Active Directory, your user directory: a powerful tool, but also a very complex one! You probably dream of automating certain recurring tasks such as creating an account, configuring it, managing its rights, and suspending it.
Every system and network administrator would like a magic wand to avoid having to create advanced scripts in PowerShell to perform these repetitive actions.
As a result, you are now looking for that tool, that solution that would save you hours of programming/scripting.
Before going any further, if you would like to know more about Active Directory, it's this way 😉
Why automate your actions on AD?
I think we should start from the same basis: why automate these creation, suspension... actions?
Let's take a step back: it's not about finding the best script, but above all about seeing the purpose of the action: we're looking to automate in order to provide optimal satisfaction to a new person arriving in a company (this is called onboarding and it's very fashionable).
The goal behind all these scripts is ultimately human-centric. You have a request that often comes from the human resources department with information (more or less complete) about this new hire: their first name, last name, start date, possible end date, status, and the tools they will need.
This then implies that a person in IT receives and performs these settings and creations, and of course, it is at this moment that the need to automate via scripts arises. What is being sought:
- save time for the IT department
- avoid errors (even when copying and pasting, mistakes can happen)
- respond to a request in an optimal way
- secure and control your information system
Which method to choose?
There is therefore the hard way, which is to write PowerShell scripts to automate certain tasks, and for this there are many tutorials that will help you write all this, such as on OpenClassrooms or GitHub. They are very well done and we are not going to do better.
We then move on to third-party applications that could help you achieve this automation. We are therefore looking for access management software for the information system, in other words an IAM solution. Perhaps you have already heard this term, but I will summarize it for you. It is a set of processes implemented within a company, and more specifically the IT department, to govern user authorizations in order to manage access to the network and applications.
This therefore encompasses the creation, assignment, and suspension of accounts.
From this point on, you'll be able to find things that are more or less complex, but in your case, start with something simple, configurable, and intuitive. Why? If you were looking for a large IAM tool, you wouldn't have come across this article ^^
What you need is to lighten one specific task and automate it: the creation of accounts.
How does a third-party application work?
A third-party application will link your Active Directory to its platform. You will be able to connect your AD with an agent that acts as a proxy in order to find all the accounts present in a clear and readable way. We're going from something like this

to that

Once you have your accounts clearly displayed with email addresses and active or inactive status, you can move on to the next step, which is automating account creation.
You configure your Active Directory connector once, where you enter the format for emails, SamAccountName, UPN, security groups, etc.
Then you create the account:
- Either you manually enter the information of the person you want to add.
- Or you send a form to managers, HR, or others, and you receive all the information to automatically create an account.
- Or you connect your HRIS to the accounts and identity management platform and automatically receive employee arrival and departure information.
This last option greatly simplifies your task because, as you can see, you also automate the user part.
Next, simply add an Active Directory account by clicking a button, and it's done!
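For comparison, here is what the connector settings described above (email format, SamAccountName, UPN, security groups) look like when scripted by hand. This is an added example, not code from the original article or from any IAM product; the domain `example.test`, the OU, the group `GG-All-Staff`, the naming formats and the function names are all assumptions.

```powershell
# Added example: the domain, OU, group and naming formats are assumptions to adapt.
Import-Module ActiveDirectory

$Config = @{
    UpnSuffix = 'example.test'                 # assumed mail/UPN domain
    Path      = 'OU=Staff,DC=example,DC=test'  # assumed target OU
    Groups    = @('GG-All-Staff')              # assumed default security group
}

function ConvertTo-AsciiName([string]$Text) {
    # Strip diacritics, then everything except letters, digits and hyphens.
    # This also removes quotes, so the values are safe inside a -Filter string.
    $chars = $Text.Normalize([Text.NormalizationForm]::FormD).ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne 'NonSpacingMark' }
    ((-join $chars) -replace '[^A-Za-z0-9-]', '').ToLower()
}

function Get-AccountNames([string]$First, [string]$Last) {
    $f = ConvertTo-AsciiName $First
    $l = ConvertTo-AsciiName $Last
    if (-not $f -or -not $l) { throw "Name is empty after normalization: '$First' '$Last'" }
    $n = 1
    do {
        $tag   = if ($n -gt 1) { "$n" } else { '' }      # 2, 3, ... on collision
        $base  = "$($f[0])$l"                            # format: first initial + last name
        $sam   = $base.Substring(0, [Math]::Min($base.Length, 20 - $tag.Length)) + $tag
        $upn   = "$f.$l$tag@$($Config.UpnSuffix)"        # format: first.last@domain
        $taken = Get-ADUser -Filter "SamAccountName -eq '$sam' -or UserPrincipalName -eq '$upn'"
        $n++
    } while ($taken)
    [pscustomobject]@{ Sam = $sam; Upn = $upn }
}

function New-StaffAccount([string]$First, [string]$Last) {
    $names = Get-AccountNames $First $Last
    # Random throwaway password; the account is created disabled and is enabled,
    # with a password set through your own process, on the start date.
    $bytes = [byte[]]::new(24)
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name "$First $Last" -GivenName $First -Surname $Last `
        -SamAccountName $names.Sam -UserPrincipalName $names.Upn -EmailAddress $names.Upn `
        -Path $Config.Path -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $false
    foreach ($g in $Config.Groups) { Add-ADGroupMember -Identity $g -Members $names.Sam }
    $names
}

New-StaffAccount -First 'Émilie' -Last "D'Arcy-Lefèvre"   # constructed sample hire
```

The 20-character truncation reflects the sAMAccountName limit for user objects, and the collision loop is what keeps two hires with the same name from failing or overwriting each other's logon.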

In the long term, an IAM or scripts?
I haven't asked the question in the short term because it's unlikely you're looking for automation for a 'one-shot' task. This search for time savings and error reduction is indeed a long-term need.
So, an identity and access management platform or PowerShell scripts? Scripts will address a very specific need, which is to automate account creation. They will not be able to go beyond their function. They have the advantage of being 'free' and achievable internally. I put free in quotation marks because they represent skills to have internally, research and implementation time.
An IAM solution has the advantage of addressing multiple issues and expanding upon your initial consideration, which is the simple creation of accounts.
Several subjects come into play, more than just saving time.
- Employee satisfaction is a real issue for HR, but recently also for IT. Newcomers will judge their well-being in the first few days of their arrival, which includes their equipment and access to various applications.
- There are security issues. Controlling access and rights is essential in these times of increased cybersecurity. We find what is called shadow IT, these active accounts of departed users. How can you make sure that you have correctly closed the accounts if you do not have an accurate report of departures?
- During security audits, how do you extract the data and, above all, how much time do you spend doing it? An IAM solution offers you an overview and, above all, a real-time status of your IS at all times. Quickly visualize who has what. You don't just manage accounts, you manage accounts and users who are real people with multiple accesses. Is it easy to find your way around at the moment? Do you have a file that tells you that Jean Dupond has access to Exchange, Active Directory, 365, Eurecia, Zoom, Pipedrive...?
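The check raised in the security point above, whether accounts of departed users are really closed, can be run as a report that joins an HR departure list to the enabled accounts in AD. This is an added example, not part of the original article; the HR rows are constructed sample data, and using the `EmployeeID` attribute as the join key and the function name `Find-DepartedButEnabled` are assumptions.

```powershell
# Added example: EmployeeID as the HR-to-AD join key is an assumption.
Import-Module ActiveDirectory

# Constructed sample HR export (EmployeeID, end date); replace with your real report.
$hrDepartures = @'
EmployeeID,Name,EndDate
1001,Sample Leaver One,2024-03-31
1002,Sample Leaver Two,2024-05-15
1003,Planned Departure,2099-01-01
'@ | ConvertFrom-Csv

function Find-DepartedButEnabled($Departures, $AdUsers, [datetime]$AsOf = (Get-Date)) {
    # Index people whose end date is already in the past.
    $left = @{}
    foreach ($d in $Departures) {
        $end = [datetime]::ParseExact($d.EndDate, 'yyyy-MM-dd',
                   [Globalization.CultureInfo]::InvariantCulture)
        if ($end -lt $AsOf.Date) { $left[$d.EmployeeID] = $end }
    }
    foreach ($u in $AdUsers) {
        if (-not $u.EmployeeID) {
            # No HR key: cannot be matched to a person (service account or gap in data).
            [pscustomobject]@{ Sam = $u.SamAccountName; Finding = 'NoEmployeeID'
                               EndDate = $null; LogonAfterEnd = $null }
        } elseif ($left.ContainsKey($u.EmployeeID)) {
            $end = $left[$u.EmployeeID]
            # LastLogonDate comes from lastLogonTimestamp, which replicates with a
            # lag of several days, so treat it as an indicator, not an exact time.
            [pscustomobject]@{ Sam = $u.SamAccountName; Finding = 'DepartedStillEnabled'
                               EndDate = $end
                               LogonAfterEnd = ($u.LastLogonDate -ge $end.AddDays(1)) }
        }
    }
}

$enabled = Get-ADUser -Filter 'Enabled -eq $true' -Properties EmployeeID, LastLogonDate
Find-DepartedButEnabled $hrDepartures $enabled |
    Sort-Object Finding, EndDate | Format-Table -AutoSize
```

Rows marked `DepartedStillEnabled` with `LogonAfterEnd` set to true are the ones to investigate first, since they indicate use of the account after the person left.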
Conclusion

As we understand it, automating the creation of AD accounts represents the tip of the iceberg.
It is becoming important to automate account creation on AD as well as on the HRIS, the company's common core software, and those dedicated to the business lines.
It is important to control your security, to know who is in your AD and which users have left. A collaborator who changes position raises the question, 'how are their rights managed'?
Regarding both knowledge and budget, it is important to have a clear summary of the users who have an account on Active Directory or another application, and conversely, to have a list of the accounts that each user has.





