
Utilizing Active Directory to automate provisioning

This article focuses on utilizing Active Directory and Group Policy to automate provisioning.

This article is part of the Identity and Access Management Security School lesson on automated provisioning. Visit the Automated provisioning lesson page for more learning resources.

Provisioning simply means to make available. When you need to provide user accounts for a new employee or a contract consultant, the number of accounts the user might need and the hardware they require are all part of the provisioning process. There are two issues that any administrator will confront during account provisioning: how to ensure that it is consistent, and how to make what is usually a tedious process as simple as possible.

As one element of achieving federated identity in an enterprise, automating account provisioning is a basic first step in the identity and access management process.

The challenge of account provisioning

When determining a strategy for automated account provisioning for a particular environment, there are a number of factors to consider, both conceptual as well as technical. Account provisioning can be a critical part of an identity management strategy for a small- to mid-sized organization, but for larger organizations it is practically mandatory.

Even in a small organization, you may need to configure user accounts in Active Directory as well as in an ERP or HR system such as SAP or PeopleSoft, or perhaps you're part of a large, heterogeneous network in which your users have accounts in an Active Directory domain as well as on a Novell or Unix-based network. Account provisioning and identity management serve a number of functions in organizations of all sizes: they allow your users to approach or achieve single sign-on, even in a mixed environment, and they help to close the security gaps caused by accounts being created or deleted inconsistently across multiple identity stores.

Identity management is also necessary when you're talking about group memberships that control access to your company's resources. This is important because you want a new user to have the access that they need as soon as they begin working, rather than sitting on their hands for their first three days on the job or making dozens of help-desk calls to access each system that they need. This process continues as time goes on and people leave the organization or their responsibilities change; you want to have a process in place to provide access to new resources and remove old access that's no longer required.


As you're planning for the creation of an account provisioning process, you should also give some thought to how you are going to handle account de-provisioning as well; you'll sometimes hear this referred to as "on-boarding" and "off-boarding" or "cradle-to-the-grave account management." Whatever terminology you use, it's important to take an active role in managing all stages of a user account's lifecycle on your network.

The security considerations in play here should be obvious -- if a user has an account in two or three different locations, it's not just inefficient to have to manually delete three separate accounts. Rather, leaving an active account on one of your account stores for a user who should no longer have access can leave your organization wide open to unauthorized access attempts. In some cases this can be as much a procedural issue as a technical one. I know of many administrators in smaller environments who complain that there isn't a good handshake from the human resources side of the house for provisioning OR de-provisioning. Either you get a phone call at 9 a.m. saying that Jim Jones started as a new employee 30 minutes ago and needs an account, or you hear on the rumor mill that James Anderson left the company six months ago, but nobody informed the IT department, so all of his accounts are still active.

Even if you have a procedure in place with HR where they inform you of every employee who's leaving the company, there's still more to the story than just clicking on a user's account in AD Users & Computers and hitting 'Delete'. Does the user have a home directory, and if so, what should happen to the files contained in it? Do they have an Exchange mailbox associated with their account that should be forwarded or deleted? What about their SAP account or their access to your company's Oracle databases? When an employee leaves your company or even just moves from one role to another, you need to have a procedure in place to deal with any lingering resources associated with that user's role in the organization.
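The off-boarding steps above can be scripted against the directory with ADSI from PowerShell. The following is an added example, not code from the original article: it disables the account, scrambles the password, strips group memberships, records why the account was disabled, moves it to a quarantine OU, and reports the lingering resources (home directory, mailbox) that the text says need a decision rather than an automatic delete. The OU name, the HR reference format and the sample DN are assumptions; Exchange and file-server cleanup are deliberately left to the procedure you agree with HR and the business owners.

```powershell
# Added example (not from the original article): an ADSI off-boarding routine.
# Quarantine OU, reference format and the sample DN below are assumptions.
# Mailbox and home-directory handling are reported, not automated, because the
# right action for them (forward, archive, delete) is a business decision.

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory=$true)][string]$UserDN,
        [Parameter(Mandatory=$true)][string]$QuarantineOuDN,
        [Parameter(Mandatory=$true)][string]$Reference   # HR ticket or termination record
    )
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$UserDN")) {
        throw "No such account: $UserDN"
    }
    $user = [ADSI]"LDAP://$UserDN"

    # 1. Disable first: set ADS_UF_ACCOUNTDISABLE (0x2) so no further logons succeed.
    $uac = [int]$user.userAccountControl.Value
    $user.Put('userAccountControl', ($uac -bor 0x2))
    # Record when and why, so a disabled-but-not-deleted account is explainable later.
    $user.Put('description', "Disabled $(Get-Date -Format 'yyyy-MM-dd') ref $Reference")
    $user.SetInfo()

    # 2. Scramble the password so anything that cached the old credential is useless.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $user.SetPassword([Convert]::ToBase64String($bytes))

    # 3. Revoke access the way it was granted: through group membership.
    #    (The primary group, normally Domain Users, is not listed in memberOf.)
    $removed = @()
    foreach ($groupDN in @($user.memberOf)) {
        $group = [ADSI]"LDAP://$groupDN"
        $group.Remove($user.psbase.Path)
        $removed += $groupDN
    }

    # 4. Surface the lingering resources that need a human decision.
    $report = [ordered]@{
        Account       = $UserDN
        HomeDirectory = [string]$user.homeDirectory.Value
        MailNickname  = [string]$user.mailNickname.Value   # populated when Exchange mailbox-enabled
        GroupsRemoved = $removed
    }

    # 5. Move out of the production OU so delegated admins and GPOs stop applying to it.
    $user.psbase.MoveTo([ADSI]"LDAP://$QuarantineOuDN")
    return $report
}

# Usage (DN and reference are constructed for the example):
# Disable-LeaverAccount -UserDN 'CN=James Anderson,OU=Staff,DC=example,DC=com' `
#     -QuarantineOuDN 'OU=Disabled Users,DC=example,DC=com' -Reference 'HR-0142'
```

Disabling and moving the account, rather than deleting it, keeps the SID and the object's attributes available while the home directory, mailbox and any non-AD accounts (SAP, Oracle) are dealt with; the returned report is what you hand to whoever owns those follow-up steps.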

Active Directory strategies

Depending on the size of your network and the budget that you want to allot to creating an identity management process, you have a number of tools available to you, including the account management capabilities that are built right into Active Directory, as well as Microsoft add-ons and third-party tools. The built-in MMC snap-ins such as AD Users & Computers can't enforce business rules on their own; for example, the ADUC snap-in can't require that every user created in your domain has its Title field populated. You can, however, write custom scripts and applications using the Active Directory Service Interfaces (ADSI), or drive account creation from command-line tools like dsadd and dsmod, and put the rule checks in the script.
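As an added example (not code from the original article), the following PowerShell script uses ADSI to create a user only after the business rules the snap-in cannot enforce have passed: required attributes such as Title populated, sAMAccountName unique and within the 20-character limit, and the manager an existing object. The OU names, the required-attribute list, the UPN suffix and the group DNs are assumptions for illustration. The same creation step could be done with dsadd; what the script adds is the checking before the account exists.

```powershell
# Added example (not from the original article): provisioning a user through ADSI
# while enforcing business rules the ADUC snap-in cannot. The OU names, the
# required-attribute list, the UPN suffix and the group DNs are assumptions.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 filter metacharacters. A value lifted from an HR feed
    # must not be able to rewrite the search filter (LDAP filter injection).
    param([string]$Value)
    $escaped = $Value -replace '\\', '\5c'      # backslash first, or later escapes get re-escaped
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Test-SamAccountNameInUse {
    param([string]$SamAccountName, [string]$SearchBaseDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBaseDN")
    $searcher.Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    return ($null -ne $searcher.FindOne())
}

function New-ProvisionedUser {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Attributes,                    # from the HR record
        [Parameter(Mandatory=$true)][string]$TargetOuDN,
        [Parameter(Mandatory=$true)][string]$DomainDN,
        [Parameter(Mandatory=$true)][string]$UpnSuffix,                        # e.g. example.com
        [Parameter(Mandatory=$true)][System.Security.SecureString]$InitialPassword,
        [string[]]$RoleGroupDNs = @()
    )
    # Rule 1: refuse to create an account with any of these attributes empty.
    $required = 'givenName', 'sn', 'sAMAccountName', 'title', 'department', 'manager'
    $missing = @($required | Where-Object { [string]::IsNullOrWhiteSpace($Attributes[$_]) })
    if ($missing.Count -gt 0) {
        throw "Refusing to provision: missing required attribute(s): $($missing -join ', ')"
    }
    # Rule 2: sAMAccountName must fit the 20-character pre-Windows 2000 limit and be unique.
    $sam = $Attributes['sAMAccountName']
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' is longer than 20 characters" }
    if (Test-SamAccountNameInUse -SamAccountName $sam -SearchBaseDN $DomainDN) {
        throw "sAMAccountName '$sam' is already in use"
    }
    # Rule 3: the manager must already exist, so the reporting chain is intact from day one.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($Attributes['manager'])")) {
        throw "Manager '$($Attributes['manager'])' does not exist in the directory"
    }

    $ou = [ADSI]"LDAP://$TargetOuDN"
    $cn = "$($Attributes['givenName']) $($Attributes['sn'])"
    $user = $ou.Create('user', "CN=$cn")
    foreach ($name in $required) { $user.Put($name, $Attributes[$name]) }
    $user.Put('displayName', $cn)
    $user.Put('userPrincipalName', "$sam@$UpnSuffix")
    $user.SetInfo()                      # the object must exist before a password can be set

    # Set the initial password, force a change at first logon, then enable the account
    # (512 = ADS_UF_NORMAL_ACCOUNT with ADS_UF_ACCOUNTDISABLE cleared).
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($InitialPassword)
    try {
        $user.SetPassword([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $user.Put('pwdLastSet', 0)
    $user.Put('userAccountControl', 512)
    $user.SetInfo()

    # Access is granted through role groups, so membership is a provisioning step too.
    foreach ($groupDN in $RoleGroupDNs) {
        $group = [ADSI]"LDAP://$groupDN"
        $group.Add($user.psbase.Path)
    }
    return "CN=$cn,$TargetOuDN"
}

# Usage (values are constructed for the example):
# $attrs = @{ givenName='Jim'; sn='Jones'; sAMAccountName='jjones'; title='Analyst';
#             department='Finance'; manager='CN=Jane Smith,OU=Staff,DC=example,DC=com' }
# New-ProvisionedUser -Attributes $attrs -TargetOuDN 'OU=Staff,DC=example,DC=com' `
#     -DomainDN 'DC=example,DC=com' -UpnSuffix 'example.com' `
#     -InitialPassword (Read-Host -AsSecureString 'Initial password') `
#     -RoleGroupDNs 'CN=Finance-Users,OU=Groups,DC=example,DC=com'
```

Because the rules are checked before `Create` is called, a record that fails them never produces a half-populated account that someone has to find and fix later, which is exactly the inconsistency the text warns about. Escaping the search value matters even for an internal HR feed: a surname containing a parenthesis or asterisk would otherwise break, or change the meaning of, the uniqueness check.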

If the built-in AD utilities are insufficient for your needs, one free option for setting up account provisioning in a small environment is the Identity Integration Feature Pack (IIFP), a free download from the Microsoft Web site that synchronizes user and password information between Active Directory, ADAM, and Exchange 2000 and 2003. Although IIFP itself is free, it requires a Windows Server 2003 computer and an instance of SQL Server in order to function in your environment.

The next step up from IIFP is Microsoft Identity Integration Server (MIIS). Instead of being a free download like IIFP, MIIS is a paid add-on. The significant benefit of MIIS is the much larger number of Management Agents you can synchronize across. In addition to AD, ADAM, and Exchange 2000 and 2003, you can use MIIS to synchronize data in Windows NT 4, Sun ONE Directory Server, SQL Server 7 and 2000, Oracle 8i and 9i, Lotus Notes, Novell eDirectory, CSV and fixed-width text files, and LDIF files. And because MIIS uses SQL Server as its back end, you can use SQL Server's Data Transformation Services to pull from other data sources like dBase, Excel spreadsheets and OLE DB data providers. Third-party vendors also have the option to create their own Management Agents to use with MIIS. You can download a trial version of MIIS from Microsoft's Identity Integration Server page.

We've obviously only started to scratch the surface of the different options available to set up account provisioning in your environment, whether you stick with built-in Active Directory tools or step up to MIIS or a third-party tool. Just like anything else, you've got a wide range of resources available to you out on the Web, including Web sites, blogs and user communities. An excellent starting point is the MIIS homepage, as well as the Identity and Directory Services homepage.

About the author
Laura E. Hunter, CISSP, MCSE: Security, MCDBA, Microsoft MVP, is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (Apress Publishing).

This was last published in July 2006
