How to Provision Users to Active Directory
Import employee records from an HR SQL database, transform attributes in the mesh, and provision user accounts into Active Directory.
Before You Begin
This guide assumes you have the following in place:
- Identity Mesh Windows Service installed and running (Getting Started guide)
- Admin UI accessible via your browser
- SQL Server with an HR database (or willingness to create a sample one)
- Active Directory domain that you can create user accounts in
- Service account with write permissions to the target AD OU
- LDAPS (port 636) enabled on your domain controller — required for setting passwords on new accounts
Scenario
Your organization wants to automate employee provisioning. The HR system stores employee records in a SQL Server database. When a new employee is added to the HR database, Identity Mesh should automatically create a corresponding user account in Active Directory with the correct attributes, username, and OU placement.
The HR database contains an Employees table with columns: EmployeeId, FirstName, LastName, Email, Department, Title, and EmployeeType.
Architecture
HR SQL Database
Employees table
SQL Connector
Import from HR DB
Identity Mesh
Join, Flow, Transform, Project
AD Connector
Export to AD
Active Directory
OU=IMObjects
Components You Will Create
| Component | Description |
|---|---|
| SQL Database Connector | Reads employees from the HR database |
| AD Connector | Writes user accounts to Active Directory |
| Join Rule | Matches HR employees to mesh objects by EmployeeId |
| Flow Rules (Inbound) | Maps FirstName, LastName, Email, Department, Title from SQL to mesh and derives sAMAccountName and displayName using TransformScripts |
| Projection Rule | Provisions mesh objects as AD users in the IMObjects OU |
| Projection Attribute Rules | Maps mesh attributes to AD attributes (cn, sAMAccountName, displayName, givenName, sn, mail, department, title) |
Create the AD Organizational Unit
Create a dedicated OU in Active Directory where Identity Mesh will provision new user accounts.
# PowerShell — run on a domain controller or machine with RSAT
New-ADOrganizationalUnit -Name "IMObjects" `
-Path "DC=identitymesh,DC=com" `
-Description "Provisioned by Identity Mesh" Note: Replace DC=identitymesh,DC=com with your own domain distinguished name throughout this guide.
Create the HR Database Table
If you don't already have an HR database, create a sample Employees table and insert test data.
CREATE TABLE Employees (
EmployeeId INT PRIMARY KEY,
FirstName NVARCHAR(100),
LastName NVARCHAR(100),
Email NVARCHAR(200),
Department NVARCHAR(100),
Title NVARCHAR(100),
EmployeeType NVARCHAR(50),
ModifiedDate DATETIME2 DEFAULT GETUTCDATE()
);Insert a sample employee:
INSERT INTO Employees
(EmployeeId, FirstName, LastName, Email, Department, Title, EmployeeType)
VALUES
(1001, 'Jane', 'Doe', 'jane.doe@identitymesh.com',
'Engineering', 'Software Engineer', 'Employee');Configure the SQL Database Connector
In the Admin UI, navigate to Connectors → Add Connector and select SQL Database.
- 1. Name:
Corporate HR - 2. Connector Type: SqlDatabase
- 3. Import Query:
SELECT * FROM Employees - 4. ExternalIdColumn:
EmployeeId - 5. DeltaColumn:
ModifiedDate(enables delta imports)
The resulting ConfigJson will look like:
{
"ConnectionString": "Server=sqlserver;Database=HumanResources;Integrated Security=true;",
"ImportQuery": "SELECT * FROM Employees",
"ExternalIdColumn": "EmployeeId",
"DeltaColumn": "ModifiedDate"
}Configure the Active Directory Connector
Add a second connector for Active Directory. Navigate to Connectors → Add Connector and select Active Directory.
- 1. Name:
Corporate AD - 2. Connector Type: ActiveDirectory
- 3. UseSsl:
true, LdapPort:636(LDAPS, required for password set) - 4. CreateEnabled:
true, EnableAfterCreate:true(set password and enable account after creation) - 5. ExternalIdAttribute:
objectGUID
The resulting ConfigJson will look like:
{
"LdapServer": "dc01.identitymesh.com",
"BaseDn": "DC=identitymesh,DC=com",
"SearchBases": ["OU=IMObjects,DC=identitymesh,DC=com"],
"UseSsl": true,
"LdapPort": 636,
"Filter": "(&(objectClass=user)(objectCategory=person))",
"ExternalIdAttribute": "objectGUID",
"CreateEnabled": true,
"EnableAfterCreate": true,
"AttributesToLoad": [
"sAMAccountName", "displayName", "givenName", "sn",
"mail", "department", "title", "employeeID"
]
} SSL and password provisioning: Setting UseSsl: true with LdapPort: 636 enables LDAPS, which is required for setting passwords via unicodePwd. When EnableAfterCreate is true, the connector will set the generated password and enable the account (UAC 512) immediately after creation.
Create the Join Rule
A join rule tells Identity Mesh how to correlate imported objects with mesh objects. Navigate to Rules → Join Rules → Add Join Rule.
| Connector | Corporate HR (SQL connector) |
| MSAttribute | EmployeeId |
| MeshAttribute | employeeId |
| IsAnchor | true |
When an employee is imported from SQL, the engine reads EmployeeId directly from the raw connector object and searches mesh object attributes for a matching employeeId. Join rules work independently of inbound flow rules — no flow rule is needed for the join to match. If no match is found, a new mesh object is created with this as its anchor value.
