UMRA – Get attribute (AD) Example Tips and Help

at 10:31 AM

If you have questions email me @ jjmusicpro@hotmail.com

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Get attribute (AD) Example Tips and Help

User Object -
This by default is set to %UserObject%. To bind to the user object, see the action Get User (AD) upon successful location of a user account ,it will bind to the user that it was passed, either by user dn, or user samaccountname.

Active Directory Object -
This by default is set to %ActiveDirectoryObject%. If you want to set the attribute of an active directory object such as a group, or ou, or computer account, you would remove the %UserObject% variable and use this on.

Active Directory object LDAP name –
Instead of using the action above, you can now pass the full LDAP path to the active directory object, instead of binding to the LDAP object first.

LDAP attribute display name -
This will be the active directory LDAP name such as cn, canonicalname, memberof, etc. A list of these can be found on the internet. If you do not see a attribute value name in the drop down, you can type in the attribute name into the text box.

Attribute value -
This will be the new value of the LDAP attribute you want to set. Now keep in mind that some attributes take specific data types, and store information in a specific format

Skip if new value empty –
Turn this flag to yes, if you want to skip the update, if the value you are passing to the active directory attribute is black or has no value, this will keep it from setting the attribute to %your_variable%.

Multi-value flag –
Turn this flag to yes, if you are going to update an attribute that has multi values being passed to it, such as the memberof attribute, you can now pass it a string of dn’s of groups.

Append versus update multi-value-flag –
Turn this flag on if you want to just update the group memberships of a person, or another active directory attribute, this property allows to just add to the current value, instead of over right anything that is in there.

So there you have it, as you can see the UMRA action Set attribute (AD) is one of the most widely used actions in most any project. If you have any questions feel free to email me.

UMRA – Generic Data Table For Each Loop

at 8:55 PM

UMRA – Generic Data Table For Each Loop

Now, I have yet to cover in dept the UMRA action For Each, we talked about it a bit in past blog in conjunction with other UMRA functions, however, in this blog we will talk about how and why you would use this For Each Loop on a Generic Data Table. If you’ve been messing around with UMRA some, and know your way around, you most likely have had to loop through a table of data, either containing users, groups, or any other set of active directory objects, that you need to check on, or run some other script on. Personally, the For Each Loop in UMRA actions, is the main action that I use to loop through and process records of data. This is the primary action used when running a student information system sync with Active Directory, or a HR system sync with Active Directory.

For Each Loop -
What a For Each does, is exactly what its name says “For Each”… So for each record in your table of data, it will “do something”, such as execute another project. So, you can have a table of data, of all users in a particular OU, and for each user, you want to move their home drive folder to another server, then update the active directory attribute. This is exactly what its used for, it will pass each record of the table over one by one, passing whatever data you’ve collected in the UMRA database. Now, your script you want to send “each set of data” to, will be like most UMRA scripts you’ve created that process users. Now keep in mind your “process script” will look like a script that is only going to be run on one user at a time, and it will with each pass of the UMRA For Each loop. In most cases you will have a UMRA get user action, that will get the attributes you want to check or verify, or you can pass these in your for each its up to you. Now, don’t forget to put some type of error logic on your “process” script, this will make it so if you run into any problems with your script, you can log out your user that threw an error etc.

So there you have it, the UMRA For Each Loop on a Generic table in a nutshell. Now, again this is one of the most useful actions in UMRA, so you will most likely use this procedure over and over again, as your UMRA projects grow. If you have any questions, please feel free to let me know.

UMRA – Web Based Portal Access Control Security Model

at 5:49 PM

Have Questions? Email Me: Email Me Click Here

Tools4Ever’s Product Downloads Below.
Download User Management Resource Administrator > Download
Download Self Service Password Reset Manager SSRPM > Download
Download Enterprise Single Sign On Manager > Download

If you want to learn the basics on how to connect to UMRA with its COM object, please see my original post on “Basics of UMRA COM”.

UMRA – Web Based Portal Access Control Security Model

Anytime you build a UMRA based portal, or we build a UMRA based portal for our clients, one of the biggest steps in development is the creation of the Security Model, or in other words your Role Based Access Types RBAC. These security / delegated permissions can range from just one type of RBAC type to access the portal, or it can be an array of RBAC types with different Roles in the portal. For example, some of our clients might use a UMRA based portal only for Password Resets that are delegated out to Secretaries of a school or business there for, the Security Model wont need to be that large, since only one type of user is entering the portal. However, if you have Secretaries being able to change active directory passwords, and you want managers, to have the ability to update active directory attributes, you will need to have multiple types of RBAC types, since you don’t want to delegate the ability to secretaries to change users active directory attributes. Now you’re most likely asking yourself, what is the best way to go abouts setting up a Security Model for your UMRA based portal? Almost 95% of the time when I develop portals for our clients, they use Group Based Access, so if someone is in GROUP X in active directory, we will consider this type of user “Admin” for example.

