Make Enterprise aliases for AD/NT/LDAP/etc users

Author: Garrett OBrien
Author Notes: This java program will loop through a given group and add secEnterprise aliases to each user in that group if they don’t have one each with a given password. The alias name will be the exact same as the existing user name. The purpose of this is to add Enterprise aliases to AD/NT/LDAP/etc users.
Platform: Java, tested on BOE XIr2, but it should work with any version

The program is a .JAR file, and can be renamed from .ZIP to .JAR

This program can be run from the command line, or published to BOE as a Java application and scheduled through BOE.

To run this from the command line, you have to have to have the BOE libraries available (preferably local) as well as java installed. The command line would be:


To run this through BOE, publish the .JAR file as a Java program and set the logon username and password to the proper system credentials if needed. Set the classpath to MakeEnterpriseAliases and set the arguments to GROUPNAME NEWPASSWORD (the actual group name and new password – if they have spaces, surround each with double quotes – e.g. “my group” “my password”). This can then be scheduled as needed.

The .java source file is in the .jar file, so that can be extracted with WinZip or some other zip application and modified.

I wrote this in about 20 minutes including testing, so it hasn’t been extensively tested. I would suggest looking at the .java source code to see how it works. It’s such a simple program that it shouldn’t cause issues, but, as always, use at your own risk. (3.0 KB)

gobrien :us: (BOB member since 2008-03-14)

Moderator note:
Approved and moved to BOB’s Download section.

Marek Chladny :slovakia: (BOB member since 2003-11-27)

Thanks a lot for sharing this…Its really useful!!!

Just a query, the NewEnterprisePassword we provide will be applied to all the Enterprise aliases created for that group?

nicholas (BOB member since 2008-07-31)

Yes, the NewEnterprisePassword will be the default password for each alias created for the group. You can open the source code and change this. I had thought about adding all sorts of things, but I wanted the code to be minimalistic so someone could easily change it if they wanted to.

gobrien :us: (BOB member since 2008-03-14)

I’m going out on a limb here, to sound incredibly dumb. But where are the Java libraries? I have a vanilla BOXI 3.1 install, and I can’t figure out which Java folder has the necessary libraries. No matter which one I point it to, it says it can’t find what it needs.

Lugh (BOB member since 2009-07-16)

The libraries should be in the “/common/3.5/java/lib” folder (or 4.0/java/lib for xir3). It’s the folder that has cecore.jar in it.

gobrien :us: (BOB member since 2008-03-14)

Where do I do the changes…in this code?

and how do I publish through boe?

import java.util.Iterator;

import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoObjects;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;
import com.crystaldecisions.sdk.plugin.desktop.program.IProgramBase;
import com.crystaldecisions.sdk.plugin.desktop.user.IUser;
import com.crystaldecisions.sdk.plugin.desktop.user.IUserAlias;
import com.crystaldecisions.sdk.plugin.desktop.user.IUserAliases;

public class MakeEnterpriseAliases implements IProgramBase
public static void main(String[] args)
if(args.length != 5)
System.out.println("5 parameters are needed: ");
} else
String username = args[0];
String password = args[1];
String cms = args[2];
IEnterpriseSession enterpriseSession = CrystalEnterprise.getSessionMgr().logon(username, password, cms, “secEnterprise”);
IInfoStore infoStore = (IInfoStore) enterpriseSession.getService(“InfoStore”);
new MakeEnterpriseAliases().run(enterpriseSession, infoStore, new String[] {args[3], args[4]});
} catch (SDKException e)

public void run(IEnterpriseSession enterpriseSession, IInfoStore infoStore, String[] args) throws SDKException
	if(args.length != 2)
		System.out.println("2 parameters are needed: <GroupName> <NewEnterprisePassword>");
	} else
		String group = args[0];
		String enterprisePassword = args[1];
		IInfoObjects objects = infoStore.query("select * from ci_systemobjects where children(\"si_name = 'usergroup-user'\", \"si_name = '" + group + "'\")");
		for (Iterator iterator = objects.iterator(); iterator.hasNext();)
			IUser object = (IUser);
			System.out.println("User: " + object.getTitle());
			IUserAliases aliases = object.getAliases();
			boolean hasEnterprise = false;
			for (Iterator iterator2 = aliases.iterator(); iterator2.hasNext();)
				IUserAlias alias = (IUserAlias);
				System.out.println("\tExisting Alias: " + alias.getAuthentication());
					hasEnterprise = true;
				System.out.println("\tAdding Alias: secEnterprise");
				object.getAliases().addNew("secEnterprise:" + object.getTitle(), false);


In the code, I see five ids needed
System.out.println("5 parameters are needed: ");

what is group name and password?

If I schedule this, does this have to be run for each group?

and the new enterprise password set for each user?

Is there a way to make this optional?

