We automate the maintenance of a large number of users in AD


Good afternoon! In this article I would like to describe a practical solution I applied to automate one routine task of the second-line technical support of a large enterprise.



We have two geographically distributed AD domains for 10,000 people, an application solution for organizing web access to remote desktops through RemoteApp applications with several integrated information systems, and an actively growing user base, up to 500 people per month. That is about 24 per working day, or about 3 people per hour.



The first obvious conclusion from the input data is that one admin cannot cope with such a number of users; he should have the right to get sick or go on vacation without paralysing the enterprise. And practice shows that even two do not cope.



The second problem is identity verification: for example, the enterprise's file shares, as is often the case, hold information that is not intended for prying eyes, so each person requesting to be added to Active Directory and granted certain access groups has to be checked. Unfortunately, it was not possible to resolve this without bureaucracy. The procedure comes down to submitting a standardized paper application, signed (preferably electronically) by the applicant's manager, and the approval of this document by persons who personally know the signer.



After the standardized application is approved, little remains to be done: add the people to AD, assign the necessary access groups, and add a row to an Excel sheet. The last point may seem a bit archaic, since AD itself supports auditing of changes, but my practice shows that with this turnover the step is not superfluous, and it even simplifies finding where things went wrong during a post-mortem, which, following from the first conclusion, happens often...



But the process can be partly automated with a couple of simple scripts. The logic boils down to the reverse process:



  1. Approve the AD account standard in the enterprise.
  2. Ask the user for data in a uniform format.
  3. Enter the basic data into the table (an example is shown in a screenshot in the original article).
  4. Export from Excel to a CSV file, an automatically generated sheet suitable for automatic entry into AD using scripts.
  5. Run the import and voila! It remains to hand the username and password to the user.


Perhaps the methods I describe cannot be called best practice, but in practice they solve the existing problem without writing a separate information system and creating a large number of integrations.



Next, I will describe a couple of technical points and publish the scripts that I use.

A table suitable for import into AD is shown in a screenshot in the original article; its column headers are the field names that the import script below reads from the CSV.



For me, this table is generated automatically from the previous one; an example workbook was attached to the original article.



The table suitable for import must be saved in CSV format (comma delimited).



What do you think the delimiters will be if you open the generated file in Notepad? Wrong. They are ";" (Excel writes the list separator from the Windows regional settings rather than a literal comma, which is why the import script below passes -Delimiter ';').



Separately, in my implementation, I should dwell on the transliteration column. In the standard we approved, some of the fields are filled in with transliteration according to an approved sample, and in order not to do this by hand every time I used a VBA script; here it is:



Function TranslitText(RusText As String) As String
    ' Russian letters, lower case then upper case; index 0 holds "-" so it maps to itself.
    ' The Cyrillic values had been lost from the page copy and are restored here from the Latin column below.
    Dim RusAlphabet As Variant
    RusAlphabet = Array("-", "а", "б", "в", "г", "д", "е", "ё", "ж", "з", "и", "й", "к", "л", "м", "н", "о", "п", "р", "с", "т", "у", "ф", "х", "ц", "ч", "ш", "щ", "ъ", "ы", "ь", "э", "ю", "я", "А", "Б", "В", "Г", "Д", "Е", "Ё", "Ж", "З", "И", "Й", "К", "Л", "М", "Н", "О", "П", "Р", "С", "Т", "У", "Ф", "Х", "Ц", "Ч", "Ш", "Щ", "Ъ", "Ы", "Ь", "Э", "Ю", "Я")

    ' Latin replacements in the same order (hard and soft signs map to nothing)
    Dim EngAlphabet As Variant
    EngAlphabet = Array("-", "a", "b", "v", "g", "d", "e", "yo", "zh", "z", "i", "y", "k", "l", "m", "n", "o", "p", "r", "s", "t", "u", "f", "kh", "ts", "ch", "sh", "sch", "", "y", "", "e", "yu", "ya", "A", "B", "V", "G", "D", "E", "Yo", "Zh", "Z", "I", "Y", "K", "L", "M", "N", "O", "P", "R", "S", "T", "U", "F", "Kh", "Ts", "Ch", "Sh", "Sch", "", "Y", "", "E", "Yu", "Ya")

    Dim EngText As String, Letter As String, Flag As Boolean
    Dim i As Long, j As Long

    For i = 1 To Len(RusText) ' walk the input one character at a time
        Letter = Mid(RusText, i, 1)
        Flag = False
        ' 0 To 66: the original "0 To 67" ran one past the last element and raised "Subscript out of range"
        ' on any character not in the table (spaces, digits, Latin letters)
        For j = LBound(RusAlphabet) To UBound(RusAlphabet)
            ' case-sensitive match, so upper-case letters hit their own entries even under Option Compare Text
            If StrComp(RusAlphabet(j), Letter, vbBinaryCompare) = 0 Then
                EngText = EngText & EngAlphabet(j)
                Flag = True
                Exit For
            End If
        Next j
        If Not Flag Then EngText = EngText & Letter ' characters outside the table pass through unchanged
    Next i
    TranslitText = EngText
End Function





Don't do as I did; please use one of the existing transliteration standards from the link.



The next script, placed in a file with the .ps1 extension, lets you push all accounts from the file generated in the previous step into AD in a couple of clicks, no matter how many there are, and at the same time adds all created accounts to the ad-group group.



Import-Module ActiveDirectory
# Run every cmdlet against the same DC, otherwise Set-ADUser / Add-ADGroupMember may hit a DC
# that has not yet replicated the object New-ADUser just created
$server = 'DOMEN.RU'
# The CSV is ';'-delimited (see the note on the Excel list separator above)
Import-Csv "C:\generated.csv" -Encoding Default -Delimiter ';' | ForEach-Object {
    # -Name becomes the CN of the object and must be unique within the target OU
    New-ADUser -Server $server -Name $_.FirstName `
        -DisplayName $_.DisplayName `
        -GivenName $_.GivenName `
        -Surname $_.LastName `
        -Initials $_.Initials `
        -OfficePhone $_.Phone `
        -Description $_.Description `
        -UserPrincipalName $_.UserPrincipalName `
        -SamAccountName $_.samAccountName `
        -EmailAddress $_.mail `
        -Path "OU=TEST_OU,OU=Guest,OU=Users,OU=DOMEN,DC=DOMEN,DC=RU" `
        -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) -Enabled $true
    # The initial password sits in clear text in the CSV, so force a change at first logon
    Set-ADUser -Server $server -Identity $_.samAccountName -ChangePasswordAtLogon $true
    Add-ADGroupMember -Server $server -Identity ad-group -Members $_.samAccountName
}
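An added example (my own, not from the article or its author) of a pre-flight check to run before the import script above: it detects the delimiter Excel actually wrote, validates each row, flags logins that already exist in AD, and writes the audit record the article keeps in Excel. The report path, the password-length threshold and the use of the same CSV columns as above are assumptions.

```powershell
# Added example, not from the original article: pre-flight check and audit log for generated.csv.
# Assumes the CSV layout used by the import script (samAccountName, UserPrincipalName, Password, ...).
Import-Module ActiveDirectory

$path   = 'C:\generated.csv'          # same file the import script reads
$report = 'C:\import-check.csv'       # assumed location of the audit record
$server = 'DOMEN.RU'
$domain = 'DOMEN.RU'

# Excel writes the regional list separator, so detect it from the header instead of assuming ','
$header = Get-Content -Path $path -TotalCount 1
$delim  = if ($header -match ';') { ';' } else { ',' }
$rows   = Import-Csv -Path $path -Delimiter $delim -Encoding Default

# Logins that occur more than once inside the file itself
$dupes = $rows | Group-Object -Property samAccountName | Where-Object { $_.Count -gt 1 } |
         ForEach-Object { $_.Name }

$results = foreach ($row in $rows) {
    $problems = @()
    $sam = '' + $row.samAccountName
    if ($sam.Trim() -eq '')                     { $problems += 'empty samAccountName' }
    elseif ($sam.Length -gt 20)                 { $problems += 'samAccountName longer than 20 characters' }
    elseif ($sam -match '[\s"/\\\[\]:;|=,+*?<>@]') { $problems += 'samAccountName contains a forbidden character' }
    if ($dupes -contains $sam)                  { $problems += 'duplicated inside the CSV' }
    if ($row.UserPrincipalName -notmatch "^[^@\s]+@$([regex]::Escape($domain))$") {
        $problems += "UserPrincipalName is not <login>@$domain"
    }
    if (('' + $row.Password).Length -lt 8)      { $problems += 'initial password shorter than 8 characters' }
    # An existing account would make New-ADUser fail half-way through the file; flag it up front
    if ($problems.Count -eq 0 -and (Get-ADUser -Server $server -Identity $sam -ErrorAction SilentlyContinue)) {
        $problems += 'account already exists in AD'
    }
    [pscustomobject]@{
        samAccountName = $sam
        Status         = if ($problems.Count -eq 0) { 'OK' } else { 'SKIP' }
        Problems       = ($problems -join '; ')
        CheckedAt      = (Get-Date -Format 's')
    }
}

# The audit record the article keeps in Excel, written by the script instead of by hand
$results | Export-Csv -Path $report -Delimiter ';' -NoTypeInformation -Encoding UTF8
$results | Where-Object Status -eq 'SKIP' | Format-Table -AutoSize
$ok = @($results | Where-Object Status -eq 'OK').Count
"Rows ready for import: $ok of $(@($rows).Count)"
```

Rows reported as SKIP should be corrected in the source workbook and the CSV regenerated before the import script is run.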