UMRA Manages 100s of User Accounts Each Semester
|Problem||The need to efficiently create accounts for new students and employees, as well as deprovision accounts for terminated or retiring employees and graduating students without error, so that the Active Directory will accurately reflect the environment of the school.|
|Solution||Implement a process which would create or delete accounts based on a specific criteria set.|
|Products||User Managment Resource Administrator (UMRA)|
|Connectors||Google, Banner, Active Directory, PeopleSoft|
|Result||75% reduction in time spent on managing accounts as well as reduction in error of creating and deleting accounts|
Fitchburg State University, founded in 1894, was the first practical arts teacher training program in the country and has since grown to over 30 undergraduate and 22 master’s degree programs. Located in Fitchburg Massachusetts, the school has a population of over 6,500 students and 520 employees. Fitchburg State had 44,000 records in Active Directory, which in no way reflected their actual environment due to stale accounts that were no longer required. After several attempts to delete users based on inactivity and inadvertently deleting hundreds of active users, they realized they needed help. "We weren’t able to integrate Active Directory information and the student record system to accurately report information" said Sherry Horeanopoulos, Information Security Officer.
After realizing the methodology they were employing with user accounts was inefficient, the university began to look for help managing their accounts more reliably and cleaning up their directory. Most options they evaluated were very expensive and complicated. "UMRA from Tools4ever was a really easy solution and the support was phenomenal", stated Sherry. The school also decided they were switching from a local student email server to Gmail, and Tools4ever was one of the few companies who supported Gmail.
Efficiently creating new user accounts
At the beginning of the semester, online students frequently called saying they were starting classes, but did not have an account made for them. With UMRA in place, Fitchburg’s system is set up to create an account for a student who is registered, paid, and confirmed. With a variety of departments and people inputting information on the back end, never before had consistent conditions to automate account creation existed. Now, each time a creation occurs, Sherry receives an email notification of the new account. "It just works; it's in the background chugging away. Four times a day all the accounts get created and within a couple of hours, the users have their accounts ready to go."
In short, UMRA is configured to query Banner to look for new students, changes to existing records and records that exist in AD but not in the database. When a new record is present, the AD account is created along with a home directory, initial password, and group memberships and located in the appropriate OU. When a record is eliminated from Banner, the AD is automatically disabled and moved to a separate OU. After 18 months of being disabled, the accounts are purged from Active Directory. In the case of an account create or a delete, an email is sent to an appropriate party.
Reliably retiring people from the systems
Fitchburg also encountered problems when hundreds of students graduated every year and there was no accurate way to determine who should be deleted from AD. Fitchburg previously deleted all students who graduated but accidently removed students who shouldn’t have been removed. "We would be losing a subset because some students continued and some went on for graduate school and further education. We didn't want to take them out if they were truly continuing, but we didn’t want them lingering if they weren’t and there was no easy way to know, based on our student records, who should be taken out."
With UMRA in place, Fitchburg no longer needs to worry about these mistakes. "It's much more complicated to apply conditions to each of these events if you don’t have this tool; the tool just makes it so easy." With UMRA, if a terminated or graduated flag is set in the SIS application, the account is disabled, according to pre-defined rules. If something has changed since the last synchronization, the Active Directory account may be re-provisioned or specific attributes updated. Fitchburg can easily target each population of users with different conditions. For example, employees who are retiring keep their accounts for up to 18 months, but employees who are terminated are deleted immediately. “If your employment at FSU is terminated, with one click you are out of the system”, stated Sherry, significantly reducing security issues.
Fitchburg State frequently hires adjunct professors for off-site or online courses. Often these professors are concerned when they are about to begin classes and do to have a logon. This is a result of IT not being notified as this employee type may not be entered in the HR system. With the UMRA Web portal in the HR department, Fitchburg has the immediate ability to disable terminated employees and create accounts for adjunct professors and other non-traditional faculty members.
Overall, Fitchburg State is spending 75% less time dealing with account issues. Sherry stated, "All of the employees love UMRA because it frees them up to do other things," and "There is no other company that I deal with regularly that I like better."