RBACRole - syncUsersWithAd

RBACRole - syncUsersWithAd

Description :

This command synchronizes users of the specified role with an external Active Directory server.

Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.  The server used must be on the domain being contacted and is either a domain controller or a domain machine that is accessed via Automation Principals.

The userAttributeFlag argument provides the ability to customize which attribute is used for the user name. For the entire list of options, see the Microsoft Windows command 'dsget user'.  The userAttributeFlag '-upn' would be the most common for User Principal Name.

The operation argument provides the following options for deleting/disabling/pruning users from RBAC and from the role.

  • [pruneMissingUsers | -r] removes roles from users that are not found in the source
  • [disableMissingUsers | -e] disables users in RBAC if they are not found in the source
  • [disableAndPruneMissingUsers | -er | -re] performs both of the above operations
  • [deleteMissingUsers | -u] deletes users from RBAC if they are not found in the source

The operation argument is optional -- you can leave it blank ( as in ""). If you leave it blank, the synchronization process adds new users to the role and does not affect existing users.

Return type : DBKey

Command Input :

Variable Name

Variable Type




Name of the role.

domainServerStringName of an existing domain server.
Name of an existing domain server.
Important: Ensure that the domain server has an RSCD agent installed and that it is added to the BMC Server Automation (BSA) environment (see Adding a server to the system). If the domain server is not managed by BSA, the syncUsersWithAd fails to execute.
groupDnStringDistinguished name of group to synchronize the role against.
userAttributeFlagStringUser attribute flag.
operationStringOperation to be performed.

Suffix to be added to user names.


The following example synchronizes users of role ADRole with the Domain server DOMAINMACHINE. These users have the isSynchronizable property set to true. The group "CN=UniversalGroup,OU=qa,DC=bmc,DC=com" is used to source the users for the role. The flag used for the internal dsget command to retrieve the username is -upn. The operation pruneMissingUsers specifies that users not found in the Active Directory source should get removed from the role. The suffix "@bmc.com" specifies that we will add that string to the end of each username.


blcli RBACRole syncUsersWithAd ADRole DOMAINMACHINE "CN=UniversalGroup,OU=qa,DC=bmc,DC=com" -upn -r ""@bmc.com"
Was this page helpful? Yes No Submitting... Thank you