Active Directory management & automation

Tutorials

Allow Using Templates for User Creation

You can make the process of creating user accounts in the Adaxes Active Directory Web Interface even more fast and efficient by using templates.

By creating a user template, you can make a copy of it when you need to create an account for a new user. Properties of the user template and its group membership will be copied to the new user account. This eliminates the need to type in the same property values and specify group membership each time you create a new user in Active Directory.

Creating a User Template

Creating a user template involves creating a new user account. It is recommended to create a template account for each category of users in your organization. For example, you could create a template for regular users and another one for Help Desk users.

When naming a template, it is recommended to place an underscore or a hyphen at the beginning of the user's Full Name so it will be at the top of the list. Example: _SalesPerson, _Subcontractor.

In this tutorial you will learn how to define a Create User action for the Web Interface Home page that will use a template for creating users.

On the computer, where the Web Interface is installed, start the Web Interface Customization tool.


In the Interface type drop-down list, select the Web Interface that you want to configure.



Activate the General tab, select the Actions pane option, and click Configure Home Page Actions.


In the Home Page Actions dialog, you will see all the actions available on the Actions pane.



To add a new action to the Actions pane, click the Add button located at the bottom of the Home Page Actions dialog.

To add an action to a group of actions, select the group prior to clicking the Add button.

On the first step of the Add Home Page Action wizard, select Copy User and click Next.


At the second step of the wizard, provide a name and a brief description for the new action. Click Next.



On the Object Selection step, you can configure options for choosing the user account that will be used as the template. The default settings allow users to choose any user account to be used as the template.

If you want the account of the user who initiated the action to be always used as the template, select the Always copy the account of the currently logged on user option.



If you want a specific user account to be always used as the template, enable the Always copy a specific AD object option, and enter the distinguished name (DN) of the template account in the Object DN field.

How to get the DN of an object

To get the DN of an Active Directory object:
  • Launch the Adaxes Administration Console.
  • Right-click the object you need.
  • In the context menu, open the submenu of the Copy item.
  • Click Copy DN. The DN of the selected Active Directory object will be copied to the clipboard.
If you want the template account to be determined depending on the user initiating the action, you can insert value references (e.g. %department% or %company%) as a part of the object DN. When the action is executed, the value references will be substituted with corresponding property values of the account of the user who initiates the action. For example, if you specify the following DN:

CN=_%company%Template,OU=Templates,DC=company,DC=com,

and the Company property of the user who initiates the action is set to Acme, the DN will be set to

CN=_AcmeTemplate,OU=Templates,DC=company,DC=com.

To insert a value reference, click the button at the right side of the Object DN edit box.

To allow users to select the account to be used as the template, enable the Allow users to select the object to copy option.



If you store all user templates in a separate Organizational Unit, enable the Allow selecting only AD objects located under a specific OU or container option and enter the distinguished name (DN) of the OU in the Container DN field.

How to get the DN of an object

To get the DN of an Active Directory object:
  • Launch the Adaxes Administration Console.
  • Right-click the object you need.
  • In the context menu, open the submenu of the Copy item.
  • Click Copy DN. The DN of the selected Active Directory object will be copied to the clipboard.
If you want the OU containing user templates to be determined depending on the user initiating the action, you can insert value references (e.g. %department% or %company%) as a part of the object DN. When the action is executed, the value references will be substituted with corresponding property values of the account of the user who initiates the action. For example, if you specify the following DN:

OU=%department%,OU=Templates,DC=company,DC=com,

and the Department property of the user who initiates the action is set to IT, the DN will be set to

OU=IT,OU=Templates,DC=company,DC=com.

To insert a value reference, click the button at the right side of the Object DN edit box.

If when selecting the template users must be able to see only the accounts that match a specific search criteria, enable the Allow selecting only AD objects that match the specific LDAP filter option and enter a search filter in the LDAP filter field.

For example, if all user templates contain the word 'Template' in their names, you can use the following filter: (name=*Template*). If you follow the convention that names of all user templates begin with an an underscore, you can use the following LDAP filter: (name=_*)

How to construct an LDAP filter

To construct an LDAP filter, you can use the Find dialog in the Adaxes Administration Console:
  • Launch the Adaxes Administration Console.
  • Connect to your Adaxes service and click Find on the toolbar.
  • Activate the LDAP Search tab.
  • In the Enter LDAP filter field, click the embedded button to build a filter using the LDAP Filter Builder.
If you want the search filter to depend on the user initiating the action, you can insert value references (e.g. %department% or %company%) as a part of the LDAP filter. When the action is executed, the value references will be replaced with corresponding property values of the account of the user who initiated the action. For example, if you specify the following filter:

(manager=%distinguishedName%)

the %distinguishedName% value reference will be replaced with the DN of the user who initiated the action. In this case, only user templates for which the user is set as the manager will be available.

To insert a value reference, click the button at the right side of the Object DN edit box.
It is recommended to clear the Do not display available objects automatically check box if at least one of the two options described above is enabled.


When finished, click Next.

On the Target OU/Container Selection step, configure the options for selecting the OU or container where new users will be created. Click Next.
For details on how to customize the options, see Configure Home page actions.

On the Form Customization step, you can customize the form used to create users.
Customization of the form for the action doesn't affect other user creation forms used in the Web Interface.
To customize the form that will be used to create new users:
  • Select the Use customized form option.
  • Click Customize Form.
  • Modify the form to fit your needs and click OK.
For details on how to customize forms, see Customize Forms for User Creation and Editing (starting from Step 6).
Click Finish and then click Apply.
There is no need to restart IIS to apply the changes, as the changes are applied automatically.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for new users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts