Directory Manager Advanced Mode

Configuration Basics

  • Install Directory Manager v3.1 or higher
  • Enable Advanced Mode in the AdvancedModeSettings.XML file

Enabling Advanced Mode

   Directory Manager Advanced Mode requires a different license key in order to permanently enable the Advanced Mode features. Ensure that you have purchased the Advanced Mode version of the product.

The configuration files for Advanced Mode are found in the following default folder:
C:\inetpub\wwwroot\DirectoryManager\AdvancedMode\Settings

To enable Advanced Mode Directory Manager, in the AdvancedModeSettings.XML file, change enabled="false" to enabled="true". The AdvancedModeSettings.XML file contains many of the Advanced Mode feature settings. There are 3 sections in this file:

  • User Creation
  • User Deletion
  • Group Management

Enabling User Creation

To enable Directory Manager to allow user account creation, in the AdvancedModeSettings.XML file, look for the userCreation section. In this section, change visible="false" to visible="true". Most of the remaining options under userCreation change the labels on buttons and windows.

Enabling User Deletion

The Advanced Mode account deletion feature allows you to put a wall between “really deleted” and “disabled and hidden”. This feature saves many administrators from the task of recovering a user account that was accidentally deleted.

This does require some forethought as to what it means to your organization to “delete” a user account. Some decisions that you will need to make include:

  • Should the account be disabled from logon?
  • Should the account be hidden from the Global Address List?
  • Should the account be removed from all groups?
  • What other text or attributes should be set?

Each of these decisions maps to an attribute or child element of the softDeletion section:

<softDeletion
  enabled="true"
  disableUser="true"
  hideFromExchangeGAL="true"
  removeFromAllGroups="true">
  <deletionNote enabled="true" attribute="description" text="User deleted on $date by $user" />
  <exchangeOutOfOfficeNote enabled="false" text="The employee is no longer with the company." />
  <additionalDeletionNote enabled="true" attribute="extensionAttribute11" text="deleted" />
  <moveToOu enabled="true" ouName="DMADemoSite/DisabledUsers" />
</softDeletion>

Enabling Group Management

When we designed the group management interface, one of our principal concerns was that a Directory Update Advanced Mode user might possibly add an important or highly restricted group such as "Domain Admins" or "Access to the Secret Recipes".

Restrict to only a single parent OU

<groupSearchBase enabled="true" organizationalUnit="DMADemoSite/Groups" />

Excluded Groups

<exclusions
  excludeCriticalSystemObject="true"
  excludeDomainLocal="true"
  excludeSecurityGroups="false">
  <excludedGroups enabled="false">
    <group name="DnsUpdateProxy" />
  </excludedGroups>
</exclusions>

Administrative Groups

We restrict most of the default Windows and Active Directory admin groups by setting excludeCriticalSystemObject="true".

Use Only Authorized Groups

<permittedGroups enabled="false">
  <group name="#Accounting Email Group" />
  <group name="#Marketing Department Email Group" />
</permittedGroups>

Authorizing Advanced Mode Users

Each major function of Advanced Mode can be restricted to a different group of users. This is done via group membership, configured in that function's authorizedUserGroups section.

<authorizedUserGroups>
  <group name="Domain Admins" />
  <group name="Account Operators" />
  <group name="Administrators" />
  <group name="Directory Update Managers" />
</authorizedUserGroups>
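To check that a group management configuration actually applies the restrictions described above (search base, critical-object exclusion, allow-list, authorized users), here is an added audit script that is not part of the product. It assumes the elements shown above sit under a single wrapper element, named groupManagement here as an assumption, and parses a constructed fragment that mirrors the page's defaults:

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from the product): the group-management
# elements shown above, wrapped in an assumed <groupManagement> root.
SAMPLE_XML = """
<groupManagement>
  <groupSearchBase enabled="true" organizationalUnit="DMADemoSite/Groups" />
  <exclusions excludeCriticalSystemObject="true" excludeDomainLocal="true"
              excludeSecurityGroups="false">
    <excludedGroups enabled="false">
      <group name="DnsUpdateProxy" />
    </excludedGroups>
  </exclusions>
  <permittedGroups enabled="false">
    <group name="#Accounting Email Group" />
  </permittedGroups>
  <authorizedUserGroups>
    <group name="Domain Admins" />
    <group name="Directory Update Managers" />
  </authorizedUserGroups>
</groupManagement>
"""

def is_true(elem, attr):
    """True only when the element exists and the attribute is literally 'true'."""
    return elem is not None and elem.get(attr, "false").strip().lower() == "true"

def audit_group_management(xml_text):
    """Return a list of findings for settings that widen what a user can do."""
    root = ET.fromstring(xml_text)
    findings = []
    if not is_true(root.find("groupSearchBase"), "enabled"):
        findings.append("groupSearchBase disabled: groups from the whole domain are selectable")
    exclusions = root.find("exclusions")
    if not is_true(exclusions, "excludeCriticalSystemObject"):
        findings.append("excludeCriticalSystemObject is false: built-in admin groups are selectable")
    excluded = exclusions.find("excludedGroups") if exclusions is not None else None
    if excluded is not None and not is_true(excluded, "enabled") and list(excluded):
        findings.append("excludedGroups lists groups but is disabled: those exclusions do not apply")
    if not is_true(root.find("permittedGroups"), "enabled"):
        findings.append("permittedGroups disabled: no allow-list, relying on exclusions alone")
    authorized = root.find("authorizedUserGroups")
    if authorized is None or not list(authorized):
        findings.append("authorizedUserGroups empty: no group restricts who may manage groups")
    return findings

if __name__ == "__main__":
    for f in audit_group_management(SAMPLE_XML):
        print("FINDING:", f)
```

Run it against each section of your own AdvancedModeSettings.XML after adjusting the wrapper element name to match the real file.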

Creating User Creation Templates

One of the keys to making Advanced Mode easy to use is to create account templates that define the different types of users your organization has.

Templates that are used for account creation are found in this default folder:
C:\inetpub\wwwroot\DirectoryManager\AdvancedMode\UserCreationTemplates

By default, we provide a "NewUserTemplate.XML" template in the .\AdvancedMode\UserCreationTemplates folder. You may be happy with a single, default template or you may wish to create many.

Create the Template

The first step in defining a new user type template is to copy the default NewUserTemplate.XML file to a new file. In this example, I have an office in Denver that has sales people. So, I’m going to create a template for Sales users in Denver.

I’m going to copy the NewUserTemplate.XML to a new file called DenverSalesUser.XML.

A user template file has four sections:

  • Account Properties such as the organizational unit, if the user must change password on first logon, account expiration days, etc…
  • Fields that are required, such as first name, last name, and middle initial as well as other fields that you want to be filled in automatically.
  • Generated fields which are fields that are created based partially on your input and partially on the input provided when creating the account. For example, you can specify the rule for how the display name, user account UPN name, email address, etc… are created.
  • Groups to which the user account should be added

Let’s start with the general settings for the template. In this example, I have given the template a name, assigned the OU in which the users will be created, and set the account to never expire.

<template
  name="Dallas Sales User"
  organizationalUnit="Accounts/CorporateUsers/Dallas"
  objectType="user"
  accountEnabled="true"
  accountExpires="0"
  userMustChangePassword="false"
  office365="false">

The next section is the fields or attributes that are either required or that you want to pre-populate with data. The field id maps directly to the field id you will find in the DirectorySettings.XML file. The field id does not always equate to the LDAP attribute name, so validate that you are using the correct field id by looking in the DirectorySettings.XML file.

If you include a field but do not provide a value, the authorized user of Directory Manager Advanced Mode can fill in the field before saving the new user.

<fields>
  <field id="firstName" required="true" />
  <field id="initials" required="false" />
  <field id="lastName" required="true" />
  <field id="department" required="false" value="Sales" />
  <field id="office" required="false" value="Dallas" />
  <field id="manager" required="false" />
  <field id="officePhone" required="true" value="972-548-1000" />
  <field id="streetAddress" required="true" value="101 San Jacinto St, #1800" />
  <field id="city" required="true" value="Dallas" />
  <field id="stateOrProvince" required="true" value="Texas" />
  <field id="zipOrPostalCode" required="true" value="75270-4811" />
  <field id="country" required="true" value="US" />
  <field id="homeDrive" required="true" value="H:" />
</fields>

Adding New Template to the Menu Selection

Once you have created your new template file, add it to the AdvancedModeSettings.XML file so that it is included as a template option. This file is found in the c:\inetpub\wwwroot\DirectoryManager\AdvancedMode\Settings folder. In the AdvancedModeSettings.XML file, look for the templates section. In the example below I have added a new template called "Denver Sales Team" that maps to the DenverSalesUser.XML template file.

<templates title="Please select a new user template" label="Template">
  <template name="Breckenridge Sales Team" file="BreckSalesTeamTemplate.xml" />
  <template name="Denver Office Engineers" file="DenverOfficeEngineersTemplate.xml" />
  <template name="Denver Sales Team" file="DenverSalesUser.xml" />
  <template name="Product Testing Group" file="ProductTestingGroup.xml" />
  <template name="Temps and Short Term Contractors" file="ShortTermAccounts-60days.xml" />
</templates>

Specifying Rules for Generated Fields

You can specify rules for how some attributes are populated. The most common are attributes like the user account name, UPN name, and email address. These are called generated fields. Below is an example of the generated fields section from a user template.

<generatedFields>
    <field id="commonName" label="Full Name" attribute="cn" required="true" format="[firstname] [initials{1}(. )][lastName]" />
    <field id="displayName" label="Display Name" attribute="displayName" required="true" format="[firstName] [lastName]" />
    <field id="userName" label="User Name" attribute="sAMAccountName" required="true" format="[firstName{1}][lastName]" lowerCase="true" />
    <field id="userPrincipalName" label="User Principal Name" attribute="userPrincipalName" required="true" format="[firstname].[lastname]@village.local" lowerCase="true" />
    <field id="email" label="Email Address" attribute="mail" required="true" format="[firstname].[lastname]@village.local" lowerCase="true" />
    <field id="homeDirectory" label="Home Directory" attribute="homeDirectory" required="false" format="\\dev2012.wentwood.local\Home\[userName]" />
    <field id="userProfile" label="User Profile" attribute="profilePath" required="false" format="\\dev2012.wentwood.local\profiles\[userName]" />
</generatedFields>

You can use a number of different attributes, but remember that they must be attributes that would be entered when the user is created. Here are some examples of using generated fields:

Rule                                       Example
[firstname].[lastname]                     John.Snow
[firstname{1}][lastname]                   JSnow
[firstname] [lastname] (Ithicos Sales)     John Snow (Ithicos Sales)
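To make the format syntax concrete, here is an added Python expander (not the product's code) that applies the generated-field rules from the template above to constructed input. It assumes, from the `[initials{1}(. )]` example, that `{n}` keeps the first n characters and `(text)` is a suffix appended only when the field is non-empty, and that field names are matched case-insensitively:

```python
import re

# Constructed sample input: what an Advanced Mode user types when creating an
# account from a template (not data from the product).
USER_INPUT = {"firstName": "John", "initials": "R", "lastName": "Snow"}

# (field id, format, lowerCase) taken from the generatedFields snippet above.
GENERATED_FIELDS = [
    ("commonName", "[firstname] [initials{1}(. )][lastName]", False),
    ("displayName", "[firstName] [lastName]", False),
    ("userName", "[firstName{1}][lastName]", True),
    ("userPrincipalName", "[firstname].[lastname]@village.local", True),
    ("email", "[firstname].[lastname]@village.local", True),
    ("homeDirectory", r"\\dev2012.wentwood.local\Home\[userName]", False),
]

# One placeholder: [name], optional {n} = first n characters, optional (suffix)
# = appended only when the value is non-empty (assumed from the initials example).
TOKEN = re.compile(r"\[(\w+)(?:\{(\d+)\})?(?:\(([^)]*)\))?\]")

def expand(fmt, values, lower=False):
    """Expand one format string; field names are matched case-insensitively."""
    lookup = {k.lower(): v for k, v in values.items()}

    def repl(m):
        name, n, suffix = m.group(1).lower(), m.group(2), m.group(3)
        if name not in lookup:
            # Catch typos in templates early instead of writing a literal "[foo]".
            raise KeyError(f"format references unknown field '{m.group(1)}'")
        val = lookup[name] or ""
        if n:
            val = val[: int(n)]
        return (val + (suffix or "")) if val else ""

    out = TOKEN.sub(repl, fmt)
    return out.lower() if lower else out

def generate(values, rules=GENERATED_FIELDS):
    """Evaluate rules in order so later rules can reference earlier results
    (homeDirectory uses the generated userName)."""
    result = dict(values)
    for field_id, fmt, lower in rules:
        result[field_id] = expand(fmt, result, lower)
    return {field_id: result[field_id] for field_id, _, _ in rules}

if __name__ == "__main__":
    for field_id, value in generate(USER_INPUT).items():
        print(f"{field_id:18} {value}")
```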

Executing PowerShell Scripts

Directory Manager Advanced has the option to allow you to execute a PowerShell script after the creation of a user account or a contact object. This allows the administrator to take additional actions after the creation of the user account.

Two scripts are included: UserCreation.ps1 and ContactCreation.ps1. They are found in this folder:

c:\inetpub\wwwroot\directorymanager\AdvancedMode\PowerShell

The scripts are quite simple. Directory Manager Advanced passes two parameters to the script: the Active Directory distinguished name of the object just created and an admin credential object.