Help Desk and Knowledge Base

IT Pro: How to read users from Active Directory on-premises

You can read users from Active Directory on prem automatically and then you do not need to add/update users manually in Xink.

When new users are created in your Active Directory, they are automatically added to your Xink EMPLOYEE list. 

It's all automatic so hires and fires are reflected in Xink as soon as they're updated in your on-premise AD.
This is the easiest way for IT to maintain email signature information like name, mobile number, title etc.. 

You can start by running ADExport from your own domain PC just to try it out. 
When you have successfully seen users exported into Xink, you can always move it to a server and set it up to run as a scheduled task in a production environment.

After using Xink ADExport, you can add additional information which maybe you don't want to maintain in AD, like LinkedIn, headshots, Skype, etc.

What exactly is exported?

ADExport is completely safe to run. Check out these bald facts about ADExport:

  • ADExport does not make any changes to your AD.
  • ADExport only reads data.
  • ADExport cannot write or update any data anywhere in your AD.
  • ADExport does not grab any passwords.
  • ADExport exports only the data for a user that you instruct it to export (Preferences > Fields).
  • ADExport means “Active Directory Export” which again means “export of data from AD” — there is no import or updates.
  • ADExport doesn’t export anything else but user information — no schema information or anything deeper is exported.

Learn more in this blog post about ADExport and what it does and doesn't do.

System requirements

  • Windows 7 PC or higher connected to the domain you plan to export users from.
  • Windows Server 2008 or higher connected to the domain you plan to export users from. 
  • Only unique email addresses not used in other Xink accounts are imported. 
  • Latest .NET Service Pack. 
  • Port 443 (HTTPS) enabled.
    Your antivirus software might prevent the file to run on your server, so you might need to allow the executable to run and access the internet through port 443.
  • Make sure that all users you want to export have email addresses.
    Only users with primary SMTP email address will be exported:

Your Step-by-step Guide to Xink AD Export

You need both AD Export and your secret token to uniquely identify your AD with your cloud account. 

Log into your Xink account > You will find your account's secret token in Preferences menu (the top right corner):

Download Export Tool and save in your file system. It is a single file and no installation is needed.

Copy your AD Export secure token.

Finally set up emsadexport (Xink ADExport tool) to run scheduled on a Windows Server (e.g. application server, file server etc.).
You can choose your own Schedule depending on how often you want it to update data from your AD.

Before you read data from your Active Directory, scroll down to learn about the different switches and examples later in this guide.
Then, when you're ready, run the file manually to start with so you know it exports as expected before you schedule it to run on your server.

Don't run it on your Domain Controller or Exchange Server. Start on your Windows domain PC. If you only need to export a part of your AD, then apply one of the switches described below (use the examples later in this guide).

How to run 'emsadexport' to export user contact details from your Active Directory on prem to Xink Employees

You can run the file as: 

  • .BAT, 
  • .CMD or 
  • Command Prompt, where you browse to the directory where you have saved it:

Export Switches

The export tool comes with a number of switches you can use. 

The switch can be added anywhere after the emsadexport file name.


The secret switch include your unique account token. The result of this switch, is that your AD data ends up in your Xink account.  

P.S. You always need to include the /secret switch when exporting:



Export only users who belong to a specific OU.


Exports only users who belong to a certain group (both security groups and distribution groups are supported). 

The value of the switch is the group name from Active Directory (not the OU name).

P.S: If the group contains blank space in the name, you need to write the Group name in quotes. 

Example: The Group name is 'Sales North America' so your switch will be /group:"Sales North America".

P.S.S: Reading from groups are much slower than reading from OUs. 


This switch removes users not included in the export. 

E.g. your Xink account has 100 users and next time it found only 2 users to export, then these 2 users will remain. All others will be deleted in Xink.  

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /remove+


This switch supports your own custom AD names if you have an AD with extended schema.  

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN"  /field:ATTRIBUTE1 /field:ATTRIBUTE2 


You can enable LDAP over SSL (LDAPS) by using this switch.


When adding this switch nothing will actually be exported to your Xink account. It will display the users who will be included in the export. This switch is often used in connection with the initial setup to make sure that only a minor selection of users will be exported. Remember to remove the switch when you actually want to export the users.


