Currently our users can have multiple AD accounts. There are the “normal” accounts, admin accounts, domain admin accounts, etc. Currently we only provision the normal account via ISC. The other accounts are created manually directly in AD after a service desk ticket is approved. Our business would like to automate the process of creating these other accounts using ISC.
I am aware that ISC can only manage the creation of one account on AD by design. I have some ideas on how to do this. I would like to get the community's ideas on what the best approach might be. Ideally the least “customized” and easiest to manage.
I am considering doing it via:
forms and workflows
splitting the single AD source into multiple sources. One for each type of account.
If there is some other possibility please feel free to share!
You will hear this a lot when you talk about multiple accounts: “Create a new Source to manage these 2nd type of accounts”. That’s the only recommended way for the creation process. Let's go ahead and extend that to accommodate your admin type accounts and have only one basic entitlement for that 2nd type of source, let's say Domain User, since a user can only request access, not an account. This will create an admin account. After the next aggregation, the admin account should show up in your primary source, and after that, if they request an access/entitlement, the request process will let the user choose which account the access needs to be assigned to, or you can have an access profile set to pick the account. I know it's not the most convenient way, but it's one way. Also, some might say why not have all entitlements brought in for the 2nd source too; that works too, but you will just have duplicate entitlements in the system which, for some orgs, might be an issue with the new terms on the acceptable terms of use for IDN, which has limitations on the number of entitlements. Hope this helps.
Here are the steps I would recommend to get it done:
Create a different source for admin accounts for AD and put an LDAP filter on it to pull only those admin accounts: (&(objectClass=User)(userPrincipalName=*-adm*))
Create a Role to provision the users to the Admin accounts AD source with Domain User as the ENT from that source
Filter out the admin accounts using an LDAP filter in the regular source, e.g.: (&(objectClass=User)(!(userPrincipalName=*-adm*)))
This will make sure your admin accounts are not aggregated in your regular account source if your admin accounts have “-adm” somewhere. You can manipulate it based on your requirement
Use emp number/id or a unique emp reference, probably in an extensionAttribute, as the correlation logic in admin accounts.
Now, you can define the AD account provisioning policy in the AD admin source and create the account with only Domain User, then keep the privilege-adding process manual.
Further, you can add multi-tier approval in the Role to make sure the relevant stakeholder approves the request to get admin accounts
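Before turning both sources on, it is worth checking against an export that the two filters really partition the directory (every user object lands in exactly one source) and that the correlation attribute is unique within each source. The following Python is an added example, not code from the thread or from SailPoint; it assumes admin UPNs contain "-adm", that the employee id sits in extensionAttribute1, and models objectClass as a single value.

```python
import re
# Assumptions taken from the thread: admin UPNs contain "-adm", employee id in an extensionAttribute.
ADMIN_FILTER_PATTERN = "*-adm*"           # admin source: (&(objectClass=user)(userPrincipalName=*-adm*))
CORRELATION_ATTR = "extensionAttribute1"  # assumed attribute holding the employee id


def ldap_wildcard_match(pattern: str, value: str) -> bool:
    """LDAP substring assertion: only '*' is special; AD string attributes compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def partition_accounts(accounts, pattern=ADMIN_FILTER_PATTERN):
    """Split user objects as the two ISC sources would: admin source = userPrincipalName=<pattern>,
    regular source = its negation, so every user object lands in exactly one source."""
    admin, regular = [], []
    for acct in accounts:
        if acct.get("objectClass", "").lower() != "user":
            continue  # fails the (objectClass=user) clause of both filters
        target = admin if ldap_wildcard_match(pattern, acct["userPrincipalName"]) else regular
        target.append(acct)
    return admin, regular


def correlation_conflicts(accounts, key=CORRELATION_ATTR):
    """Employee ids mapping to more than one account inside one source (ISC links one account per
    identity per source), plus accounts with no employee id (they would stay uncorrelated)."""
    by_emp = {}
    for acct in accounts:
        by_emp.setdefault(acct.get(key), []).append(acct["userPrincipalName"])
    return {emp: upns for emp, upns in by_emp.items() if emp is None or len(upns) > 1}


def split_report(accounts):
    admin, regular = partition_accounts(accounts)
    return {
        "admin_count": len(admin),
        "regular_count": len(regular),
        "admin_conflicts": correlation_conflicts(admin),
        "regular_conflicts": correlation_conflicts(regular),
    }


# Constructed sample export (objectClass simplified to one value), not real data.
SAMPLE_ACCOUNTS = [
    {"objectClass": "user", "userPrincipalName": "jdoe@corp.example", CORRELATION_ATTR: "E1001"},
    {"objectClass": "user", "userPrincipalName": "jdoe-adm@corp.example", CORRELATION_ATTR: "E1001"},
    {"objectClass": "user", "userPrincipalName": "asmith@corp.example", CORRELATION_ATTR: "E1002"},
    {"objectClass": "user", "userPrincipalName": "asmith-adm@corp.example", CORRELATION_ATTR: "E1002"},
    {"objectClass": "user", "userPrincipalName": "asmith-adm2@corp.example", CORRELATION_ATTR: "E1002"},
    {"objectClass": "user", "userPrincipalName": "svc-backup@corp.example"},  # no employee id
    {"objectClass": "group", "userPrincipalName": "ops-adm@corp.example"},    # not a user object
]
```

Any entry in admin_conflicts means a second admin account for the same person would not correlate in that source, so it needs its own source or a different correlation key.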
Thank you both for your replies! Seems like splitting the sources is the preferred method. My biggest concern here is duplicating all of the entitlements from AD into each source. Perhaps I can find some context to filter those as well.
Hi Kyle,
If you have privileged users in one OU in AD and you limit the Search DN to that OU under Account and Group Settings, then it should be manageable.