Getting Active Directory Users in UCM User Admin - Users Tab

Similar Messages

• Active Directory as readonly UME except of user's password

  Hi there,
  we would like to configure the portal-datasource to connect to the active directory read-only. However, (LDAP) users must be able to change there passwords. How could the xml file look like.
  We checked out http://help.sap.com/saphelp_nw70/helpdata/de/46/07a02c920f4f0fe10000000a114a6b/frameset.htm, but this doesn't work. Here the portal tries to create ldap users and fails as no mandatory fields are writeable.
  Also we tried to dsitriubte the active directory in one writeable and one readable. However according to help.sap.com (http://help.sap.com/saphelp_nw70/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm) it is not possible to assign users from one source to groups of another.
  Does anybody know a solution or a hint?
  Thanks a lot and regards
  Stephan

  Hi Michael,
  thanks for your help. We finally solved the issue using the "homefor"-approach:
  <dataSources>
      <dataSource id="PRIVATE_DATASOURCE"
                  className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                  isReadonly="false"
                  isPrimary="true">
          <homeFor>
              <principals>
                      <principal type="group"/>
                    <principal type="account">
                            <nameSpace name="$serviceUser$">
                                <attribute name="SERVICEUSER_ATTRIBUTE">
                                     <values>
                                          <value>IS_SERVICEUSER</value>
                                     </values>
                                </attribute>
                            </nameSpace>
                      </principal>
                      <principal type="user">
                           <nameSpace name="$serviceUser$">
                                <attribute name="SERVICEUSER_ATTRIBUTE">
                                     <values>
                                          <value>IS_SERVICEUSER</value>
                                      </values>
                                </attribute>
                           </nameSpace>
                      </principal>
                  <principal type="team" />
                  <principal type="ROOT" />
                  <principal type="OOOO" />
              </principals>
          </homeFor>
          <notHomeFor/>
          <responsibleFor>
              <principals>
                   <principal type="group"/>
                   <principal type="user"/>
                   <principal type="account"/>
                  <principal type="team"/>
                  <principal type="ROOT" />
                  <principal type="OOOO" />
              </principals>
          </responsibleFor>
          <notResponsibleFor/>
          <attributeMapping />
          <privateSection/>
      </dataSource>
      <dataSource id="CORP_LDAP"
           className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
           isReadonly="false"
           isPrimary="true">
           <homeFor>
                <principal type="account"/>
                <principal type="user"/>
           </homeFor>
           <notHomeFor>
                <principal type="user">
                     <nameSpace name="$serviceUser$">
                          <attribute name="SERVICEUSER_ATTRIBUTE">
                               <values>
                                    <value>IS_SERVICEUSER</value>
                               </values>
                          </attribute>
                     </nameSpace>
                </principal>
                <principal type="account">
                     <nameSpace name="$serviceUser$">
                          <attribute name="SERVICEUSER_ATTRIBUTE">
                               <values>
                                    <value>IS_SERVICEUSER</value>
                               </values>
                          </attribute>
                     </nameSpace>
                 </principal>
            </notHomeFor>
           <responsibleFor>
  Thanks and regards
  Stephan

• Exchange Connector not get Active Directory Object_GUID

  Hi all.
  I've upgraded the Exchange Connector to version 11.1.1.5.0 and I have a issue.
  The connector is unable to get Active Directory Obejct_GUID and populate the ReturnValue field in UD_MSEXCHG and  the provisioning user in Microsoft Exchange is not completed.
  Anyone can help me ?
  Thks,
  Joel

  Hi all.
  I've upgraded the Exchange Connector to version 11.1.1.5.0 and I have a issue.
  The connector is unable to get Active Directory Obejct_GUID and populate the ReturnValue field in UD_MSEXCHG and  the provisioning user in Microsoft Exchange is not completed.
  Anyone can help me ?
  Thks,
  Joel

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• Active Directory, single sign-on and  SRM Users

  We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
  - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
  - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
  My questions are:
  1. If active directory is being used do we need to create actual users within the SRM system?
  2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
  Many Thanks

  Hi Claire,
  The Single Sign On work only if user exist on every systemes.
  For example :
  If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
  For Active Directory you can synchronize your user table to AD by using LDAP option.
  The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
  Finally use the SSO certificate between Portal ECC and SRM.
  Regards,
  Gilles SEBBAG
  Sap Technical Consultant.

