Feeling generic?

Each company has external contractors that they employ only for a fixed period of time.
Some of these workers are given a corporate account with a laptop, a phone, and so on.
Others are not so lucky but are still required to use some of our corporate applications.
For these contractors, we offer them a generic account. This allows them to connect and use a particular app and only that app.

In the past, a generic account was created by a Service Desk employee. Manual work isn’t fun and it is prone to mistakes.
Service Desk employee 1 would use CAPS in the name, others would not.
Some employees respected the naming conventions whereas others would get more “creative”.

A contractor is by definition only with us for a set period of time. This is managed by the AccountExpirationDate in Active Directory.
In the past when a contract was extended, a new ticket was created and Service Desk needed to manually extend the account.
If the ticket got created at the very last minute (rarely happens…), then there was an issue because the account wasn’t extended in time.

I was asked to automate and “smoothen the process” as much as possible.
The project ended up with 3 PowerShell scripts and one small GUI I made in PowerShell Studio by Sapien.

  • New-GenericAccount.ps1
  • Get-GenericExpiredAccounts.ps1
  • Set-ExtendedExpirationDate.ps1

New-GenericAccount.ps1

The first script that was written contains a function New-GenericAccount and can be used as follows:

New-ADGenericAccount -GivenName My -Surname Name -mail my.name@mypersonalmail.com -Application JIRA -Manager 12345

Upon account creation, an email is sent to the manager, informing them the account was created and the worker can start.
The username and password (randomly generated by a different function) are sent to the personal email address of the contractor in two separate emails for security reasons.

Get-GenericExpiredAccounts.ps1

This script is triggered by a scheduled task on a daily basis. It looks for all generic accounts matching a certain prefix.
It checks the accounts' expiration dates. If an account is set to expire in exactly 15 or 30 days, the manager will receive an email to inform them.
When there is no data to be processed, only our team will receive an email.
This way, we are informed that the task has run successfully.

Account Extension Manager (GUI)

At this point, the manager has received a notification of a generic account that is about to expire.
In case the contractor will remain with the company just a bit longer, the manager can ask for an account extension via the GUI.
Once the manager clicks the button, the request is exported into a CSV file. The manager only sees the generic accounts he/she is a manager of. The UI works with the DirectorySearcher and requires no installation of the ActiveDirectory module.

Set-ExtendedExpirationDate.ps1

This brings us to the final script. This is also scheduled to run on a daily basis.
It picks up the CSV that was created by the manager's request and extends the accounts in Active Directory.
Both the manager as well as our team (Infrastructure Windows Server Engineers) will get an email notifying them the extension was successful.
When there is no data to be processed, only our team will receive an email. This way, we are informed that the task has run successfully.
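
The final script changes Active Directory based on a CSV that other users produce, so each row is worth re-validating against the directory before the account is touched. The following is an added example, not code from the repository; the column names, the GEN- prefix, the 90-day cap and the sample data are assumptions made for illustration.

```powershell
# Added example (not from the original repository): vet one CSV row before extending.
# Assumptions: columns SamAccountName, RequestedByDN, NewExpirationDate; 'GEN-' prefix; 90-day cap.
function Test-ExtensionRequest {
    param(
        $Request,                          # one row from Import-Csv
        $Account,                          # result of Get-ADUser ... -Properties Manager
        [string]   $Prefix  = 'GEN-',
        [int]      $MaxDays = 90,
        [datetime] $Today   = (Get-Date).Date
    )
    if (-not $Account) { return 'Reject: unknown account' }
    # Only accounts in the generic namespace may be changed by this task.
    if ($Account.SamAccountName -notlike "$Prefix*") { return 'Reject: not a generic account' }
    # The CSV is user-writable, so re-check the manager relationship against the directory.
    if ($Account.Manager -ne $Request.RequestedByDN) { return 'Reject: requester is not the manager' }
    # CSV fields are untrusted strings: parse the date strictly, then bound it.
    $new = [datetime]::MinValue
    $inv = [cultureinfo]::InvariantCulture
    $ok  = [datetime]::TryParseExact($Request.NewExpirationDate, 'yyyy-MM-dd', $inv, [System.Globalization.DateTimeStyles]::None, [ref]$new)
    if (-not $ok)                          { return 'Reject: invalid date' }
    if ($new -le $Today)                   { return 'Reject: date is not in the future' }
    if ($new -gt $Today.AddDays($MaxDays)) { return "Reject: more than $MaxDays days ahead" }
    return 'Accept'
}

# Constructed sample data standing in for Active Directory and the managers' CSV.
$mgr = 'CN=Manager One,OU=Staff,DC=example,DC=com'
$directory = @{
    'GEN-JIRA-mname' = [pscustomobject]@{ SamAccountName = 'GEN-JIRA-mname'; Manager = $mgr }
    'svc-backup'     = [pscustomobject]@{ SamAccountName = 'svc-backup';     Manager = $mgr }
}
$rows = @'
SamAccountName,RequestedByDN,NewExpirationDate
GEN-JIRA-mname,"CN=Manager One,OU=Staff,DC=example,DC=com",2024-02-15
GEN-JIRA-mname,"CN=Someone Else,OU=Staff,DC=example,DC=com",2024-02-15
GEN-JIRA-mname,"CN=Manager One,OU=Staff,DC=example,DC=com",2030-01-01
svc-backup,"CN=Manager One,OU=Staff,DC=example,DC=com",2024-02-15
GEN-JIRA-ghost,"CN=Manager One,OU=Staff,DC=example,DC=com",2024-02-15
'@ | ConvertFrom-Csv

foreach ($r in $rows) {
    # In the scheduled task this lookup would be Get-ADUser -Identity ... -Properties Manager.
    $acct   = $directory[$r.SamAccountName]
    $result = Test-ExtensionRequest -Request $r -Account $acct -Today ([datetime]'2024-01-10')
    '{0,-16} {1}' -f $r.SamAccountName, $result
}
# Only on 'Accept' would the task go on to call Set-ADAccountExpiration for that account.
```

Rejected rows are worth including in the daily email to the team, since a request for a non-generic account or from a non-manager points to a tampered or malformed CSV.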

Pester

I took this project as an opportunity to dip my toe into the world of Pester testing.
In the repository you’ll also find a file named New-GenericAccount.Tests.ps1.

I mainly stuck to writing integration tests. I am happy I gave this a shot, as I did find value in writing these tests.
The downside is that it requires more time, but the upside is that once you write them, it saves you time.
If project time allows for it, I’d like to start using these a bit more in the future.

Anyway, that was it for now.

K.
