Testimonial:
We started using UMRA in demo mode for the first days before we decided to purchase a license for 40k users, and even in the demo mode, I managed to set up scripts that would allow us to export user information from our student information system to CSV and import them into the 3rd party software, preformatted for each software. Even with the demo, we created scripts that reduced our student data imports ...

Georges Khairallah, Chino Valley Unified School District, http://www.chino.k12.ca.us/

Updating Active Directory through delegation

Why does the IT department in most organizations also manage user-related data such as group memberships, passwords, login names and home town? The answer is that the tools used to make this kind of change require administrative rights, and only system administrators are granted those rights. Microsoft Active Directory does have a native option for delegation, which allows non-administrative users to reset passwords, for instance. In practice, however, this option is not very appealing. If the delegation needs to be reverted, ACL entries have to be edited, which is simply too cumbersome for even the most ardent system administrator. With the Microsoft method, delegation is set on an organizational unit (OU): a user can get privileges to reset the passwords of all users in that OU. Using UMRA, delegation can be performed at task level and much more elegantly. It makes it all the more surprising that this kind of functionality is not available as standard in Windows Server 2003.
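
Native delegation on an OU is stored as ACL entries, so auditing or reverting it means finding those entries. The following is an added example, not code from Tools4ever or the original article: it scans an OU's security descriptor in SDDL form for entries that allow password resets on the users inside it. The sample SDDL string, the SIDs and the function names are constructed for illustration.

```python
import re

# Well-known Active Directory schema GUIDs (identical in every forest).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"      # user object class

# Constructed sample: DACL of a hypothetical "Headquarters" OU. The SIDs are
# made up (RID 1105 = helpdesk group, RID 1130 = a grant inherited from a parent).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;CI;GA;;;DA)"                                          # Domain Admins, full control
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{DOM}-1105)"  # delegated Reset Password
    f"(OA;CIIOID;CR;;{USER_CLASS};{DOM}-1130)"                # all extended rights
    f"(OA;CIIO;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;{USER_CLASS};WD)"  # Change Password only
    "(A;CI;LCRPRC;;;AU)"                                      # read access, no reset
)

def parse_rights(text):
    """Return the rights of interest from an SDDL rights field (letters or hex mask)."""
    if text.startswith("0x"):
        mask = int(text, 16)
        return {n for n, bit in (("CR", 0x100), ("GA", 0x10000000)) if mask & bit}
    # Tokenize in pairs: a substring test would find a false "CR" inside "LCRPRC".
    return set(re.findall("..", text))

def reset_password_delegations(sddl):
    """List allow ACEs that let a trustee reset passwords of users inside the OU."""
    findings = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        ace_type, flags, rights, obj, inherit_obj, trustee = body.split(";")[:6]
        if ace_type not in ("A", "OA"):
            continue  # deny (D/OD) and audit ACEs are not grants; denies are not evaluated
        flag_set, right_set = set(re.findall("..", flags)), parse_rights(rights)
        if "CI" not in flag_set or inherit_obj.lower() not in ("", USER_CLASS):
            continue  # not inherited by child objects, or scoped to another class
        if "GA" in right_set:
            grants = "full control"
        elif "CR" in right_set and obj.lower() in ("", RESET_PASSWORD):
            grants = "Reset Password" if obj else "all extended rights"
        else:
            continue
        # "ID" marks an ACE inherited from a parent: it must be reverted there.
        findings.append({"trustee": trustee, "grants": grants,
                         "inherited": "ID" in flag_set})
    return findings

if __name__ == "__main__":
    for f in reset_password_delegations(SAMPLE_SDDL):
        print(f)
```

Entries reported as "all extended rights" or "full control" include the reset right even though no one delegated it by name, so they belong in the same review as the explicit Reset Password grants.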

UMRA forms - Active Directory and delegation

Delegation forms allow non-administrative users (such as helpdesk employees) to manage only a certain task (e.g. resetting a password or creating a new user). They do not get access to any other parts of Active Directory. UMRA Forms is the front-end application for the delegate user (helpdesk employees and all other non-administrators who have been authorized to make certain changes in Active Directory). A delegate user could also be a personnel officer with access to UMRA Forms, who can safely make changes in Active Directory without needing any technical knowledge.

A delegate form project can be made part of the standard HR procedures, relieving the IT department of non-core tasks. The delegation client software, UMRA Forms, connects to the UMRA service using a predefined TCP/IP port. UMRA has been developed as a 32-bit Windows application, but Tools4ever has announced a web interface for the end of 2005.

In the UMRA console, form projects are created in the same way as mass projects (File menu > New form). The resulting form projects can then be used by employees who have been authorized to run the form. The UMRA service must be running somewhere in your network; it can be set up using the console software. You can also specify the TCP/IP port used to communicate with the UMRA service (e.g. 56814). The UMRA service runs under a newly created account, which must be a member of the Domain Admins group in Active Directory.

In the next section we will show you how to create a simple form. The most common implementation is a form to reset passwords for users who have lost their password. Upon request, reception desk employees are allowed to issue a new password. The interface for creating form projects is similar to the one for MASS projects. Figure 3 shows the forms project with the form layout defined in window 1 (tables, buttons, input boxes, etc.).

Figure 3 - Example of a Forms project

Designing a form |

The top window in Fig. 3 now displays the layout for a form project instead of the content of a CSV file. In the window below, the visual script can be found, with the corresponding properties for each action on the right-hand side. The most important form elements are tables and buttons. In a table, a selection can be made of a certain part of Active Directory. For instance, a table can be based on an LDAP query which only retrieves the users in the “Headquarters” OU in Active Directory. Defining such queries is simply a matter of double-clicking and adjusting the table properties. It is also possible to link a table to a database (e.g. MS Access, SQL Server, ODBC), allowing for more complex procedures. Table data can be prepared in the correct structure before applying the changes to AD. When you finally press the (OK) button, the project script is executed. In this case it means that the selected users will receive a new password. Figure 4 shows the form as it is presented to the reception desk.

Figure 4 - A delegation form for resetting passwords. A user can be selected from a predefined OU.