• Is Active Directory's ExtensionAttributes9 a field in user object and how to retrieve it in the class type userprincipal?

  Hi, I'm using VS2012.
  I want to use this ExtensionAttributes9 field to store date value for each user object.  I use UserPrincipal class, a collection of these objects are then bind to a gridview control.  Is ExtensionAttributes9 a field in AD user object? 
  How can I access it and bind to the gridview?
  If this field isn't available then what other field can use?
  Thank you.
  Thank you

  UserPrincipal is basically a wrapper around DirectoryEntry:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx and only provides a subset of the Active Directory, although the most common, attributes that are available for the user object.  The attribute that you
  seek is not one of them.
  By utilizing the method that I provided you a link to, it will return the underlying DirectoryEntry that was used to build the UserPrincipal object and should allow you to access the attribute that you seek.
  It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link.

• Store signature image in Active Directory and deploy it to each users desktop

  What I am trying to achieve is to have each user a hand written signature scanned in and stored in the .jpgPhoto attribute in Active Directory and then have some sort of script, like our login script, pull that information and copy the file to the users
  desktop.  We are wanting to be able to allow users to apply the signature image on a signature line in Office 2010 or InfoPath forms instead of typing their name.    I know there has to be a way to do this but I have not found it yet and I am
  not very good at scripting.  Is there anyone here that has accomplished such a task and if so, how did you go about doing it? 
  David Hood

  We already have Outlook email signatures created from AD information deployed to all users.  Someone else on my team deployed that already and it works great.  But that is just basic user info pulled from fields that were manually entered in
  the user account.  What I want to do is have a user scribble their signature on a piece of paper or a tablet, capture an image of that to crop and resize to store in the AD user account or somewhere secure that can be queried to be pushed to that users
  desktop.  I work at a state government agency and I have heard of another agency doing this but I have no idea how they did it.  The only thing I could think of is to have a script ran during login to query the AD attribute the image is stored in,
  pull it and then copy it to the users machine so when they sign a word document or .PDF with a digital signature they also have the option to place that image in the signature line. 
  David Hood

• What is the default Win2000 Active Directory Object Attribute definition for adding users? I'm using the 4.1 Netscape Directory SDK

  The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?

  Unsure what you mean. iDS 5 implements the inetOrgPerson as of the RFC. It is made of 4 objects top, person, organizationPerson and inetOrgPerson. The user object in MAD using many more MS specifi attributes in the top class. (53 extras)

• Fail to connect on Citrix with Limited User but succeeds with Admin user

  On one of our customer's installations which is on a Citrix server, the users cannot connect to the database when they are Limited users. But if the same user is promoted to Administrator it can connect.
  The Application uses ODP.Net to connect. Other tools in the installation that use ODBC works for limited users.
  The OracleConnection.Open method throws an exception without an error message.
  The stack trace is:
  at Oracle.DataAccess.Client.OracleException.HandleErrorHelper(Int32 errCode, OracleConnection conn, IntPtr opsErrCtx, OpoSqlValCtx* pOpoSqlValCtx, Object src, String procedure)
  at Oracle.DataAccess.Client.OracleException.HandleError(Int32 errCode, OracleConnection conn, IntPtr opsErrCtx, Object src)
  at Oracle.DataAccess.Client.OracleConnection.Open()
  On the server we have installed Oracle Client 10.2.0.1 where the .Net provider also is installed (otherwise it would not work for the admin user either).
  Anyone who has a clue on why this strange behavior happens?
  / Nils

  That was a known issue in 10201, and should be resolved by patching the client up to 10204. You do that by applying the database patch to the client, and you can get the 10204 database patch on Metalink.
  Cheers,
  Greg

• HT4889 Can I merge the new migrated users files with the admin user on the new mac?

  I used the migration assistant to transfer users, files, apps etc from my MacBook Pro to my new iMac.  I had already set up the desktop with my name as the user. So, during transfer, it created a new user... So, I want the initial user and the new transfer user accounts to be merged. Is this possible? If not, does it matter?
  Thanks.

