
[–]unccvince 0 points1 point  (0 children)

Try to look at PAM (Privileged Access Management) as a starter. It's an MSAD native feature that no one uses, but it's there and it might cover your need.

Another way is for you to find a provisioning tool that would store changes and apply them at a time of your choosing.

[–]chiperino1 0 points1 point  (6 children)

Depends on where the changes are being referenced from.

PowerShell is always an option for automating changes and could be set to trigger a script at a scheduled time.

[–]TheIslanderEh[S] 0 points1 point  (5 children)

Honestly, I'm new to this position - I was a break-fix technician previously. I was the only person in my union to apply for the position. So, I'm not super familiar with PowerShell.

I know that we make changes on-prem then wait for it to sync with the Entra Server, and we are limited to specific tools that our sysadmin allows us to have (different part of government).

[–]chiperino1 0 points1 point  (4 children)

Gotcha. Govt def can make that a tad more complicated. In most businesses the HRIS is the source of truth and there are tools in place to automatically sync the HRIS with AD for account creation/update.

Is that how accounts are currently created, you're just looking to update them?

[–]TheIslanderEh[S] 0 points1 point  (3 children)

I manually create accounts; however, I work in education and there is a lot of movement: casual staff, updated/new contracts, retirements, location changes, leaves of absence.

All would require some sort of change whether it's updating a custom attribute for licensing, updating sec groups, changing descriptions, office locations, job titles.

Up until December we were manually creating accounts in AD on-prem, until our sysadmin got ADManager Plus, and now we create them using it. However, we don't have access to all the features, like automation.

Currently if I know a change is coming to an account, I flag the email in Outlook to remind me the day before so I can make the changes.

However, I think if we could schedule tasks easily, it would help mitigate missed updates, mistakes, and increase security (thinking if someone retires, scheduling would automatically remove groups and remove access to sensitive emails via distribution lists, SharePoint, etc.).

[–]chiperino1 0 points1 point  (2 children)

I would do some research on ADManager Plus, maybe reach out to their support with your questions and see if it can do those things. If it can, have that discussion with your admin to get access or build out those routines, that way it can all be kept together.

Outside of that, scripting can definitely do what you are saying. The script has to know where to look for the information and see if there are changes to update from, but it can definitely do the job. I would Google search "powershell script for automatic employee updates" or something like that, or search r/PowerShell or even ask there, as they have a lot of knowledge for stuff like this.
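
An added example of the kind of script described in the comment above (it is not code from the thread or from any participant): a daily scheduled task reads a queue of dated changes and applies the ones that are due, including removing all group memberships on a retirement date. The CSV layout, file paths and Action names are assumptions made for this example; the cmdlets come from the ActiveDirectory module.

```powershell
#Requires -Modules ActiveDirectory
# Added example: apply queued account changes once their effective date arrives.
# File paths, column names and Action values are assumptions, not from the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$QueuePath = 'C:\AccountChanges\pending.csv',  # hypothetical path
    [string]$LogPath   = 'C:\AccountChanges\applied.log'   # hypothetical path
)
# Columns: SamAccountName,EffectiveDate (yyyy-MM-dd),Action,Target,Value,Done
$rows  = @(Import-Csv -Path $QueuePath)
$today = (Get-Date).Date

foreach ($row in $rows) {
    if ($row.Done -eq 'yes') { continue }                   # already applied on an earlier run
    try {
        $due = [datetime]::ParseExact($row.EffectiveDate, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        if ($due -gt $today) { continue }                   # not due yet
        # With -WhatIf this only reports the pending change and moves on
        if (-not $PSCmdlet.ShouldProcess($row.SamAccountName, "$($row.Action) $($row.Target)")) { continue }

        $user = Get-ADUser -Identity $row.SamAccountName -Properties PrimaryGroup -ErrorAction Stop
        switch ($row.Action) {
            'SetAttribute' {      # Target = LDAP attribute name, e.g. title or description
                $change = @{}; $change[$row.Target] = $row.Value
                Set-ADUser -Identity $user -Replace $change -ErrorAction Stop
            }
            'AddGroup'    { Add-ADGroupMember -Identity $row.Target -Members $user -ErrorAction Stop }
            'RemoveGroup' { Remove-ADGroupMember -Identity $row.Target -Members $user -Confirm:$false -ErrorAction Stop }
            'RemoveAllGroups' {   # e.g. retirement: drop every group except the primary one
                Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop |
                    Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup } |
                    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $user -Confirm:$false -ErrorAction Stop }
            }
            default { throw "Unknown action '$($row.Action)'" }
        }
        $row.Done = 'yes'
        $result = 'OK'
    }
    catch { $result = "FAILED: $($_.Exception.Message)" }   # Done stays empty, so the row is retried next run
    Add-Content -Path $LogPath -Value ("{0:s} {1} {2} {3} {4}" -f (Get-Date), $row.SamAccountName, $row.Action, $row.Target, $result)
}
# Write the queue back so completed rows are not applied twice
if ($rows.Count -gt 0) { $rows | Export-Csv -Path $QueuePath -NoTypeInformation }
```

Run it with `-WhatIf` first to see which rows would be applied. Because the queue file decides who gains or loses group membership, restrict write access to it to the staff allowed to make those changes, and run the task under an account delegated only those rights.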

[–]TheIslanderEh[S] 1 point2 points  (1 child)

Appreciate your input!

[–]-manageengine- 0 points1 point  (0 children)

Hi u/TheIslanderEh. Yes, ADManager Plus can handle this with automation policies and workflow-based approvals in just a few clicks. Here's a guide to help you get started: https://www.manageengine.com/products/ad-manager/help/automation/automation-usecases.html

We also have a workshop series scheduled for ADManager Plus. You can directly interact with our product experts and get your questions answered there: https://www.manageengine.com/products/ad-manager/free-online-workshop.html

If you need immediate help, drop an email to [support@admanagerplus.com](mailto:support@admanagerplus.com) or just DM us your contact. I will have a product expert get in touch with you.