So this is one way of figuring what type of a Security Model is looking at the users active directory group memberships to determine what type of user they are, or what type of RBAC type they are. As I’ve mentioned above, you can search a users groups for “Group X” if a user has this ground in there memberof attribute (the memberof attribute contains all DN’s of groups in active directory), then we can label this user as Type X user. Now if a user has multiple Groups you have designated for RBAC types, you can either display a drop down to the user upon login, for them to select what type of ROLE they want to be in when they enter the portal.

Now this is one way to setup a Security Model on your UMRA based portal. In my next blog I will talk about creating a METABASE for your figuring our your RBAC types. I hope this helps any of you out there with trying to do such a task, if you have questions feel free to ask.

UMRA – LDAP Power School Sync With Active Directory

at 8:16 PM

UMRA – LDAP Power School Sync With Active Directory

Now most of you out there have heard of the Student Information System SIS called Power School. This is a popular SIS that allows for school districts to manage students and faculty in active directory and other systems. However, one of the biggest drawbacks to these systems is the lack of LDPA connections for automation of data changes, and data creations. This is exactly where UMRA comes into play, since UMRA has the ability to connect to almost any ODBC complaint database, or even data from a CSV or network data, UMRA can take all this data and create the LDAP sync with Power Scholl that you’re looking for. Now, some of you might be asking what are the limitations of UMRA LDAP Power School Sync, the answers is really none. Yes, none. UMRA has the ability to take the SIS Power School SIS and sync it with Active Directory. UMRA can create, modify, or move any active directory object on an automated schedule. The days of spending countless weeks or hours moving students, updating students are over, UMRA can now link to Power School, compare all the current Student Records with those in active directory. Below is a quick overview of one of the many scenarios we automate for our Power School Clients.

End of the year “Round Up” -
This process is sometimes called that, or maybe something else your company might call it. What the “Round Up” is, is the process you have for when all your students move up a grade. In most cases our clients have to move students, update Active Attributes, move home drives, or even move exchange email accounts from one mail serve to the next. As we all know this is a very long process, that can take weeks, however with UMRA LDAP Power School Sync this process is done with ease, and all in the background. UMRA can take the data in Power School, sync it with Active Directory compare it against the Power School Data. If something is different such as Grade, Name, or anything else. UMRA can take that user object, and move them, reapply group memberships, move home drives to mapped servers, reapply security to those folders, all automated.

Now I hope this gives anyone out there a better idea of how flexible UMRA is in creating a UMRA LDAP Power School Sync. As you can see, the limitations are minimal; since UMRA can mimic any work flows you have now, and put those on an automated schedule. If you have any questions feel free to email me.

UMRA – Bulk Reset Active Directory User Password Last Set

at 8:23 PM

UMRA – Bulk Reset Active Directory User Password Last Set

Just recently I was tasked with resting eight thousand Active Directory Users Password Last Reset attribute. The issues came about after our client previously edited all these users, yes you heard right, manually edited these users for a 60 day password expiration. However, some of their project deadlines were pushed back, and if these users passwords expired, they would be locked out of multiple systems. So this is a perfect example of where to use UMRA bulk capabilities to manage all of this. The previous manual method took them over 3 days with 2 full time staff working on this, however, running this change with UMRA took me 20 minutes, and I even logged all my data to a text file for the client. So How did I change this Active Directory attribute, to set the Password Last Set to today’s date, so it would give them another 60 days of grace time? Easy, since UMRA has the ability to loop through a set of users, either from network data, a CSV, or a table of users in an OU, or multiple OU’s. I was able to quickly create a table of all users in a specific OU, then set the pwdlastSet value to 0, then after this was done, rerun the project and set the pwdlastSet attribute to 1, setting it to 1 will set it as the current date. Now, keep in mind, this was not a small company, and around 15 or so people were on the phone as I was doing this. I advised them, we will do 2 runs of this project, and also, I will log to a .CSV file all the users I edited, and what we set there pwdlastSet attribute to. After all was said and done, a 20 minute UMRA script did what took them over 300 man hours to do.

Now I hope this gives some of you out there an idea of just how fast UMRA can get or set attributes in Active Directory. But again, if you have any questions or comments, please feel free to email me, thanks again.

UMRA – Bulk Active Directory User Password Reset

at 6:06 PM

If you have questions email me @ jjmusicpro@hotmail.com

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Bulk Active Directory User Password Reset

After looking through some of my blog statics I see there is a real interest in some of the Bulk UMRA Password Resets on Active Directory users. So this blog will be about the different ways you can go about resting Active Directory Passwords either in bulk, or on a one of basis. So now if you haven’t already go download User Management Resource Administrator, developed by tools4ever. This will get you up to speed with the examples and other topics I am talking about. So lets start with the basics, and answers a few questions quickly. How, fast can UMRA rest passwords. It can reset about 10 a second if now a bit more, I’ve personally done a complete active directory password reset on 5k users, and it took about ten minutes. So, as you can see UMRA is a very fast tool, in completing the tasks you need to do on Active Directory. Now below is a quick way you can update some of users in active directory passwords.