  It's possible by using the Shared folder to move items into and then into your admin account.
  It can be messy. If it were me I'd do a factory reset and then do the migration in Setup Assistant.
  http://pondini.org/OSX/Transfer.html

• Get Active directory users in C# error

  Hello,
  I am tring to get all folders and users name from AD in C#, but got error.
  this is my code:
     DirectoryEntry de = new DirectoryEntry(domainName, ConfigurationManager.AppSettings[AdminUserName],    ConfigurationManager.AppSettings[AdminUserPwd]);
              de.AuthenticationType = AuthenticationTypes.Secure;
              DirectorySearcher myDirectorySearcher = new DirectorySearcher(de);
              myDirectorySearcher.Filter = "sAMAccountName=" + AdminUserName;
              myDirectorySearcher.PropertiesToLoad.Add("MemberOf");
              SearchResult myresult = myDirectorySearcher.FindOne(); // Error is here
  "The provider does not support searching and cannot search "
  Thanks,
  Deepak
  Deepak

  Hello,
  This forum is for discussions and questions regarding profiles and Microsoft's recognition system on the MSDN and TechNet sites. It is not for products/technologies.
  As it's off-topic here, I am moving the question to the
  Where is the forum for... forum.
  Karl
  When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
  My Blog: Unlock PowerShell
  My Book: Windows PowerShell 2.0 Bible
  My E-mail: -join ('6F6C646B61726C40686F746D61696C2E636F6D'-split'(?&lt;=\G.{2})'|%{if($_){[char][int]&quot;0x$_&quot;}})

• Changing a username in Active Directory - does this update People picker, User Info List etc?

  What happens in SP2013 when a user gets married and changes their name in AD?
  My understanding is that after a full  (?) User Profile import and a People crawl (Full/inc?) - their display name in SharePoint will be updated but in SP2013 do the entries in People picker and User Info Lists also get updated or are their manual steps
  that have to be taken?
  Thanks
  J

  First, User Profiles will be updated after the next incremental sync.  SP 2013 only does Full User Profile syncs manually.  A full sync is not really required.
  Second, there are two timer jobs that will sync the user profile with the user lists in each site collection.  The "Quick" job only syncs new users, while the "Full" job should sync all user changes.  The "Full" job
  runs hourly by default.
  Third, the people picker should be getting its info from AD, although there is some caching that goes on.  So it should pick up the change from AD when the cached information ages out.
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• While in the root directory trying to reset my admin user i tried the input of commands that included launchctl list and was informed it was invalid and could'nt be loaded

  my admin acct was changed to standard i tried the actions to update in root but rthe launchctl was unaccepted also the nicl - raw didnt work any ideas

  That situation went from inconvenient to complicated quickly.  Wait for any pending orders to drop off, wait for things to clear up, wait till your upgrade comes up and then upgrade when your contract is fulfilled.  I would have suggested a replacement phone, I know, with only a month left why couldn't you just upgrade early, but these situations where people try to upgrade early always end horribly and once a phone order starts, it almost cannot finish until something winds up shipped received and returned.  Sorry this happened the way it did.  Definitely not efficient.

• Active Directory: user has admin rights when logs in for the first time

  I have an Xserve server running OS X server 10.5.8 and trying to host _open and active directory_ for both Mac and PC machines. The open directory works fine but what happens on the active directory side is that, when a user logs in from a windows machine he/she can access all the other users folders. In other words, he/she almost has *admin rights*. Is this normal or there is some settings that I can look into to fix this?
  Details: The first time user logs in, his only effect on the server is the password change. What this means is that his changes dont get uploaded to the server. It is only the second time the user logs in from ANOTHER computer that the server starts saving the his profile. Also, after the second login the user doesnt have admin rights anymore.
  Thanks,
  MR

  If you've just changed your login password in Recovery mode, follow these instructions. Otherwise, see below.
  At some point, you may have reset your keychain to default in Keychain Access. That action would have caused your login keychain to be renamed.
  Back up all data before proceeding.
  In Keychain Access, delete the login keychain from the keychain list. Choose Delete References when prompted, not Delete References & Files.
  Triple-click anywhere in the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
  ~/Library/Keychains
  In the Finder, select
            Go ▹ Go to Folder...
  from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. Rename the file "login.keychain" in that folder to something like "login-old.keychain". Rename the file "login_renamed_1.keychain" to "login.keychain". You can then close the folder.
  Back in Keychain Access, select 
            File ▹ Add Keychain...
  from the menu bar. Add back the file now named "login.keychain". If any of your needed keychain items are missing from it, also add back the file you named "login-old.keychain". I suggest you transfer any needed items from that keychain to the login keychain, then delete it. The transfers are made by drag-and-drop in Keychain Access. You'll need to enter your password for each item transferred.

