
SD-014 Active Directory User Account Standard-1


Active Directory User Account Standard
User Creation & Maintenance

October 29th 2014

Document Change log

| Version | Date | Author | Comments |
|---|---|---|---|
| 1.0 | | Jim Katoe | Versions before ID |
| 2.0 | October 27th | Ryan Hudson | Changed the standard to comply with Office 365 requirements and Adaxes Based ID tool. |

Active Directory User Account Standard
For Internal Use Only

Contents

1 Introduction
2 To create a new user account
  2.1 General
    2.1.1 First Name, Last Name, Full Name
    2.1.2 Display Name
    2.1.3 User Logon Name (SAM-Account-Name)
    2.1.4 UPN Suffix
    2.1.5 User Logon Name (UserPrincipalName)
    2.1.6 On-Prem mailbox Required
    2.1.7 Description
    2.1.8 E-mail (mail)
  2.2 Organization
    2.2.1 Office
    2.2.2 Company
    2.2.3 GroupMCompany
    2.2.4 Department
    2.2.5 Job Title
    2.2.6 Manager and Assistant
    2.2.7 EmployeeID
    2.2.8 Employee Type
  2.3 Account
    2.3.1 Password
  2.4 Telephones
    2.4.1 Telephone Number
    2.4.2 Mobile Phone
    2.4.3 Fax
    2.4.4 IP Phone
    2.4.5 Pager
  2.5 Audio Conferencing Options
    2.5.1 Dial-Option
  2.6 Profile
3 Finish Creating the User Account
4 Modifying Advanced Parameters
  4.1 Environment
  4.2 Sessions
  4.3 Remote Control
  4.4 Terminal Services Profile
    4.4.1 Dial-In
5 Office 365 Licensing Options
  5.1 Office 365 Licensing
6 Exchange Properties
  6.1 General
    6.1.1 Alias (MailNickName)
    6.1.2 Display Name
  6.2 Mailbox Usage
  6.3 E-Mail Address
  6.4 Mailbox Features
  6.5 Calendar Settings
  6.6 MailTip
  6.7 Delegation
  6.8 Automatic Replies

1 Introduction

GroupM has implemented a web-based user provisioning and management system using Softerra’s Adaxes framework. It has been named ID. ID is a proxy through to Active Directory which enforces GroupM’s Standards around Active Directory and helps facilitate automation. Access to create and modify user objects directly has been removed from Active Directory. ID has business rules configured which automate many of the attributes and tasks, ease administration efforts and allow a single tool to manage all aspects of a user account, including their Office 365 cloud resources.

Although a lot of rules and automation have been put in place within ID, IT is still responsible for keeping the data in the user object up to date.

If any of the options within the forms of ID are inaccurate, please contact GroupM Global Operations. This may be from selectable “office” values within an OU, or address information which has changed.

If any of the data required below conflicts with any local privacy laws, please contact GroupM Global Operations.

2 To create a new user account

1. From a supported web browser, go to https://id.insidemedia.net/servicedesk/
2. Enter your admin account credentials and click Sign in.
3. From the home screen, click on browse and drill down to the OU which you wish to create the user in.
4. Click on the Create new User button.

2.1 General

2.1.1 First Name, Last Name, Full Name

The First and Last name fields should correspond to the user’s official business identity. Only alphanumeric characters in the lower ASCII character set can be used. The only exceptions are a space “ ”, dash “-” and underscore “_”. Characters containing accents or an apostrophe cannot be used. They can, however, be used in the display name. The names used here must be consistent through the e-mail address and logon names.

Note that the Full name is automatically filled in after you enter the First and Last names. This must be a unique value within an OU.

Compound Names

If the user has multiple first names or multiple last names, and they are part of the email address, then they should be included in the appropriate field. For example, Billy Bob Thornton would have “Billy Bob” in the first name field (notice the space). Ernest van den Haag would have “Ernest” in the first name field, and “van den Haag” in the last name field. Spaces will automatically be removed by ID when generating the SamAccountName and UserPrincipalName as they are not supported in Office 365.

2.1.2 Display Name

The Display Name is also automatically populated using the First Name and Last Name values. This is how the user will display in applications such as the Exchange GAL, SharePoint etc. The Display Name field can be used to display accented letters for users who have them, or for names with an apostrophe. The following characters are not allowed as they are not supported by Office 365: ? @ \ +

2.1.3 User Logon Name (SAM-Account-Name)

The SAM-Account-Name is automatically populated by the First Name and Last Name attributes. This attribute must be unique within the domain.

The user logon name (SAM-Account-Name) should be:

Firstname.Lastname

There is a 20 character limit for this attribute so if the name is longer than 20 characters it will be truncated.

Conflicts will be handled by using a unique number as the last or 20th character. e.g. jim.katoe1. Alternatively a middle initial can be used.

2.1.4 UPN Suffix

The UPN suffix is a Virtual Attribute which is only stored in Adaxes. It does not exist within Active Directory and is only used to compute the user’s UserPrincipalName. The UserPrincipalName must match the user’s primary E-mail address, so choose the appropriate domain from the list. The domain name must match the company they are assigned to. This is used for determining access to certain company resources.

2.1.5 User Logon Name (UserPrincipalName)

The User Principal Name or UPN is the logon name that began to be used with Active Directory and is the only logon name supported by Office 365. The older SAM-Account-Name format is still required by some legacy systems and is thus still supported.

The UPN is not to be set directly via ID. It is automatically generated using the user’s First Name, Last Name and UPN Suffix. If any of these 3 attributes changes, ID will update the UPN accordingly.

The User Logon Name (UserPrincipalName) will be:

Firstname.Lastname@UPNSuffix

The user principal name must be unique within Active Directory and Office 365.
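The naming rules of sections 2.1.1 to 2.1.5, worked through in Python as an added example; this is not part of the original standard and not the ID tool's own code. It assumes that case is kept as typed, that conflict numbers above 9 take additional trailing positions, and that a UPN collision is only reported, because the standard does not say how ID resolves one; example.com is a placeholder suffix.

```python
import re

NAME_CHAR = re.compile(r"[A-Za-z0-9 _-]")  # 2.1.1: lower ASCII alphanumerics, space, dash, underscore
DISPLAY_FORBIDDEN = "?@\\+"                 # 2.1.2: not supported by Office 365
SAM_MAX = 20                                # 2.1.3: SAM-Account-Name length limit


def bad_name_chars(value):
    """Characters in a First or Last Name that section 2.1.1 does not allow."""
    return sorted({ch for ch in value if not NAME_CHAR.fullmatch(ch)})


def bad_display_chars(value):
    """Characters in a Display Name that section 2.1.2 forbids."""
    return sorted({ch for ch in value if ch in DISPLAY_FORBIDDEN})


def unique_sam(base, taken):
    """Truncate to 20 characters; on conflict put a number in the last position."""
    # Active Directory compares sAMAccountName values case-insensitively.
    taken = {name.lower() for name in taken}
    candidate, n = base[:SAM_MAX], 0
    while candidate.lower() in taken:
        n += 1
        digits = str(n)
        # Keep the result within the limit, so a full-length name gets the
        # number as its 20th character (assumption: more digits take more room).
        candidate = base[:SAM_MAX - len(digits)] + digits
    return candidate


def build_logon_names(first, last, upn_suffix, taken_sams=(), taken_upns=()):
    """Derive both logon names the way sections 2.1.3 and 2.1.5 describe."""
    for label, value in (("First Name", first), ("Last Name", last)):
        bad = bad_name_chars(value)
        if bad or not value.strip():
            raise ValueError(f"{label} {value!r} rejected: {bad or 'empty'}")
    # Spaces are removed before either logon name is generated (2.1.1).
    base = first.replace(" ", "") + "." + last.replace(" ", "")
    upn = f"{base}@{upn_suffix}"
    return {
        "sam": unique_sam(base, taken_sams),
        "upn": upn,
        # Reported, not resolved: the standard only says the UPN must be unique.
        "upn_conflict": upn.lower() in {u.lower() for u in taken_upns},
    }


if __name__ == "__main__":
    # Constructed inputs; the two compound names are the standard's own examples.
    existing = {"christopher.montgome"}
    for first, last in [("Billy Bob", "Thornton"),
                        ("Ernest", "van den Haag"),
                        ("Christopher", "Montgomery-Smith")]:
        print(build_logon_names(first, last, "example.com", taken_sams=existing))
    print(bad_name_chars("O'Brien"), bad_display_chars("R+D @ HQ"))
```

The same functions can be run over a directory export to find accounts whose logon names no longer match their name fields.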


2.1.6 On-Prem mailbox Required

This is another Virtual Attribute which only exists in ID. It is only used as a trigger when creating a user.

Select YES if the user requires a Mailbox AND the office where the user resides has not been migrated to Exchange Online/Office 365. This will create an Exchange Mailbox on a GroupM Mail server.

Select NO if the user does NOT require a mailbox OR the office where the user resides has been fully migrated to Exchange Online/Office 365. A mailbox will be created in a later step.

Once the migration to Exchange Online is complete, this attribute will no longer be used.

2.1.7 Description

This field is free to be updated as you like.

There is however an automated process that cleans up AD as shown below.

If a user account has not had its password changed within 80 days (29 days past our requirement), it will be disabled.
If a user account has not had its password changed within 110 days, it will be deleted.

There may be a valid business reason to circumvent this policy. If you choose to circumvent this process, please understand you may be required to explain or provide documentation for why you are circumventing a security process that your company is depending on for regulatory purposes. Circumventing the process would be understandable if the user is on extended leave for maternity, sabbatical, etc.

Enter the following string EXACTLY within the description, including the reason for not disabling/deleting the user: “|nodisable|”
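An audit of the clean-up rule and its “|nodisable|” exemption, written in Python as an added example; it is not part of the original standard and not the automated process itself. It assumes the thresholds are strict (older than 80 or 110 days), that the marker is matched case-sensitively, and that the reason is any other text in the description; the account records are constructed.

```python
import re
from datetime import date

DISABLE_AFTER_DAYS = 80    # section 2.1.7: account is disabled
DELETE_AFTER_DAYS = 110    # section 2.1.7: account is deleted
EXEMPT_MARKER = "|nodisable|"
# Assumption: text that resembles the marker but is not the exact string
# (wrong case, missing pipes, inner spaces) is an exemption that will not work.
NEAR_MISS = re.compile(r"no\s*disable", re.IGNORECASE)


def classify(pwd_last_set, description, today):
    """Return what the clean-up rule implies for one account."""
    description = description or ""
    if EXEMPT_MARKER in description:
        # The standard requires a reason next to the marker.
        reason = description.replace(EXEMPT_MARKER, " ").strip()
        return "exempt" if reason else "exempt-missing-reason"
    age = (today - pwd_last_set).days
    if age > DELETE_AFTER_DAYS:
        action = "delete"
    elif age > DISABLE_AFTER_DAYS:
        action = "disable"
    else:
        return "ok"
    # Someone tried to exempt the account but the string is not exact.
    if NEAR_MISS.search(description):
        return action + "-marker-malformed"
    return action


def audit(records, today):
    """Map account name to finding for every account that is not 'ok'."""
    findings = {}
    for sam, pwd_last_set, description in records:
        result = classify(pwd_last_set, description, today)
        if result != "ok":
            findings[sam] = result
    return findings


# Constructed sample export: (SAM-Account-Name, password last set, description)
TODAY = date(2014, 10, 29)
SAMPLE = [
    ("sample.user1", date(2014, 10, 1), "Service desk"),
    ("sample.user2", date(2014, 8, 1), ""),
    ("sample.user3", date(2014, 7, 1), None),
    ("sample.user4", date(2014, 6, 1), "|nodisable| maternity leave"),
    ("sample.user5", date(2014, 6, 1), "|nodisable|"),
    ("sample.user6", date(2014, 7, 1), "|NoDisable| sabbatical"),
]

if __name__ == "__main__":
    for sam, finding in audit(SAMPLE, TODAY).items():
        print(f"{sam}: {finding}")
```

The two findings worth a reviewer's time are exemptions with no recorded reason and malformed markers, since the latter leave an account the administrator believed was protected in scope for deletion.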

2.1.8 E-mail (mail)

The E-mail address field will not be directly editable. This field will be set automatically by ID and will be set to match the UPN of the user. If the UPN changes, the E-mail address field will also change.


2.2 Organization

2.2.1 Office

The Office field is important for the Office Directory and GroupM’s software licensing procedures. It is also used by ID to automate all of the address attributes of the user within the directory. This attribute is mandatory and the list of available offices is restricted based on the OU that the user will be in.

If an Office is missing from the form or has changed, please contact GroupM Global Operations.

2.2.2 Company

Select the Company which the user is part of.

2.2.3 GroupMCompany

Select a GroupMCompany only if the user is part of that Sub Brand.

2.2.4 Department

There is no global standard around department. Set this attribute based upon local standards.

2.2.5 Job Title

This is where you would enter the user’s Job Title.

2.2.6 Manager and Assistant

These are currently optional. Set these if required.


2.2.7 EmployeeID

Certain countries are using the EmployeeID for use with applications. If required, this should be the 2 letter ISO-3166-1 code of the country where the user resides, followed by the local HR number.

E.g. for a user residing in the United States with an HR number of 000001, their EmployeeID would be US00001.

Do NOT use this field if the HR number cannot be publicly known, because this value will be available to anyone with access to the directory.

2.2.8 Employee Type

The Employee Type is a new attribute we are requiring to help track the type of employees we have. This will help with licensing and budget preparation as WPP headcount and actual headcount differ largely in some regions.

2.3 Account

2.3.1 Password

Enter a password and then re-enter the password. Alternatively you can click on Generate to generate a Complex Password.

If you are unsure of the password policy, click on View Password Policy.

The ability to set a user object to “Password never expires” has been removed from ID to conform with GroupM’s security policy.


2.4 Telephones

2.4.1 Telephone Number

The telephone number field is crucial for GroupM’s Global Directory. The value in this field must be the user’s direct office telephone number. The number format used by this field is the E.164 telephone number standard. This means it must begin with the + sign, followed by the 1, 2 or 3 digit country code, followed by the phone number. Any international phone should be able to dial this number. Even if you are not on the Cisco IPT solution, it is essential for your number to follow this format so that you can be dialed by users who are. It will also be used by other systems such as SharePoint, Jive and Unified Communications. The number must not contain spaces, brackets or hyphens. A valid number would be +442079693400.

+44 20 7969-3400 or +44 (0) 20 7969 3400 are not valid values. ID will validate the number and won’t allow you to save an invalid number.

2.4.2 Mobile Phone

The Mobile Phone attribute can be edited at the discretion of the local administrator; however, please keep in mind two issues. The mobile phone number must also be in the E.164 format. Be sensitive to our employees’ privacy concerns and the local government and work council requirements.

2.4.3 Fax

If required, the user’s fax number can be entered here. The Fax number must also be in the E.164 format.

2.4.4 IP Phone

This can be used and edited at the discretion of local IT.

2.4.5 Pager

This can be used and edited at the discretion of local IT. There is no global standard around this attribute.


2.5 Audio Conferencing Options

2.5.1 Dial-Option

This option is used to select the audio options for Web Conferencing. This maps back to the extensionAttribute15 in Active Directory.

VOIP (default): Integrated VOIP is an audio feature that sends the audio from your meeting over the internet, instead of through the telephone. A laptop or desktop with integrated microphone and speakers or headphones is required to utilize this service option.

Limited: Toll & Toll free and Integrated VOIP. This option adds Toll and Toll free services to the user’s account. This option provides the ability for the host and the participants to dial into a toll free or toll number from a home, office or mobile phone.

ALL: Call-back, Toll & Toll free, Integrated VOIP. This option adds call-back functionality to the user’s account. The Call Back feature allows attendees to enter their phone numbers and immediately receive a call with prompts to join the meeting.

Please note: There are charge back costs associated with the Limited and ALL options.

2.6 Profile

These tabs can be edited at the discretion of the local administrator. Please read the GroupM Server Implementation Guide for requirements for scripts.


3 Finish Creating the User Account

1. Verify that all the settings are correct and click Create.
2. If “On-Prem Mailbox required” was set to Yes, you will see the business rules kick in which would set the Address information, create an On-Prem Exchange Mailbox, set the Email addresses and set the default Email options.

If “On-Prem Mailbox required” was set to No, you will see the business rules kick in for Address Automation.

4 Modifying Advanced Parameters

There are some settings that can only be set after the user is created via Advanced Parameters.

4.1 Environment

These settings can be edited at the discretion of Local IT, however generally these are not used.


4.2 Sessions

These settings can be edited at the discretion of local IT, but generally it is better to manage this on the Terminal Server where the settings can be uniformly applied to all users.

4.3 Remote Control

These settings can be edited at the discretion of local IT, but generally it is better to manage this on the Terminal Server where the settings can be uniformly applied to all users.

4.4 Terminal Services Profile


These settings can be edited at the discretion of Local IT, however generally these are not used.

4.4.1 Dial-In

These settings are not used.


5 Office 365 Licensing Options

This section describes the options to license a user for Office 365.

5.1 Office 365 Licensing

After creating the user, Office 365 licensing should be set. Licensing options for these are accessed via Custom Commands within ID. These are accessed via the Other tab.

The option chosen depends on whether or not the user has an existing On-Prem Mailbox.

If the user DOES NOT have an On-prem Mailbox and requires a new mailbox within Office 365, select the option “Enable New User for Office 365”.

This option will license the user for Office 365, create a mailbox in Office 365, create a remote Mailbox On-Prem, populate the Mail attribute with the email address of the user and set the default mailbox options.


If the user DOES have an On-prem Mailbox and requires licensing to activate Office 365 Pro Plus, select “license user for Office Pro Plus 365” (This option is temporary and will be removed after all user mailboxes have been migrated to Office 365.)

This option will license the User for Office 365. As they already have an On-Prem mailbox, the mailbox will be skipped and will be created when the user’s Mailbox is migrated.

If the user DOES NOT have an On-prem Mailbox and a Mailbox is NOT required, select “License User for Office Pro Plus without a mailbox”.

This option will license the user for Office 365 but not allow a mailbox to be created. This can be used in select markets where temporary employees need a license for Office Pro Plus, but are not required to have e-mail.

You can see the status of the Office 365 license on the View Object page of the user.


6 Exchange Properties

The Exchange properties can be found on the View Object page of the user. This will work whether the mailbox is On-Prem or in Office 365. You can find out where it is located by looking at the Mailbox Location. If it says “Office 365”, it is in the cloud. If it says anything else, it is located On-Prem.

6.1 General

6.1.1 Alias (MailNickName)

This is automatically set when the mailbox is created. It is set to the same value as the user’s Sam-Account-Name.

This attribute would only need to be changed if the user had a name change.

6.1.2 Display Name

This is the exact same attribute as the Display Name set on the user account.

6.2 Mailbox Usage

This displays the Last Logon for the Mailbox and storage Quota information. This tab is just informational.


6.3 E-Mail Address

Here you can View/Modify the email addresses of the user. This would be where you would add secondary e-mail addresses.

The primary e-mail address will automatically update after a user’s UPN is changed. Please be aware that if the mailbox is in the cloud, the information here is being pulled from Office 365. If a change is made to an e-mail address, it is changed locally in Active Directory. If a recent change was made to the user’s e-mail address/es, it will reflect here until the next Directory Sync.

The option to “Automatically update e-mail addresses based on policy” is set to No by default and should not be changed unless there is an email policy set on Office 365 that the account abides by.


6.4 Mailbox Features

Settings here are managed by Office 365 and Exchange Admins. Changes should not be made.

Forwarding Mail to an external address requires GroupM Global CIO approval.

IMAP and POP3 are not allowed and are disabled by default.

6.5 Calendar Settings

This can be used and edited at the discretion of local IT.

6.6 MailTip

This can be used and edited at the discretion of local IT.

6.7 Delegation

Send As, Send on Behalf of and Full Access delegation can be set here.

6.8 Automatic Replies

This can be used and edited at the discretion of local IT.