Now, keep in mind there are hundreds of way you can reset your users passwords with UMRA, and this will just go over a typical way we’ve done it for our clients. So first thing is first, the “data” now when I say “data” what does this mean, it means the data we will use to figure out who we will reset. Now, depending on what UMRA module you have, you can use different types of data. For this example though, we will just use CSV data. Now, we will assume this CSV has the usernames of the users in Active Directory you want to update. Another big decision you will have to figure out is, what do you want to set the users password to, most likely you don’t want to change them all to the same thing, so some of the things you can do are… Take an Active Directory Attribute, such as employeeid, and maybe the users lastname combine those together, and use that as the user’s new password. But also, at the same time, flag the Active Directory account to be changed upon the next successful login. So once you have your script all ready with the work flow above, or your own flow, just run one user through, or run them all through, and in minutes you’ve completed your Bulk Active Directory Password Reset.

So I hope this helps some of you out there, who might be trying to create such a script. As you can see it’s a fairly simple script to create, and really quick and easy to run.

UMRA – Get attribute (AD) Example Tips and Help

at 6:18 PM

If you have questions email me @ jjmusicpro@hotmail.com

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Get attribute (AD) Example Tips and Help

If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.

Previous UMRA Action Topics.
-Move – Rename (AD)
-Remove User Group Membership
-Set User Group Memberships
-Edit User (AD)
-Get User (AD)
-Create User (AD)
-Create user (no AD)
-Edit user logon

In this blog we will be talking about the UMRA action Get attribute (AD). Now, this is one of the main actions other then Get User (AD) in the UMRA action list. The Get attribute (AD) is typically following some type of Get User (AD) or Get object (AD). Both of these action will bind to the object, so any following actions after the bind will be taken on the searched user. The whole point of the get attribute (AD) is to get an active directory attribute; this can be anything such as, dn, group memberships, and or canonical name. To get a complete list of active directory attributes, either search on Google, or yahoo for some of the best results on lists of active directory attributes. So you can use the Get attribute (AD) to grab an active directory attribute, put that into a variable, and then do something with it later in your script. An example of this would be to grade the users display name attribute, then compare this against a student information system, or csv file of what it should be, if they are different change it in active directory, if they are the same, grab another active directory attribute and compare again. So below is a quick overview of the action properties in depth.

User Object -
This by default is set to %UserObject%. To bind to the user object, see the action Get User (AD) upon successful location of a user account ,it will bind to the user that it was passed, either by user dn, or user samaccountname.

Active Directory Object -
This will need to be set to %ActiveDirectoryObject% if you plan to grab an attribute out from a group, computer, etc. something other then a userobject. If you use this you will need to clear the %UserObject% property.

LDAP attribute displayname –
This will be the attribute name you want the value of, example would be cn, canonicalname, memberof, pwdlastset, etc.

Multi-value flag -
You want to set this if the value you are getting has multiple values stored in it, such as the active directory attribute memberof, this attribute has multiple group dn’s in it.

Convert to text flag -
If you set this flag to YES, it will take the value such as a number, and put it as text.

Error if no attribute found -
If set to YES your script action will throw an error, in most cases you can turn this OFF and check the value of the output variable.

Error if empty -
This works almost the same way as the above property, you can check to make sure the value is NOT empty, if set to YES, you can set your ERROR to hope to another part in your script.

Attribute value -
This is the storage container the attribute value is stored in, so if you were looking up the display name of an active directory user, it would store it in the %AttributeValue% variable. You can switch this variablename to something more useful that fits your needs, such as %User_Displayname%.

So there you have it, a quick overview of the Get attribute (AD) action. Again, as you can see its one of the most versatile actions in UMRA. If you have any questions please feel free to email me, or leave a comment, thanks again!

UMRA – Edit user logon Example Tips and Help

at 9:06 PM

If you have questions email me @ jjmusicpro@hotmail.com

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Edit user logon Example Tips and Help

Domain controller -
The variable or hard coded domain controller name. This value can be passed in with the standard %dc% variable if you have it set in Global Init File.

Password generator + password
You can create a new password for the user, and have it randomly generated based on your length, characters etc. on the fly, and it will place it in the %password% variable. Or you can just hard code a password into the password property, or make a composite password based on information passed into the script.

User must change password at next logon -
If set to YES, the user will need to change their password once they successfully login.
If set to NO, it will let the user login as normal.

User cannot change password -
If set to YES, it will not all the user to change there password.
If set to NO, user can change password.
** Note you can not have User must change password at next logon ON, and have User cannot change password set to NO.

Password never expires -
If set to YES, password for the user does not expire.
If set to NO, users password will expire if a GPO is placed on domain or OU.

Account disabled -
If set to YES, users Active Directory account is disabled.
If set to NO, users account is enabled / live in active directory

Unlock the Account -
If set to YES, it will unlock the account, if its locked because of to many failed logins.
If set to NO, it will not unlock the account in active directory

So there you have it, as you can see this UMRA action Edit user logon is very similar to other actions we’ve talked about in the past, but it combines most of the common “User Logon” features into 1 area. I hope this helps any of you out there with questions you might have had on this action.