• Using PowerShell to import CSV data from Vendor database to manipulate Active Directory Users

  Hello,
  I have a big project I am trying to automate.  I am working in a K-12 public education IT Dept. and have been tasked with importing data that has been exported from a vendor database via .csv file into Active Directory to manage student accounts. 
  My client wants to use this data to make bulk changes  to student user accounts in AD such as moving accounts from one OU to another, modifying account attributes based on State ID, lunchroom ID, School, Grade, etc. and adding new accounts / disabling
  accounts for students no longer enrolled.
  The .csv that is exported doesn't have headers that match up with what is needed for importing in AD, so those have to be modified in this process, or set as variables to get the correct info into the correct attributes in AD or else this whole project is
  a bust.  He is tired of manually manipulating the .csv data and trying to get it onto AD with few or no errors, hence the reason it has been passed off to me.
  Since this information changes practically daily, I need a way to automate user management by accomplishing the following on a scheduled basis.
  Process must:
  Check to see if Student Number already exists
  If yes, then modify account
  Update {School Name}, {Site Code}, {School Number}, {Grade Level} (Variables)
  Add correct group memberships (School / Grade Specific)
  Move account to correct OU (OU={Grade},OU=Students,OU=Users,OU={SiteCode},DC=Domain,DC=net)
  Remove incorrect group memberships (School / Grade Specific)
  Set account status (enabled / disabled)
  If no, create account
  Import Student #
  Import CNP #
  Import Student name
  Extract First and Middle initial
  If duplicate name exists
  Create log entry for review
  Import School, School Number, Grade Level
  Add to correct Group memberships (School / Grade Specific)
  Set correct OU (OU={Grade},OU=Students,OU=Users,OU={SiteCode},DC=Domain,DC=net)
  Set account Status
  I am not familiar with Powershell, but have researched enough to know that it will be the best option for this project.  I have seen some partial solutions in VB, but I am more of an infrastructure person instead of scripting / software development. 
  I have just started creating a script and already have hit a snag.  Maybe one of you could help.
  #Connect to Active Directory
  Import-Module ActiveDirectory
  # Import iNOW user information
  $Users = import-csv C:\ADUpdate\INOW_export.csv
  #Check to see if the account already exists in AD
  ForEach ( $user in $users )
  #Assign the content to variables
  $Attr_employeeID = $users."Student Number"
  $Attr_givenName = $users."First Name"
  $Attr_middleName = $users."Middle Name"
  $Attr_sn = $users."Last Name"
  $Attr_postaldeliveryOfficeName = $users.School
  $Attr_company = $users."School Number"
  $Attr_department = $users."Grade Level"
  $Attr_cn = $Attr_givenName.Substring(0,1) + $Attr_middleName.Substring(0,1) + $Attr_sn
  IF (Get-ADUser $Attr_cn)
  {Write-Host $Attr_cn already exists in Active Directory

  Thank you for helping me with that before it became an issue later on, however, even when modified to be $Attr_sAMAaccountName i still get errors.
  #Connect to Active Directory
  Import-Module ActiveDirectory
  # Import iNOW user information
  $Users = import-csv D:\ADUpdate\Data\INOW_export.csv
  #Check to see if the account already exists in AD
  ForEach ( $user in $users )
  #Assign the content to variables
  $Attr_employeeID = $users."Student Number"
  $Attr_givenName = $users."First Name"
  $Attr_middleName = $users."Middle Name"
  $Attr_sn = $users."Last Name"
  $Attr_postaldeliveryOfficeName = $users.School
  $Attr_company = $users."School Number"
  $Attr_department = $users."Grade Level"
  $Attr_sAMAccountName = $Attr_givenName.Substring(0,1) + $Attr_middleName.Substring(0,1) + $Attr_sn
  IF (Get-ADUser $Attr_sAMAccountName)
  {Write-Host $Attr_sAMAccountName already exists in Active Directory
  PS C:\Windows\system32> D:\ADUpdate\Scripts\INOW-AD.ps1
  Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser'
  required by parameter 'Identity'. Specified method is not supported.
  At D:\ADUpdate\Scripts\INOW-AD.ps1:28 char:28
  + IF (Get-ADUser $Attr_sAMAccountName)
  + ~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
  + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetAD
  User