
Reset Passwords in G Suite and Multiple Platforms

Google’s administrative interface isn’t as friendly as it could be for finding sets of users and resetting their passwords in G Suite.  With directories of even a few hundred users it becomes difficult to use, and its role model doesn’t offer enough granularity to delegate individual administrative functions: admins get the ability to do everything (including deleting objects or wreaking all sorts of havoc) or nothing.  Talking to customers and prospects, we hear frustration from administrators trying to keep their users’ G Suite passwords in sync with other directory platforms such as Azure Active Directory and/or Active Directory.

In PeopleUpdate, part of our PeoplePlatform set of Identity Management Solutions, we fill that gap.  You can selectively delegate to admins the ability to find users in G Suite and reset their passwords.  Multiple users can be selected and reset at once.  Even better, your admins can find users in G Suite but reset passwords simultaneously in multiple platforms.

These resets are performed without multi-factor authentication to verify the identity of the users being affected, so the delegated admin is the only check on who gets a new password.  Restrict the function to situations where such verification isn’t needed, or where the person performing the reset can readily identify the user, for example because the user is standing there in person.  The functionality comes out of the box and is ready to configure as needed.  For example, you could give admins the option to force the affected user to change their password the next time they log on.
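As an added example (not code from the original page or from PeopleUpdate), the script below shows the shape of a delegated multi-platform reset done from PowerShell: one temporary password is generated, set in Active Directory and in Azure Active Directory in the same step, both sides are flagged to force a change at next logon, and an audit line records who reset whom. It assumes the ActiveDirectory and AzureAD modules are loaded and Connect-AzureAD has already run; the log path under $env:ProgramData and the sample account names are assumptions.

```powershell
# Added example; not code from the original page or from PeopleUpdate.
# Assumes the ActiveDirectory and AzureAD modules are loaded and Connect-AzureAD
# has run. The audit log path is an assumption; choose one your admins cannot edit.

function New-TemporaryPassword {
    param([int]$Length = 16)
    # 0/O and 1/l/I are left out because the value is read out to the user in person.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes above this to avoid modulo bias
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')   # default AD complexity
    return $pw
}

function Reset-UserPasswordEverywhere {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # There is no MFA step here: the caller vouches that they identified the user,
    # so delegate this narrowly and keep the audit trail.
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password in AD and Azure AD')) { return }

    # On-premises side: reset (not change) and force a new password at next logon.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Cloud side: same temporary password, same force-change flag.
    $cloudUser = Get-AzureADUser -ObjectId $UserPrincipalName
    Set-AzureADUserPassword -ObjectId $cloudUser.ObjectId -Password $secure -ForceChangePasswordNextLogin $true

    # Who reset whom and when; the password itself is never written anywhere.
    "{0}`t{1}`treset`t{2}" -f (Get-Date -Format o), $env:USERNAME, $UserPrincipalName |
        Add-Content -Path "$env:ProgramData\password-resets.log"
    return $plain   # hand this to the user in person; it is single-use by construction
}

# -WhatIf only prints what would happen (no directory calls are made);
# without it the High ConfirmImpact prompts before anything is changed.
Reset-UserPasswordEverywhere -SamAccountName bgilkey -UserPrincipalName bgilkey@vrad.org -WhatIf
```

The cloud-side step is for accounts that are managed in Azure Active Directory itself. For accounts synchronized from on-premises AD, confirm that your tenant permits cloud-side resets (password writeback) before relying on it; otherwise the on-premises reset is the one that reaches the cloud through password hash sync.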

Deleting Users in Azure Active Directory (Office365)

Deleting users in Azure Active Directory (Office 365) is a more radical action than deprovisioning them.  Everybody’s deprovisioning process differs in at least some small way.  It’s usually something like disabling users and moving them to a special area of your directory.  Then your deprovisioned users are “out of the way” and can be purged more easily later.  Still, deleting can be a handy function even if you only delegate it to yourself or other administrators.  It can also be used to purge deprovisioned users who have been hanging around in your directory for a while.

Deleting Users in Azure Active Directory Using PowerShell

The following is an example of a script that deletes a user in Azure Active Directory.  It doesn’t use the old “Msol” PowerShell module, which has been superseded by what Microsoft calls the “V2” (AzureAD) module (see https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0).  The script below assumes a valid service account username and password.  A password embedded in a script can be read by anyone who can read the script, so in practice obtain it with Get-Credential or from a secrets store instead of hard-coding it as shown.

Import-Module -Name AzureAD
$yourusername = "admin@yourtenant.onmicrosoft.com"
$yourpassword = "Passw0rd1"
$yourtenant = "yourtenant.onmicrosoft.com"
$Office365PasswordEncrypted = ConvertTo-SecureString $yourpassword -AsPlainText -Force
$O365UserCredentials = New-Object System.Management.Automation.PSCredential ($yourusername, $Office365PasswordEncrypted)
$null = Connect-AzureAD -Tenant $yourtenant -Credential $O365UserCredentials
# Each key/value pair becomes one "(key eq 'value')" clause of the OData filter.
$htfilters = @{"userprincipalname" = "user@yourtenant.onmicrosoft.com"}
$ExtensibleParams = ""
$htfilters.GetEnumerator() | ForEach-Object {
    $ExtensibleParams = "{0}({1} eq '{2}') and " -f $ExtensibleParams, $_.Key, $_.Value
}
# Strip the trailing " and " (5 characters) left after the last clause.
$ExtensibleParams = $ExtensibleParams.Substring(0, $ExtensibleParams.Length - 5)
Write-Output "Checking for user. Filter: $ExtensibleParams"
$existingobj = Get-AzureADUser -Filter $ExtensibleParams
if ($existingobj -ne $null) {
    Remove-AzureADUser -ObjectId $existingobj.ObjectId
}

The neat part of this script is that the “htfilters” hashtable can be constructed dynamically to find the user to delete.  Its main limitation is gathering user input so that it runs dynamically: delegating execution through a web interface that collects that input means writing a lot of other kinds of code.  Scripts are notoriously difficult to maintain, and distributing them and trusting others to use them is an entirely different subject.

Deleting Users in Azure Active Directory with Web Active Directory’s PeopleUpdate

The web interface, safe delegation, and more are taken care of by PeopleUpdate.  PeopleUpdate is part of PeoplePlatform, a comprehensive identity management solution that works across multiple directory platforms.  For this example, you can construct and configure (without scripting) a user interface to find users in Azure Active Directory and select one or more for deletion.  A history is kept of these actions.  You also have the option of simultaneously deleting users in other systems such as G Suite or Active Directory in real time without the burden of a sync.  This simultaneous deletion saves a lot of keystrokes.  You can also configure notifications that are sent when these actions are taken.  That way, if you do delegate such a powerful function to someone else, you know exactly when and how it is being used.
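As an added example (not code from the original page or from PeopleUpdate), here is the same deletion with the two checks a delegated deleter needs: values are quoted properly when the OData filter is built, so an apostrophe in a value cannot break or widen the filter, and nothing is removed unless the filter matches exactly one account. It assumes the AzureAD module is loaded and Connect-AzureAD has already run; the log path under $env:TEMP is an assumption.

```powershell
# Added example; not code from the original page or from PeopleUpdate.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already run.
# The audit log path is an assumption.

function New-ODataEqualsFilter {
    param([Parameter(Mandatory)][hashtable]$Criteria)
    # OData string literals escape an embedded single quote by doubling it.
    $clauses = foreach ($entry in $Criteria.GetEnumerator()) {
        $value = ([string]$entry.Value) -replace "'", "''"
        "{0} eq '{1}'" -f $entry.Key, $value
    }
    return ($clauses -join ' and ')
}

function Remove-MatchedAzureADUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][hashtable]$Criteria)

    $filter = New-ODataEqualsFilter -Criteria $Criteria
    Write-Verbose "Filter: $filter"
    $found = @(Get-AzureADUser -Filter $filter)

    if ($found.Count -eq 0) {
        Write-Warning "No user matched '$filter'; nothing deleted."
        return
    }
    if ($found.Count -gt 1) {
        # Refuse rather than guess: an ambiguous filter must never delete several accounts.
        throw "Filter '$filter' matched $($found.Count) users; refusing to delete."
    }

    $user = $found[0]
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Remove-AzureADUser')) {
        Remove-AzureADUser -ObjectId $user.ObjectId
        # Record who deleted what and when, so delegated use is auditable.
        "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $env:USERNAME, $user.UserPrincipalName, $user.ObjectId |
            Add-Content -Path "$env:TEMP\aad-deletions.log"
    }
}

# Dry run first; the second form prompts because ConfirmImpact is High.
Remove-MatchedAzureADUser -Criteria @{ userPrincipalName = "user@yourtenant.onmicrosoft.com" } -WhatIf
# Remove-MatchedAzureADUser -Criteria @{ userPrincipalName = "user@yourtenant.onmicrosoft.com" } -Verbose
```

The same shape carries over to Microsoft Graph PowerShell, which has since replaced the AzureAD module: Get-MgUser -Filter and Remove-MgUser -UserId take the place of the two AzureAD calls, and the filter string is built the same way.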

Bulk Provisioning Users in Active Directory

Bulk provisioning users in Active Directory is an important task for new employee onboarding.  It’s also common practice when you have a system of record that has to stay in sync with your directory.  This is typical for schools: students have their own inherent turnover as they progress through the system, and most schools have a Student Information System as their system of record.

Provisioning isn’t always about creating new users.  A good provisioning solution should give you options when a duplicate is found.  It’s common, for example, to update the user if they already exist.

Bulk Provisioning Users in Active Directory Using PowerShell

The following is an example of a user import script in PowerShell.  It creates a new user if they do not exist in your directory and updates them if they do.

Import-Module ActiveDirectory
$users = Import-Csv -Path "C:\userimport.csv"
foreach ($u in $users) {
    $OU = $u.'OU'
    $Password = $u.'Password'
    $dispname = $u.'Firstname' + " " + $u.'Lastname'
    # Look the account up by sAMAccountName. The filter is built by string
    # interpolation, so it is only as safe as the CSV it is fed.
    $existing = Get-ADUser -LDAPFilter "(sAMAccountName=$($u.SAM))"
    # Attributes that are set on both creation and update.
    $splat = @{
        "DisplayName" = $dispname
        "GivenName"   = $u.'Firstname'
        "Surname"     = $u.'Lastname'
        "Description" = $u.'Description'
    }
    if (!$existing) {
        $splat.Add("SamAccountName", $u.SAM)
        $splat.Add("UserPrincipalName", $u.'Firstname' + "." + $u.'Lastname' + "@" + $u.'Maildomain')
        $splat.Add("Name", $dispname)
        New-ADUser @splat -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path "$OU" -ChangePasswordAtLogon $false -PasswordNeverExpires $true
        Write-Output "Created user $($u.SAM)."
    } else {
        Set-ADUser -Identity $existing.SamAccountName @splat
        Write-Output "Updated user $($existing.SamAccountName)."
    }
}

This script is meant to process a file that looks like this:

Firstname,Lastname,Maildomain,SAM,OU,Password,Description
"Bobby","Gilkey","vrad.org","bgilkey","OU=Elementary,OU=StudentOU,DC=vrad,DC=org","Passw0rd1","Description here"

Note that the file carries each user’s initial password in clear text, so protect it like any other credential and delete it once the import has run.  As written, the script also creates accounts whose passwords never expire and need not be changed at first logon; that keeps a pilot simple, but for production accounts you would normally set -ChangePasswordAtLogon $true and drop -PasswordNeverExpires.

You can enhance the script in many ways.  More comprehensive output indicating which attributes have changed, notifications, and a less rigid file format would all be good first enhancements to try.  It also doesn’t begin to tackle business rules, where differing input data determines the user’s OU, group membership, and so on.

Web Active Directory’s PeopleNexus

Perform bulk provisioning actions on a schedule or on demand with Web Active Directory’s PeopleNexus.  PeopleNexus is part of PeoplePlatform, a comprehensive identity management solution that works across multiple directory platforms.  Define multiple data sources and completely control how users are created in Active Directory.  Preconfigure business rules to dynamically determine group membership, the user’s OU, and much more based on your input data.  You can control how duplicates are handled and what constitutes a duplicate record.  Safely and securely specify the service account used to perform the user creation tasks.  Customize the import process without scripting or coding.  You can also simultaneously provision users in other systems like Azure Active Directory or G Suite in real time without the burden of a sync.  This simultaneous provisioning ensures a good experience for your users across platforms.  Configure notifications that differ depending on the recipient.  For example, when a new user is created, administrators might receive one email while the new user receives a welcome email with their new password.  You can also make notifications to administrators entirely exception based, so that they are only notified if there is a problem or anomaly in the data.
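As an added example (not code from the original page or from PeopleNexus), the script below implements the enhancements listed above in plain PowerShell: a rule table decides the OU and group membership from the input row, an attribute diff reports exactly what an update would change, and rows that fail validation are reported as exceptions instead of being provisioned. By default it only produces a plan; the -Commit switch applies it with the ActiveDirectory module. The Grade column, the rule table, the sample CSV text and the in-memory $directory stand-in for Get-ADUser results are constructed for illustration.

```powershell
# Added example; not code from the original page or from PeopleNexus.
# Rules pick OU and groups from the row, the attribute diff says exactly what an
# update would change, and rows that fail validation are reported, not provisioned.
# Grade column, rule table, sample CSV and $directory are constructed for illustration;
# with -Commit the plan is applied through the ActiveDirectory module.

$rules = @(
    # First matching rule wins; each When block receives the CSV row as $r.
    @{ When = { param($r) [int]$r.Grade -le 5 }; OU = 'OU=Elementary,OU=StudentOU,DC=vrad,DC=org'; Groups = @('Students-Elementary') }
    @{ When = { param($r) [int]$r.Grade -le 8 }; OU = 'OU=Middle,OU=StudentOU,DC=vrad,DC=org';     Groups = @('Students-Middle') }
    @{ When = { param($r) $true };               OU = 'OU=High,OU=StudentOU,DC=vrad,DC=org';       Groups = @('Students-High') }
)

function Get-AttributeChanges {
    param([Parameter(Mandatory)][hashtable]$Desired, $Existing)
    # Only the attributes whose value differs from what the directory currently holds.
    $changes = @{}
    foreach ($name in $Desired.Keys) {
        $current = if ($null -ne $Existing) { [string]$Existing.$name } else { '' }
        if ($current -ne [string]$Desired[$name]) {
            $changes[$name] = @{ From = $current; To = $Desired[$name] }
        }
    }
    return $changes
}

function Resolve-UserPlan {
    param([Parameter(Mandatory)]$Row, [Parameter(Mandatory)][array]$Rules, $Existing)
    # Validate first: a row with problems is an exception for the admin, never a write.
    $problems = @()
    foreach ($col in 'Firstname', 'Lastname', 'SAM', 'Maildomain', 'Grade') {
        if ([string]::IsNullOrWhiteSpace($Row.$col)) { $problems += "missing $col" }
    }
    if ($Row.Grade -notmatch '^\d+$') { $problems += "Grade '$($Row.Grade)' is not numeric" }
    if ($Row.SAM -match '[\s"/\\\[\]:;|=,+*?<>]' -or $Row.SAM.Length -gt 20) { $problems += "SAM '$($Row.SAM)' is not a valid sAMAccountName" }
    if ($problems.Count -gt 0) {
        return [pscustomobject]@{ SAM = $Row.SAM; Action = 'Skip'; Problems = $problems; OU = $null; Groups = @(); Changes = @{}; Desired = @{}; UPN = $null }
    }
    $rule = $null
    foreach ($candidate in $Rules) {
        if (& $candidate.When $Row) { $rule = $candidate; break }
    }
    $desired = @{
        GivenName   = $Row.Firstname
        Surname     = $Row.Lastname
        DisplayName = "$($Row.Firstname) $($Row.Lastname)"
        Description = $Row.Description
    }
    $changes = Get-AttributeChanges -Desired $desired -Existing $Existing
    $action = if ($null -eq $Existing) { 'Create' } elseif ($changes.Count -gt 0) { 'Update' } else { 'NoChange' }
    [pscustomobject]@{
        SAM = $Row.SAM; Action = $action; Problems = @(); OU = $rule.OU
        Groups = @('Students-All') + $rule.Groups; Changes = $changes; Desired = $desired
        UPN = "$($Row.Firstname).$($Row.Lastname)@$($Row.Maildomain)"
    }
}

function Invoke-UserPlan {
    param([Parameter(Mandatory)]$Plan, [securestring]$InitialPassword, [switch]$Commit)
    if ($Plan.Action -eq 'Skip') { Write-Warning "$($Plan.SAM): $($Plan.Problems -join '; ')"; return }
    $diff = ($Plan.Changes.GetEnumerator() | ForEach-Object { "$($_.Key): '$($_.Value.From)' -> '$($_.Value.To)'" }) -join ', '
    Write-Output "$($Plan.Action) $($Plan.SAM) OU=$($Plan.OU) groups=$($Plan.Groups -join ',') $diff"
    if (-not $Commit) { return }   # default is a dry run
    $attrs = $Plan.Desired
    switch ($Plan.Action) {
        'Create' { New-ADUser @attrs -Name $attrs.DisplayName -SamAccountName $Plan.SAM -UserPrincipalName $Plan.UPN -Path $Plan.OU -AccountPassword $InitialPassword -Enabled $true -ChangePasswordAtLogon $true }
        'Update' { Set-ADUser -Identity $Plan.SAM @attrs }
    }
    # Add only the groups the account is not already in.
    $current = (Get-ADPrincipalGroupMembership -Identity $Plan.SAM).Name
    foreach ($g in $Plan.Groups | Where-Object { $_ -notin $current }) { Add-ADGroupMember -Identity $g -Members $Plan.SAM }
}

# Constructed sample input (Import-Csv in production) and a constructed stand-in for
# Get-ADUser results, so the plan can be reviewed with no domain connection at all.
$csv = @'
Firstname,Lastname,Maildomain,SAM,Grade,Description
"Bobby","Gilkey","vrad.org","bgilkey","3","Description here"
"Ana","Ruiz","vrad.org","aruiz","11","Moved from middle school"
"","Nolan","vrad.org","xnolan","abc",""
'@
$directory = @{ aruiz = [pscustomobject]@{ GivenName = 'Ana'; Surname = 'Ruiz'; DisplayName = 'Ana Ruiz'; Description = '' } }

$plans = foreach ($row in ($csv | ConvertFrom-Csv)) {
    Resolve-UserPlan -Row $row -Rules $rules -Existing $directory[$row.SAM]
}
$plans | ForEach-Object { Invoke-UserPlan -Plan $_ }   # add -Commit -InitialPassword (Read-Host -AsSecureString) to apply
```

Run as-is, the plan reports bgilkey as a Create into the Elementary OU, aruiz as an Update into the High OU with only Description changing, and xnolan as a skipped exception (missing Firstname, non-numeric Grade). Reviewing that output before passing -Commit is the point: the business rules and the diff are exercised on every row without touching the directory, and the initial password is supplied at run time rather than carried in the file.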
