5

I work in a small organization that uses a single file & print server with an Active Directory domain for user management.

The office admin who inducts new people is non-technical and generally creates the AD user account because there is no permanent IT support on-site and users need their accounts immediately. However, there is follow-up work that needs to be done after that (creating an extension on the PBX, setting up voicemail, form filling, etc, etc) which needs to be farmed out to various different people.

The manual process we have works for the most part, but has gaps and things sometimes get forgotten. I am not in any position to re-architect these business processes, such as they are, so for the purposes of this question, please can we take it as read that the business process is immutable. My solution needs to mesh with the existing process.

Essentially what I think I need is a way to generate email notifications upon manual creation of a new user in Active Directory - a sort of lightweight workflow engine that just emails people and/or my ticketing system with the follow-up tasks that need doing. Yes, I know it's not best practice, yes I know it's not cool, but given my situation, I think that's the most pragmatic solution.

Is there a simple, lightweight way to do this? I'm thinking along the lines of a PowerShell script or something like that (there's no budget for a proper IDM system and, as I mentioned, the business process is immutable).

Tim Long
  • warm lead: I found a VBScript that interrogates AD for new users and computers: http://blog.netnerds.net/2007/02/active-directory-newly-added-users-and-computers-notification-via-e-mail/ – Tim Long May 18 '11 at 20:02

4 Answers

3

To help a little with the email from PowerShell: I've used System.Net.Mail.SmtpClient to send from PowerShell.

# Set $Sender, $Recipient and $Mailserver before running this
$Mail = New-Object System.Net.Mail.MailMessage($Sender,$Recipient)
$Mail.IsBodyHTML = $True

## Setup SMTP Mail Server info
$MailClient = New-Object System.Net.Mail.SmtpClient
$MailClient.Host = $Mailserver

$Mail.Subject = "Subject"
$Mail.Body = "blah blah blah"

# Send the message
$MailClient.Send($Mail)

You would need to specify the $Sender, $recipient, and $mailserver.

HostBits
  • while a fine script to send email this doesn't help with detecting a new user in AD – Jim B May 18 '11 at 18:34
  • I think it's kinda harsh to downvote when this is clearly helpful to part of the question. The OP wants a way to email out on creation of an AD account. This helps accomplish that task. – HostBits May 18 '11 at 18:46
  • really? this kind of answer is kind of like asking for a cake recipe and getting back 1. buy frosting – Jim B May 18 '11 at 19:01
  • +1 partial solution - source code always good :) – Tim Long May 18 '11 at 19:09
  • @JimB Well if I asked for a cake recipe and got back 1.Buy Frosting that would be completely unhelpful, seeing as frosting isn't an ingredient to make a cake. :P – HostBits May 18 '11 at 19:15
2

So this is more of a process issue than a technological issue. It seems to me that you don't have some sort of ticketing system. I would highly suggest putting one in place as it will help other areas too. Decent systems will let you set up a workflow that lets you "push" the ticket to the next person in line once your piece is done.

As a worst case, you would be able to manually create the flow by pushing the ticket around and having an "owner" who it gets pushed back to, to be moved to the next person.

To answer your direct question, yep you can create a PowerShell script that will create an AD user, then you can send mail - haven't had to do this in PowerShell v2 yet, but in v1 you had to dive into the .Net objects to send the mail, but it isn't that hard (get-object is your friend).

Zypher
  • Well, it is really both a process and technological issue. The process is largely manual but error-prone, I'm trying to introduce a bit of lightweight automation to 'prod' the right people into action. We do in fact have a ticketing system, and the simplest way to get a ticket created is to send an email to it. I can't mandate that people use the ticketing system to request new user accounts - it's a complicated arrangement for a variety of valid reasons, and I'm not in a position to re-work the existing processes, so my solution needs to layer on top of the manual processes already in place. – Tim Long May 18 '11 at 17:04
  • Also please note, I don't want to CREATE the AD user. The user account will be created manually. I want that to trigger my script/workflow. Essentially, at the simplest level, I want an email notification upon new AD user creation. – Tim Long May 18 '11 at 17:06
  • Well, yes this is really not a tech issue. It's a process issue. What you are really going to do is add an error prone script to just send an email a person can ignore? I'm sorry but if you can't mandate that the ticketing system needs to be used for _all_ tech things including user creation something is fundamentally broken at this place. – Zypher May 18 '11 at 20:48
  • that's just not very helpful, sorry. I came here for help, not to be told my organization is broken. In an ideal world you may be correct, but I am not the CEO of the organization and I just don't get to set the policy. Sometimes one has to do the best they can with what they've got. – Tim Long May 18 '11 at 22:57
1

Based on the discussion that has occurred so far and your comments on them, I would suggest a scheduled task that runs once an hour to catch any new users, which sends an email containing any new users in that last hour.

If you format the email nicely, including all the steps in your workflow then the first person who gets it can comment on their task (or strikethrough the text) and then forward the email on.

While not effective in immediately communicating new hires, it is:

  1. Simple
  2. Effective in communicating for your small business size
  3. Very low on resources

Here is the PowerShell you can use to find the names of users created in the last hour:

# Timestamp for one hour ago in LDAP generalized-time format (YYYYMMDDHHMMSS.0Z), in UTC as AD stores whenCreated
$date = [datetime]::UtcNow.AddHours(-1)
$lasthour = "{0:0000}{1:00}{2:00}{3:00}{4:00}{5:00}.0Z" -f $date.Year,$date.Month,$date.Day,$date.Hour,$date.Minute,$date.Second

$strFilter = "(&(objectCategory=User)(whenCreated>=$lasthour))"

# Bind to the default naming context of the current domain
$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter

$colPropList = "name"
# Add() returns the new index; discard it so it does not end up in the script output
foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $objItem.name}

Alternatively, you could write something up in PowerShell to facilitate the creation of a user based on staff input, and then continue on with an email at the end of that process.

Overall if you have a ticket system in place already, I'd suggest that as the best option, because it is something that can be used to track in a detailed manner. What I have typed above is really just an informal ticket with a lot of room for error.

Jeff Miles
  • OK, this is the right stuff. Now I have a bit of PowerShell to get my AD users, and another bit to send an email. I can probably figure out how to glue them together. Thanks Jeff. – Tim Long May 18 '11 at 22:52
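Gluing the two halves together (the AD search from this answer and the mail sending from HostBits' answer), as an added example that is not from any of the answers above. It assumes a scheduled task running under an account that can read the domain and relay through the SMTP host, uses Send-MailMessage (PowerShell 2.0+) instead of the raw SmtpClient objects, and replaces the fixed one-hour window with a persisted last-run timestamp so a skipped task run cannot silently miss an account; $MailServer, $Sender, $Recipients and $StateFile are placeholders.

```powershell
# Added example, not from any answer above: scheduled-task script that mails the
# follow-up checklist for accounts created since the last successful run.
# Placeholders to adjust: $MailServer, $Sender, $Recipients, $StateFile.
$MailServer = 'smtp.example.local'
$Sender     = 'ad-notify@example.local'
$Recipients = 'helpdesk@example.local'   # e.g. the ticketing system's inbound address
$StateFile  = 'C:\Scripts\newuser-lastrun.txt'

# High-water mark instead of a fixed one-hour window: a skipped or late task run
# then cannot silently miss an account. The first run looks back 24 hours.
if (Test-Path $StateFile) {
    $since = ([datetime]::Parse((Get-Content $StateFile))).ToUniversalTime()
} else {
    $since = [datetime]::UtcNow.AddHours(-24)
}
$now = [datetime]::UtcNow

# whenCreated is compared as LDAP generalized time (UTC), as in the answer above.
$ldapTime = $since.ToString('yyyyMMddHHmmss.0Z')
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$searcher.PageSize = 1000
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$ldapTime))"
foreach ($p in 'sAMAccountName','displayName','whenCreated','distinguishedName') {
    [void]$searcher.PropertiesToLoad.Add($p)
}
# First value of an attribute, or '' if the attribute is not set on the object
function Get-Prop($r, $name) { [string]($r.Properties[$name] | Select-Object -First 1) }
$newUsers = @($searcher.FindAll() | ForEach-Object {
    New-Object PSObject -Property @{
        Account = Get-Prop $_ 'samaccountname'
        Name    = Get-Prop $_ 'displayname'
        Created = [datetime]($_.Properties['whencreated'][0])
        DN      = Get-Prop $_ 'distinguishedname'
    }
})

if ($newUsers.Count -gt 0) {
    $lines = @("New AD accounts created since $($since.ToString('u')):", '')
    foreach ($u in $newUsers) {
        $lines += "  $($u.Account)  $($u.Name)  created $($u.Created.ToString('u'))"
        $lines += "    $($u.DN)"
    }
    $lines += '', 'Follow-up checklist (forward when your step is done):',
              '  [ ] PBX extension', '  [ ] Voicemail', '  [ ] HR forms'
    Send-MailMessage -SmtpServer $MailServer -From $Sender -To $Recipients `
        -Subject "New AD accounts: $($newUsers.Count)" -Body ($lines -join "`r`n")
}
# Advance the high-water mark only after the mail went out (Send-MailMessage throws on failure).
Set-Content -Path $StateFile -Value $now.ToString('o')
```

Accounts created and deleted between two runs, or re-created after a mistake, still show up as new, so the recipients should expect the occasional duplicate rather than treat every line as an unconditional task.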
0

What you are really asking for is a new AD admin. While technically possible to create a script to poll for AD changes, look for new user objects and send you a list, the effort involved in even verifying the new user needs the next step in your workflow done that you have a new email about (what about accounts that get re-created due to a mistake?) would be more than simply getting the admin to follow the process you've outlined. It’s the admin that should be asking for a way to automate his email, rather than you looking for a way to see that he's done it. You need to resolve your process issues before you can think about automating them

Jim B
  • So what you're saying is that I'm asking the wrong question. I know you're trying to be helpful and in principle I agree with you - but I am practicing the art of the possible in a real-world situation here. I can't fix the world; sometimes politics and resource constraints dictate suboptimal solutions. – Tim Long May 18 '11 at 19:14
  • @tim, it's not about fixing the world, it's about being realistic. All the automation in the world will not fix a broken process. I'm shocked to hear that you can't get the non-technical person to use either a script or webform to create the account (which should be simpler for a non-technical person to use since it can be automated and prettier than ADUC). I've not come across a non-technical person that doesn't jump at the chance at doing things simpler. – Jim B May 18 '11 at 22:08