MicroStrategy IServer has two ways of import synchronisation for Users and Groups, one is via a MicroStrategy schedule and the other via an AD query at login. We have several demos available based on figure 1, we can show to any group with an interest in this for their area.

Figure 1: MicroStrategy IServer connection to AD


This is based on event driven Group import and login import for Users setting in IServer

  1. time based event to import groups based on a definition e.g. (&(objectclass=group) (cn=MSTR_G*))
  2. manually assign group Project access in IServer
  3.  login as MSTRWEB User
  4. User runs report country in LDAP MicroStrategy project
    1. User sees MicroStrategy Attribute Element UK
    2. User logs out
  5. Users Country code attribute in AD is changed to Vatican City
    1. User logs in and re-runs same report
    2. User sees MicroStrategy Attribute Element Vatican City
    3. User logs out
  6. User is moved in AD to MSTR_GroupB
  7. User logs in and only sees Other MicroStrategy Project.

AD LDAP browser accounts

DN: CN=LDAP Search,OU=Tasks,OU=Administrative,OU=Users,OU=UK,DC=mstrblog,DC=co,DC=uk
UPN: ldapsrch
PW: in the vault
CN: cn=ldap mstr,ou=test,ou=standard,ou=users,OU=US,DC= mstrblog,DC=co,DC=uk
UPN: mstrldap
PW: in the vault

The two accounts have the same rights but are located in different country OUs

Key settings

Server fields

The host name should be the location of the MicroStrategy Intelligent Server

Platform fields

 Filter fields

Schedules fields

Import fields

Options fields

MicroStrategy User and Group creation process


The follow is the naming conventions used for MicroStrategy group creation in AD and User creation via service desks.

MicroStrategy Groups linked AD Groups


for example to set up data restrictions on a production project called project1 in market1 it would be:



Area Label Required
Business area (Note must be same as access name) Area can be abbreviated eg PSR ricestrat Reporting Market1 Y
Environment: Note only these are acceptable Dev UAT PROD Y
Group Type: Note only these are acceptable MSG: MicroStrategy Group SQLG: Kerberos implementations MSG SQLG  
Usage: Note only these are acceptable Data Funct obj Y
Project name Project1 …. Y
other restrictNonPG confidential reporting ….. N
DSGET Command
Display user(s) from active directory.
(installable option either via AD DS or adminpack.msi)
      DSGET user UserDN [-dn] [-samid] [-sid] [-upn] [-fn] [-mi] [-ln]
        [-display] [-empid] [-desc] [-office] [-tel] [-email] [-hometel] [-pager] [-mobile]
           [-fax] [-iptel] [-webpg] [-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile]
              [-loscr] [-mustchpwd] [-canchpwd] [-pwdneverexpires] [-disabled] [-acctexpires] [-reversiblepwd]
                 [{-uc | -uco | -uci}] [-part PartitionDN [-qlimit] [-qused]]
      DSGET user UserDN [-memberof] [-expand][{-uc | -uco | -uci}]
   UserDN  Distinguished Name of the user to view.
   -dn     Display the distinguished names
   -samid  Display the Security Account Manager (SAM) account names
   -sid    Display the user security identifiers (SIDs).
   -upn    Display the user principal names (UPNs)
   -fn     Display the first names
   -mi     Display the middle initials
   -ln     Display the last names
  -display Display the display names
   -empid  Display the employee IDs
   -desc   Display the descriptions
   -full   Display the full names
   -office Display the office locations
   -tel    Display the telephone numbers
   -email  Display the email addresses
  -hometel Display the home telephone numbers
   -pager  Display the pager numbers
   -mobile Display the mobile phone numbers
   -fax    Display the fax numbers
   -iptel  Display the user IP phone numbers.
   -webpg  Display the user Web page URLs.
   -title  Display the titles
   -dept   Display the departments
  -company Display the company information
   -mgr    Display the managers
   -hmdir  Display the users home directory
   -hmdrv  Display the user's home drive letter
  -profile Display the user profile paths
   -loscr  Display the user logon script paths
-mustchpwd Display whether users must change their passwords at next logon (yes/no).
 -canchpwd Display whether users can change their password (yes/no).
 -pwdneverexpires Display whether passwords never expire (yes/no).
 -disabled     Display whether user accounts are disabled (yes/no).
-acctexpires   Display the dates when user accounts expire. (date/never)
-reversiblepwd Display whether user passwords will be stored with reversible encryption (yes/no).
  -memberof Display the immediate list of groups of which the user is a member.
   -expand  Display the recursively expanded list of groups of which the user is a member. 
   -uc      Unicode format
   -uco     Unicode format for output only
   -uci     Unicode format for input only
   -part    Connect to the directory partition PartitionDN
   -qlimit  Display the effective quota of the user within PartitionDN
   -qused   Display how much quota the user has used within PartitionDN
Find the list of groups, recursively expanded, to which the user Fred belongs:
C:\> dsget user "cn=fred,ou=Users,ou=AcmeCo,dc=ss64,dc=com" -memberof -expand
Display the distinguished name and description of domain controller Dom1:
C:\> dsget server CN=Dom1,CN=Servers,CN=AcmeCo,DC=ss64,DC=Com -dn -desc
dsget group "CN=Market1_PROD_Project1_ALL,OU=Resource Access,OU=Groups,OU=Enterprise,DC=Mstrblog,DC=co,DC=uk" -members | dsget user -display
dsget group "CN=MSTR_Market1_PROD_Project1_ALL,OU=Resource Access,OU=Groups,OU=UK,DC=Mstrblog,DC=co,DC=uk" -members | dsget user -display
CMD PROMPT cmd /c dsget group "CN=MSTR_Market1_access,OU=Resource Access,OU=Groups,OU=UK,DC=Mstrblog,DC=co,DC=uk" -members  | dsget user -dn
sADAllGroups.append("cmd /c dsquery group -name \""+sThisADGroup+"*\""+loginInfo+" -limit 2000 |dsget group -samid");
sADAllUsers.append("cmd /c dsget group \"CN="+sGroupName+",OU=Resource Access,OU=Groups,OU=Enterprise,DC=Mstrblog,DC=co,DC=uk\" -members  | dsget user -samid");
dsget group piped to dsget user gives an error on groups in the group
The error occurs when "dsget user" is used on group-objects. The -c switch is neaded to continue when error occurs, but the error message will still be displayed if not using 2>nul to throuw away stderr
C:\>dsget group "CN=thegroup,OU=firstfloor,DC=company,DC=com" -members -expand | dsget user -samid -display -c 2>nul
Another solution that can be used when the groups are located in dedicated OUs is to pipe the result through find-command to exclude those lines before using "dsget user".
C:\>dsget group "CN=thegroup,OU=firstfloor,DC=company,DC=com" -members -expand | find /i /v "ou=group" | dsget user -samid -display
dsquery group "ou=roles,ou=Market1,ou=Project1,ou=US,dc=Auth,dc=local"
sADAllUsers.append("cmd /c dsget group \"CN="+sGroupName+",OU=Resource Access,OU=Groups,OU=UK,DC=Mstrblog,DC=co,DC=uk\" -members  -expand | find /i /v \"ou=group\" | dsget user -samid -display");
String sGroupName = "MSTR_Project1_access";
sADAllUsers.append("cmd /c dsget group \"CN="+sGroupName+",OU=Resource Access,OU=Groups,OU=UK,DC=Mstrblog,DC=co,DC=uk\" -members  -expand |  dsget user -samid -display -c 2>nul");
dsget group "CN=Brynild Gruppen_PortalUser_CNO,OU=Groups,OU=CNO Brynild Gruppen,OU=Clients,OU=Coop No,OU=Retailers,OU=AppStore Client Portal,OU=US,DC=Auth,DC=local" -members  -expand |  dsget user -samid -display -c 2>nul
dsquery group "OU=Groups,OU=CNO Brynild Gruppen,OU=Clients,OU=Coop No,OU=Retailers,OU=AppStore Client Portal,OU=US,DC=Auth,DC=local" -limit 2000
dsquery group -name "mstr_Project1*" -s Mstrblog.auth.LOCAL:389 -u ldapuser1 -p pass -limit 2000 |dsget group -samid

