You can read users from Active Directory on-prem automatically and then you do not need to add/update users manually in Xink.
When new users are created in your Active Directory, they are automatically added to your Xink EMPLOYEE list.
It's all automatic so hires and fires are reflected in Xink as soon as they're updated in your on-premise AD. This is the easiest way for IT to maintain email signature information like name, mobile number, title etc..
You can start by running ADExport from your own domain PC just to try it out.
When you have successfully seen users exported into Xink, you can always move it to a server and set it up to run as a scheduled task in a production environment.
You can add additional information which maybe you don't want to maintain in AD, like LinkedIn, Twitter, headshots, Skype, etc.
What exactly is exported?
ADExport is completely safe to run. Check out these bald facts about ADExport:
- ADExport does not make any changes to your AD.
- ADExport only reads data.
- ADExport cannot write or update any data anywhere in your AD.
- ADExport does not grab any passwords.
- ADExport exports only the data for a user that you instruct it to export (Preferences > Fields).
- ADExport means “Active Directory Export” which again means “export of data from AD” — there is no import or updates.
- ADExport doesn’t export anything else but user information — no schema information or anything deeper is exported.
- Windows 7 PC or higher connected to the domain you plan to export users from.
- Windows Server 2008 or higher connected to the domain you plan to export users from.
- Only unique email addresses not used in other Xink accounts are imported.
- Latest .NET Service Pack.
- Port 443 (HTTPS) enabled.
Your antivirus software might prevent the file to run on your server, so you might need to allow the executable to run and access the internet through port 443.
Make sure that all users you want to export have email addresses.
Only users with primary SMTP email address will be exported:
Your Step-by-step Guide to Xink AD Export
You need both AD Export and your secret token to uniquely identify your AD with your cloud account.
Log into your Xink account > You will find your account's secret token in Preferences menu (the top right corner):
Download Export Tool and save in your file system. It is a single file and no installation is needed.
Copy your AD Export secure token.
Finally set up emsadexport (Xink ADExport tool) to run scheduled on a Windows Server (e.g. an application server, file server etc. - Domain Controller/Exchange is not Best Practice). You can choose your own Schedule depending on how often you want it to update data from your AD.
Before you read data from your Active Directory, scroll down to learn about the different switches and examples later in this guide.
Then, when you're ready, run the file manually to start with so you know it exports as expected before you schedule it to run on your server.
Start on your Windows domain PC. If you only need to export a part of your AD, then apply one of the switches described below (use the examples later in this guide).
How to run 'emsadexport' to export user contact details from your Active Directory on-prem to Xink Employees
You can run the file as:
- .CMD or
- Command Prompt, where you browse to the directory where you have saved it:
The export tool comes with a number of switches you can use.
The switch can be added anywhere after the emsadexport file name.
The secret switch includes your unique account token. The result of this switch is that your AD data ends up in your Xink account.
P.S. You always need to include the /secret switch when exporting:
Export only users who belong to a specific OU.
Users in sub-OUs are pulled.
Exports only users who belong to a certain group (both security groups and distribution groups are supported).
The value of the switch is the group name from Active Directory (not the OU name).
Users in sub-groups (nested) are not pulled.
P.S: If the group contains blank space in the name, you need to write the Group name in quotes.
Example: The Group name is 'Sales North America' so your switch will be /group:"Sales North America".
P.S.S: Reading from groups is much slower than reading from OUs.
This switch removes users not included in the export.
E.g. your Xink account has 100 users and next time it found only 2 users to export, then these 2 users will remain. All others will be deleted in Xink.
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /remove+
This switch supports your own custom AD names if you have an AD with the extended schema. Learn more.
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /field:ATTRIBUTE1 /field:ATTRIBUTE2
You can enable LDAP over SSL (LDAPS) by using this switch.
When adding this switch nothing will actually be exported to your Xink account. It will display the users who will be included in the export. This switch is often used in connection with the initial setup to make sure that only a minor selection of users will be exported. Remember to remove the switch when you actually want to export the users.
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /nd /field:mail /field:displayname /field:telephoneNumber /field:title
This switch will read a text file with your switches. If you have both /secret, /Group and /remove+ options you can just edit these in a text file.
You can edit your switches in this file and then run this line (where the file in this example is called 'switches.txt':
This switch will pull user groups from the AD. It does not work when users are pulled from an OU. Learn more in this KB.
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /group:"My Test" /ug
Export all users from Active Directory with an email address (replace INSERT-YOUR-SECRET-TOKEN with your token):
This command will export users from this OU: 'OU=Users,OU=Company Name,DC=gt,DC=local'.
All other existing users in your Xink account will remain:
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal"
This command will export users from this OU: 'OU=Users,OU=Company Name,DC=gt,DC=local'.
All other existing users in your Xink account will be removed and only the users from this OU will be in your Xink account:
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal" /remove+
This command will remove all users except for the users in the group 'My Test':
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /group:"My Test" /remove+
This command will update two fields from your extended AD schema (no need to add default AD fields):
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /field:manager /field:generationQualifier
Example #6 - Enterprise environment with multiple domains
Your enterprise incl. 3 companies; Company_1, Company_2 and Company_3.
You have a group marketing department and you want to collect all employee contact details in one corporate Xink account (with employee data from 3 domains).
You already assigned a role-based login to your group marketing team.
You export from 3 different domains using the same secure token (across domains):
C:\emsadexport.exe /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal" /secret:"Ok+v67Le2Tahs62lOWy0Ag=="
C:\emsadexport.exe /domain:"OU=Users,OU=Company_2OU,DC=Company_2,DC=internal" /secret:"Ok+v67Le2Tahs62lOWy0Ag=="
C:\emsadexport.exe /domain:"OU=Users,OU=Company_3OU,DC=Company_3,DC=internal" /secret:"Ok+v67Le2Tahs62lOWy0Ag=="
This command will pull user groups for all users to the field mapped to 'groupCnList': (Learn more)
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /ug
This command will write log to C:\Xink:
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" > C:\Xink\Xink_log.txt
This command will import one target user and import to https://app.xink.io:
C:\emsadexport.exe /secret:"INSERT-YOUR-SECRET-TOKEN" /filter:”SAMAccountName=username"
How to map DirectPhone field to your AD data
When you run AD Export it will update user's details in Employees menu.
Per default when you run AD Export all Employee data is updated and you do not need to configure anything else.
DirectPhone field sometimes must be re-mapped as it's not a default field in the AD.
By default, DirectPhone data is updated from otherTelephone field in the AD.
Preferences menu > Fields, click the 'gear wheel' and select edit:
- Property Name is the LDAP name of the field that holds this field information.
- Use 'pager' property name if you store the direct tel. number in pager field in the AD.
How to map extensionAttribute fields to Xink fields
How to schedule AD updates on an application server
Example - BAT file for a group which you schedule on a Windows File Server
START emsadexport.exe /secret:"[INSERT-YOUR-SECRET-TOKEN]" /group:"My Test" /remove+
Example - CMD file for a group which you schedule on a Windows File Server
"\\emsadexport.exe" /secret:"[INSERT-YOUR-SECRET-TOKEN]" /group:"My Test" /remove+
How to fix 'Proxy Authentication Required' when behind Proxy Server?
IT Pro: How to read groups from Active Directory (AD on-premises and Azure AD).