Initial AD Bulk Loading of Random Users and propagating a NetIQ Identity Vault

Here is a method to populate an AD domain for a development environment. This document also describes how to use an AD driver to pull that data into the Identity Vault.

This could be used for any Identity Manager solution. Most customers have Active Directory in their environment, so an AD driver/connector will be available regardless of the Identity Manager framework or technology.

This script was originally created by Helge Klein, https://helgeklein.com. I have modified the script somewhat to help pull accounts into my Windows 2016 test domain. Please continue to give credit to Helge by referencing his name in any script you use.
Obtain the original script and associated files from: https://github.com/RobBridgeman/ADImporter
I did not find the original script on Helge’s website and used the one from Rob Bridgeman.

Copy the script below over the existing PowerShell script from Helge’s package. Modify the PowerShell script with the configuration parameters for your development domain controller. There may be syntax formatting issues from the copy and paste where comments span multiple lines. Review the data input lists and add or remove data so that it conforms to your environment. Set the number of users to create to your desired amount; it is currently set to 50,000.
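As an added illustration (not Helge Klein’s script or the ADImporter script), here is a minimal PowerShell loader of the same kind: it creates synthetic users in a dedicated OU, gives each one a unique random password, and stamps a job code and employee number that the AD driver’s business logic can later match on. The domain, OU path, name lists and job-code table are assumed placeholders to replace with your own.

```powershell
# Added example, not the original script: bulk-create synthetic users for a dev domain.
# Assumptions: the ActiveDirectory module is installed, $OuPath already exists, and the
# account running this may create users there. Adjust $Domain, $OuPath and $Count.
Import-Module ActiveDirectory

$Domain = 'dev.example.test'                          # assumed dev domain (placeholder)
$OuPath = 'OU=BulkUsers,DC=dev,DC=example,DC=test'    # assumed target OU (placeholder)
$Count  = 50                                          # raise (e.g. to 50000) for a full load
$Prefix = 'dev'                                       # keeps generated accounts recognisable

# Constructed sample data; swap in the name and job-code lists that fit your business.
$FirstNames = 'Alex', 'Jordan', 'Morgan', 'Taylor', 'Casey', 'Riley'
$LastNames  = 'Rivera', 'Okafor', 'Lindqvist', 'Nakamura', 'Dubois', 'Patel'
$JobCodes   = @{ 'ENG01' = 'Engineering'; 'FIN02' = 'Finance'; 'HR03' = 'Human Resources' }

function New-RandomPassword {
    # 20 bytes from the OS CSPRNG, base64-encoded: a unique, non-dictionary password per account.
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

for ($i = 1; $i -le $Count; $i++) {
    $given   = Get-Random -InputObject $FirstNames
    $sur     = Get-Random -InputObject $LastNames
    $sam     = '{0}{1}{2:D6}' -f $Prefix, $sur.Substring(0, 3).ToLower(), $i   # unique, under 20 chars
    $jobCode = Get-Random -InputObject @($JobCodes.Keys)

    # Skip accounts that already exist so the script can be re-run safely.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) { continue }

    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    # CN includes the sAMAccountName because a short name list would otherwise collide in the OU.
    New-ADUser -Name "$given $sur ($sam)" -SamAccountName $sam `
        -UserPrincipalName "$sam@$Domain" -GivenName $given -Surname $sur `
        -DisplayName "$given $sur" -EmailAddress "$sam@$Domain" `
        -EmployeeNumber ('{0:D8}' -f $i) -EmployeeID $jobCode `
        -Department $JobCodes[$jobCode] -Path $OuPath `
        -AccountPassword $secure -Enabled $true `
        -OtherAttributes @{ 'employeeType' = 'DEV-SYNTHETIC' }   # marks the account as generated
}
```

The job code is carried in employeeID and the synthetic marker in employeeType; both are assumed mappings, so adjust them to whatever attributes your driver policies match on.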

AD Driver
Once your script is creating accounts, it is easy to pull the users into the Identity Vault with the AD driver. Modify the Publisher channel’s Matching policy, NOVLADDCFG-pub-mp, to disable the “veto out-of-scope events” rule. With that rule disabled, objects that are not entitled can still flow across the Publisher channel from AD to eDirectory and receive an association. If your AD environment will not be authoritative, re-enable this rule once your data is migrated. Last of all, migrate your data into the Identity Vault via iManager, or have the driver up and running when you create the users with the PowerShell script.

You can then modify the script to your needs. Use Apache Directory Studio to find similar objects and add a job code or other attributes that will be used in your business logic.

• Your dev environment isn’t using real users, real domain names or real e-mail addresses, so e-mail notifications and other processes behave differently than in production and testing.

• You can have data that resembles your business data, while consultants and other outside parties never see production-like data in your dev environment.

• Your dev environment is set up fairly quickly with large numbers of users and large jobs.

• You have a script that you can keep modifying to conform to your needs. Once the script works the way you want and the data is satisfactory, you could proceed with LDIF exports to bulk-load data in the future.

When considering your authoritative systems, such as an HR database, it may be worth populating a dev database table as an initial simulated HR table, using a JDBC driver. Many times the source system, such as a connected HR system, will need time to be configured and tuned by the HR sysadmins. I have seen this take 1-3 months depending on the size of the environment and how the backend HR system is configured.

You may be able to do your own development and testing ahead of time with a separate dummy table that mimics how your data is planned to look. Once you have the data imported from the Identity Vault into the dummy HR system, you can populate your additional HR columns, such as employee number and hire date, in the table and start building the logic for how that data will get into the Identity Vault.

Use a separate driver for the HR system so that the prior associations remain available. You then have data that already exists in AD and the vault, and you can simulate how matching data from a new HR source system lines up with the data in your other systems.

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