UMRA – Create user (no AD) Example Tips and Help

at 8:35 PM

If you have questions email me @ mailto:jjmusicpro@hotmail?subject=UMRA%20Question

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Create user (no AD) Example Tips and Help

If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.

Previous UMRA Action Topics.
-Move – Rename (AD)
-Remove User Group Membership
-Set User Group Memberships
-Edit User (AD)
-Get User (AD)
-Create User (AD)

In this blog we will be talking about the UMRA action Create User (no AD). Now this action is very similar to the action Create User (AD) however, this action will create accounts on a local computer, comparison to Active Directory. Now this action does have the ability to create an account in Active Directory, however if you leave the %domain% variable cleared out, then it will create it on the targeted computer account, here is the quick tip in the action in UMRA.

“The name of the domain (NT4 style, e.g. PLANETS, not planets.tools4ever.com) where the account will be created. If no domain or computer is specified, the account is created on the local computer”

Now, this is a very handy tip to remember per the notes on the UMRA action Create User (no AD). Now, some of you might be asking, why would you want to create a local computer account. Simple, if you don’t have active directory, or even want to give special access to a group of users to a user base, this is a perfect way to do this in BULK, or mange those accounts on a local computer. We haven’t talked about the Edit user (no AD), and Delete user (no AD) yet, however these will help manage these type of non AD accounts. So lets get to it, below is a quick over view of some of the properties of the UMRA action Create User (no AD).

Domain -
This by default is set to %domain%, please note the quote above from this action. Setting this property can change this action completely.

Computer -
This is the computer name where the account will be created.

Name generation algorithm + Username + Full name
Now all these functions can work together, or separate, however in most cases our clients will use the Name generation algorithm to match what there current business naming algorithm is. Or example, you can take the first initial of the firstname, then lastname and combine those to make a complete username so Joe Fox, would be jfox. Now if the username is already in use, we can move to your naming iterater, such as a number on the end of the username, example would be if jfox was taken, it will now try jfox1, and jfox2…. It will keep on iterating until it finds a username that is not in use in Active Directory.

Password generator + password
Very similar to the above action, these are mostly used in conjunction with each other, if you want to create a unique password from the generator you can, and then have that pass back the %password% variable to your other functions. Or you can use a composite password comprised of info passed to the script.

These are the most properties that are used when using the UMRA action Create User (no AD). So I hope this helps some of you out there with any questions you might have had when trying to use this.

UMRA – Move – Rename (AD) Example Tips and Help

at 9:21 PM

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Remove User Group Memberships Example Tips and Help

If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.

In this blog we will be talking about the UMRA action Move - rename (AD). This action is another very handy action, that doesn’t get used as often as some other UMRA actions, but does quite a bit. In most cases we typically see this action used if a user moves locations such as, moving from department to department, and you have your Active Directory setup by departments. Or, most of the time we see this used in Student Information System Syncs with Active Directory. If a user moves schools, or changes grades, you can now move the student from school to school, or to another OU grade etc. Now this action is almost always used in with some form of a UMRA action Get User (AD) actions, since you will need to bind to your user first, that you want to move, or rename etc. Now keep in mind this actions is a dual purpose action, unlike some of the previous actions that we’ve talked about where they are for one active directory action, this one can move a user from OU to OU, or rename an active directory account. So below is a quick breakdown on some of the properties of the UMRA action Move - rename (AD).

User Object -
By default this is set to %UserObject%, as stated above you will need to connect or bind to an active directory user first, before you can use this action. In most cases you can use the UMRA action Get User (AD) to accomplish this.

Active Directory Object –
An %ActiveDirectory% object is almost the same as an %UserObject% except it’s based on an Active Directory object, such as group, computer etc. You can bind to an %ActiveDirectory% object by using the Get Object(AD), however we haven’t covered this in previous topics yet. However, if you take a look at the action, you see you can bind to it by the LDAP name of the object.

Organizational Unit-Container -
This will be the canonicalname path of the OU you want to place the user in, so for example WestHighSchool/Students/2011. Now keep in mind you can also move the user by the DN of the OU you want to move them to with the next below action.

OU-Container LDAP name –
Unlink moving a user by Organizational Unit-Container you can now move them with the DN of the OU, so for example OU=WestHighSchool,OU=Students,OU=……

Domain Controller -
This will be the name of your domain controller you want this action to be performed on, most of the time you will have a main INIT project with all your global variables in such as %domain%, and %dc%.

New Name –
Unlike previous actions, this one rename the account, that you are binded to. This will change the Common Name of the user account. This is the value you see when your in Active Directory searching through OU’s.

So there you have it, a quick break down of UMRA action Move - rename (AD). I hope this helps any of you out there with any questions you might have had.

