Posted by Protime

Teamviewer AD integration: user creation does not work

Hi,

I tried to use the PowerShell script for user creation.

I succeeded in connecting to AD and TeamViewer using the API access token. My users assigned to the TeamViewer security group are found, but they are not created in the TeamViewer account portal.

Here is my script output:

Starting AD OU Sync...

Ping API...
Request [GET] /api/v1/ping
200 OK
Ping: Token is valid

Reading AD OU members

Get all users...
Request [GET] /api/v1/users?full_list=true
200 OK
Request ok!

Get single user by mail (name1@domain.com)...
Request [GET] /api/v1/users?email=name1@domain.com&full_list=true
200 OK
Request ok!

No user with email= name1@domain.com  found.
CreateUser:  name1@domain.com  with this values:
 =


Get single user by mail (name2@domain.com)...
Request [GET] /api/v1/users?email=name2@domain.com&full_list=true
200 OK
Request ok!

No user with email= name2@domain.com  found.
CreateUser:  name2@domain.com  with this values:
 =

AD OU Sync finished.

I use this script:

###############
# Configuration
###############

# API access token 
$accessToken = "xxxxxxx-xxxxxxxxxxxxxxxxxxxxx" #<-- your access token, can be left empty when OAuth (below) is configured.

# OAuth: API client id & authorizationCode
# if all variables are set here, OAuth will be used to request an access token
$clientId = ""            				#<-- Create an app in your TeamViewer Management Console and insert the client ID here.
$clientSecret = ""						#<-- Insert your client secret here.
$authorizationCode = ""      #<-- Visit https://webapi.teamviewer.com/api/v1/oauth2/authorize?response_type=code&client_id=YOURCLIENTIDHERE
                             #    Login, grant the permissions (popup) and put the code shown in the authorizationCode variable here
				 
							 
# domain settings
$dn = "dc=domain,dc=com"

# ldap settings
$dcIP = "10.1.1.1"
$dcLdapPort = "389"

# user group to sync with management console
$syncGroupCN = "SG-Teamviewer-Users"
$syncGroupOU = "General Groups,ou=Security Groups"
#$syncGroupSearchFilter = "(&(objectCategory=user)(memberOf=cn=$syncGroupCN,ou=$syncGroupOU,$dn))"

# new user defaults (if not available in csv import file)
$defaultUserLanguage = "en"   
$defaultUserPassword = "myInitalPassword!"
$defaultUserPermissions = "ShareOwnGroups,EditConnections,EditFullProfile,ViewOwnConnections"

# deactivate company users not found in the configured AD group 
$deactivateUnknownUsers = $false
# testRun needs to be set to false for the script to perform actual changes
$testRun = $true

##########
# includes
##########

$currentPath = Split-Path ((Get-Variable MyInvocation -Scope 0).Value).MyCommand.Path

. (Join-Path $currentPath "Common.ps1")

###########
# Functions
###########

# Returns the AD members of the configured usergroup from above
function GetADMembersOfOU()
{
	Write-Host 
	Write-Host "Reading AD OU members"

	$result2 = $NULL

	try
	{
		$domain = "LDAP://" + $dcip + ":" + $dcLdapPort + "/$dn"
	    $root = New-Object System.DirectoryServices.DirectoryEntry $domain
	    
	    $query = new-Object System.DirectoryServices.DirectorySearcher
	    $query.searchroot = $root        
	    $query.Filter = $syncGroupSearchFilter
	    
	    #needed user properties
	    $colProplist = "name", "mail", "givenName", "sn", "department", "description", "userAccountControl"
	    
	    foreach ($i in $colPropList)
	    {
	        [void]$query.PropertiesToLoad.Add($i)
	    }    
	    
	    $result2 = $query.findall()

		$userDict = @{}
		
	    foreach ($objResult in $result2)
	    {
			$user = @{}
			
			$user["email"] = [string]$objResult.Properties.mail
			$user["name"] = [string]($objResult.Properties.givenname + $objResult.Properties.sn)
			
			#check user account status (00000000000000000000000000000010 binary, 2 decimal, UF_ACCOUNT_DISABLE)
			$uacVal = $objResult.Properties.useraccountcontrol.Item(0)
			$userEnabled = (($uacVal -BAND 2) -eq 0)
			
			#skip user when required fields are missing, or account is disabled
			if($user.email.length -gt 0 -and $user.name.length -gt 0 -and $userEnabled -eq $true)
			{
				$userDict.Add([PSCustomObject]$user.email, [PSCustomObject]$user)
			}
			else
			{
			 	Write-Host "AD user is missing name and/or email. Skipped."
			}
	    }
		
	
		$result2 = $userDict
	}
	catch [Exception]
	{
		Write-Host ("AD read failed! The error was '{0}'." -f $_)
		$result2 = $NULL
	}
	
		return $result2
	
}

#######################################
# Sync AD Usergroup with TeamViewer API
#######################################

if($testRun -eq $true)
{
	Write-Host "testRun is set to true. Information in your TeamViewer account will not be modified. Instead, all changes that would be made are displayed on the console. Press any key to continue..."
	$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
}
Write-Host ("Starting AD OU Sync...")

# check OAuth requirements
if ($clientId -and $authorizationCode) 
{
	#get token
		$token = RequestOAuthAccessToken $clientId $clientSecret $authorizationCode
	if ($token){
		$accessToken = $token
	}
}

#ping API to check connection and token
if (PingAPI($accessToken) -eq $true)
{
    #read users from the AD OU	
	$dictUsersAD = GetADMembersOfOU
	
    #get all current users of our company from the API
	$arrUsersAPI = GetAllUsersAPI $accessToken
	
	#put all current API users in a dictionary, id field as key
	$dictUsersAPI = @{}
	foreach ($u in $arrUsersAPI)
	{
		#Write-Host $u.id
		$dictUsersAPI.Add($u.id, $u)	
	}
	
	#sync
	#for each user in AD group: check against API if user exists (by mail)	
	foreach($usrKey in $($dictUsersAD.keys))
	{
		#Write-Host $usrKey
	
		$userApi = $null
		$userAD = $null
		
		$userAD = $dictUsersAD[$usrKey]
		$userApi = GetUserByMail $accessToken $usrKey #lookup API user by mail	
		
		if($userApi) #user found -> update user
		{ 
			Write-Host
			Write-Host "User with email=" $usrKey " found."
			
			if ($testRun -eq $true)
			{
				Write-Host "UpdateUser: " $usrKey " with this values:"
				$userAD | Foreach-Object {
					Write-Host $_.Key " = " $_.Value
				}
				Write-Host
				$dictUsersAPI.Remove($userApi.id)
			}
			else
			{
			#Update the user
			UpdateUser $accessToken $userApi.id $userAD
			#remove this user from our dictionary
			$dictUsersAPI.Remove($userApi.id)
			}
		}
		else #no user found -> create user
		{
			Write-Host
			Write-Host "No user with email=" $usrKey " found."
			
			if ($testRun -eq $true)
			{
				Write-Host "CreateUser: " $usrKey " with this values:"
				$userAD | Foreach-Object {
					Write-Host $_.Key " = " $_.Value
				}
				Write-Host
			}
			else
			{
            #Create User
            CreateUser $accessToken $userAD $defaultUserPermissions $defaultUserLanguage $defaultUserPassword
			}
		}		
	}
	
	# if configured, delete all users not in AD group
    if ($deactivateUnknownUsers -eq $true)
	{
		if ($testRun -eq $true)
		{
			Write-Host "Deactivate Unknown Users:"
			#$dictUsersAPI.GetEnumerator() | Foreach-Object {
			#	Write-Host "DeactivateUser: id = " $_.Key " name = " $_.Value["name"]
			#}
			foreach( $id in $($dictUsersAPI.Values))
			{
				Write-Host "DeactivateUser: id = " $id.id " name: " $id.name
			}
			Write-Host
		}
		else
		{
			#all users remaining in dictUsersAPI dictionary are not present in the AD group and can be deactivated
			foreach( $id in $($dictUsersAPI.Keys))
			{
				DeactivateUser $accessToken $id		
			}
		}
	}
}
else
{
	Write-Host ("No data imported. Token or connection problem.")
}
 
Write-Host ("AD OU Sync finished.")
Posted by stephan72

Re: Teamviewer AD integration: user creation does not work

Hi,

I'm receiving the same errors.

domain.local -> OU = tvusers -> security group 'tvusers' -> 2 regular domain users are members 

In the AD snap-in we can look for the email addresses and it finds them.

Is this script still supposed to work?

Posted by TeamViewer Staff

Re: Teamviewer AD integration: user creation does not work

Hi Stephan72,

please give our new Active Directory Connector (AD Connector) a try.

Team Lead Product Development (Enterprise)

Did my reply answer your question? To help others, please accept it as solution. Thanks!
Posted by stephan72

Re: Teamviewer AD integration: user creation does not work

Hey!

Thanks for the quick response.

It's working almost perfectly.

Just one thing: It seems to have trouble with users having German characters (ä,ö,ß) in their names. It fails to create those.

Posted by TeamViewer Staff

Re: Teamviewer AD integration: user creation does not work

Hi Stephan72,

thanks for the feedback.

In which AD fields do you have the umlauts?
Did you get an error message? If yes, what was it?

Team Lead Product Development (Enterprise)

Posted by stephan72

Re: Teamviewer AD integration: user creation does not work

Both Firstname, Lastname (givenName, sn) and Displayname

Error: 2018-04-13 13:31:48 Creating user x.xxxx@xxx.com
2018-04-13 13:31:48 Failed to create TeamViewer user xxxx@xxxxx.com: @{error=invalid_request; error_description=Unable to translate bytes [F6] at index 98 from specified code page to Unicode.; error_code=1}

Values of bytes and index are different for the other users.
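
The error quoted in the post above names byte F6, which is "ö" in ISO-8859-1 and Windows-1252 but is not a valid byte in UTF-8. The following is an added example, not code from this thread or from TeamViewer, showing how a JSON body encoded in a single-byte code page produces exactly this kind of rejection and how to send UTF-8 bytes instead. It assumes the request body was the source of the bytes (the thread does not confirm the root cause); the user record and the endpoint are constructed placeholders.

```powershell
# Added example with constructed data; not the script's or the AD Connector's code.
# The name is built from a code point so the result does not depend on how this file is saved.
$oe   = [char]0x00F6    # o-umlaut
$json = [ordered]@{ email = 'user@example.com'; name = "J${oe}rg" } | ConvertTo-Json -Compress

$latin1     = [System.Text.Encoding]::GetEncoding('iso-8859-1')
$utf8Strict = New-Object System.Text.UTF8Encoding($false, $true)   # no BOM, throw on invalid bytes

function ConvertTo-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

# Stand-in for a receiver that insists on UTF-8: decode the body or report the first bad byte.
function Test-Utf8Body([byte[]]$Bytes) {
    try {
        [void]$utf8Strict.GetString($Bytes)
        'decodes as UTF-8'
    }
    catch {
        'rejected: ' + $_.Exception.GetBaseException().Message
    }
}

$bodies = [ordered]@{
    'ISO-8859-1' = $latin1.GetBytes($json)       # o-umlaut is the single byte F6
    'UTF-8'      = $utf8Strict.GetBytes($json)   # o-umlaut is the two bytes C3 B6
}
foreach ($name in $bodies.Keys) {
    Write-Host ("{0,-10} {1}" -f $name, (Test-Utf8Body $bodies[$name]))
    Write-Host ("           " + (ConvertTo-HexString $bodies[$name]))
}

# Sending side: hand Invoke-RestMethod the UTF-8 bytes and declare the charset,
# so the client cannot re-encode the string with its own default code page.
$request = @{
    Method      = 'Post'
    Uri         = 'https://api.example.invalid/users'   # placeholder, not a real endpoint
    ContentType = 'application/json; charset=utf-8'
    Body        = $bodies['UTF-8']
}
# Invoke-RestMethod @request    # left commented out: the example runs offline
```

The index in the rejection message is the position of the first offending byte, which is why it differs from user to user as the post notes.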

Posted by TeamViewer Staff

Re: Teamviewer AD integration: user creation does not work

Hello,

thanks for the details, we will look into it.

Team Lead Product Development (Enterprise)

Posted by carlos2

Re: Teamviewer AD integration: user creation does not work

Hi there,

on my end I am stuck with this PingAPI, it keeps telling me:

"Starting CSV export...
PingAPI : The term 'PingAPI' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."

Does someone know how to solve this?

Best

Posted by TeamViewer Staff
Solution

Re: Teamviewer AD integration: user creation does not work

Hello Stephan72,

this is now fixed and we are currently planning a release for the Active Directory Connector.

Team Lead Product Development (Enterprise)

Posted by stephan72

Re: Teamviewer AD integration: user creation does not work

Cool. Thx :)

Posted by TeamViewer Staff

Re: Teamviewer AD integration: user creation does not work

Hello,

we released :) a new version of our Active Directory Connector, please download the latest version and try it again.

Team Lead Product Development (Enterprise)

Posted by stephan72

Re: Teamviewer AD integration: user creation does not work

Hello,

We used it in test mode and it seems to be working fine now.

Thanks