Sponsored: Automating User Provisioning in Active Directory

adaxes-automating-user-provisioning-in-active-directory

Editor’s Note: This blog post is the first in a four-part blog series from Adaxes.

Active Directory (AD) is an identity and authorization service for managing access to systems and applications, both on-premises and in the cloud, and is a key component in securing corporate data and assets. Such is the popularity of Microsoft’s directory services solution, that it’s often used for identity management in heterogeneous environments that include systems running Unix-based operating systems.

Identity-driven security, where user logins are the primary control factor, is effective only if user details in AD are kept up-to-date. But unless you’re working with the smallest environments, managing AD user objects through the entire lifecycle can be complex using the built-in management consoles. Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC), amongst other consoles, provide basic tools for provisioning user accounts, Organizational Units (OUs), groups, and other AD objects.

Aside from the technical challenges, business processes can also cause delays in user provisioning, deprovisioning, and changes. A typical scenario for new employees is having to wait for access to resources while HR informs the IT department about the new employee, and then waiting again while IT provisions the account in AD. HR not informing IT about employee changes, or worse still that an employee has been put on gardening leave or left the company, is also a common situation that can lead to security breaches.

Active Directory Management Consoles

Windows Server 2008 R2 introduced ADAC, which provides management for features that were previously configurable only using the command line, such as Fine-Grained Password Policies and Active Directory Recycle Bin. There are also other useful features, such as Global Search, which can be used to search all objects and attributes across multiple domains in a forest. And if you’re just starting out with PowerShell, you can view the PowerShell syntax for commands executed using the console. ADAC is also customizable to a limited extent, and provides a more digestible GUI for help desk users or staff with little or no IT experience.

For more information about working with ADAC, see 3 Tips for Working with the Active Directory Administrative Center (ADAC) and Use Active Directory Administrative Center to Create PowerShell Commands in Windows Server 2012 on Petri.

Automation Using PowerShell

Manually setting up users in Active Directory is not only tedious, but also error prone. PowerShell alone doesn’t provide an easy way to create new AD user accounts; if you look at the syntax of the New-ADUser cmdlet, it’s not the most user-friendly, although PowerShell tab completion can be used to construct a command if you don’t know the correct syntax.

One method for creating new AD user accounts is to use PowerShell and a comma delimited file containing the account details. See Create New Active Directory Users with Excel and PowerShell on the Petri IT Knowledgebase for more details about how to use a simple spreadsheet for creating new user accounts, and Manage Active Directory Groups Using PowerShell for working with groups.

Other operations might also need to be carried out when provisioning AD user accounts, such as creating a home folder or creating an Exchange mailbox. Both of these tasks can also be carried out using PowerShell, but would require a more complex script.

Scripts are great for one-off bulk operations, or where a task can be scheduled or automatically launched by another process, but trying to manage large AD environments without a specialized application for user provisioning can prove difficult. Especially in cases in which staff that are not IT specialists are required to provision user accounts.

Adaxes Active Directory Management & Automation

Softerra Adaxes is a management suite for AD that includes tools that can be customized for IT or other groups of users that enables organizations to automate AD user account operations throughout their entire lifecycle. A single operation in AD, such as adding a new user account, can trigger a series of actions to ensure the account, and any dependencies, are set up so that the user can start working immediately. Dependencies might include adding the user to AD groups, OUs, Exchange distribution lists, setting up home folders, running a script to perform a custom operation, and many more built-in operations.

Similarly, changing a user’s department can trigger a set of actions to revoke access to resources relevant to the user’s previous position, while ensuring the user can use resources pertinent to their new job from the get-go. Approval workflows can be configured to require that operations are approved by a designated person before they are actioned.

Adaxes not only saves time and money by reducing downtime for users and the workload for HR and IT, but also provides confidence through robust management and automation for AD that users are granted only the permissions required, and guarantee that access is granted and revoked in a timely manner.