UMRA – Remove User Group Memberships Example Tips and Help

at 9:20 PM

If you have questions email me @ jjmusicpro@hotmail.com

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Remove User Group Memberships Example Tips and Help

Remove from universal groups -
This flag can be turned off/on. If the flag is on, it will remove any universal groups from the user in 1 pass.

Remove from security groups -
This flag can be turned off/on. If the flag is on, it will remove any security groups from the user in 1 pass.

Remove from distribution groups -
This flag can be turned off/on. If the flag is on, it will remove any distribution groups from the user in 1 pass.

Now keep in mind that you don’t have to turn off these off except one, you can mix and match these depending on what groups you want to remove from a user. In most cases that we see, the UMRA action Remove User Group Memberships (AD) will be used in some type of active directory user disable / decommission process. So I hope this helps any of you out there trying to get a little more information on how to use the UMRA action Remove User Group Memberships (AD).

UMRA Remove User Group Memberships Active Directory

UMRA – Set User Group Memberships Example Tips and Help

at 8:48 PM

If you have questions email me @ jjmusicpro@hotmail.com

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Set User Group Memberships Example Tips and Help

User Object -
This should be set to %UserObject% by default. So you will need to bind to a user with UMRA action Get User (AD), and then place this script somewhere after the user bind has been established.

Group names (LDAP) -
Here one of the main Properties you will be using with this action. Here you can select your groups you want to add to the user account. Now there are 2 ways to do this, one is by setting the groups and then leaving the list as is. However, these lists can also be dynamic. So for example, say everyone who is created in your active directory, always get 2 groups, a security Group, and a Distribution Group. If you were to just select these in the selection tool, they will be hard coded, but if you select them, and edit the DN of the group to add variables, you can now make them dynamic. So if you have a group called Seattle Security, and Baltimore Security, you can pass in a variable called “%City%” into your UMRA action Set User Group Memberships (AD) table, and have it set the group on the fly. So your group dn in your table would be something like CN=%City% Security, OU=…… This is a very handy tip when trying to make your code as small, and stream lined as possible.

Group names (Pre-W2K name) –
This works almost as similar to Group names(LDAP), but as you will notice the inner table only will hold the group name, and not the group name and dn, like the previous action. Here also, you can manipulate the group names so they are dynamic, and not hardcoded.

So I hope this helps some of you out there with any questions you might have had with the UMRA action Set User Group Memberships (AD).

UMRA Group Managment User Management Resource Administrator

UMRA – Edit User (AD) Example Tips and Help

at 9:10 PM

If you have questions email me @ jjmusicpro@hotmail

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Edit User (AD) Example Tips and Help

If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.

In this blog post we are going to talk about the UMRA action Edit User (AD). This action is very similar to the UMRA action Create User (AD) in a sense that you can edit and configure many of the user objects attributes in Active Directory. But unlike the UMRA action Create User (AD) that creates a user, and then updates its attributes in Active Directory. The UMRA action Edit User (AD) Edits almost all the attributes of an existing user in Active Directory. In most scenarios you would use this action if you wanted to update a lot of attributes at once, you can use this action if you just want to set one attribute, however, it might be a little over kill since you can just use the “Set Attribute” function in UMRA. So lets get down to it and talk about some of these Property values and what they do in the UMRA action Edit User (AD).

Password generator -
If you wanted to regenerate a password for you’re the user object your binded to you can, you can also have these then sent out to the users email address to advise of new email.
More Info Can be found here > http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-password-generation.html

User must change password at next logon –
This one is self explanatory. However, if you don’t know what it does, what It does its flag the user account to be prompted to change their password upon the next successful login. This is one of the most widely used features for this UMRA action.

Account disabled -
This function if selected as “Yes” the user account will be disabled in Active Directory. If the function is selected as “No” the account will be Active in Active Directory. Now if a user Account is disabled, and you select “Yes” is will readable the account in Active Directory, and vice versa for an active account.

Account Expiration -
This function allows you to set a date, either by a generated date with UMRA or a hard coded date to know when the account will be expired in Active Directory.

The rest of the functions are your basic User Object attributes, such as email, description, phone number etc. I hope this helps some of you out there get a better idea of what the UMRA action Edit User (AD) does, and some of its features.

UMRA – Get User (AD) Example Tips and Help

at 7:50 PM

If you have questions email me @ jjmusicpro@hotmail

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever.

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Get User (AD) Example Tips and Help

If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.

In this blog post we will be coving the UMRA action Get User (AD). We will talk about some of the features, and tips of using the action, plus talk about how it’s one of the main actions you will be using in most of your UMRA scripts. So, first I will talk about what this action does. The Get User (AD) action binds to a user object in Active Directory. Bind you ask? Yes, when I say bind, it means that any actions in your script that are executed against the %userobject% variable, will happen to the user you binded to. How do you set the %userobject% variable? This is simple, as long as you bind to a user object either by full name example (Joe Fox), username example (joefox67), or user dn example (CN=Joe Fox,OU=High School,OU=…) you can set the %userobject% variable within your UMRA script script.