Create Inbound Flow Rules
Flow rules define how attributes move from the SQL management space into the mesh. Navigate to Rules → Flow Rules → Add Flow Rule and create one rule per attribute.
| MSAttribute (SQL column) | MeshAttribute | Confidence | TransformScript |
|---|---|---|---|
FirstName | firstName | 90 | — |
LastName | lastName | 90 | — |
Email | mail | 90 | ToLower(value) |
Department | department | 90 | — |
Title | title | 90 | — |
EmployeeType | employeeType | 90 | — |
EmployeeId | employeeId | 100 | — |
FirstName | sAMAccountName | 90 | Concat(Substring(value, 0, 1), ms("LastName")) |
FirstName | displayName | 90 | Concat(value, " ", ms("LastName")) |
Derived attributes: The last two rows (highlighted) use TransformScript expressions to compute new values during import. ms("LastName") references the LastName column from the same imported row. For Jane Doe: sAMAccountName = "JDoe", displayName = "Jane Doe".
The confidence score of 90 means the HR system is a high-authority source. If another connector provides the same attribute with a lower confidence, the HR value wins.
Create the Projection Rule
A projection rule tells Identity Mesh which mesh objects should be provisioned to a target connector. Navigate to Rules → Projection Rules → Add Projection Rule.
| Target Connector | Corporate AD |
| MeshObjectType | User |
| TargetObjectType | user |
| CreateIfMissing | true |
| TargetContainer | OU=IMObjects,DC=identitymesh,DC=com |
| PreconditionScript | source.employeeType !== "Contractor" |
The precondition script filters out contractors — only full employees will be provisioned to AD. Remove this condition if you want all employee types to be provisioned.
Create Projection Attribute Rules
Projection attribute rules define how mesh attributes map to the target AD attributes. Add one rule per attribute on the projection rule you just created.
| MeshAttribute | TargetAttribute (AD) | TransformScript |
|---|---|---|
displayName | cn | — |
sAMAccountName | sAMAccountName | — |
displayName | displayName | — |
firstName | givenName | — |
lastName | sn | — |
mail | mail | — |
department | department | — |
title | title | — |
| (none) | unicodePwd | GeneratePassword(16) |
Password generation: The last row (highlighted) uses the GeneratePassword(16) transform to generate a random 16-character password that meets AD complexity requirements (uppercase, lowercase, digit, special character). The MeshAttribute is left empty because the password is entirely generated — it has no source attribute. The AD connector encodes this value as UTF-16LE and sets it over LDAPS.
Run the Initial Import
Trigger a full import from the SQL connector to pull employee records into the management space and apply join/flow rules.
- 1. Navigate to Connectors and select Corporate HR
- 2. Click Full Import
- 3. Monitor the run history until the import completes successfully
Verify:
Verify Mesh Objects
Navigate to Mesh Objects in the Admin UI and confirm the imported data was joined and flowed correctly.
firstName = "Jane", lastName = "Doe" mail = "jane.doe@identitymesh.com" (lowercased by flow rule transform) sAMAccountName = "JDoe" (derived by flow rule TransformScript) displayName = "Jane Doe" (derived by flow rule TransformScript) Run the Export
The projection engine has evaluated the projection rule and queued Jane Doe for creation in AD. Trigger an export on the AD connector.
- 1. Navigate to Connectors and select Corporate AD
- 2. Click Export
- 3. Monitor the run history until the export completes successfully
Verify:
Verify the User in Active Directory
Confirm the new user account was created in the target OU with the correct attributes.
# PowerShell
Get-ADUser -Filter "sAMAccountName -eq 'JDoe'" `
-SearchBase "OU=IMObjects,DC=identitymesh,DC=com" `
-Properties displayName, givenName, sn, mail, department, title, Enabled, PasswordLastSetExpected output:
| sAMAccountName | JDoe |
| displayName | Jane Doe |
| givenName | Jane |
| sn | Doe |
| jane.doe@identitymesh.com | |
| department | Engineering |
| title | Software Engineer |
| Enabled | True |
| PasswordLastSet | (recent timestamp) |
Test Delta Sync
Verify that changes in the HR database flow through to Active Directory automatically.
1. Update the HR record:
UPDATE Employees
SET Title = 'Senior Software Engineer',
ModifiedDate = GETUTCDATE()
WHERE EmployeeId = 1001;2. Run a delta import on the Corporate HR connector via the Admin UI.
3. Verify the mesh object's title attribute updated to "Senior Software Engineer".
4. Run an export on the Corporate AD connector.
5. Verify in AD:
# PowerShell
(Get-ADUser -Filter "sAMAccountName -eq 'JDoe'" -Properties title).title
# Expected output: Senior Software EngineerSummary
You have successfully set up an end-to-end provisioning pipeline:
Next Steps
Need Help with Your Deployment?
Our team can help you design provisioning pipelines for your specific environment and identity systems.