure to display the Import Log tab for review. Correct any failures in the XML file and re-try the import.
6.2. Option 2 - Execute the ImportExport command from the Accelerator installation folder via command prompt on the CA server, as follows.
6.2.1. Log on to the CA server as the Vault Service Account (VSA), start a command prompt, navigate to the CA Server installation folder in the command prompt and execute ImportExport.exe:
E:\Program Files (x86)\Enterprise Vault Business Accelerator>ImportExport.exe
6.2.2. Select the option to Import:
Welcome to the Accelerator Export ToolI
Select Import or Export (default E):
Enter 'I' for Import or 'E' for Export:
6.2.3. Select the CustomerID (use the question mark (?) to see the list of CustomerIDs):
Enter the customer ID ("?" for Customer list): ?
CustomerID Customer Type Customer Name
-----------------------------------------------------------------------------------------------------------------------
1 Compliance <CustomerName>
Enter the customer ID ("?" for Customer list): 1
6.2.4. Enter the name of the Import XML file:
Enter the name of the import file (Default ConfigurationData.xml): E:\ImportEmployees01.xml
6.2.5. Create a log file (will be useful to review any errors in the XML file):
Do you want to create a log file? (Default Y)Y
Enter 'Y' for Yes or 'N' for No:
Enter the name of the Log file (default ImportEmployees01.log): E:\ImportEmployeesLog01.log
6.2.6. Connect to the Accelerator server:
Do you want to connect to the Accelerator server? (Default Y)Y
Enter 'Y' for Yes or 'N' for No:
6.2.7. Do not log processes to the Customer database:
Do you want to log the processes to the Accelerator Database? (Default N)N
Enter 'Y' for Yes or 'N' for No:
6.2.8. Validate the ImportExport XML prior to import:
Validate XML before import? (Default Y)Y
Enter 'Y' for Yes or 'N' for No:
6.2.9. Only commit the changes if all validations are correct:
Commit only on full success? (Default N)Y
Enter 'Y' for Yes or 'N' for No:
6.2.10. Review the selected parameters and import the XML:
Import will starts with the following parameters:
Input File: E:\ImportEmployees01.xml
Log File: E:\ImportEmployeesLog01.log
Overwrite Files: False
Use Service: True
Log to DB: False
Leave DB Log: False
XML Validation: True
Show Only Errors: False
Customer ID: 1
Commit only on success: True
Do you want to run the tool with these parameters? (Default Y)Y
Enter 'Y' for Yes or 'N' for No:
6.2.11. A successful import should look like this:
ImportExport: Loading DTrace
ImportExport: Diagnostics assembly is KVS.EnterpriseVault.Runtime, Version=X, Culture=neutral, PublicKeyToken=...
<Date> <Time> Starting ...
Validating XML File...
Loading XML File...
Importing Configuration data...
Creating Log File...
<Date> <Time> Info <HR class='bar'>
<Date> <Time> Info Starting Import
<Date> <Time> Info Loading 'Case'
<Date> <Time> Count Number of Cases: X
<Date> <Time> Info Loading 'Employee'
<Date> <Time> Count Number of Employees: X
<Date> <Time> Info The dataload has been imported to the database
<Date> <Time> Info Import completed
<Date> <Time> Import Finished successfully in X hours X minutes X seconds
Writing Log file...
type return to exit
6.2.12. Press the Enter key on the keyboard to complete the ImportExport process and return to the command prompt. The Command prompt window can then be closed. If any errors are seen, review the log, correct the errors and retry the import process.
7. The Employee profile properties will be updated on the next Synchronization. To initiate a Synchronization, click the Synchronize Employees button in the Employees tab in the Client and Refresh the tab to see any changes. Once Synchronized, the Employees can be added to Departments as needed, either individually or via any Employee Groups that may have been created.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.