So here is a quick tip on how to really bring out true functionally in your UMRA Get User (AD) action. In most cases you can bind right to the user object with there username, or samaccountname. However, in some cases you might have to do a search in Active Directory for an employeeID, or some other unique identifier, since you might not know the user objects username. So you can use the “Search Object (AD)” UMRA action to search for a user with an Active Directory attribute that equals some criteria, if it finds a user that meets your criteria, then it will store the users dn, in %searchresults% variable, this variable can then be passed to your Get User (AD) action. This is just one of the many ways you can daisy chain your UMRA actions to work for you.

So I hope this helps any of you out there trying to figure out some of the ways to use the UMRA action Get User(AD).

UMRA – Create User (AD) Password Generation Example

at 11:36 AM

If you have questions email me @ jjmusicpro@hotmail

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Create User (AD) Password Generation Example

If you have already read my blog about some of the basics on the Create User (AD) UMRA Action then please visit http://activedirectoryadmin.blogspot.com/2009/08/umra-create-user-ad-action-help.html that blog to catch up to speed on this post.

So if you’ve been following along since my last blog, you will know that we are going over some to the Property values in the Create User (AD) UMRA action. We have already covered ways to set the user creation point, and also the UMRA naming algorithm that you can set to whatever you like. So in this post we will be covering on the Password Generation action in the properties menu. What is the password generation property you ask? Well, it allows for passwords to be randomly on the fly, based on the length, input that you put in. Now there are a few ways that you can set a new users password in active directory upon creation, one way is to take a combination of data, such as there lastname, and there employee or student id, combine this data, and have that as their initial password, and then flag there account to change it upon the next successful login. The other method we will talk about below.

So if you want to set your password as something randomly created on the fly, that meets your active directory password complexity, then use the password generation property within the create user action. With this tool, you can now create passwords on the fly, when you open up the property, you can set the length of the randomly created password, and you can set how much lowercase letters you need, uppercase, numbers, special characters etc. Once you’ve set everything, you can hit the text button, and see the passwords that is creating. As you can see this process is very simple, but yet one of the most powerful tools within the create user action. Now some of you might be asking, “once we create the account, how will I know what the password is?” There are a few ways of doing this, within UMRA there are some actions that allow you to write data to a text file, update a database, or even send an email with this data. In most cases of UMRA Automation projects we do, our clients will have us email the username and password that was used with creating the account, this way they will always have this on hand when a new user is created.

So I hope these last 2 blogs have helped some of you out there with the UMRA action Create User (AD). In later posts we will talk more about the different actions with UMRA at an deeper glance to help you further understand UMRA a bit better.

UMRA – Create User (AD) Action Help Examples and Tips

at 11:21 AM

UMRA – Create User (AD) Action Help Examples and Tips

So we are going to be getting back to the basics of UMRA and how some of the drag/drop items work. I will be coving at first some of the basics such as Create User, Get User, and other User Tree actions in UMRA. Now, most of you will be using the “Create User” action in your UMRA scripts but might need a little explanation of some of the property values you can set when creating a user. The “Create User” action is one of the most widely used, and one of the most versatile actions on the list, so with that said let’s get into the details of this action.

So for the sake of time, I will only cover some of the Property values in the Create User action that really have a lot of weight on the Creation of the User, and have the most flexibility in integration into your script.

Now when creating a user there are two ways you can set where the user is created, by the DistiniguistedName or canonicalname of the OU they need to go in.

Organization Unit-Container –
Here you will need to define the DistinguishedName of the OU, so for example OU=2012,OU=Students,OU=East HighSchool,… etc.

LDAP Container -
Here you can specific the canonicalname of the container so for example mydomain.local/Schools/East HighSchool/Students/2012

For me I prefer to use the LDAP Container method since it’s easier to understand, and allows for less errors due to having to create a full dn for placement.

Right now I would assume you use some type of naming convention for your students, or staff, or any type of active directory user such as jfox, of 23424. With UMRA you have the Name Generation Algorithm method available to you, IF you want to use it. If you don’t want to use it, and you know that your ID’s will be unique, then you can bypass this feature, however if you want to use this, you will see there are a ton of options for this.

Name Generation Algorithm -
There are a few ways you can do this, for example if you want to take the firstname and lastname from a CSV or from a database, and combine those to make the username you can, but sometimes you might find that you have a jsmith already in use in your Active Directory, so what do you do? You can use the Name Generation Algorithm within your UMRA Create User action. This feature is very handy since it will check to make sure the name you’ve created is already in use, and if it is, do some type of iteration. This iteration can be adding a number at the end of the username, or getting the middle initial of the user, and add that to there username.

So as you can see these are just 2 of the over 40 actions and properties you can set when you are using the Create user (AD) action in UMRA. In my next post I will talk about other features of this action.