This switch removes default mapped fields. Followed by /field switches for the fields you use in your email signature, you can bypass e.g. Photo field when if you have images that exceed our 4Mb limit.
C:\emsadexport.exe /secret:INSERT-YOUR-SECRET-TOKEN /nd /field:mail /field:displayname /field:telephoneNumber /field:title


This switch will read a text file with your switches. If you have both /secret, /Group and /remove+ options you can just edit these in a text file.

You can edit your switches in this file and the run this line (where the file in this example is called 'switches.txt':   

C:\emsadexpot.exe @switches.txt


This switch will user groups from AD. Learn more in this KB.

C:\emsadexport.exe /secret:INSERT-YOUR-SECRET-TOKEN /ug


Example #1

Export all users from Active Directory with an email address (replace INSERT-YOUR-SECRET-TOKEN with your token):  


C:\emsadexport.exe /secret:"Ok+v67Le2Tahs62lOWy0Ag=="


C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN"

Example #2

This command will export users from this OU: 'OU=Users,OU=Company Name,DC=gt,DC=local'.
All other existing users in your Xink account will remain:    

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal" 

Example #3

This command will export users from this OU: 'OU=Users,OU=Company Name,DC=gt,DC=local'.
All other existing users in your Xink account will be removed and only the users from this OU will be in your Xink account:    

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal" /remove+

 How to find the distinguishedName of an OU:

Example #4

This command will remove all users except for the users in the group 'My Test':    

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /group:"My Test" /remove+

Example #5

This command will update two fields from your extended AD schema (you need to add default AD fields): 

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /field:manager /field:generationQualifier


Example #6 - Enterprise environment with multiple domains

Your enterprise incl. 3 companies; Company_1, Company_2 and Company_3.

You have a group marketing department and you want to collect all employee contact details in one corporate Xink account (with employee data from 3 domains).

You already assigned role-based login to your group marketing team. 

You export from 3 different domains using the same secure token (across domains):   

C:\emsadexport.exe /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal" /secret:"Ok+v67Le2Tahs62lOWy0Ag=="

C:\emsadexport.exe /domain:"OU=Users,OU=Company_2OU,DC=Company_2,DC=internal" /secret:"Ok+v67Le2Tahs62lOWy0Ag=="

C:\emsadexport.exe /domain:"OU=Users,OU=Company_3OU,DC=Company_3,DC=internal" /secret:"Ok+v67Le2Tahs62lOWy0Ag=="

Example #7

This command will pull user groups for all users to the field mapped to 'groupCnList': 

C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /ug

How to map DirectPhone field to your AD data

When you run AD Export it will update user's details in Employees menu. 

Per default when you run AD Export all Employee data is updated and you do not need to configure anything else.

DirectPhone field sometimes must be re-mapped as it's not a default field in AD. 

By default DirectPhone data is updated from otherTelephone field in AD

Preferences menu > Fields, click the 'gear wheel' and select edit: 

  • Property Name is the LDAP name of the field that holds this field information.
  • Use 'pager' property name if you store direct tel. number in pager field in AD.

How to map ExtentionAttribute fields to Xink fields 

  • extensionAttribute1
  • extensionAttribute15

Default AD fields which you can can extend using /field switch

givenName, initials, sn, displayname, distinguishedName, description, physicalDeliveryOfficeName, telephoneNumber, mail, wWWHomePage, homePhone, pager, mobile, facsimileTelephoneNumber, ipPhone, title, department, company, streetAddress, postOfficeBox, l, c, postalCode, co, otherTelephone, st, jpegPhoto, sAMAccountName

Example - BAT file for a group which you schedule on a Windows File Server

START emsadexport.exe /secret:"[INSERT-YOUR-SECRET-TOKEN]" /group:"My Test" /remove+

Example - CMD file for a group which you schedule on a Windows File Server

"\\emsadexport.exe" /secret:"[INSERT-YOUR-SECRET-TOKEN]" /group:"My Test" /remove+

How to fix 'Proxy Authentication Required' when behind Proxy Server?

When you authenticate and, 'Proxy Authentication Required' is gone:

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.