Automation should go hand in hand with any IT system. You simply can’t afford to ignore it, and if you do, you’ll eventually lose out. There may be many reasons why you don’t have automation in your environment yet, but there’s absolutely no excuse for not starting to implement it right now.
This article walks you through five tasks in AD you can begin your automation journey with. It’s an easy way to start saving time, become more efficient and eventually turn into the sysadmin rock star you deserve to be.
Provisioning New Users
For any reasonably sized Active Directory environment it is common to have a steady flow of incoming users, and as environments grow this becomes more and more of an issue. The IT department simply cannot cope with the load, because creating new accounts and setting them up is far from their only task. The consequences are not pleasant: new employees can be forced to wait quite some time before they can start working properly. This can literally take not hours but days (and it happens much more often than you probably think).
Because setting up a new account in AD and the connected systems is a repetitive, routine task, it can be automated. The simple rule you should always follow is: “if you see an opportunity for automating something, go for it!”
Start with basic things such as generating attributes from the ones already entered, e.g. building the username from the first name and last name. That reduces the risk of the human errors that are easily made when typing everything in by hand, and it also helps keep the data in AD consistent. Your future self will thank you for it.
Once all fields are filled in properly, you can automate things like OU allocation and group membership management based on properties such as department, job title, city, office, etc. This makes sure that new users are placed correctly in AD and receive only a predefined set of permissions. The principle of least privilege is followed, and you keep your environment free of the unpleasant situation where users end up with permissions they were never meant to have.
Once everything is properly set up in AD, you can extend your automation to the connected systems: create and set up an Exchange mailbox, enable users for Skype for Business, assign the appropriate licenses in Office 365, etc.
All this turns user provisioning into a one-action procedure rather than a long, tedious process. Done right, it saves a lot of time for new users, saves the company a lot of money and massively reduces the load on the IT department. A typical win-win situation!
Get your user provisioning nailed! Just follow these instructions.
A user’s lifecycle doesn’t end once they join the company. Users change departments and job titles, move between offices and sites, get promoted, request new permissions for various projects, etc. All of that can be automated as well.
For example, you can set up your environment so that when a user changes departments, the only thing changed manually is the Department property. Everything else is updated automatically according to the predefined rules for the new department: the user is moved to a new OU, added to new groups and removed from old ones, assigned new Office 365 licenses while those no longer needed are revoked, etc.
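The two ideas above, deriving attributes from the ones typed in and letting a single Department value drive OU placement and group membership, fit in one script. The following is an added example, not code from the original article or from any product it describes. It assumes the ActiveDirectory RSAT module; the rule table, the OU paths, the group names and the example.com UPN suffix are assumptions to replace with your own.

```powershell
# Added example, not code from the original article: provisioning a new user
# from a few typed-in fields and re-applying department rules later on.
# Assumes the ActiveDirectory RSAT module; the OUs, group names and the
# example.com UPN suffix are assumptions to replace with your own.
Import-Module ActiveDirectory

# Hypothetical rule table: department -> target OU and the groups it implies.
# Every group listed here is "managed": the sync step removes a user from any
# managed group that the current department no longer grants.
$DepartmentRules = @{
    'Finance' = @{ OU = 'OU=Finance,OU=Users,DC=example,DC=com'; Groups = @('GG-Finance-Staff', 'GG-ERP-Readers') }
    'Sales'   = @{ OU = 'OU=Sales,OU=Users,DC=example,DC=com';   Groups = @('GG-Sales-Staff', 'GG-CRM-Users') }
}
$ManagedGroups = @($DepartmentRules.Values | ForEach-Object { $_.Groups } | Sort-Object -Unique)

function New-LogonName {
    # Derive sAMAccountName from the name fields instead of typing it: first
    # initial + surname, ASCII letters/digits only, at most 20 characters (the
    # sAMAccountName limit), with a numeric suffix if the name is already taken.
    param([Parameter(Mandatory)][string]$GivenName, [Parameter(Mandatory)][string]$Surname)
    $base = (($GivenName.Substring(0, 1) + $Surname) -replace '[^A-Za-z0-9]', '').ToLower()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    $candidate = $base; $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $n++
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - "$n".Length)) + $n
    }
    return $candidate
}

function Sync-DepartmentPlacement {
    # Re-apply the rules for the user's *current* Department attribute: move
    # the object to the department OU, add the groups the department grants and
    # remove managed groups it no longer grants. Run it on creation and again
    # whenever Department changes; nothing else has to be edited by hand.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties Department, MemberOf
    $rule = $DepartmentRules[$user.Department]
    if (-not $rule) { throw "No provisioning rule for department '$($user.Department)'" }

    # Parent container = DN minus the leading RDN (escaped commas in the CN are skipped over)
    $currentOU = $user.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', ''
    if ($currentOU -ne $rule.OU -and $PSCmdlet.ShouldProcess($SamAccountName, "Move to $($rule.OU)")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $rule.OU
    }

    # Compare the managed groups the user is in with the set the department grants
    $current = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Where-Object { $ManagedGroups -contains $_ })
    $desired = @($rule.Groups)
    foreach ($g in ($desired | Where-Object { $current -notcontains $_ })) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add to $g")) { Add-ADGroupMember -Identity $g -Members $SamAccountName }
    }
    foreach ($g in ($current | Where-Object { $desired -notcontains $_ })) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from $g")) { Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false }
    }
}

function New-StandardUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$Department,
        [string]$Title,
        [string]$Office
    )
    if (-not $DepartmentRules.ContainsKey($Department)) { throw "Unknown department '$Department'" }
    $sam = New-LogonName -GivenName $GivenName -Surname $Surname
    $attrs = @{
        Name = "$GivenName $Surname"; DisplayName = "$GivenName $Surname"
        GivenName = $GivenName; Surname = $Surname; Department = $Department
        SamAccountName = $sam; UserPrincipalName = "$sam@example.com"   # assumed UPN suffix
        Path = $DepartmentRules[$Department].OU
        # Random one-time password; the user must change it at first logon.
        AccountPassword = ConvertTo-SecureString ([Guid]::NewGuid().ToString('N') + 'Aa1!') -AsPlainText -Force
        ChangePasswordAtLogon = $true; Enabled = $true
    }
    if ($Title)  { $attrs.Title  = $Title }    # only pass optional attributes that were supplied
    if ($Office) { $attrs.Office = $Office }
    if ($PSCmdlet.ShouldProcess($sam, 'Create AD user')) {
        New-ADUser @attrs
        Sync-DepartmentPlacement -SamAccountName $sam
    }
    return $sam
}

# Usage: dry run first, then for real; later a department change is one attribute edit plus a sync.
# New-StandardUser -GivenName 'Ada' -Surname 'Lovelace' -Department 'Finance' -Title 'Analyst' -WhatIf
# Set-ADUser -Identity alovelace -Department 'Sales'; Sync-DepartmentPlacement -SamAccountName alovelace
```

Two design points worth noting. The sync function only ever touches groups that appear in the rule table, so permissions granted outside the rules (a project group, say) survive a department move, while every rule-managed group the old department granted is removed, which is what keeps least privilege intact over time. And both functions support `-WhatIf`, so the rule table can be tested against real accounts before anything is changed.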
Creating Infrastructure for New Projects
Of course, managing user accounts is a very important part of the IT department’s work, but it definitely isn’t the only one. Another important task that can be tedious and time-consuming is setting up infrastructure in AD for new projects.
This varies a lot from one AD environment to another, but let’s look at a fairly typical example. When a manager starts a new project, a specific structure is required for it in Active Directory. For instance, it could be a security group under the Projects OU that holds the set of permissions associated with the project and contains further subgroups and distribution lists.
Remember the rule we already discussed? If there is a standard procedure, you should be automating it. Creating infrastructure for a new project is one, so let’s automate! This not only saves everybody time, but also lets you delegate project creation to managers instead of IT staff. Ideally it becomes a one-click action, something like a ‘Start a New Project’ button. Once the button is clicked, everything that’s needed is created in AD and the IT staff get an email notification so that they can keep track of what’s happening in the system. Alternatively, an approval mechanism can be used for even more control over the situation.
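What sits behind a ‘Start a New Project’ button is a fixed recipe, and a recipe is easy to script. Below is an added example of such a recipe, not code from the original article or from any product. It assumes the ActiveDirectory RSAT module, an existing Projects OU, an SMTP relay for the notification, and the PRJ-/DL- naming convention; all of those names are assumptions.

```powershell
# Added example, not from the original article: one-shot creation of the AD
# structure for a new project. Assumes the ActiveDirectory RSAT module, an
# existing Projects OU and a reachable SMTP relay; every name below is an assumption.
Import-Module ActiveDirectory

function New-ProjectInfrastructure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Whitelist the name: this is the one value a self-service form lets a
        # non-admin type, so keep LDAP-special characters out of it.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9][A-Za-z0-9 _-]{1,40}$')][string]$ProjectName,
        [Parameter(Mandatory)][string]$ManagerSamAccountName,
        [string]$ProjectsOU    = 'OU=Projects,DC=example,DC=com',   # assumed
        [string]$NotifyAddress = 'it-ops@example.com',              # assumed
        [string]$SmtpServer    = 'smtp.example.com'                 # assumed
    )
    $short = $ProjectName -replace '\s+', '-'
    $ou    = "OU=$short,$ProjectsOU"
    # The structure: a project OU, a parent security group that carries the
    # project's permissions, owner/member subgroups nested in it, and a
    # distribution list for mail.
    $groups = @(
        @{ Name = "PRJ-$short";         Category = 'Security';     Scope = 'Global' }
        @{ Name = "PRJ-$short-Owners";  Category = 'Security';     Scope = 'Global' }
        @{ Name = "PRJ-$short-Members"; Category = 'Security';     Scope = 'Global' }
        @{ Name = "DL-$short";          Category = 'Distribution'; Scope = 'Universal' }
    )
    if (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ou'") { throw "Project '$short' already exists" }
    if (-not $PSCmdlet.ShouldProcess($short, 'Create project structure')) { return }

    New-ADOrganizationalUnit -Name $short -Path $ProjectsOU -ProtectedFromAccidentalDeletion $true
    foreach ($g in $groups) {
        New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupCategory $g.Category -GroupScope $g.Scope `
                    -Path $ou -Description "Project $ProjectName"
    }
    # Nesting: whatever is granted to PRJ-<name> flows down to owners and members
    Add-ADGroupMember -Identity "PRJ-$short" -Members "PRJ-$short-Owners", "PRJ-$short-Members"
    Add-ADGroupMember -Identity "DL-$short"  -Members "PRJ-$short-Members"
    # The requesting manager owns the parent group and is its first owner
    $manager = Get-ADUser -Identity $ManagerSamAccountName
    Add-ADGroupMember -Identity "PRJ-$short-Owners" -Members $manager
    Set-ADGroup -Identity "PRJ-$short" -ManagedBy $manager.DistinguishedName

    $summary = [pscustomobject]@{
        Project = $ProjectName; OU = $ou; Groups = $groups.Name
        Owner = $ManagerSamAccountName; Created = Get-Date
    }
    # Keep IT in the loop. Send-MailMessage is the simplest notifier; an
    # approval step in front of this function gives tighter control.
    Send-MailMessage -To $NotifyAddress -From 'ad-automation@example.com' -SmtpServer $SmtpServer `
                     -Subject "New project created: $ProjectName" -Body ($summary | Format-List | Out-String)
    return $summary
}

# Usage: New-ProjectInfrastructure -ProjectName 'Apollo' -ManagerSamAccountName jdoe -WhatIf
```

The `ValidatePattern` on the project name is the part to keep even if everything else changes: once managers rather than admins supply that value, it ends up inside distinguished names and LDAP filters, so it has to be constrained before it gets there.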
Active Directory Cleanup
Probably one of the most important things you can do to keep your Active Directory safe and clean is to perform regular cleanup. This makes sure you don’t accumulate stale user and computer accounts, empty groups and OUs, unused Exchange mailboxes, etc.
If your AD environment is filled with garbage like that, it will sooner or later become a target for attacks and breaches. Unused accounts are a serious threat, as they can still carry permissions that shouldn’t be there. That is really dangerous.
A good way to keep your AD tidy is to detect and remove such unwanted objects automatically. This can be achieved with scheduled tasks: set everything up once and receive reports about cleanup activities and/or approval requests for them. Simple and efficient!
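A scheduled cleanup that reports first and acts only after approval looks like the following. This is an added example, not code from the original article or from any product. It assumes the ActiveDirectory RSAT module; the 90-day threshold, the excluded service-account OU, the quarantine OU and the report path are assumptions.

```powershell
# Added example, not from the original article: a report-first AD cleanup
# meant to run from a scheduled task. Assumes the ActiveDirectory RSAT module;
# thresholds, OU names and the report path are assumptions. The default is
# report only; -Disable acts on stale accounts, and nothing is deleted here.
Import-Module ActiveDirectory

function Get-StaleADObjects {
    param(
        [int]$InactiveDays = 90,
        [string[]]$ExcludeOUs = @('OU=Service Accounts,DC=example,DC=com')   # assumed
    )
    $isExcluded = {
        param($dn)
        foreach ($ou in $ExcludeOUs) { if ($dn -like "*,$ou") { return $true } }
        return $false
    }
    $span = New-TimeSpan -Days $InactiveDays

    # Enabled accounts with no logon in the window. This relies on
    # lastLogonTimestamp, which replicates with up to 14 days of slack, so
    # treat the dates as approximate. Accounts newer than the window are
    # skipped so a not-yet-used new hire is not flagged.
    $users = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled -and -not (& $isExcluded $_.DistinguishedName) } |
        Get-ADUser -Properties LastLogonDate, WhenCreated, MemberOf |
        Where-Object { $_.WhenCreated -lt (Get-Date).AddDays(-$InactiveDays) }
    $computers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
        Where-Object { $_.Enabled -and -not (& $isExcluded $_.DistinguishedName) }

    # Security groups with no members: candidates for review, not for auto-deletion
    $emptyGroups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, isCriticalSystemObject |
        Where-Object { $_.Members.Count -eq 0 -and -not $_.isCriticalSystemObject }

    [pscustomobject]@{
        StaleUsers     = @($users)
        StaleComputers = @($computers)
        EmptyGroups    = @($emptyGroups)
        # Stale accounts that still hold privileged memberships are the real
        # risk: surface them separately so they are handled first.
        PrivilegedStaleUsers = @($users | Where-Object {
            $_.MemberOf -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators),' })
    }
}

function Invoke-ADCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays = 90,
        [string]$ReportPath   = "C:\Reports\ad-cleanup-$(Get-Date -Format yyyyMMdd).csv",   # assumed
        [string]$QuarantineOU = 'OU=Disabled,DC=example,DC=com',                           # assumed
        [switch]$Disable      # without it the run is report-only, so approval can happen first
    )
    $report = Get-StaleADObjects -InactiveDays $InactiveDays
    $rows = @($report.StaleUsers     | Select-Object @{n='Type';e={'User'}},       SamAccountName, LastLogonDate, DistinguishedName) +
            @($report.StaleComputers | Select-Object @{n='Type';e={'Computer'}},   SamAccountName, LastLogonDate, DistinguishedName) +
            @($report.EmptyGroups    | Select-Object @{n='Type';e={'EmptyGroup'}}, SamAccountName, @{n='LastLogonDate';e={$null}}, DistinguishedName)
    $rows | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host ("Found {0} stale users ({1} privileged), {2} stale computers, {3} empty groups. Report: {4}" -f
        $report.StaleUsers.Count, $report.PrivilegedStaleUsers.Count, $report.StaleComputers.Count, $report.EmptyGroups.Count, $ReportPath)

    if ($Disable) {
        # Disable and quarantine rather than delete: it is reversible, and the
        # object keeps its SID so past access stays attributable in logs.
        foreach ($u in $report.StaleUsers) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable and move to $QuarantineOU")) {
                Set-ADUser -Identity $u -Description "Disabled by cleanup $(Get-Date -Format s); last logon $($u.LastLogonDate)"
                Disable-ADAccount -Identity $u
                Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU
            }
        }
    }
    return $report
}

# Scheduled-task usage:  Invoke-ADCleanup -InactiveDays 90            # report only
#                        Invoke-ADCleanup -InactiveDays 90 -Disable   # after the report is approved
```

Splitting detection from action is what makes the "reports and/or approvals" part of the text work: the same function produces the report every week, and the `-Disable` run is only scheduled once someone has signed off on the list. Deleting the quarantined objects can be a later, separate step with its own review.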
Want to know even more about AD Cleanup? Check out this article!
There is a common misconception that setting up new users is more important than dealing with the ones who leave. That is not true. In fact, a single improperly deprovisioned user account that is later used for a security breach can cost your company far more than all the time new users ever spend waiting for their account setup combined.
According to recent studies, over 40% of former employees report still having access to their previous corporate accounts and data after termination. So this is a real problem for almost half of environments worldwide.
Automating user deprovisioning is vital. During that process accounts should be disabled and moved to a separate OU, and all permissions and Office 365 licenses should be revoked. The actual actions executed during deprovisioning vary from one company to another depending on the environment structure and various policies. But the general principle, that once users leave there must be no way for them to access any corporate accounts or data, should be taken really seriously.
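The on-premises half of that deprovisioning sequence (disable, revoke permissions, move to a separate OU) as an added example, not code from the original article or from any product. It assumes the ActiveDirectory RSAT module; the Leavers OU and the ticket reference are assumptions.

```powershell
# Added example, not from the original article: on-premises deprovisioning of
# a leaver. Assumes the ActiveDirectory RSAT module; the quarantine OU and the
# ticket reference are assumptions. Office 365 license removal happens against
# the cloud tenant and is not part of this script.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId,          # HR/ticket reference kept on the object for audit
        [string]$QuarantineOU = 'OU=Leavers,DC=example,DC=com'   # assumed
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Manager
    if (-not $PSCmdlet.ShouldProcess($SamAccountName, "Deprovision (ticket $TicketId)")) { return }

    # 1. Cut off access first: disable the account, then reset the password to
    #    a random value nobody knows so cached credentials stop working too.
    Disable-ADAccount -Identity $user
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret

    # 2. Revoke permissions: leave every group. memberOf never lists the primary
    #    group (normally Domain Users), so that one is untouched, as AD requires.
    $removed = @()
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $SamAccountName -Confirm:$false
        $removed += (Get-ADGroup -Identity $dn).Name
    }

    # 3. Record what was done on the object itself, then move it to the
    #    quarantine OU so a later cleanup run can delete it after the retention period.
    $note = "Deprovisioned $(Get-Date -Format s), ticket $TicketId; groups removed: $($removed -join ', ')"
    Set-ADUser -Identity $user -Description $note
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU

    [pscustomobject]@{ User = $SamAccountName; Ticket = $TicketId; GroupsRemoved = $removed; Manager = $user.Manager }
}

# Usage: Disable-LeaverAccount -SamAccountName jdoe -TicketId 'HR-0001' -WhatIf
```

The order matters: disabling and resetting the password comes before anything else, because the group removals and the move can take a while in a large directory and the account must be unusable from the first second. The manager is returned rather than cleared so the same workflow can hand over the mailbox or files. License revocation for Office 365 runs against the tenant (for example with `Set-MgUserLicense` from the Microsoft Graph PowerShell SDK) and belongs in a following step of the same workflow once directory sync has pushed the disabled state.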
A modern-day Active Directory environment simply can’t cope without automating routine tasks. The responsibilities of IT staff keep growing, and that can’t be solved just by adding more admins, helpdesk staff, etc. Something has to be done about it, and automation is the obvious answer.
Ideally you should be automating as much as you can. Begin with the most vital activities that take up most of your time. Once that is done, pick another time-consuming task and deal with it. Repeat until everything just runs on its own. Don’t stop before this is achieved!