UMRA – Automation MASS Forms and Delegation

at 10:14 AM

If you have questions email me @ mailto:jjmusicpro@hotmail?subject=UMRA%20Question

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – Automation MASS Forms and Delegation

In most of my blogs I talk about ways you can do different tasks in your Active Directory environment with UMRA. These different tasks actually can be completed in many different ways within the UMRA software however, in this blog I am going to break down the different modules in UMRA to give you a better idea of what it is that will fit and work with your project a little better. Now, in most of my blogs, my example projects consist of those of you who use UMRA Automation or UMRA MASS. Most of my examples for UMRA Forms and Delegation I like to do on the web, instead of using the built in Forms and Delegation client within UMRA. So below I will break down at a very high level of what each of the different modules do.

UMRA – Automation Module

UMRA Automation is very similar to the UMRA MASS module however UMRA Automation you have the ability to put your scripts on a schedule. Schedule you might be asking? Yes, you can have your script run on a specific interval, example would be to have your script run every hour, day, or week. This is extremely helpful when you’re doing a sync with your student information system SIS to active directory. You can now read your SIS every hour, and make sure new users are created, or status changes reflected down to Active Directory. Also, when you get the UMRA Automation you get full use of the UMRA COM Object. The UMRA COM Object is a .dll file that is packed with methods and functions to call UMRA from a remote application such as a web page. Form more information on this, please see my other blog: http://umratips.blogspot.com/

UMRA – MASS Module

UMRA MASS is very similar to the UMRA Automation module however instead of being able to schedule your UMRA projects to run on an hourly, daily, monthly basis etc. Your scripts are now executed on a “one by one” basis, so you will have to manually go in and execute a your script when you want it to run. That is the biggest difference between the two, there are a few other differences, but that is the biggest one.

UMRA – Forms and Delegation Module

UMRA Forms and Delegation module is very different from the UMRA MASS and UMRA Automation modules, they however use the same drag/drop script logic for behind the screens processing, but now allow for a user form to be created for imput. So for example you can make a simple form that the end user types in a firstname, lastname, and maybe picks a location from a list, and hits a “Create User” button. This button would take those inputs from the client and use those values for your UMRA script.

So as you can see UMRA is a very handy tool when it comes to handing your Active Directory needs, and no matter what you need to do, it can handle it with one of the available modules.

UMRA – TIES SIS Active Directory Student Automation

at 9:19 PM

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – TIES SIS Active Directory Student Automation

TIES, is another popular Student Information System (SIS) our clients want to get an automatic sync with UMRA Automation to Active Directory (AD). Sync you ask? Yes, UMRA Automation can connect to the TIES Student Information System in multiple ways. In most cases, we are able to do a direct ODBC database connection, and either through a view, or custom query string, we can get all students, and there information. From this information, we are able to compare this data agsinsts whats in Active Directory. This process can be put on automated schedule, to run every hour, day, week etc. in most cases we see our clients run this nightly to make sure the data in Active Directory is in sync with TIES Now, in some cases you might not have your TIES SIS hosted on your network, it might be hosted somewhere else. This is ok, most of the time, these companies will create you a view in the TIES SIS you can call from within UMRA Automation project, with read only access. Or, they can provide you with a nightly CSV data dump. Either way, UMRA Automation can handle all of these different type of data retrieval types. So what can you sync, I bet is the next question you might be asking. UMRA Automation can really sync up any data that is provided in your database view, check student graduation years, student locations, student first name, last name, group memberships etc. Below is a quick overview of how a typical TIES Student Information Sync works.

Step 1
Get your data. As stated above this can be multiple ways, CSV, View from the database, etc. In most cases if your TIES SIS is hosted with you, you can connect directly to the database, and create yourself a view, or combine a bunch of tables together with joins until you get the data you need.

Step 2
With a UMRA Automation project, create a loop to check all the users in your data source checking for only new accounts. You can do this by checking for the student ID, or your identifier, if that is in AD go to the next record, if it’s a new record that needs to be in AD, create the account, create a home folder, create a profile path, create an email account, etc.

Step 3
With another UMRA Automation project, get all the student accounts in Active Directory and run them against the data source of students. If a user is in AD and in your SIS, then run a compare, check firstname, lastname, location etc. If a user is not in the right location, or grade move the account. Strip group membership; reapply group memberships based on new location, move home drives, and email mail stores if needed.

Step 4
Now that you have your main projects done, you can now go back and add logging / auditing into your scripts. Most of the time I will save these until last, however you can also do these while creating your other scripts to speed up the process. Why would you need logging you might ask? Anytime your script edits an object in AD, it could be a create user, move user, updating / changing an attribute, you will want to keep a history of this, that way you can go back a few months from now, and see the history of changes etc. to your users and objects in active directory.

Step 5
Now that you have all your processes really, create 1 main UMRA Automation project to call your smaller projects in succession. Dont forget to take out any starter projects such as INIT projects that have global variables in them, since you wont need to call these projects except for 1 time in the begginging of ryour run.

I hope this gives some of you out there an idea of how to get your students from TIES into Active Directory.