dsquery group domainroot -name "MSTR_Project1" -s Mstrblog.auth.LOCAL:389 -u ldapbrowse -p pass

String sOUName = "ou=Market1,ou=Project1,ou=US,dc=Auth,dc=local";
String sGroupName = "";
StringBuffer sAllGroups = new StringBuffer();
StringBuffer sADAllUsers = new StringBuffer();
sAllGroups.append("cmd /c dsquery group \""+sOUName+"\" -limit 2000");
Process procReadADGroups=Runtime.getRuntime().exec(sAllGroups.toString());
BufferedReader brInputReadADGroups = new BufferedReader(new InputStreamReader(procReadADGroups.getInputStream()));
//BufferedReader brErrorReadADGroups = new BufferedReader(new InputStreamReader(procReadADGroups.getErrorStream()));
//String sReadADGroup = brInputReadADGroups.readLine();
String sReadADGroup = "";
String unprocessedGroupDN = brInputReadADGroups.readLine();
while (unprocessedGroupDN!= null) {                           
sReadADGroup =(unprocessedGroupDN.substring((int)unprocessedGroupDN.indexOf('=')+1,(int)unprocessedGroupDN.indexOf(','))).trim().toLowerCase();
if (sReadADGroup.contains("mstr_project1") || sReadADGroup.contains("aduser")){
sADAllUsers.append("cmd /c dsget group \"CN="+sReadADGroup+","+sOUName+"\" -members  -expand |  dsget user -samid -display -email -c 2>nul");                
unprocessedGroupDN = brInputReadADGroups.readLine();
Process procReadADUsers=Runtime.getRuntime().exec(sADAllUsers.toString());
BufferedReader brInputReadADUsers = new BufferedReader(new InputStreamReader(procReadADUsers.getInputStream()));
BufferedReader brErrorReadADUsers = new BufferedReader(new InputStreamReader(procReadADUsers.getErrorStream()));
String sReadADUserErrors = null; 
String sReadADUser = "";
String unprocessedUserDN = brInputReadADUsers.readLine();
while (unprocessedUserDN!= null) {                           
if((! unprocessedUserDN.equals("dsget succeeded")) ){
sReadADUser =unprocessedUserDN.trim().toLowerCase();
unprocessedUserDN = brInputReadADUsers.readLine();
while ((sReadADUserErrors = brErrorReadADUsers.readLine()) != null) {
//printOut("Error reading members of AD group "+sGroupName+": "+sReadADUserErrors);                
int exitValue = procReadADUsers.waitFor();        
printOut("Exit Status: "+exitValue);

Leave a Reply

Your email address will not be published. Required fields are marked *