However, little by little, I was able to finally get almost everything transfered over from the other blogs onto here.
So for any of you who have the old sites bookmarked, please bookmark this site, since the old ones wont be updated anymore.
As many of you know, or have been following. http://umratips.blogspot.com/ and http://activedirectoryadmin.blogspot.com/ are now combined into 1 easy webpage http://www.umrahelp.com. I've been meaning to combine both of the sites for awhile now, however, I've been just so busy with work and home life, that I haven't been able to get around to it.
However, little by little, I was able to finally get almost everything transfered over from the other blogs onto here.
So for any of you who have the old sites bookmarked, please bookmark this site, since the old ones wont be updated anymore.
However, little by little, I was able to finally get almost everything transfered over from the other blogs onto here.
So for any of you who have the old sites bookmarked, please bookmark this site, since the old ones wont be updated anymore.
Thursday, May 13, 2010
If you have questions email me @ jjmusicpro@hotmail.com
If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA
Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/
UMRA – Get attribute (AD) Example Tips and Help
If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.Previous UMRA Action Topics.
-Move – Rename (AD)
-Remove User Group Membership
-Set User Group Memberships
-Edit User (AD)
-Get User (AD)
-Create User (AD)
-Create user (no AD)
-Edit user logon
In this blog we will be talking about the UMRA action Set attribute (AD). Now, this is one of the main actions other then Get User (AD) in the UMRA action list. The Set attribute (AD) is typically following some type of Get User (AD) or Get object (AD). If you haven’t already read about the Get attribute (AD) function, then this function is the exact opposite of that. The Set attribute (AD) action will allow you to set an attribute in active directory to your specific value, you can set almost any attribute if you have the right input for it, such as firstname, lastname, company, group memberships, memberof, password etc. Don’t forget, you can also set flags on accounts with this function, so you can set if a user needs to reset there password upon next successful login, or any other yes/no value etc. So below is a quick overview of some of the property values of the UMRA action Set attribute (AD).
User Object -
This by default is set to %UserObject%. To bind to the user object, see the action Get User (AD) upon successful location of a user account ,it will bind to the user that it was passed, either by user dn, or user samaccountname.
Active Directory Object -
This by default is set to %ActiveDirectoryObject%. If you want to set the attribute of an active directory object such as a group, or ou, or computer account, you would remove the %UserObject% variable and use this on.
Active Directory object LDAP name –
Instead of using the action above, you can now pass the full LDAP path to the active directory object, instead of binding to the LDAP object first.
LDAP attribute display name -
This will be the active directory LDAP name such as cn, canonicalname, memberof, etc. A list of these can be found on the internet. If you do not see a attribute value name in the drop down, you can type in the attribute name into the text box.
Attribute value -
This will be the new value of the LDAP attribute you want to set. Now keep in mind that some attributes take specific data types, and store information in a specific format
Skip if new value empty –
Turn this flag to yes, if you want to skip the update, if the value you are passing to the active directory attribute is black or has no value, this will keep it from setting the attribute to %your_variable%.
Multi-value flag –
Turn this flag to yes, if you are going to update an attribute that has multi values being passed to it, such as the memberof attribute, you can now pass it a string of dn’s of groups.
Append versus update multi-value-flag –
Turn this flag on if you want to just update the group memberships of a person, or another active directory attribute, this property allows to just add to the current value, instead of over right anything that is in there.
So there you have it, as you can see the UMRA action Set attribute (AD) is one of the most widely used actions in most any project. If you have any questions feel free to email me.
Sunday, August 23, 2009
If you have questions email me @ jjmusicpro@hotmail.com
If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA
Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/
UMRA – Generic Data Table For Each Loop
Now, I have yet to cover in dept the UMRA action For Each, we talked about it a bit in past blog in conjunction with other UMRA functions, however, in this blog we will talk about how and why you would use this For Each Loop on a Generic Data Table. If you’ve been messing around with UMRA some, and know your way around, you most likely have had to loop through a table of data, either containing users, groups, or any other set of active directory objects, that you need to check on, or run some other script on. Personally, the For Each Loop in UMRA actions, is the main action that I use to loop through and process records of data. This is the primary action used when running a student information system sync with Active Directory, or a HR system sync with Active Directory.For Each Loop -
What a For Each does, is exactly what its name says “For Each”… So for each record in your table of data, it will “do something”, such as execute another project. So, you can have a table of data, of all users in a particular OU, and for each user, you want to move their home drive folder to another server, then update the active directory attribute. This is exactly what its used for, it will pass each record of the table over one by one, passing whatever data you’ve collected in the UMRA database. Now, your script you want to send “each set of data” to, will be like most UMRA scripts you’ve created that process users. Now keep in mind your “process script” will look like a script that is only going to be run on one user at a time, and it will with each pass of the UMRA For Each loop. In most cases you will have a UMRA get user action, that will get the attributes you want to check or verify, or you can pass these in your for each its up to you. Now, don’t forget to put some type of error logic on your “process” script, this will make it so if you run into any problems with your script, you can log out your user that threw an error etc.