UMRA – Powerschool Database Data Export to Active Directory

at 8:11 PM

Contact Me: mailto:jjmusicpro@hotmail.com?subject=UMRA Question

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

PowerSchool Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-powercampus-erp-active-directory.html

Destiny Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-destiny-sis-active-directory.html

Zangle Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-zangle-sis-active-directory.html

Aeires Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-aeries-sis-active-directory.html

UMRA – Powerschool Database Data Export to Active Directory

I’ve been taking a glance over some of my key words for my blog and I see of my major traffic is based on the Popular Student Information System SIS PowerSchool. Digging deep, I see that my users are very interested in getting the data from the PowerSchool Database to Active Directory. So in this blog post I will give you a quick rundown on the different ways of getting this process started.

So first thing is first, if you haven’t already you will need to download UMRA since this will be our main SIS automation tool. This will allow us to connect to the PowerSchool SIS Database, or allow you to get a CSV data dump of PowerSchool Students, and import that into Active Directory. Now, depending on if your PowerSchool SIS database is hosted internally within your network and you have control of it, or if your PowerSchool SIS database is hosted with a hosting company, the below methods will change.

If you can Connect Directly or Remotly to PowerSchool Database -
Create a UMRA Automation Project and within this project, you will need to drag/drop 1 “Generate Generic Table” action to your main script, this will be your main connector to your PowerSchool Database. Now go through the normal database connection steps as you’ve done before when creating a generic table. For the SQL query, you can either create a view to only grab the information you need from PowerSchool, or you can write a complex SQL statement to join together all the tables needed.

If you can’t Connect Directly to PowerSchool Database -
In this case you will need to create a UMRA MASS Project, since you will most likely be getting a CSV of data from the PowerSchool DB.

Ok now that we have our connect setup, the next step will be very the same, since each script weather its an UMRA Automation Project or UMRA MASS Project. So now that you have your data, you now need to create your script for student creation. Now keep in mind that UMRA has the ability to create OU’s Groups etc. So if needed you can create these on the fly, the same time you are creating your students. So first thing is first, you will need to make sure the student is not in Active Directory already, you can do a “search object AD” for this. If they are not in Active Directory lets create the account. After you’ve created the account, you can now move them to the correct location, or create the student account in the correct OU right when you create them, this is the most typical approach. After you have created the account, now you can create email accounts, home folders etc. And that’s it, a quick way to get connected to your PowerSchool Database or CSV and get those users in Active Directory.

UMRA – MASS CSV Create User Data to Active Directory

at 8:09 PM

If you haven’t already, please read my first post on where and how to download a trial version of User Management Resource Administrator, developed by tools4ever. UMRA

Download Trial Version of UMRA > http://www.tools4ever.com/download/
Download Trial Version of SSRPM > http://www.tools4ever.com/download/

UMRA – MASS CSV Create User Data to Active Directory

This blog is going to be a different approach on how to use UMRA to do a UMRA MASS Create User from a Microsoft Excel CSV file. As you know, most of the topics I’ve covered are using the UMRA Automation module to automate user creation, user comparison, etc. So if you haven’t already taken a look at how to automate your student information system such as PowerSchool, Destiny, Zangle, Aeries etc. see the below blogs>

PowerSchool Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-powercampus-erp-active-directory.html

Destiny Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-destiny-sis-active-directory.html

Zangle Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-zangle-sis-active-directory.html

Aeires Student Information System SIS To Active Directory
http://activedirectoryadmin.blogspot.com/2009/07/umra-aeries-sis-active-directory.html

So again, if you haven’t already checked out the above blogs, you should so you can get an idea of how you go about using UMRA Automation to automate your Student Information Sync to Active Directory. Ok, so back to the topic of doing a UMRA MASS import of users from a CSV to Active Directory. So below I will give you some tips of how you can achieve this process with your CSV of userdata.

Step 1
The more information the better. So the more userdata you can get in your CSV, the more flexible your script can be.

Step 2
Before you start working on your script, think about what is your trying to accomplish, are you only creating user accounts, or will you be creating home/profile folders, email, group permission etc. If you’re going to just create student accounts, then you can do more than just putting all the account into one OU then sorting them later. With UMRA MASS you have the ability to create users in specific OU’s if you have data the corresponds to where they should be in Active Directory.

Example
CSV Data might have School and Grade columns, so you can map where you create the user like this. OU=%Grade%,OU=%School%,OU=….
This can be placed into your create user, so for each record it will take the CSV data and dynamically place your records data into those variables, and create the user in that OU dynamically!

Step 3
After your users are created, you can now take any other steps needed when you provision your accounts in Active Directory. This can vary from group membership, home folder creation, email create etc.

So I hope this helps some of you out there who might be trying to look for a way to do a UMRA MASS import of users into your Active Directory Environment. The steps above only really cover just a fraction of what UMRA can do, for more information on more functions see my other blogs, or visit the tools4ever.com website.

UMRA – Bulk Active Directory User Password Reset

Archive

Key UMRA Articles