How to automate user accounts in Active Directory?

Mélanie Lebrun | Youzer Marketing Manager | 03/2021

Active Directory, your user directory, a powerful tool but also very complex! You surely dream of automating certain recurring tasks such as account creation, configuration, rights management and suspension?


Every system and network administrator would love a magic wand to avoid having to create advanced scripts in PowerShell to perform these repetitive actions.

So you set off in search of that tool, that solution that would save you hours of programming/scripting.

Before we go any further, if you'd like to know more about Active Directory, it's this way 😉

Why automate AD actions?

I think we need to start from the same premise: why would we want to automate these actions of creation, suspension...?

Let's take a step back: it's not a question of finding the best script, but above all of seeing the purpose of the action: we're looking to automate to bring optimum satisfaction to a new person joining a company (it's called onboarding, and it's very fashionable).

The objective behind all these scripts is human. You often receive a request from the human resources department with information (more or less complete) about the recruit: first and last name, date of arrival and departure, status and the tools he or she will need.

This then implies that an IT person receives and carries out these settings and creations, and of course this is where the need to automate via scripts comes in. What we're looking for:

  • save time in the IT department
  • avoid mistakes (even when copying and pasting, you can make mistakes)
  • respond optimally to demand
  • secure and control your information system

Which method to choose?

So there's the hard way, which is to write PowerShell scripts to automate certain tasks, and for that there are plenty of tutorials to help you write them, such as on OpenClassrooms or GitHub. They're very well done, and we're not going to beat them.

So we turn to third-party applications that could help you achieve this automation. We're looking for software to manage access to the information system, in other words, an IAM solution. You may have heard the term before, but I'll summarize it for you. It's a set of processes set up within a company, and more specifically within the IT department, to govern user authorizations in order to manage access to the network and applications.

This includes the creation, allocation and suspension of accounts.

From this point on, you'll find solutions that are more or less complex, but in your case, start with something simple, configurable and intuitive. Why? If you were looking for a big IAM tool, you wouldn't have come across this article ^^
You need to automate the creation of accounts.


How does a third-party application work?

A third-party application acts as the link between your Active Directory and its platform. You connect your AD through an agent that acts as a proxy, which lets you retrieve all the accounts in your Active Directory in a clear and legible way. It goes from something like this

[Image: lecture-active-directory]

to this

[Image: active unit on Active Directory]

Once you have your accounts clearly displayed with e-mail addresses and active or inactive status, you can move on to the next step, which is to automate account creation.

You set up your Active Directory connector once, in which you enter the mail format, SamAccountName, UPN, security groups...

Then create your account:

  • Either you enter the details of the person you wish to add by hand,
  • or you send a form to managers, HR or others and receive all the information needed to automatically create an account,
  • or you connect your HRIS to the account and identity management platform and automatically receive information on employee arrivals and departures.

The last solution makes your task much easier because, as you can see, you also automate the user part.

Then simply add an Active Directory account by clicking a button, and you're done!
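For comparison, here is what the connector's naming rules (mail format, SamAccountName, UPN) look like when written as a script. This is an added example, not Youzer's code or part of the original article; the domain, OU, naming rule and HR rows are assumptions constructed for illustration.

```powershell
# Added example. Domain, OU and HR rows are constructed assumptions.
$Domain   = 'example.test'
$TargetOU = 'OU=Staff,DC=example,DC=test'
$hr = @'
FirstName,LastName,Departure
Hélène,Dupont,
Jean-Christophe,Vandenberghe-Martineau,2021-09-30
'@ | ConvertFrom-Csv

function ConvertTo-AsciiToken([string]$Text) {
    # Split accented letters into letter + combining mark, drop marks, keep a-z and 0-9.
    $d = $Text.Normalize([Text.NormalizationForm]::FormD)
    ($d -replace '\p{M}', '' -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
}

function New-AccountSpec($Person, [string[]]$TakenSam) {
    $first = ConvertTo-AsciiToken $Person.FirstName
    $last  = ConvertTo-AsciiToken $Person.LastName
    # Rule: first initial + last name, cut to the 20-character sAMAccountName limit.
    $base = "$($first[0])$last"
    $base = $base.Substring(0, [Math]::Min(20, $base.Length))
    $sam = $base; $n = 1
    while ($TakenSam -contains $sam) {   # name already used: append 2, 3, ...
        $n++
        $sam = $base.Substring(0, [Math]::Min($base.Length, 20 - "$n".Length)) + $n
    }
    $mail = '{0}.{1}@{2}' -f $first, $last, $Domain
    $spec = @{
        Name = "$($Person.FirstName) $($Person.LastName)"
        GivenName = $Person.FirstName; Surname = $Person.LastName
        SamAccountName = $sam; UserPrincipalName = $mail; EmailAddress = $mail
        Path = $TargetOU
        Enabled = $false                 # enable only once a password is set
    }
    if ($Person.Departure) {             # fixed-term contract: expire after the last day
        $spec.AccountExpirationDate = ([datetime]$Person.Departure).AddDays(1)
    }
    $spec
}

$taken = @('hdupont')                    # constructed: names already present in AD
$specs = foreach ($p in $hr) {
    $s = New-AccountSpec $p $taken; $taken += $s.SamAccountName; $s
}
$specs | ForEach-Object { [pscustomobject]$_ } |
    Format-Table SamAccountName, UserPrincipalName, AccountExpirationDate
# With the ActiveDirectory module on a domain-joined host, preview the creation.
if (Get-Module -ListAvailable ActiveDirectory) {
    foreach ($s in $specs) { New-ADUser @s -WhatIf }
}
```

After reviewing the preview, drop `-WhatIf`, set the initial password separately, and add each account to its security groups with `Add-ADGroupMember`.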


In the long term, IAM or scripts?

I didn't ask about the short term, because it's unlikely that you're looking for automation for a "one shot". The need to save time and reduce errors is a long-term one.

So, an identity and access management platform or PowerShell scripts? Scripts will meet a very specific need, which is to automate account creation. They won't be able to go beyond their function. They have the advantage of being 'free' and can be created in-house. I put 'free' in quotation marks, because they require in-house skills, research and set-up time.

An IAM solution has the advantage of responding to a number of issues, and taking your initial thinking, which was simply to create accounts, a step further.

There's more to it than just saving time.

  • Employee satisfaction is a real issue for HR, but recently also for IT. New arrivals are going to judge their well-being in the first few days of their arrival, and this involves their equipment and access to the various applications.
  • There are security issues at stake. Controlling access and rights is essential in these times of heightened cybersecurity. We find what is known as shadow IT: active accounts of users who have left. How can you be sure that you've closed the accounts correctly if you don't have an accurate record of departures?
  • When it comes to security audits, how much time do you spend extracting data? An IAM solution provides you with an overview and, above all, an inventory of your IS in real time at all times. Quickly see who has what. You don't just manage accounts, you manage accounts and users, who are real people with multiple accesses. How easy is it to find your way around these days? Do you have a record that tells you John Smith has access to Exchange, Active Directory, 365, Eurecia, Zoom, Pipedrive...?
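The check behind the question about departed users can be scripted as a comparison between HR's departure record and the enabled accounts in AD. This is an added example, not from the original article or from Youzer; the HR rows, account list and finding names are constructed for illustration.

```powershell
# Added example with constructed data. In production, $adAccounts would come from
#   Get-ADUser -Filter * -Properties LastLogonDate
# and $hr from the HR system's export of arrivals and departures.
$hr = @'
SamAccountName,Departure
jsmith,2021-02-26
hdupont,
mroux,2021-06-30
'@ | ConvertFrom-Csv

$adAccounts = @(
    [pscustomobject]@{ SamAccountName = 'JSmith';   Enabled = $true;  LastLogonDate = [datetime]'2021-03-20' }
    [pscustomobject]@{ SamAccountName = 'hdupont';  Enabled = $true;  LastLogonDate = [datetime]'2021-03-30' }
    [pscustomobject]@{ SamAccountName = 'mroux';    Enabled = $true;  LastLogonDate = [datetime]'2021-03-29' }
    [pscustomobject]@{ SamAccountName = 'pmartin';  Enabled = $false; LastLogonDate = [datetime]'2020-11-02' }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; Enabled = $true;  LastLogonDate = $null }
)

function Find-AccountDrift($HrRecords, $Accounts, [datetime]$AsOf) {
    $bySam = @{}                          # hashtable keys compare case-insensitively
    foreach ($r in $HrRecords) { $bySam[$r.SamAccountName] = $r }
    foreach ($a in ($Accounts | Where-Object Enabled)) {
        $r = $bySam[$a.SamAccountName]
        if (-not $r) {
            # Enabled account nobody in HR owns: service account or forgotten user.
            [pscustomobject]@{ Account = $a.SamAccountName; Finding = 'NoHrRecord'; UsedAfterDeparture = $null }
            continue
        }
        if (-not $r.Departure) { continue }          # still employed
        $end = ([datetime]$r.Departure).AddDays(1)   # first moment after the last day
        if ($end -le $AsOf) {
            # Still enabled after departure; a later logon is worth investigating.
            [pscustomobject]@{
                Account = $a.SamAccountName; Finding = 'EnabledAfterDeparture'
                UsedAfterDeparture = ($a.LastLogonDate -gt $end)
            }
        }
    }
}

# Fixed "as of" date so the sample output is reproducible; use Get-Date in practice.
Find-AccountDrift $hr $adAccounts ([datetime]'2021-03-31') | Format-Table
```

On the sample data this reports `JSmith` as enabled and used after departure and `svc-scan` as having no HR record. `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag by several days, so treat it as a lower bound on recent activity.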

Conclusion

As you can see, automating the creation of AD accounts is just the tip of the iceberg.
It is becoming increasingly important to automate the creation of accounts for AD as well as for HRIS, the company's common base software and business-specific software.

It's important to control your security, to know who's in your AD and which users have left. When an employee changes jobs, the question arises: "How are their rights managed?"

Both for reasons of knowledge and budget, it's important to have a clear summary of the users who have an account on Active Directory or another application, and conversely to have a list of the accounts that each user has.
