Automating User Account Provisioning
Today we will be discussing a topic that I believe is very important and should be at the forefront of consideration for all medium and large IT shops. The topic I am talking about is Automating User Account Provisioning.
In this article we will be making a case for automation by highlighting the common problems IT teams face when tackling account provisioning manually. We then discuss some of the solutions that are available to IT professionals when looking at automating user account provisioning. These solutions range from the do-it-yourself style all the way through to off-the-shelf products that will take care of all of the hard work for you.
For more information, keep on reading…
The Problem: Manual Provisioning
First off, let’s take a look at some of the most common issues IT teams face when using a manual user account provisioning process:
- Time Consuming
- Laborious
- Repetitive
- Boring
- Error Prone
- Increased number of IT staff required
The culmination of these issues means that IT is essentially delivering a poorer service to the business when manually provisioning accounts. This translates into an increased cost in terms of both time and money for the organisation.
The problems don’t stop there. From an IT professional’s perspective, the sheer repetitiveness of the task results in boredom and frustration, especially as it prevents IT professionals from further developing their skills in new areas or from focussing on solutions to other more pertinent problems, which if solved would provide an even better and more seamless IT experience to the underlying business users.
Removing the painstaking and ongoing manual process of having to provision (and de-provision) user accounts and permissions would not only free up your staff allowing them to improve the overall service provided by IT, but it would also improve team morale and motivation levels as they are no longer having to continually do the same thing time and time again.
By now, I hope you would agree with me that an alternate solution is required and that most IT teams should be looking at automating user account provisioning where they can, if they haven’t already. So the next question is, what options do I have if I want to automate provisioning?
Well let’s have a look at some of the solutions available to you below….
Solution 1 – In-House Developed
Option one is to build and maintain a series of scripts or an application of some kind that will meet your business requirements for the automation of user account creation and removal. The benefit of developing the entire solution in-house (or outsourcing the development) is that you can build and develop a custom tailored solution that will cater for all of your business rules and requirements.
Having built and maintained a few web-based automated account provisioning solutions in the past, the biggest problem I found was the one of maintenance and upgrades, especially after I had left the organisation. I know of several organisations that stopped using the solutions I implemented a few years after I had left, simply because their IT systems and/or their business requirements had changed and they no longer had the in-house skills to upgrade the custom built solution I had implemented.
This was a real shame because not only did it take me a significant amount of time and effort, but while I was there to maintain and support it, these solutions were highly successful and well received (and used) by all IT teams in the organisations.
Based on my experiences, in order to be successful in developing and maintaining an in-house automated account provisioning solution you not only need to make sure you have the current skill-sets available in-house and the adequate amount of time required to develop such a solution, but you will also need to ensure that these skill-sets are maintained and available well after the initial developers have left the organisation.
Alternatively, an outsourced approach to the in-house developed solution is available; however, I would imagine that this would be considerably expensive, especially when taking into consideration ongoing updates and maintenance. For this reason, I couldn’t see this option as a feasible solution for most organisations.
Solution 2 – Off-the-Shelf Product
The second and I would say preferred option for many, would be to purchase and implement an off-the-shelf product that would take care of all of your automating user account provisioning requirements. The benefits of implementing and configuring an off-the-shelf solution are a significant saving in time, as well as eliminating the requirement of specialised in-house skills to build and maintain the solution.
Although I am a strong advocate (and contributor) for scripting and development, I do believe that you have to pick your battles and for most organisations I would suggest that an off-the-shelf product might provide them with a better and more robust solution in the long-term. In addition, using an off-the-shelf solution does not eliminate the need for scripting or development skills, as more often than not, the more complex and advanced requirements are achieved through the creation of custom scriptlets that are integrated within the purchased product.
The benefit of selecting this type of solution is that you only need to spend time configuring the product to integrate with your existing IT environment, rather than having to build the entire solution from scratch. This approach allows you to implement functionality in stages as and when your IT staff and users become more acquainted with the solution.
In addition, by purchasing an existing product you have the added benefit of working closely with the vendor to assist you in all stages of the product lifecycle, including initial implementation and configuration, ongoing updates and features, as well as training and documentation.
Selecting a Product
By now, I hope you have an idea of what kind of solution would better suit your organisation. If you are looking at the off-the-shelf side of things, then your next question is most likely, what product should I choose?
If you do a quick Google search, you will find that there are many account provisioning solutions available on the market today; however if I was to recommend a product, from my experience I would have to suggest Softerra Adaxes.
Below are some of my experiences with Adaxes and a quick product overview…
Softerra Adaxes – Product Review
The Adaxes product suite is an identity management and automation provisioning solution, which provides you with the ability to implement an automated Active Directory user provisioning and de-provisioning solution that is accessible via a web portal; which can be used by your IT staff or even delegated out to the business along with an approval workflow system.
In addition to automating user account provisioning, the Adaxes product suite contains many powerful tools and features that will greatly assist you in management and automation of your Active Directory environment.
Some of the key features of Adaxes include:
- Automated Account Provisioning & De-Provisioning
- Automated Group Management via a role-based security model – allowing you to easily delegate permissions and access to applications based on role type
- Approval Workflow – allowing you to automate and delegate AD administration tasks out to the business without having to compromise on security
- Significant Improvements in Data Entry and Data Integrity – ensuring your AD environment is current, up-to-date and meets business requirements. This allows you to be confident when using it as your one-source-of-truth
- User Self-Service – providing end-users with the ability to manage their account, personal details and reset their own passwords
- Scheduled Tasks – create automated solutions and have them run at predefined times or on specific events as and when required
In regards to automating user account provisioning, I have used Adaxes in the past and found it easy to use and set-up. In my instance, I created a custom web form that allowed Help-Desk staff to automatically create an Active Directory user account, Exchange Mailbox and optionally assign the user an Office 365 subscription.
I also used Adaxes to create a scheduled task that ran every month which would find all user accounts (excluding service accounts) that had not logged into the domain within the last 90 days and disabled them.
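A plain PowerShell version of that monthly clean-up, as an added example (it is not the Adaxes scheduled task described above). It assumes the RSAT ActiveDirectory module, a hypothetical service-account OU, and that any account carrying a servicePrincipalName is a service account. It also allows 14 days on top of the 90, because `lastLogonTimestamp` is by default only replicated every 9 to 14 days.

```powershell
# Added example, not the Adaxes task from the article.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays     = 90
$SyncLagDays      = 14   # lastLogonTimestamp can trail the real logon by up to ~14 days
$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com'   # hypothetical placeholder
$Cutoff           = (Get-Date).AddDays(-($InactiveDays + $SyncLagDays))

# LastLogonDate is the AD module's DateTime view of the replicated lastLogonTimestamp.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, whenCreated, servicePrincipalName |
    Where-Object {
        # Exclude service accounts: anything under the dedicated OU or holding an SPN
        # (both are assumptions about how this directory marks service accounts).
        $_.DistinguishedName -notlike "*,$ServiceAccountOU" -and
        $_.servicePrincipalName.Count -eq 0 -and
        # An account that has never logged on is stale only once it is older than
        # the cutoff, so a new starter's account is not disabled before first use.
        $(if ($_.LastLogonDate) { $_.LastLogonDate -lt $Cutoff }
          else                  { $_.whenCreated   -lt $Cutoff })
    }

# Write the report first so every change can be reviewed and reversed.
$stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated |
    Export-Csv -Path .\stale-accounts.csv -NoTypeInformation

foreach ($user in $stale) {
    # -WhatIf only prints what would happen; remove it once the report looks right.
    Disable-ADAccount -Identity $user -WhatIf
}
```

Run it from a scheduled task under an account that is delegated only the right to disable users in the target OUs.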
Another feature I really found useful was business rules, which allows you to set values for attributes based on the value of other attributes or data entered within the input form. For example, I used it for determining what OU the user was to be created in, as well as determining the value of the Office attribute in the user account. I achieved this by creating business rules that would set these properties based on the value selected in a drop-down list on the user creation form on the web interface.
This not only saved time and effort, but also ensured that all Office attribute values across all user accounts were standardised. This was important, as other solutions (such as an internet billing script) would use this field to accurately determine which department to bill.
More Information?
If you are after more information about the Adaxes product and the features it provides, then check out their website – Softerra Adaxes.
I hope this article has helped you gain a better understanding around why and how to automate some of the regular and repetitive tasks IT professionals do on a day-to-day basis, especially the automating of user account provisioning and de-provisioning.
If you have any questions or comments or would like to share your experiences, then please let me know in the comments below.
Thanks
Luca