If I want to schedule, do I just schedule in BOE. I see a CLASS file and a META-INF file. Where does that need to go if i publish through CMC?

hena (BOB member since 2010-08-17)

If you look at the description, it tells what the group name and password are.

You can run this for the everyone group if you want it to affect everyone, or if you want specific groups, you will have to make a schedule for each one of them, changing the command line parameters for each group.

The new enterprise password will be set for each new enterprise alias, it will not make new users, and it will not change the password of existing aliases.

The password is semi-optional, you have to put it, but you can just give it empty quotes “”

You can change the code if you want, or just use it as is. To publish it, rename the whole .zip file to .jar and publish it through the CMC. When you publish this, it only needs 2 parameters, not the full 5. The 5 are if you run it through the command line.

Hope that helps.

gobrien :us: (BOB member since 2008-03-14)

This is really good. Work well.
Is there a way to create Enterprise ID’s in disabled state?
We are using LDAP as primary auth, but few days ago with a problem we faced LDAP user accounts drop issue. To prevent such losses further we are planning to create enterprise Alias, but we would like to keep it in disabled status.
It will be really great if a way to do same can be suggested.

Thanks a ton. :+1: you saved a lot of our efforts with this code.

PRIME (BOB member since 2011-08-31)

Hello Gobrien,
We are on BO 4.0 and want to create enterprise aliases for LDAP groups will this code work for 4.0 if yes where should I keep these jar file?? Java - Lib?? please let me know

Thanks in Advance

phani (BOB member since 2003-11-24)

Tried executing JAR file through command prompt using admin credentials; throwing following error:

OCA_Abuse exception 10503 at [.\exceptionmapper.cpp : 77] 42005 {12, 41953} … You do not have the permission to perform requested action. Please contact your system administrator for details Can’t change password

Referring above error, seems as if the admin dont have rights to change enterprise password, however, admin has been granted all the rights.

Could anyone please guide us? Thanks !!

bhavikumehta (BOB member since 2012-04-24)

Check the top level security for user groups and top level security for users. The “everyone” group has some rights explicitly denied by default including edit objects. Remove that restriction and you should be fine.

BoB LoblaW :us: (BOB member since 2007-10-23)

I’ve got a separate program that does this so I know the method is correct.


tmcd :us: (BOB member since 2005-10-02)

Hello, changing rights for ‘Everyone’ group helped. Thanks a lot :slight_smile:

Few more queries:

Instead of assigning a common password for all newly created Enterprise aliases, is it possible to assign existing user LDAP password to its Enterprise alias as well?
Can we enable ‘Force change password at first logon’ option through script for the newly created Enterprise aliases?
I want to send an auto-generated mail (with an attachment) to all users for which Enterprise alias is created, is it possible to do so?

Thanks in advance !!

bhavikumehta (BOB member since 2012-04-24)

I don’t think this is possible. Every decent LDAP provider stores the password hash instead of the actual password itself. Consequently, you can never read this value to assign it to the Enterprise alias.

BoB LoblaW :us: (BOB member since 2007-10-23)

Thanks for your reply buddy !!

Have a query - m trying to use alias name for enterprise password instead of static password. please find below a minor modification in the code:

//assigns alias-name to aliases variable
IUserAliases aliases = object.getAliases();
//use this alias-name as enterprise password
String enterprisePassword = (String)aliases;

while typecasting in the last line m getting an error, i guess this is not the correct way of type-casting. Please let me know how can we convert a IUserAliases data value to String value.

thank you !!

bhavikumehta (BOB member since 2012-04-24)

I think if you change this line…

object.getAliases().addNew(“secEnterprise:” + object.getTitle(), false);

to this (true instead of false)…

object.getAliases().addNew(“secEnterprise:” + object.getTitle(), true);

Then your enterprise user will be created in a disabled state.

nscheaffer :us: (BOB member since 2012-04-26)


Anybody knows if this jar work fine with SAP BO BI 4.1 plateform?

Thanks in advance.


rhtastayrebd (BOB member since 2016-03-11)

Apologies this is an old topic for me to be replying to, but did not want to create a new one as this one has more than enough information for others.

I have tested ok on BI 4.2 SP10, however it only creates the first 1,000 enterprise aliases (or just under 1k) of our very large customer accounts, 15,000 plus LDAP accounts. Is there a limit somewhere I can alter either on the server side of things or within the Java code itself so it’s unlimited?

I think it is 956 based on this query
select si_group_members from ci_systemobjects where si_name =‘Everyone’

Ran in query builder

Macroman :uk: (BOB member since 2002-11-13)

In most cases for API type queries, if you do not specify select top xxxxx where xxxxx is some number, you will get the default of 1000 records. Add top 999999 and you should get all your users.

Steve Rademacher :us: (BOB member since 2004-02-17)