So there you have it, the UMRA For Each Loop on a Generic table in a nutshell. Now, again this is one of the most useful actions in UMRA, so you will most likely use this procedure over and over again, as your UMRA projects grow. If you have any questions, please feel free to let me know.
Friday, August 21, 2009
Have Questions? Email Me: Email Me Click Here
Tools4Ever’s Product Downloads Below.
Download User Management Resource Administrator > Download
Download Self Service Password Reset Manager SSRPM > Download
Download Enterprise Single Sign On Manager > Download
If you want to learn the basics on how to connect to UMRA with its COM object, please see my original post on “Basics of UMRA COM”.
UMRA – Web Based Portal Access Control Security Model
Anytime you build a UMRA based portal, or we build a UMRA based portal for our clients, one of the biggest steps in development is the creation of the Security Model, or in other words your Role Based Access Types RBAC. These security / delegated permissions can range from just one type of RBAC type to access the portal, or it can be an array of RBAC types with different Roles in the portal. For example, some of our clients might use a UMRA based portal only for Password Resets that are delegated out to Secretaries of a school or business there for, the Security Model wont need to be that large, since only one type of user is entering the portal. However, if you have Secretaries being able to change active directory passwords, and you want managers, to have the ability to update active directory attributes, you will need to have multiple types of RBAC types, since you don’t want to delegate the ability to secretaries to change users active directory attributes. Now you’re most likely asking yourself, what is the best way to go abouts setting up a Security Model for your UMRA based portal? Almost 95% of the time when I develop portals for our clients, they use Group Based Access, so if someone is in GROUP X in active directory, we will consider this type of user “Admin” for example.So this is one way of figuring what type of a Security Model is looking at the users active directory group memberships to determine what type of user they are, or what type of RBAC type they are. As I’ve mentioned above, you can search a users groups for “Group X” if a user has this ground in there memberof attribute (the memberof attribute contains all DN’s of groups in active directory), then we can label this user as Type X user. Now if a user has multiple Groups you have designated for RBAC types, you can either display a drop down to the user upon login, for them to select what type of ROLE they want to be in when they enter the portal.
Now this is one way to setup a Security Model on your UMRA based portal. In my next blog I will talk about creating a METABASE for your figuring our your RBAC types. I hope this helps any of you out there with trying to do such a task, if you have questions feel free to ask.
Thursday, August 20, 2009
If you have questions email me @ jjmusicpro@hotmail.com
If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA
Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/
UMRA – LDAP Power School Sync With Active Directory
Now most of you out there have heard of the Student Information System SIS called Power School. This is a popular SIS that allows for school districts to manage students and faculty in active directory and other systems. However, one of the biggest drawbacks to these systems is the lack of LDPA connections for automation of data changes, and data creations. This is exactly where UMRA comes into play, since UMRA has the ability to connect to almost any ODBC complaint database, or even data from a CSV or network data, UMRA can take all this data and create the LDAP sync with Power Scholl that you’re looking for. Now, some of you might be asking what are the limitations of UMRA LDAP Power School Sync, the answers is really none. Yes, none. UMRA has the ability to take the SIS Power School SIS and sync it with Active Directory. UMRA can create, modify, or move any active directory object on an automated schedule. The days of spending countless weeks or hours moving students, updating students are over, UMRA can now link to Power School, compare all the current Student Records with those in active directory. Below is a quick overview of one of the many scenarios we automate for our Power School Clients.End of the year “Round Up” -
This process is sometimes called that, or maybe something else your company might call it. What the “Round Up” is, is the process you have for when all your students move up a grade. In most cases our clients have to move students, update Active Attributes, move home drives, or even move exchange email accounts from one mail serve to the next. As we all know this is a very long process, that can take weeks, however with UMRA LDAP Power School Sync this process is done with ease, and all in the background. UMRA can take the data in Power School, sync it with Active Directory compare it against the Power School Data. If something is different such as Grade, Name, or anything else. UMRA can take that user object, and move them, reapply group memberships, move home drives to mapped servers, reapply security to those folders, all automated.
