Essential Tasks to Automate in Active Directory Management

  • October 19, 2017
  • Feature

By Anton Pozdnyakov, CMO, Softerra

These days it’s obvious that automation is a must-have for any modern Active Directory environment. If your IT staff is buried under a load of simple but time-consuming manual tasks, this means that you’re also stuck business-wise and can’t move forward. That's something you can’t really afford in a world as dynamic as ours. So, you either slowly go down or you finally start automating.


Where to start

The hardest thing when implementing automation is knowing where to start. Every AD environment is different, so there can’t be a universal scenario that will satisfy everyone. The general advice would be something like ‘find the task that takes up most of the time → automate it → repeat’.

However, there are some common things that most AD environments share. Let’s have a closer look at them.


User Provisioning

The first thing that happens with absolutely every user in Active Directory is the onboarding process. As soon as a new account is created, a lot of things need to happen straight after: moving the account to the right OU, adding it to groups, creating a home folder, setting up an Exchange mailbox, assigning Office 365 licenses, etc. Doing all of this manually is a massive waste of time.

Ideally, it should be a one-step action: HR fills in a form with the new user’s personal info, clicks the Create button, and everything else happens automatically. Such an approach brings several important benefits.

  • Minimizing the human factor. With automated onboarding, you can make sure there are no mistakes, e.g. nobody misses a step or adds a user to the wrong security group.
  • Reducing the load on the IT department. When IT staff are overwhelmed with simple routine work such as user provisioning, they can’t find time for the really important tasks.
  • Avoiding unwanted waiting. Instant user provisioning means that new users can start working straight away with no time wasted. If you have a high employee turnover, this alone can literally translate to tens of thousands of dollars in yearly savings.

Automation should also apply to user offboarding. In fact, this might be even more important than automating provisioning. In addition to all the benefits mentioned above, with automated deprovisioning you are securing your environment from any sort of access by your ex-employees. This is a major security concern that is relevant for a lot of people out there. The reports say that 42% of ex-employees have some sort of access to their previous work’s IT environment. I bet it’s much more than you think it is.
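An offboarding routine of the kind described above, written here as an added example with the ActiveDirectory module; it is not code from the article or from Softerra. The OU path, the ticket parameter and the sample account name are assumptions for illustration.

```powershell
# Added example: deprovision a leaver in one step. Assumed: the parking OU
# 'OU=Disabled Users,DC=corp,DC=example' exists; run with -WhatIf to preview.
Import-Module ActiveDirectory

function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOu = 'OU=Disabled Users,DC=corp,DC=example',
        [string]$Ticket = ''   # HR/helpdesk reference recorded on the object
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Offboard')) {
        # 1. Block sign-in immediately: disable the account and rotate the
        #    password so cached credentials or known passwords stop working.
        Disable-ADAccount -Identity $user
        $newPwd = -join (Get-Random -InputObject ([char[]](33..126)) -Count 24)
        Set-ADAccountPassword -Identity $user -Reset `
            -NewPassword (ConvertTo-SecureString $newPwd -AsPlainText -Force)

        # 2. Strip every group membership. The primary group (normally
        #    Domain Users) is not listed in MemberOf and stays in place.
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }

        # 3. Record when and why, then park the object out of the live OUs
        #    so the OU-based GPOs and group rules no longer apply to it.
        $stamp = "Offboarded $(Get-Date -Format 'yyyy-MM-dd') $Ticket".Trim()
        Set-ADUser -Identity $user -Description $stamp
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    }

    # Return the resulting state so the caller can verify and log it
    Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf, Description
}

# Usage (assumed sample values): preview first, then run for real
Invoke-UserOffboarding -SamAccountName 'jdoe' -Ticket 'HR-1234' -WhatIf
```

The returned object should show Enabled = False, an empty MemberOf and the new DN under the parking OU; anything else means a step failed and the account still needs attention.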


Group Membership Management

Adding and removing users to/from groups can take up most of a typical IT admin’s day. Thus, automating it will have a pretty significant effect.

In addition to user provisioning procedures, which involve adding new users to groups, you can automate all membership changes that rely on certain rules, e.g. if you have Active Directory groups associated with a user’s department. In that case, every time a user is updated and the Department property is changed, a task can be triggered removing the user account from old groups and adding it to the new ones. You can apply similar logic to all other rules in your environment.
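The department rule from the paragraph above, as an added example that is not part of the article or Softerra’s product: whenever the Department attribute changes, the user’s department groups are reconciled. The naming convention “Dept-<Department>” and the OU that holds those groups are assumptions.

```powershell
# Added example: reconcile department groups against the Department
# attribute. Assumed convention: one group per department named
# 'Dept-<Department>' under 'OU=Department Groups,DC=corp,DC=example'.
Import-Module ActiveDirectory

function Sync-DepartmentGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupOu = 'OU=Department Groups,DC=corp,DC=example',
        [string]$Prefix  = 'Dept-'
    )
    # Index every department group by DN so membership checks are cheap
    $deptGroups = @{}
    Get-ADGroup -Filter "Name -like '$Prefix*'" -SearchBase $GroupOu |
        ForEach-Object { $deptGroups[$_.DistinguishedName] = $_ }

    $changes = @()
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties Department, MemberOf
    foreach ($user in $users) {
        # The single department group this user should be in (if any)
        $wanted = $deptGroups.Values |
            Where-Object { $user.Department -and $_.Name -eq "$Prefix$($user.Department)" } |
            Select-Object -First 1
        $wantedDn = if ($wanted) { $wanted.DistinguishedName } else { '' }

        # Remove from department groups that no longer match (e.g. old department)
        foreach ($dn in $user.MemberOf) {
            if ($deptGroups.ContainsKey($dn) -and $dn -ne $wantedDn) {
                if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $dn")) {
                    Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
                }
                $changes += "- $($user.SamAccountName) $($deptGroups[$dn].Name)"
            }
        }
        # Add to the current department's group if not already a member
        if ($wanted -and $user.MemberOf -notcontains $wantedDn) {
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Add to $($wanted.Name)")) {
                Add-ADGroupMember -Identity $wanted -Members $user
            }
            $changes += "+ $($user.SamAccountName) $($wanted.Name)"
        }
    }
    $changes   # one line per change, ready for a log entry or a ticket
}

Sync-DepartmentGroups -WhatIf   # preview; drop -WhatIf to apply
```

Because the function only touches groups carrying the department prefix, manually managed groups are never altered by it, which keeps the blast radius of a wrong Department value small.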


Maintaining OU Structure

Many companies have a complex OU structure. There are many models you can implement: flat structure, geo-based structure, function-based structure, type-based structure, etc. Whatever model you are using, it is essential to be sure that everything is in the same place all the time, especially if your system relies on GPOs that are tied to OUs.

To do that you can have a scheduled task that periodically runs over your AD, checks the location of the objects and moves them if they are in the wrong place. So, if there are any unwanted movements in your Active Directory, either accidental or intentional, they will be undone.
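One way to build the placement check the paragraph describes, added here as an example rather than taken from the article or Softerra. The rules, OU paths and naming patterns are assumptions standing in for your own OU model.

```powershell
# Added example: enforce OU placement from a scheduled task. Every rule
# and path below is assumed for illustration. Rules must not overlap,
# otherwise an object would bounce between OUs on every run.
Import-Module ActiveDirectory

$PlacementRules = @(
    @{ Name = 'Workstations'; Class = 'computer'; Filter = "Name -like 'WS-*'"
       TargetOu = 'OU=Workstations,DC=corp,DC=example' },
    @{ Name = 'Servers';      Class = 'computer'; Filter = "Name -like 'SRV-*'"
       TargetOu = 'OU=Servers,DC=corp,DC=example' },
    @{ Name = 'Sales staff';  Class = 'user';     Filter = "Department -eq 'Sales'"
       TargetOu = 'OU=Sales,OU=Users,DC=corp,DC=example' }
)

function Get-ParentDn([string]$Dn) {
    # Drop the leading RDN; a comma inside a value is escaped as '\,'
    ($Dn -split '(?<!\\),', 2)[1]
}

function Repair-OuPlacement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [array]$Rules = $PlacementRules,
        [string]$ExcludeOu = 'OU=Disabled Users,DC=corp,DC=example'  # parked leavers stay put
    )
    foreach ($rule in $Rules) {
        $objects = switch ($rule.Class) {
            'user'     { Get-ADUser     -Filter $rule.Filter }
            'computer' { Get-ADComputer -Filter $rule.Filter }
        }
        foreach ($obj in $objects) {
            $parent = Get-ParentDn $obj.DistinguishedName
            if ($parent -eq $rule.TargetOu) { continue }
            if ($obj.DistinguishedName -like "*,$ExcludeOu") { continue }
            if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Move to $($rule.TargetOu)")) {
                Move-ADObject -Identity $obj.DistinguishedName -TargetPath $rule.TargetOu
            }
            # Emit a record of each correction; the task's log captures who moved what
            [pscustomobject]@{ Rule = $rule.Name; Object = $obj.Name
                               From = $parent;    To = $rule.TargetOu }
        }
    }
}

Repair-OuPlacement -WhatIf   # dry run; schedule without -WhatIf once the rules are right
```

Any object the task keeps moving back is worth investigating: a recurring drift in the log usually means either a rule that does not match how the object is actually used or someone deliberately relocating it to escape a GPO.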


AD Cleanup

Over time unused objects can accumulate in your Active Directory: stale user and computer accounts, empty OUs, unused groups, etc. Or it can be worse: they can accumulate without your IT department noticing it. Stale AD objects are bad for two main reasons. Firstly, they create clutter that makes overall management inefficient. Secondly, they are often targeted by attackers.

Removing inactive objects is another thing that can be easily automated. Note though that simply removing such objects is probably not a good idea. It’s better to isolate them in a special OU or add some sort of human approval procedure. Machines are great, but don’t trust them too much.
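The two-stage cleanup the paragraph recommends, as an added example that is neither the article’s nor Softerra’s code: the first function only quarantines stale user accounts into a holding OU and writes a review list; the second deletes only the accounts a human has marked as approved. The OU path, the inactivity threshold and the report location are assumptions.

```powershell
# Added example: quarantine stale user accounts, delete only after approval.
# Assumed: 'OU=Quarantine,DC=corp,DC=example' exists; 90 days of inactivity.
Import-Module ActiveDirectory
$QuarantineOu = 'OU=Quarantine,DC=corp,DC=example'

function Invoke-StaleAccountQuarantine {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$InactiveDays = 90, [string]$ReportPath = '.\stale-review.csv')
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Search-ADAccount -AccountInactive also returns accounts that have never
    # logged on, so brand-new accounts are excluded via whenCreated.
    $stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated, LastLogonDate, Description } |
        Where-Object { $_.Enabled -and $_.whenCreated -lt $cutoff -and
                       $_.DistinguishedName -notlike "*,$QuarantineOu" }
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Quarantine')) {
            Disable-ADAccount -Identity $u
            # Keep the original location in the description so the move is reversible
            $origin = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
            Set-ADUser -Identity $u -Description "Quarantined $(Get-Date -Format yyyy-MM-dd) from $origin; was: $($u.Description)"
            Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOu
        }
    }
    # Review list for a human: fill the Approved column with 'yes' to allow deletion
    $stale | Select-Object SamAccountName, Name, LastLogonDate, whenCreated, @{ n = 'Approved'; e = { '' } } |
        Export-Csv -NoTypeInformation -Path $ReportPath
    @($stale).Count
}

function Remove-ApprovedStaleAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$ApprovedReport)
    $approved = Import-Csv $ApprovedReport | Where-Object { $_.Approved -eq 'yes' }
    foreach ($row in $approved) {
        # Delete only what is still parked in quarantine; anything moved back out is kept
        $u = Get-ADUser -Identity $row.SamAccountName
        if ($u.DistinguishedName -like "*,$QuarantineOu" -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, 'Delete')) {
            Remove-ADObject -Identity $u.DistinguishedName -Confirm:$false
        }
    }
}

Invoke-StaleAccountQuarantine -WhatIf           # stage 1 preview
# Remove-ApprovedStaleAccounts -ApprovedReport '.\stale-review.csv' -WhatIf   # stage 2, after sign-off
```

Because a quarantined account is disabled and parked in one place, the review step can be slow without leaving an exploitable stale account in a live OU in the meantime.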



As you can see, automating simple things in Active Directory can give huge returns. Apart from the obvious saving of time and effort, it lets your IT staff break free from everyday routine and move on to more complex tasks. This way you can utilize the full potential of your IT department and enable your whole company to move forward.

So why wait? Automate!
