Account provisioning, done easy

A customer asked me to clean up his Active Directory structure, although this is a halfway solution (AD will be a mess and inconsistent again within two weeks after the cleanup). I searched for a quick and flexible tool that could help me add new accounts, synchronise account data and delete user accounts in Active Directory.

We already had a new naming convention. We had to find the most stable naming convention, one that didn’t affect the account name when people marry and 2 weeks later divorce ;] We decided to go with a combination of the first name and the maiden name. These never change, so directories and login names will stay the same when people get married or divorced. SMTP aliases could be added, so the new name of a person was usable for the outside world.

We predicted the hardest part to be handling duplicate login names and customizing alternatives. We tried several options, like building a VBScript or using Microsoft's csvde tool, but we came across a tool called “User Management Resource Administrator (UMRA)” from a Dutch company, Tools4ever (they make Spaceguard quota manager too).

The nifty tool let me build my functionality in a graphical script language; within 15 minutes the most complex functionality (preventing double names) worked in a test environment. After this successful test, we had to decide what property of an account would be unique. To distinguish the accounts, we went for the obvious: the employeeID.

The first challenge was to fill AD with the employeeIDs of existing accounts. Because of an old naming convention we were able to do this automatically using the UMRA tool. The first batch filled about 80% of the accounts. Another 10% could be done by an even older naming convention and the last 10% was done by hand.

Next up was to build the UMRA script that synchronized the personnel management (HR) system database (RAET’s Beaufort in our case) with the AD accounts. The goal was a script that would run every night and create, update or disable accounts according to their most recent contract.
Other than the basic AD settings, we discovered that we could make directories, share them and put permissions on them, as well as make mailboxes and set mailbox options.

Result: 100% consistent AD user accounts. Changes to AD are done by the human resources department, so less (boring) work for the helpdesk/AD admin.
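The nightly reconciliation described above, sketched as an added example (not UMRA script and not code from the original post): HR records and AD accounts are joined on employeeID, logins are built from first name plus maiden name, and a duplicate login gets an alternative. The record field names, the `first.maiden` format, the numeric-suffix scheme and the `review` action are assumptions.

```python
import re
import unicodedata

MAX_LEN = 20  # sAMAccountName length limit for user objects

def base_login(first, maiden):
    """First name + maiden name, ASCII lowercase ('first.maiden' format is assumed)."""
    raw = unicodedata.normalize("NFKD", f"{first}.{maiden}").encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9.]", "", raw.lower())[:MAX_LEN]

def unique_login(first, maiden, taken):
    """Append a numeric suffix (assumed scheme) until no existing login collides."""
    base = base_login(first, maiden)
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = base[:MAX_LEN - len(str(n))] + str(n)
    return candidate

def plan_sync(hr_rows, ad_accounts):
    """Return (action, employeeID, detail) tuples, joining HR and AD on employeeID."""
    ad_by_id = {a["employeeID"]: a for a in ad_accounts if a["employeeID"]}
    taken = {a["login"] for a in ad_accounts}  # disabled accounts keep their login reserved
    plan = []
    for row in hr_rows:
        acct = ad_by_id.pop(row["employeeID"], None)
        if acct is None:
            if row["active"]:  # new contract, no account yet
                login = unique_login(row["first"], row["maiden"], taken)
                taken.add(login)
                plan.append(("create", row["employeeID"], login))
        elif not row["active"]:
            if acct["enabled"]:  # contract ended
                plan.append(("disable", row["employeeID"], acct["login"]))
        elif acct["display"] != row["display"]:  # e.g. married name; login stays fixed
            plan.append(("update", row["employeeID"], row["display"]))
    # Assumption: accounts HR cannot vouch for (no or unknown employeeID) go to manual review.
    plan += [("review", a["employeeID"], a["login"]) for a in ad_accounts
             if not a["employeeID"] or a["employeeID"] in ad_by_id]
    return plan

# Constructed sample data (not from the original post).
HR = [dict(employeeID="1001", first="Anna", maiden="Jansen", display="Anna de Vries", active=True),
      dict(employeeID="1002", first="Piet", maiden="Bakker", display="Piet Bakker", active=False),
      dict(employeeID="1004", first="Anna", maiden="Jansen", display="Anna Jansen", active=True)]
AD = [dict(employeeID="1001", login="anna.jansen", display="Anna Jansen", enabled=True),
      dict(employeeID="1002", login="piet.bakker", display="Piet Bakker", enabled=True),
      dict(employeeID="1003", login="kees.smit", display="Kees Smit", enabled=True),
      dict(employeeID=None, login="svc.scanner", display="Scanner", enabled=True)]
```

Running `plan_sync(HR, AD)` on the sample yields one update, one disable, one create with the alternative login `anna.jansen2`, and two accounts flagged for review because HR has no matching employeeID for them.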



  