Now I hope this gives anyone out there a better idea of how flexible UMRA is in creating a UMRA LDAP Power School Sync. As you can see, the limitations are minimal; since UMRA can mimic any work flows you have now, and put those on an automated schedule. If you have any questions feel free to email me.
Wednesday, August 19, 2009
If you have questions email me @ jjmusicpro@hotmail.com
If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA
Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/
UMRA – Bulk Reset Active Directory User Password Last Set
Just recently I was tasked with resting eight thousand Active Directory Users Password Last Reset attribute. The issues came about after our client previously edited all these users, yes you heard right, manually edited these users for a 60 day password expiration. However, some of their project deadlines were pushed back, and if these users passwords expired, they would be locked out of multiple systems. So this is a perfect example of where to use UMRA bulk capabilities to manage all of this. The previous manual method took them over 3 days with 2 full time staff working on this, however, running this change with UMRA took me 20 minutes, and I even logged all my data to a text file for the client. So How did I change this Active Directory attribute, to set the Password Last Set to today’s date, so it would give them another 60 days of grace time? Easy, since UMRA has the ability to loop through a set of users, either from network data, a CSV, or a table of users in an OU, or multiple OU’s. I was able to quickly create a table of all users in a specific OU, then set the pwdlastSet value to 0, then after this was done, rerun the project and set the pwdlastSet attribute to 1, setting it to 1 will set it as the current date. Now, keep in mind, this was not a small company, and around 15 or so people were on the phone as I was doing this. I advised them, we will do 2 runs of this project, and also, I will log to a .CSV file all the users I edited, and what we set there pwdlastSet attribute to. After all was said and done, a 20 minute UMRA script did what took them over 300 man hours to do.Now I hope this gives some of you out there an idea of just how fast UMRA can get or set attributes in Active Directory. But again, if you have any questions or comments, please feel free to email me, thanks again.
Tuesday, August 18, 2009
If you have questions email me @ jjmusicpro@hotmail.com
If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA
Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/
UMRA – Bulk Active Directory User Password Reset
After looking through some of my blog statics I see there is a real interest in some of the Bulk UMRA Password Resets on Active Directory users. So this blog will be about the different ways you can go about resting Active Directory Passwords either in bulk, or on a one of basis. So now if you haven’t already go download User Management Resource Administrator, developed by tools4ever. This will get you up to speed with the examples and other topics I am talking about. So lets start with the basics, and answers a few questions quickly. How, fast can UMRA rest passwords. It can reset about 10 a second if now a bit more, I’ve personally done a complete active directory password reset on 5k users, and it took about ten minutes. So, as you can see UMRA is a very fast tool, in completing the tasks you need to do on Active Directory. Now below is a quick way you can update some of users in active directory passwords.Now, keep in mind there are hundreds of way you can reset your users passwords with UMRA, and this will just go over a typical way we’ve done it for our clients. So first thing is first, the “data” now when I say “data” what does this mean, it means the data we will use to figure out who we will reset. Now, depending on what UMRA module you have, you can use different types of data. For this example though, we will just use CSV data. Now, we will assume this CSV has the usernames of the users in Active Directory you want to update. Another big decision you will have to figure out is, what do you want to set the users password to, most likely you don’t want to change them all to the same thing, so some of the things you can do are… Take an Active Directory Attribute, such as employeeid, and maybe the users lastname combine those together, and use that as the user’s new password. But also, at the same time, flag the Active Directory account to be changed upon the next successful login. So once you have your script all ready with the work flow above, or your own flow, just run one user through, or run them all through, and in minutes you’ve completed your Bulk Active Directory Password Reset.
So I hope this helps some of you out there, who might be trying to create such a script. As you can see it’s a fairly simple script to create, and really quick and easy to run.
Thursday, August 13, 2009
Subscribe to:
Posts (Atom)