While most software can directly use accounts from Microsoft Active Directory or another directory service, IT Store is a bit different. It keeps its own list of users, which in turn can originate from a couple of different sources.
These sources are CSV files, an ODBC data source and Microsoft Active Directory. IT Store reads the information from the source and creates its users from it. Although this is called synchronization in IT Store, it really has more in common with a database query (but let's be honest, synchronization sounds way cooler).
In this blogpost I would like to focus on the synchronization (let’s just keep calling it that) with Microsoft Active Directory. The way this works is that you provide the name of your Active Directory domain, the security context for the domain (optional), the mount point and the object type.
The security context is the account that will be used to connect to the specified domain. Usually the server hosting IT Store is a member of the domain in question, so no separate account is needed. However, in some instances you might want to synchronize with another domain, in which case you need to provide a security context. Treat that account like any other service account: it only needs read access to the objects below the mount point.
The mount point is the same as a Base DN (Distinguished Name). It defines the location in the Active Directory tree from which the synchronization will take place.
The object type specifies what you would like to synchronize (users, groups, organizational units or group memberships).
A default synchronization with a Microsoft Active Directory domain will create IT Store people (yes, it's called that) for every user account it finds. So this includes service accounts, shared (functional) mailbox accounts, administration accounts, etc. Since every account checks out one IT Store license, this might not be the best solution. Usually you only want to create an account in IT Store for regular Active Directory users. A service account, for example, will never be used to log in to IT Store (well, almost never). So it's pointless to create an IT Store person for it. Or maybe you just want a small set of users to use IT Store (because of specific functional requirements or to limit the license costs).
Which ways are there to work around this issue?
Of course you can use the mount point to only synchronize a specific organizational unit, but your Active Directory structure might not be set up for this.
The second option might be to implement filters. For example, you could filter out all accounts whose names begin with svc (service) or adm (administrator). With this, however, you are assuming that the naming of every Active Directory user is consistent. Sadly, this is rarely the case.
I do recommend creating these kinds of filters anyway, just in case. It is also a good idea to create a filter that drops all disabled users: a disabled account that still has an IT Store person keeps consuming a license and keeps showing up as a valid identity in IT Store.
While the previous options might work for some organizations, they are not foolproof. That's why I will describe an alternative in this blog post. Rather than filtering out the users that you don't want to be synchronized, do the opposite (RES-style, if you will): only synchronize the users that you do want. The first way that comes to mind in these situations is group membership: only synchronize users that belong to a specific Active Directory group. Seems like an easy thing to configure. However, IT Store doesn't support this. So together with the excellent RES Software Support we tried to come up with a solution. And we did.
Ever checked out all the available Active Directory attributes in a user account (with ADSI Edit, for example)? Many of them are not used. So why not use one of them for IT Store?
Choose one of them (e.g. EmployeeType) and think of a specific value (e.g. RES-IT-Store). Pick an attribute that nothing else in your environment already writes to, otherwise another process may silently grant or revoke IT Store access. Create a filter in the IT Store users Data Source for the chosen attribute and its value. All you need to do next is to make sure the users that require IT Store have the attribute set to the correct value.
You could set the value with a PowerShell script or even do it manually. But the better option would be to use IT Store itself. This way, you can delegate the access management to human resources or management. Keep in mind that whoever can set this attribute decides who gets an IT Store person (and a license), so the account that writes it should only be allowed to write that one attribute, and the people allowed to trigger it should be limited.
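As an added example (not code from the original post or from RES), the script below shows the PowerShell variant of the same idea and goes one step further: it emulates the "only synchronize members of a group" behaviour that IT Store itself doesn't support by stamping EmployeeType from group membership, clearing it again for people who left the group, and then querying AD with the LDAP filter that corresponds to the IT Store filters described in this post. The group name, OU, service account name and the RSAT ActiveDirectory module are assumptions; the deny-list filter is shown only for comparison with the allow-list approach.

```powershell
# Added example, not part of the original post or of the RES building blocks.
# Assumes the RSAT ActiveDirectory module; group, OU and account names are placeholders.
Import-Module ActiveDirectory

$Group      = 'ITStore-Users'                  # assumed: the group that decides who gets an IT Store person
$SearchBase = 'OU=Staff,DC=corp,DC=example'    # assumed: the IT Store mount point (Base DN)
$Marker     = 'RES-IT-Store'                   # the value the IT Store data-source filter matches on employeeType

# 1. Who should be synchronized: direct and nested user members of the group.
$wanted = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName

# 2. Stamp the marker on members that do not carry it yet.
#    Remove -WhatIf once you have checked the output.
foreach ($dn in $wanted) {
    $u = Get-ADUser -Identity $dn -Properties employeeType
    if ($u.employeeType -ne $Marker) {
        Set-ADUser -Identity $u -Replace @{ employeeType = $Marker } -WhatIf
    }
}

# 3. Clear the marker for accounts that still carry it but are no longer in the group,
#    so they drop out of the next synchronization and stop consuming a license.
Get-ADUser -SearchBase $SearchBase -LDAPFilter "(employeeType=$Marker)" |
    Where-Object { $wanted -notcontains $_.DistinguishedName } |
    ForEach-Object { Set-ADUser -Identity $_ -Clear employeeType -WhatIf }

# 4. Verify. This is the LDAP equivalent of the IT Store filter (Employee-Type = RES-IT-Store)
#    combined with the "drop disabled users" filter. 1.2.840.113556.1.4.803 is the LDAP
#    bitwise-AND matching rule and bit 2 of userAccountControl is ACCOUNTDISABLE.
$allowList = "(&(objectCategory=person)(objectClass=user)(employeeType=$Marker)" +
             "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# For comparison: the deny-list approach from the post (drop svc*/adm* and disabled accounts).
# It still synchronizes every other account, including oddly named service accounts.
$denyList  = "(&(objectCategory=person)(objectClass=user)" +
             "(!(sAMAccountName=svc*))(!(sAMAccountName=adm*))" +
             "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$allowed = Get-ADUser -SearchBase $SearchBase -LDAPFilter $allowList -Properties employeeType
$denied  = Get-ADUser -SearchBase $SearchBase -LDAPFilter $denyList

"Allow-list (would become IT Store people): $($allowed.Count)"
"Deny-list  (would become IT Store people): $($denied.Count)"
$allowed | Select-Object SamAccountName, Enabled, employeeType

# 5. Least privilege for the account the Automation Manager run book uses (placeholder name):
#    grant Write Property on employeeType for user objects below the mount point only,
#    instead of generic write access on user objects.
dsacls $SearchBase /I:S /G 'CORP\svc-itstore-am:WP;employeeType;user'
```

Run step 4 before and after changing the filter on the IT Store data source; the allow-list count is the number of licenses the next synchronization will check out. The dsacls line is the part to show your AD administrators: the run book never needs more than write access to that single attribute.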
The building blocks and the instructions provided below will configure just this.
There are two building blocks provided in the zip file. One has to be imported in Automation Manager. The other has to be imported in IT Store.
Make sure the Automation Manager integration in IT Store is configured! Without it the run book can’t be invoked.
When importing into AM it will ask for the values of various parameters. Every parameter has a detailed description of the value that is needed and its format. The building block will create two modules and one run book.
The building block for IT Store won't ask for the values, so you need to edit them manually.
Open the service ‘Inform users about provided access to IT Store (ITStore-Guru)’ and edit the following attributes:
@NoReply -> Provide the e-mail address that should be used as the 'sender address'.
SMTP Server -> Provide an SMTP server that can be used to send e-mail.
If credentials are required for using the specified SMTP server you need to edit the Send message action in the workflow to provide them (E-mail tab).
The second step is to activate the workflow. To do this select the first action in the workflow and edit it. Make sure the Enabled option is selected.
The services are now configured accordingly.
Finally you need to modify your IT Store Data Source for users. Open it from the IT Store Console (Setup -> Data Sources) and select the users Data Source; it is created during the installation of IT Store. Select the Columns tab and click Add. Make sure the option Show all advanced properties is selected. Find the Employee-Type attribute, select it and press OK.
Select the Filter tab and click Add. Specify the Employee-Type attribute in the column field, set the equality sign (=) as the operator and type RES-IT-Store as the value. Click OK and OK once more.
And you are done. But don't forget to check the qualification tab of the Add users to IT Store (ITStore-Guru) service. You might not want every IT Store user to be given the option to add more users: from now on, running that service is what grants someone an IT Store person and a license, so restrict it to the people who are supposed to make that decision.
Feel free to make your own adjustments to these modules/services. In my personal experience, no IT Store service is perfect for every organization. And naturally, suggestions for improvements are always welcome.
Personally I’m not happy with providing the username to add the user. A manager might not know the correct username for his colleagues. But providing the complete name is also not exactly practical. If I think of a better solution I will add it to the website.
Thanks for reading and till next time.