
Handling Duplicates When Provisioning

Provisioning isn’t always about creating new things. Handling duplicates when provisioning is an important part of a provisioning solution. This is true no matter the kind of object that’s provisioned, what directory platform or platforms are involved, and whether the process is occurring as a one-off via a web form or thousands of records are being processed in a hands-free bulk process.

Options for Duplicate Handling When Provisioning with PeopleProvision

In PeopleProvision, you can configure what happens when a duplicate is encountered and what constitutes a duplicate. You can configure this differently for different directory platforms, which is important since multiple platforms might be involved in a single action.

When a duplicate is found, most implementations we’ve found choose to perform an update. Other options include always creating a new item (this involves the solution finding a unique name) and ignoring the duplicate. Ignoring it is a good option if duplicates are an anomaly; you could set the solution to notify you if this happened.

PeopleProvision can be configured so that a small update by a user or automated bulk process can lead to more involved changes to your directory platform. You can make this happen by pre-configuring business rules. In addition to discussing duplicates, the video below contains a good example of this.

Finding Users with No Logon Script in Active Directory

Finding users with no logon script, or being alerted in real time when one is created, is an important part of sound maintenance of Active Directory. The quicker you know about users with this condition, the more calls to the helpdesk you can head off. Users created or configured without a logon script may be missing valuable application configuration information, may not have access to network drives and printers, and may also miss critical updates and patches. This becomes a security and productivity problem.

Find Users with No Logon Script Using PowerShell

When you run the following scripts on a machine with RSAT installed, they will fetch users who have no logon script in a particular domain.

Method #1:

    # Load the Active Directory module (installed with RSAT)
    Import-Module ActiveDirectory
    # User objects with no scriptPath value, excluding critical system accounts
    Get-ADUser -LDAPFilter "(&(objectCategory=Person)(objectClass=User)(!(scriptPath=*))(!(isCriticalSystemObject=TRUE)))"

This first method uses an LDAP query on the “scriptPath” attribute in Active Directory.

Method #2:

    Import-Module ActiveDirectory
    # Users whose scriptPath attribute is not set
    Get-ADUser -Filter {-not (scriptPath -like "*")}

You might also want to use a service account (“-Credential” on your PowerShell commands) to keep things more secure. There are several other methods that don’t require RSAT (and the “activedirectory” module). These are some convenient techniques to start.

Web Active Directory’s PeopleAudit

Web Active Directory’s PeopleAudit allows you to run a report like this on demand. Also, you can delegate it safely to others in your organization to run via their web browser. Users can filter and sort the results on the fly, and with a single button press print the results or export to your clipboard, PDF, Excel, or CSV. Safely and securely specify the service account to use to perform the reporting tasks. Customize the report results and filters without scripting or coding. Schedule these reports for delivery to you or others in your organization via configurable emails.
This is especially important when you want to be notified that users are missing logon scripts without opening a browser to check.  You can also employ real-time monitoring to receive an alert if a user gets created without a logon script. Web Active Directory’s PeopleProvision can ensure that newly provisioned users always have a logon script if you want.
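As an added example (not code from the original article or from Web Active Directory), the PowerShell methods above can be wrapped into a report that binds with a service account, skips disabled accounts, and flags recently created users. The function name, its parameters, the OU path and the output file name are assumptions made for illustration.

```powershell
# Added example, not from the original article. Requires RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

function Get-UserWithoutLogonScript {
    [CmdletBinding()]
    param(
        # Hypothetical parameters: OU to search, account to bind with, "recent" window.
        [string]$SearchBase,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$RecentDays = 7
    )

    # Same condition as Method #1, plus a bitwise userAccountControl test
    # (ACCOUNTDISABLE = 2) so disabled accounts are left out of the report.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(scriptPath=*))' +
              '(!(isCriticalSystemObject=TRUE))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    $params = @{
        LDAPFilter = $filter
        Properties = 'whenCreated', 'scriptPath'
    }
    # Only pass the optional arguments that were actually supplied.
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    if ($Credential) { $params.Credential = $Credential }

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            WhenCreated       = $_.whenCreated
            # True for accounts created inside the window: likely provisioning misses.
            RecentlyCreated   = ($_.whenCreated -ge $cutoff)
        }
    } | Sort-Object WhenCreated -Descending
}

# Constructed usage: the OU path and CSV file name are placeholders.
$cred = Get-Credential -Message 'Read-only reporting service account'
Get-UserWithoutLogonScript -SearchBase 'OU=Staff,DC=example,DC=com' -Credential $cred |
    Export-Csv -Path .\users-without-logon-script.csv -NoTypeInformation
```

A read-only account is enough for this query, so the credential passed here does not need any write or administrative rights in the directory.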

Reset Passwords Without Multi-Factor Authentication

The majority of the time, when performing password resets, you want security measures in place so you know the person or persons receiving new passwords can be verified to be who they say they are. With a self-service password reset solution like PeoplePassword, this verification involves a configurable process of multi-factor authentication. This process is important whether the user is performing their own password reset or the help desk is walking a user through doing so. In either instance it’s essential for the user to identify themselves. Simply calling the helpdesk and saying “I’m Jane Doe, please reset my password” isn’t good enough these days. To reset passwords without multi-factor authentication in most cases is a mistake.

There are some instances, however, when you want to be able to delegate password reset functions where no factors of authentication are required. One common example we see of this might be in a school or university environment where teachers and/or faculty need the ability to reset students’ passwords. Burdening the IT helpdesk and delaying classroom productivity is not a good option. In these cases multi-factor authentication can be overkill since the student is there in person and can readily identify themselves. New passwords are communicated safely on the spot.

Password Resets on Multiple Platforms in Real-Time

A further requirement is to be able to reset passwords on multiple platforms in real time. It’s not good enough to reset a password in on-premises Active Directory (for example) and to have to wait some amount of time for a sync to occur with G Suite or Azure Active Directory in the cloud. In some situations, waiting for a sync for a data update is palatable. With password data, it’s just more lost productivity as a user has to wait some (usually unknown) amount of time before the sync happens.

PeopleUpdate Password Resets With Secure Delegation

In PeopleUpdate you can delegate such a function to reset passwords in multiple directory platforms in real time. Reset users’ passwords in on-premises Active Directory, Azure Active Directory, and G Suite all at once or selectively in real time.

As with all of PeopleUpdate’s management functionality, you can control who can access this functionality. In the context of user password resets, you can also control the scope of an individual user’s search. In the classroom example, that might mean only giving a faculty member the ability to reset passwords of students in his or her class but to no other user in the system.

This functionality comes out of the box ready to configure if needed. For example, you could give the option to force the affected user to change their password the next time they log on or to unlock their account if they tried too many times to access and became locked out. This password reset functionality can be configured to your liking on multiple platforms without scripting or coding.
