E-book

An IT admin’s guide to automated user provisioning

Manual user provisioning is not only costly and time-consuming, but can also result in security and compliance risks.

If your current process involves manually gathering employee data from multiple sources and provisioning users in AD and cloud platforms, requires manually verifying and granting folder and group permissions, and lacks reusable templates and automations for repeatable tasks, we have a solution for you.

In this e-book, we discuss how you can cut costs and optimize time spent on provisioning by:

  • Integrating your HR database and HCM solution with AD and cloud platforms.
  • Using standardized templates pre-populated with common attributes.
  • Configuring review-approval workflows for automating user provisioning.
  • Delegating user management tasks to non-admins.
  • Orchestrating user offboarding tasks for users who have left the organization.


User provisioning — An introduction

User account provisioning is an identity management process that involves creating, modifying, disabling, and deleting user accounts across the IT environment of an organization.

Manually managing user provisioning activities as and when events like hiring, transfers, promotions, and terminations happen can be a headache for the stakeholders involved. Therefore, organizations need an automated user provisioning process that makes identity management secure and error-free.

Fig. 1: Manual vs automated provisioning

The HR and IT disconnect

User provisioning can be complex because its two main stakeholders, the HR and IT teams, have different priorities. The HR team focuses on activities like planning onboarding, collecting candidate data, and releasing offer letters, while the IT team focuses on creating or modifying users in the backend systems and granting the permissions their roles require, all while meeting compliance requirements. The ad hoc workflows and inefficient manual processes involved in exchanging employee data between these two teams cause challenges such as:

  • Incorrect user data getting propagated across the IT systems
  • Risk of data leakage as sensitive employee information is sent over email
  • Lower productivity due to delay in communication between the teams
Fig. 2: The disconnect between HR world and IT world

Aligning the HR and IT systems for streamlined user provisioning

For most organizations, either an HR database or human capital management (HCM) software is the primary point of processing employee data. Therefore, these can serve as a single source of truth when events such as the addition of new employees, changes in personal details, promotions, transfers, and terminations occur. Organizations can streamline the user provisioning process by integrating their HR and IT systems, and triggering automated workflows when changes are made to employee records in the HCM software. Automation in the IT system should detect identity-related changes and make the necessary modifications in directories such as Active Directory (AD), Microsoft 365, Google Workspace, and other enterprise applications.
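The reconciliation that the paragraph above describes, as an added example written for this page (it is not ADManager Plus code): an HCM export is compared with the directory, keyed on the HR employee ID stored in AD's employeeID attribute, and the joiner, mover and leaver actions are emitted as a plan rather than applied directly. The HCM records, the status values ("Active", "Resigned") and the in-memory directory table are all constructed so the script runs offline; in production the table would be built from Get-ADUser.

```powershell
# Added example: plan create / update / disable actions from an HCM export.
# All data is constructed; $directory stands in for Get-ADUser output so the
# script runs without a domain. Status values and the EmployeeID key are assumptions.

$hcm = @(
    [pscustomobject]@{ EmployeeID='1001'; GivenName='Ada';   Surname='Lovelace'; Department='Engineering'; Status='Active' }
    [pscustomobject]@{ EmployeeID='1002'; GivenName='Grace'; Surname='Hopper';   Department='Research';    Status='Active' }    # department changed in HR
    [pscustomobject]@{ EmployeeID='1003'; GivenName='Alan';  Surname='Turing';   Department='Research';    Status='Resigned' }  # leaver
    [pscustomobject]@{ EmployeeID='1004'; GivenName='Linus'; Surname='Torvalds'; Department='Engineering'; Status='Active' }    # not yet in AD
)

# Constructed directory state keyed by the employeeID attribute.
$directory = @{
    '1001' = [pscustomobject]@{ SamAccountName='alovelace'; Department='Engineering'; Enabled=$true }
    '1002' = [pscustomobject]@{ SamAccountName='ghopper';   Department='Engineering'; Enabled=$true }
    '1003' = [pscustomobject]@{ SamAccountName='aturing';   Department='Research';    Enabled=$true }
    '1005' = [pscustomobject]@{ SamAccountName='orphan01';  Department='Finance';     Enabled=$true }  # no HCM record at all
}

function Get-ProvisioningPlan {
    param(
        [Parameter(Mandatory)] [object[]]  $HcmRecords,
        [Parameter(Mandatory)] [hashtable] $DirectoryByEmployeeId
    )
    $plan = [System.Collections.Generic.List[object]]::new()
    $seen = @{}

    foreach ($rec in $HcmRecords) {
        $seen[$rec.EmployeeID] = $true
        $existing = $DirectoryByEmployeeId[$rec.EmployeeID]

        if ($rec.Status -eq 'Resigned') {
            # Leaver: disable, never delete, so the account can be restored if HR is wrong.
            if ($existing -and $existing.Enabled) {
                $plan.Add([pscustomobject]@{ Action='Disable'; EmployeeID=$rec.EmployeeID; Detail=$existing.SamAccountName })
            }
            continue
        }

        if (-not $existing) {
            # Joiner: create from the HCM record; naming, OU and groups come from the template and rules.
            $plan.Add([pscustomobject]@{ Action='Create'; EmployeeID=$rec.EmployeeID; Detail="$($rec.GivenName) $($rec.Surname) / $($rec.Department)" })
            continue
        }

        # Mover: only attributes that HR owns are written back to the directory.
        if ($existing.Department -ne $rec.Department) {
            $plan.Add([pscustomobject]@{ Action='Update'; EmployeeID=$rec.EmployeeID; Detail="Department: $($existing.Department) -> $($rec.Department)" })
        }
        if (-not $existing.Enabled) {
            # Active in HR but disabled in AD: flag for a human rather than silently re-enabling.
            $plan.Add([pscustomobject]@{ Action='Review'; EmployeeID=$rec.EmployeeID; Detail='Active in HCM but disabled in directory' })
        }
    }

    # Directory accounts with no HCM record are the classic orphan-account audit finding: report, do not act.
    foreach ($id in $DirectoryByEmployeeId.Keys) {
        if (-not $seen.ContainsKey($id)) {
            $plan.Add([pscustomobject]@{ Action='Review'; EmployeeID=$id; Detail="No HCM record for $($DirectoryByEmployeeId[$id].SamAccountName)" })
        }
    }
    return $plan
}

Get-ProvisioningPlan -HcmRecords $hcm -DirectoryByEmployeeId $directory | Format-Table -AutoSize
```

Two design choices matter here. Matching on the HR employee ID rather than on names keeps renames and namesakes from provisioning the wrong account, and every state the automation cannot explain (active in HR but disabled in AD, an AD account with no HR record) is surfaced as a Review item instead of being "fixed" automatically, which is the controlled-automation stance the rest of this guide takes.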

User provisioning solution overview and architecture: ADManager Plus

With ManageEngine ADManager Plus, organizations can take full control of their user provisioning process. ADManager Plus' integrations with HCM solutions, HR databases, ITSM tools, and enterprise applications, together with its automation capabilities, help replace error-prone, time-consuming manual processes with an automated process that supports productivity and data security.

ADManager Plus helps organizations perform user onboarding actions such as capturing new hire data from HCM systems; creating new users across AD, Microsoft 365, and Google Workspace; adding users to required groups; creating Exchange mailboxes; providing necessary permissions; provisioning users in enterprise applications; and more, all with ease.

Fig. 3: User onboarding solution architecture

It also helps automate user offboarding activities, including disabling accounts of departing employees, revoking folder permissions, deleting group memberships, removing AD and M365 accounts, deleting Exchange mailboxes, removing permissions for enterprise apps, and much more.

Fig. 4 : User offboarding solution architecture

ADManager Plus' user provisioning capability consists of the following components which come together to help implement a smooth user onboarding and offboarding process:

Templates

ADManager Plus provides creation and modification templates for users, computers, groups, contacts, mailboxes, and OUs. With templates, organizations can standardize the process of user creation and modification. They can use separate templates preconfigured with the necessary settings, permissions, and privileges specific to each role.

User creation rules

User creation rules let admins define attributes that are automatically filled with predefined values when a new user account is created. Admins can also define conditional rules: when a condition is satisfied by the account being created, the desired attributes are auto-populated accordingly.

Custom naming formats

Organizations can also apply custom naming formats in the templates to create unique logon names and avoid duplication of names, which is a common problem in bulk user provisioning.

Automation

Routine tasks like bulk user creation, modification, and deletion can be configured and scheduled to run at specific times or intervals using ADManager Plus' automation capability. HCM solutions, HR databases, reports, or CSV files can be used as the data source for these automations. Using the Automation Policy feature in ADManager Plus, organizations can define a sequence of follow-up tasks to run after the main task, and specify the time intervals for their execution.

Controlled automation according to organizational policies

A fully automated task that is configured incorrectly can cause a lot of damage before anyone notices. For instance, if a scheduled automation is configured to delete users who are on long leave instead of disabling them, admins will have to spend a lot of time restoring those accounts. With ADManager Plus, organizations can configure controlled automation rather than full automation by incorporating workflows that require review by senior roles before any critical automated task is executed.

Workflow

With ADManager Plus' workflow capabilities, organizations can ensure that all AD user management activities performed in their environment are supervised or verified. Using the Workflow feature, a hierarchy of approvals required to complete an automation can be defined, including who initiates the automation activity request, who reviews the process, who approves the process, and finally who executes it. Introducing supervision breaks like these while automating an activity helps eliminate errors and comply with IT regulations.

Review-approval workflow process

The workflow begins when a "requester" raises a request ticket for performing a task. This request is then reviewed by a "reviewer" who forwards this request to the next supervisory level, i.e., the "approver". Once the request is approved, the last level in the workflow, i.e., the "executor" can execute the requested task.

The workflow process not only reduces the margin for error but also creates a ticket-based method for managing tasks. For compliance purposes, ADManager Plus also maintains a repository of all the requests and tickets created.

Fig 5: Review approval workflow

Delegation

If IT admins spent most of their time on routine provisioning activities like user modification, password resets, license assignment, and folder access, it would waste their productive time. Such provisioning tasks can be assigned to the HR team or to individual business teams, freeing the IT admin team for more critical AD management tasks. ADManager Plus lets you create templates for user provisioning and assign them to non-IT users, such as HR staff, executives, teachers, or principals, to delegate some of the provisioning actions and take that load off the IT team.

Non-invasive helpdesk delegation

Granting non-admin users the ability to perform AD management tasks does not come at the cost of security. Admins create help desk technician roles in ADManager Plus for users that already exist in Active Directory. The technician role exists only in the tool, not in AD, so technicians are granted no privileges in AD itself and can only see and perform the tasks delegated to them. The practical consequence is that the tool itself must hold the directory privileges technicians borrow, so the account it runs under, and access to its console, need the same protection as any other privileged credential.

Auditing actions performed by technicians

With critical actions delegated to the help desk and the HR department, it is essential to keep an accurate record of the activities technicians perform. ADManager Plus provides Help Desk Audit Reports, which give admins a detailed view of the changes made by technicians.

Fig 6: Helpdesk delegation - challenges and solution

Orchestration and webhook

With ADManager Plus' Orchestration capability, multiple tasks can be configured to execute in a sequence to complete a large process automatically. This will help organizations streamline routine and repeatable processes like user onboarding or offboarding, which are comprised of multiple tasks like permission management, mailbox management, group membership management, and more.

ADManager Plus also allows organizations to configure webhooks that pass data between ADManager Plus and a target enterprise application to perform the desired user management actions. Once a webhook integration is set up with an application, ADManager Plus can send an HTTP POST to the application's configured URL whenever a user is created or removed, automating the corresponding action in that application.

Integrations and Rest API

Most organizations rely on HCM systems such as Zoho People, UKG Pro, BambooHR, and Workday, or databases like Oracle and MS SQL, to maintain a record of their employee information. ADManager Plus provides out-of-the-box integrations with these tools to make user account management easier.

The Custom HCM Integration feature in ADManager Plus lets organizations set up user data collection from an HCM tool of their choice for user provisioning.

ADManager Plus lets organizations integrate its AD management functions, such as user creation, password reset, disable user, delete user, and more, with other applications through its REST API. These APIs let organizations call ADManager Plus from the web services or applications they use and perform the necessary AD user account management functions.

Hybrid provisioning

For organizations with a hybrid environment, onboarding user accounts separately in AD, Microsoft 365, and Google Workspace can result in unnecessary delays. With ADManager Plus, organizations that have M365 and Google Workspace configured can sync the new user information from their AD to the cloud. They can automatically create mailboxes, perform M365 license management, and do much more for these users.

For users who are already present in the AD environment, Microsoft 365 accounts can be created instantaneously using reports or CSV files. Organizations can also provision users only in Microsoft 365 by simply selecting the Microsoft 365 option alone during user creation.

Backup and recovery

Unwanted and accidental changes in your AD can sometimes result in a disaster for organizations. With ADManager Plus' backup and recovery capability, organizations can create full and incremental backups of AD objects, including users, computers, contacts, groups, OUs, GPOs, and dynamic distribution groups. These AD objects can also be restored down to the attribute level. Thus, in the event of any mishaps in their AD, organizations can restore access for employees to their IT applications without much downtime and ensure productivity is not affected.


ADManager Plus implementation for user provisioning: Use cases

Education

Here's the case of one of the schools where we recently implemented ADManager Plus for user provisioning.

IT environment details:

The school has around 3,000 users and 250 groups. They use a third-party student information system and HCM solution for onboarding their staff and students.

The users in the school have the following user codes:

  • Student
  • Teacher
  • Principal
  • Admin staff

The codes for the buildings where these users are assigned are as follows:

  • ES Elementary school
  • MS Middle school
  • HS High school
  • AD Administration

Requirements:
  1. Automating the routine user onboarding tasks
  2. Integrating the school's HR system with its IT system to avoid duplicate data entry
  3. Ensuring new users have all the necessary access from day one

Implementation:

The entire user provisioning process was automated using ADManager Plus as follows:

Integrating the school's HR system with ADManager Plus

For this description, let's assume we are provisioning a user account for a teacher in the middle school. The department code for this user is MS-02, where MS stands for middle school and 02 is the user code for teacher.

The HR team creates a record for the new user in the HCM solution with basic details such as first name, last name, and department.

To automatically capture this data from the HCM solution every time a user record is created or modified, the HCM solution was integrated with ADManager Plus using the Custom HCM Integration feature (as seen in Fig. 7).

Fig. 7: Custom HCM integration

Video: How to enable custom HCM integration in ADManager Plus

Setting up user creation templates

The user account attributes required for a middle school teacher were configured in a single step using user creation templates.

Using the customizable naming formats, a unique logon name format was created (as shown in Fig. 8) and applied in the template to standardize logon names.

Fig. 8: Customizable Naming Formats

Video: How to create a customized naming format with ADManager Plus

The Prevent Duplication feature in the template was enabled to ensure that no two users are created with the same logon name.

Fig. 9: Prevent Duplication check

Using the Creation Rules option, user attributes like office, address, container, group membership, home folder, and M365 licenses were defined to be auto-populated for department MS-02 (as shown in Fig 10).

Fig. 10: User creation rules

Video: How to set rule-based actions using templates with ADManager Plus

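The MS-02 creation rule described above, as an added example written for this page (it is not ADManager Plus code): the department code is split into a building code and a user code, each is resolved against a small rules table, and the attributes the template would populate (container, office, groups, home folder, license) are composed from the two. The page only confirms that MS is the middle school and 02 is the teacher code; the other numeric user codes, the OU paths, group names, file server, share names and license SKUs below are assumptions.

```powershell
# Added example: resolve a department code such as MS-02 into the attributes a
# creation rule would populate. Codes other than MS/02, OU paths, group names,
# share names and license SKUs are assumptions made for illustration.

$buildings = @{
    ES = @{ Name = 'Elementary school'; OU = 'OU=Elementary,OU=Schools,DC=school,DC=example' }
    MS = @{ Name = 'Middle school';     OU = 'OU=Middle,OU=Schools,DC=school,DC=example' }
    HS = @{ Name = 'High school';       OU = 'OU=High,OU=Schools,DC=school,DC=example' }
    AD = @{ Name = 'Administration';    OU = 'OU=Admin,DC=school,DC=example' }
}
$roles = @{
    '01' = @{ Name = 'Student';     Tag = 'Students';   Groups = @('Students');                License = 'STUDENT_SKU'; HomeShare = $null }
    '02' = @{ Name = 'Teacher';     Tag = 'Teachers';   Groups = @('Staff', 'Teachers');       License = 'FACULTY_SKU'; HomeShare = 'staff$' }
    '03' = @{ Name = 'Principal';   Tag = 'Principals'; Groups = @('Staff', 'Principals');     License = 'FACULTY_SKU'; HomeShare = 'staff$' }
    '04' = @{ Name = 'Admin staff'; Tag = 'AdminStaff'; Groups = @('Staff', 'Administrative'); License = 'FACULTY_SKU'; HomeShare = 'staff$' }
}

function Resolve-CreationRule {
    param(
        # Reject anything that is not two letters, a hyphen and two digits before it reaches the lookup.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]{2}-\d{2}$')] [string] $DepartmentCode,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $building, $role = $DepartmentCode.ToUpperInvariant() -split '-'
    if (-not $buildings.ContainsKey($building)) { throw "Unknown building code '$building' in $DepartmentCode" }
    if (-not $roles.ContainsKey($role))         { throw "Unknown user code '$role' in $DepartmentCode" }
    $b = $buildings[$building]
    $r = $roles[$role]

    # A building-scoped group (e.g. MS-Teachers) gives the principal's delegated
    # help desk role something narrower than "all teachers" to be scoped to.
    $groups = $r.Groups + "$building-$($r.Tag)"

    # Students get no home folder in this constructed policy; staff get H: on the staff share.
    $homeDir   = if ($r.HomeShare) { "\\files.school.example\$($r.HomeShare)\$SamAccountName" } else { $null }
    $homeDrive = if ($r.HomeShare) { 'H:' } else { $null }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Title          = $r.Name
        Office         = $b.Name
        Path           = $b.OU          # the container the account is created in
        Groups         = $groups
        HomeDirectory  = $homeDir
        HomeDrive      = $homeDrive
        License        = $r.License
    }
}

# The middle school teacher from the walkthrough; 'jsmith' is a placeholder logon name.
Resolve-CreationRule -DepartmentCode 'MS-02' -SamAccountName 'jsmith' | Format-List
```

The returned object maps directly onto a New-ADUser splat plus an Add-ADGroupMember call, which is what a template would run; keeping the rule table separate from the code that applies it is what makes the same rule reusable for every building and role combination.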
Creating user provisioning automation with workflow

The next step was to create a user provisioning automation with a workflow. A new automation was created (as shown in Fig 11), which uses the user creation template created above to onboard new users after collecting new user information from the HCM solution. The automation fetches the details of the new teacher with the department marked as MS-02 from the user records in the HCM solution.

Fig. 11: Automation for new user onboarding

Video: How to automate AD user creation using ADManager Plus

A workflow was added to ensure that the new user data was verified by the principal before the IT admin executed the task. The automation is raised as a ticket to the principal. Once the request is reviewed and approved by the principal, the automation request moves to the IT admin for execution.

Fig. 12: Workflow

Configuring orchestration for provisioning enterprise apps

A webhook was configured to exchange data between ADManager Plus and the various applications used in the middle school for interactive learning, assignments, grading, and more.

Fig. 13: Configuring webhooks for access to the school's apps

An orchestration profile was then created, which used the above webhook configuration to grant the teacher access to the configured apps when the user was created in the Middle School OU.

Fig. 14: Orchestration profile

Delegating user modification tasks to teachers and the principal

A help desk role was created to let teachers and the principal perform tasks such as resetting passwords or managing group memberships and folder permissions for users in their respective OUs.

Fig. 15: Help Desk Role creation

Video: How to delegate AD permissions to technicians using ADManager Plus

Configuring user offboarding automation with workflow

A user offboarding automation policy was created to deprovision users who have left the school. The automation is triggered for users in the HCM system with status as "Resigned". The automation proceeds to:

  • Remove all group memberships for these accounts.
  • Disable the user accounts.
  • Move them to a separate OU for departing user AD accounts.

A workflow was also implemented in this automation to ensure that no user would be deleted by mistake.

An orchestration profile was also configured to perform a sequence of user offboarding actions like removing M365 licenses, disabling the user's mailbox, removing group memberships, and more.

With this automation, user accounts that are no longer needed are removed from the school's IT environment within a defined period after the user's departure.
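The AD side of the leaver sequence described above (remove group memberships, disable, move to a holding OU), as an added example written for this page rather than ADManager Plus code. It requires the RSAT ActiveDirectory module and a domain to run against; the holding OU path, the file server, the ticket reference and the constructed HCM export are assumptions, and the M365 license and mailbox steps the orchestration profile handles are outside this script. Run it with -WhatIf first, as the usage at the bottom does.

```powershell
#Requires -Modules ActiveDirectory
# Added example: disable (never delete) a leaver found in an HCM export.
# Holding OU, ticket reference and the export below are assumptions.

function Invoke-LeaverOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Constrain the ID so it cannot carry LDAP filter metacharacters into the query below.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9-]+$')] [string] $EmployeeID,
        [Parameter(Mandatory)] [string] $DisabledOU,   # e.g. 'OU=Leavers,DC=example,DC=com' (assumption)
        [string] $Ticket = 'n/a'                       # workflow ticket written into the description for audit
    )

    # Look the account up by the HR key, not by name, so renames and namesakes cannot misfire.
    $user = Get-ADUser -LDAPFilter "(employeeID=$EmployeeID)" -Properties memberOf, description
    if (-not $user) { Write-Warning "No account with employeeID $EmployeeID"; return }
    if (@($user).Count -gt 1) { throw "employeeID $EmployeeID matches more than one account; refusing to continue" }

    $stamp = "Offboarded $(Get-Date -Format yyyy-MM-dd) ticket $Ticket"

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Remove group memberships')) {
        # The primary group (Domain Users) is not in memberOf and cannot be removed, which is fine.
        foreach ($groupDn in $user.memberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable account')) {
        # Disable rather than delete: the object, its SID and ACL references survive the retention period,
        # so a mistaken "Resigned" status in HR is reversible.
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $stamp
    }
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Move to $DisabledOU")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }
}

# Constructed HCM export; in practice this comes from the HCM integration.
$leavers = @(
    [pscustomobject]@{ EmployeeID = '1003'; Status = 'Resigned'; Ticket = 'REQ-0042' }
    [pscustomobject]@{ EmployeeID = '1001'; Status = 'Active';   Ticket = '' }
)

foreach ($row in $leavers | Where-Object Status -eq 'Resigned') {
    # -WhatIf prints each planned change without touching the directory; drop it to execute,
    # at which point ConfirmImpact = 'High' prompts for each step unless -Confirm:$false is passed.
    Invoke-LeaverOffboarding -EmployeeID $row.EmployeeID -DisabledOU 'OU=Leavers,DC=example,DC=com' -Ticket $row.Ticket -WhatIf
}
```

Group memberships are stripped before the account is disabled so that, if the script is interrupted, the account is left with fewer rights rather than more; the ticket reference in the description is what lets an auditor tie the change back to the approval in the workflow.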

Fig. 16: Automation policy for user offboarding

Video: How to automate AD user deprovisioning using ADManager Plus

Government

The ADManager Plus team helped the IT department of a government organization automate their provisioning process.

IT environment details:

The government agency's network spans two sites and has approximately 1,800 groups. It used Microsoft Forms, where managers gathered user data, and CSV files for user provisioning. The IT admin was onboarding employees manually, which wasted productive time.

Requirements:
  1. CSV-based bulk user onboarding
  2. A naming convention for user logon names built from the following rules:
    • First 4 letters of the first name
    • Then an underscore
    • Followed by the first 2 letters of the last name
    • For duplicate logon names, append a number, such as adam_go1, adam_go2, etc.
Implementation:
  1. User provisioning and modification templates
  2. Custom naming formats
  3. Automation with workflows
  4. Delegation of non-admin tasks to managers

Banking

ManageEngine helped a state-chartered bank with its user provisioning needs.

IT environment details:

The bank had over 550 employees and 50 groups. It used UKG Pro as its HR management software.

Requirements:
  1. Integration with UKG Pro
  2. Exchange mailbox creation for new users
  3. A user creation template that creates users with a SAM account name in the H+EmployeeID format
  4. Automating the last-working-day process for exiting employees
Implementation:
  1. Out-of-the-box HCM integration with UKG Pro
  2. User creation templates with Exchange Server mailbox creation and custom naming formats
  3. User offboarding automation
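The two custom naming formats from the use cases above, the government agency's first-4-plus-underscore-plus-first-2 rule with numeric suffixes for duplicates and the bank's H+EmployeeID rule, as one added example written for this page (it is not ADManager Plus code). The function also applies the prevent-duplication check a bulk import needs: the set of names already in use is a constructed hashtable standing in for a directory lookup, and each name handed out is reserved in that set so two records in the same batch cannot collide. The format names 'Gov' and 'Bank' and the sample people are assumptions; the first user to claim a base name keeps it bare and later collisions get 1, 2, 3, matching the adam_go1, adam_go2 requirement.

```powershell
# Added example: logon-name generation with duplicate prevention for the two
# naming rules in the use cases. $Existing is a constructed set; in production
# it would be seeded from Get-ADUser -Filter * -Properties sAMAccountName.

function New-LogonName {
    param(
        [Parameter(Mandatory)] [ValidateSet('Gov', 'Bank')] [string] $Format,   # format names are assumptions
        [Parameter(Mandatory)] [hashtable] $Person,     # GivenName, Surname, EmployeeID
        [Parameter(Mandatory)] [hashtable] $Existing,   # keys = names in use; PowerShell hashtable keys are case-insensitive
        [int] $MaxAttempts = 100
    )
    # Keep letters only so "O'Brien" or "Müller" produce predictable ASCII logon names.
    $clean = { param($s) (([string]$s) -replace '[^A-Za-z]', '').ToLowerInvariant() }

    switch ($Format) {
        'Gov' {
            # First 4 letters of the first name, underscore, first 2 letters of the last name.
            $f = & $clean $Person.GivenName
            $l = & $clean $Person.Surname
            $base = $f.Substring(0, [Math]::Min(4, $f.Length)) + '_' + $l.Substring(0, [Math]::Min(2, $l.Length))
        }
        'Bank' {
            # H followed by the employee ID; unique IDs mean the suffix loop below normally never runs.
            $base = 'H' + $Person.EmployeeID
        }
    }

    # Prevent-duplication loop: append 1, 2, 3 ... until a free name is found.
    $candidate = $base
    $n = 0
    while ($Existing.ContainsKey($candidate)) {
        $n++
        if ($n -gt $MaxAttempts) { throw "Could not find a free logon name for base '$base'" }
        $candidate = "$base$n"
    }
    if ($candidate.Length -gt 20) { throw "'$candidate' exceeds the 20-character sAMAccountName limit" }

    $Existing[$candidate] = $true   # reserve it so the next record in this batch cannot take it
    return $candidate
}

# Constructed batch: three people who collide under the government rule, plus a short name with punctuation.
$taken = @{}
$batch = @(
    @{ GivenName = 'Adam'; Surname = 'Gold';    EmployeeID = '2001' }
    @{ GivenName = 'Adam'; Surname = 'Gomez';   EmployeeID = '2002' }
    @{ GivenName = 'Adam'; Surname = 'Goodwin'; EmployeeID = '2003' }
    @{ GivenName = 'Mo';   Surname = "O'Brien"; EmployeeID = '2004' }
)
foreach ($p in $batch) {
    $gov  = New-LogonName -Format Gov  -Person $p -Existing $taken
    $bank = New-LogonName -Format Bank -Person $p -Existing $taken
    '{0,-6} {1,-8} {2,-10} {3}' -f $p.GivenName, $p.Surname, $gov, $bank
}
```

The three Adams resolve to adam_go, adam_go1 and adam_go2, and the bank rule gives H2001 through H2004. Reserving each name in the shared set is the detail that a naive "check, then create" loop gets wrong when a CSV contains two people who map to the same base name.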

NGO

The ManageEngine team was approached by an NGO with a user provisioning requirement.

IT environment details:

The NGO has a network consisting of 600 user objects and 60 group objects. It uses Paycom as its HRMS and iSupport as its IT help desk tool. It wanted to automate its user provisioning process because of high employee turnover.

Requirements:
  1. Automating the user creation and termination process due to high turnover
  2. Delegating user management tasks to non-admins to reduce the IT admins' workload
Implementation:
  1. Custom HCM integration
  2. User creation templates
  3. Automation for user onboarding and offboarding with workflow
  4. Help desk delegation

Alleviating IT admin burnout with automated user provisioning

Organizations are reeling under the pressure of an escalating number of cybersecurity issues, record levels of employee turnover, and a tight job market for experienced IT staff. IT teams are under tremendous pressure on a daily basis to keep their IT infrastructure running smoothly. Due to this excessive workload, IT teams suffer from burnout, low morale, and high churn, each of which could be detrimental for an organization on their own, but combine to make a potentially disastrous scenario.

Some of the major causes of distress for the IT admins in their routine work are:

Repetitive manual tasks

Many organizations have not adopted the latest IT management tools, so most of their routine tasks like user provisioning are executed manually by the IT team. This means IT staff have to spend a large share of their working time on mundane, time-intensive tasks like user creation, modification, deletion, and permissions management, while also dealing with time-critical work like resolving network issues, which adds to their stress.

Code-heavy operations

As mentioned above, a lot of mundane tasks are executed manually in many organizations. This requires the IT staff to do a lot of PowerShell scripting and coding in other programming languages for any user management tasks to be performed in their environment. Writing code for even small tasks can be mentally draining and time-consuming for IT administrators.

Misaligned technology

Even organizations that have the technology can fast-track their IT admins to burnout when the tools in their IT management stack are out of sync with one another. Beyond the tooling, differing priorities across teams and a lack of collaboration between them accelerate burnout further.


How ADManager Plus helps alleviate IT admin burnout

ADManager Plus helps overcome the above challenges by replacing repetitive manual user account provisioning processes with an end-to-end automated provisioning process, and by reducing the IT team's burden through delegation of routine tasks to non-admin staff. Some of the capabilities of ADManager Plus that help reduce IT admin burnout are:

Codeless or no-code automation

ADManager Plus lets IT teams automate routine AD tasks either completely or in a controlled manner using workflows, according to the organization's requirements. An IT admin can configure this automation in a few clicks through the UI, with practically no code to write, which simplifies the admin's job and removes a great deal of stress from their routine.

Enhanced interoperability

The integration feature in ADManager Plus lets organizations operate HCM solutions, databases, enterprise apps, and other applications in conjunction with the user provisioning tool. This aligns the applications in the IT environment towards a common purpose rather than leaving each one working in a silo, and it improves cooperation between the various stakeholders involved in the provisioning process.

Delegation of tasks

ADManager Plus' help desk delegation capability allows IT teams to empower non-admin staff with the ability to perform routine AD tasks. This lets the IT team focus on more important administrative tasks, while reducing fatigue and the chances of them committing any critical errors.


About ADManager Plus

ManageEngine ADManager Plus is a web-based Windows AD management and reporting solution that helps AD administrators and help desk technicians efficiently accomplish their day-to-day activities. With an intuitive, easy-to-use interface, ADManager Plus handles a variety of complex tasks and generates a comprehensive list of AD reports, some of which are essential requirements to satisfy compliance audits. The solution also helps administrators manage and report on their Exchange Server, Microsoft 365, and Google Workspace environments, all from a single console.

Zoho Corporation Pvt. Ltd. All rights reserved.
