
Active Directory User Account

Standard
User Creation & Maintenance
October 29th 2014

Document Change log

Version: 1.0, 2.0
Date: October 27th
Author: Jim Katoe, Ryan Hudson
Comments: Versions before ID; Changed the standard to comply with Office 365 requirements and Adaxes Based ID tool.

Active Directory User Account Standard


For Internal Use Only

Contents

1 Introduction
2 To create a new user account
  2.1 General
    2.1.1 First Name, Last Name, Full Name
    2.1.2 Display Name
    2.1.3 User Logon Name (SAM-Account-Name)
    2.1.4 UPN Suffix
    2.1.5 User Logon Name (UserPrincipalName)
    2.1.6 On-Prem mailbox Required
    2.1.7 Description
    2.1.8 E-mail (mail)
  2.2 Organization
    2.2.1 Office
    2.2.2 Company
    2.2.3 GroupMCompany
    2.2.4 Department
    2.2.5 Job Title
    2.2.6 Manager and Assistant
    2.2.7 EmployeeID
    2.2.8 Employee Type
  2.3 Account
    2.3.1 Password
  2.4 Telephones
    2.4.1 Telephone Number
    2.4.2 Mobile Phone
    2.4.3 Fax
    2.4.4 IP Phone
    2.4.5 Pager
  2.5 Audio Conferencing Options
    2.5.1 Dial-Option
  2.6 Profile
3 Finish Creating the User Account
4 Modifying Advanced Parameters
  4.1 Environment
  4.2 Sessions
  4.3 Remote Control
  4.4 Terminal Services Profile
    4.4.1 Dial-In
5 Office 365 Licensing Options
  5.1 Office 365 Licensing
6 Exchange Properties
  6.1 General
    6.1.1 Alias (MailNickName)
    6.1.2 Display Name
  6.2 Mailbox Usage
  6.3 E-Mail Address
  6.4 Mailbox Features
  6.5 Calendar Settings
  6.6 MailTip
  6.7 Delegation
  6.8 Automatic Replies


1 Introduction
GroupM has implemented a web-based user provisioning and management system using Softerra's Adaxes framework. It has been named ID. ID is a proxy through to Active Directory which enforces GroupM's standards around Active Directory and helps facilitate automation. Access to create and modify user objects directly has been removed from Active Directory. ID has business rules configured which automate many of the attributes and tasks, easing administration efforts and allowing a single tool to manage all aspects of a user account, including its Office 365 cloud resources.

Although a lot of rules and automation have been put in place within ID, IT is still responsible for keeping the data in the user object up to date.

If any of the options within the forms of ID is inaccurate, please contact GroupM Global Operations. This may be a selectable office value within an OU, or address information which has changed.

If any of the data required below conflicts with any local privacy laws, please contact GroupM Global Operations.

2 To create a new user account


1. From a supported web browser, go to https://id.insidemedia.net/servicedesk/
2. Enter your admin account credentials and click Sign in.


3. From the home screen, click Browse and drill down to the OU in which you wish to create the user.

4. Click the Create new User button.


2.1 General

2.1.1 First Name, Last Name, Full Name


The First and Last name fields should correspond to the user's official business identity. Only alphanumeric characters in the lower ASCII character set can be used. The only exceptions are a space " ", dash "-" and underscore "_".

Characters containing accents or an apostrophe cannot be used. They can, however, be used in the display name. The names used here must be consistent through the e-mail address and logon names.

Note that the Full name is automatically filled in after you enter the First and Last names. This must be a unique value within an OU.

Compound Names
If the user has multiple first names or multiple last names, and they are part of the e-mail address, then they should be included in the appropriate field. For example, Billy Bob Thornton would have "Billy Bob" in the first name field (notice the space). Ernest van den Haag would have "Ernest" in the first name field, and "van den Haag" in the last name field. Spaces will automatically be removed by ID when generating the SamAccountName and UserPrincipalName, as they are not supported in Office 365.

2.1.2 Display Name


The Display Name is also automatically populated using the First Name and Last Name values. This is how the user will be displayed in applications such as the Exchange GAL, SharePoint etc. The Display Name field can be used to display accented letters for users who have them, or for names with an apostrophe. The following characters are not allowed as they are not supported by Office 365: ? @ \ +

2.1.3 User Logon Name (SAM-Account-Name)
The SAM-Account-Name is automatically populated from the First Name and Last Name attributes. This attribute must be unique within the domain.

The user logon name (SAM-Account-Name) should be:
Firstname.Lastname

There is a 20 character limit for this attribute, so if the name is longer than 20 characters it will be truncated.

Conflicts will be handled by using a unique number as the last or 20th character, e.g. jim.katoe1. Alternatively, a middle initial can be used.

2.1.4 UPN Suffix
The UPN suffix is a Virtual Attribute which is only stored in Adaxes. It does not exist within Active Directory and is only used to compute the user's UserPrincipalName.

The UserPrincipalName must match the user's primary e-mail address, so choose the appropriate domain from the list. The domain name must match the company they are assigned to. This is used for determining access to certain company resources.

2.1.5 User Logon Name (UserPrincipalName)
The User Principal Name or UPN is the logon name that began to be used with Active Directory and is the only logon name supported by Office 365. The older SAM-Account-Name format is still required by some legacy systems and is thus still supported.

The UPN is not to be set directly via ID. It is automatically generated using the user's First Name, Last Name and UPN Suffix. If any of these 3 attributes changes, ID will update the UPN accordingly.

The User Logon Name (UserPrincipalName) will be:
Firstname.Lastname@UPNSuffix

The user principal name must be unique within Active Directory and Office 365.
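The naming rules from 2.1.1, 2.1.3 and 2.1.5, as an added Python example that is not part of the original standard and is not ID's own code. The function names, the numbering loop used for conflicts and the absence of a UPN length limit are assumptions; example.com is a placeholder suffix.

```python
import re

# Allowed in First/Last name per 2.1.1: ASCII letters, digits, space, dash, underscore.
ALLOWED = re.compile(r"[A-Za-z0-9 _-]")
SAM_MAX = 20  # SAM-Account-Name limit from 2.1.3


def rejected_chars(value):
    """Characters in a First/Last name value that the standard does not allow."""
    return sorted({ch for ch in value if not ALLOWED.fullmatch(ch)})


def base_logon(first, last):
    """Firstname.Lastname with spaces removed, after validating both parts."""
    for label, value in (("First", first), ("Last", last)):
        if not value.strip():
            raise ValueError(f"{label} name is empty")
        bad = rejected_chars(value)
        if bad:
            raise ValueError(f"{label} name has disallowed characters: {bad}")
    return f"{first}.{last}".replace(" ", "")


def sam_account_name(first, last, taken):
    """Unique SAM-Account-Name of at most 20 characters.

    `taken` holds the names already in the domain; the comparison ignores
    case because Active Directory matches this attribute case-insensitively.
    """
    taken = {name.lower() for name in taken}
    base = base_logon(first, last)[:SAM_MAX]
    if base.lower() not in taken:
        return base
    # Conflict: append a number, or overwrite the tail when all 20
    # characters are used, so the number is the last (or 20th) character.
    for n in range(1, 100):
        digits = str(n)
        candidate = base[:SAM_MAX - len(digits)] + digits
        if candidate.lower() not in taken:
            return candidate
    raise RuntimeError(f"no free logon name for {base}")


def user_principal_name(first, last, upn_suffix):
    """Firstname.Lastname@UPNSuffix. Assumption: no truncation, as no UPN limit is stated."""
    return f"{base_logon(first, last)}@{upn_suffix}"


if __name__ == "__main__":
    existing = {"jim.katoe"}  # constructed sample of names already in use
    print(sam_account_name("Jim", "Katoe", existing))
    print(sam_account_name("Ernest", "van den Haag", existing))
    print(user_principal_name("Billy Bob", "Thornton", "example.com"))
```

Because the SAM-Account-Name is truncated and the UPN is not, two users whose names differ only after the 20th character collide on the first attribute but not the second, which is the case the numbering rule has to resolve.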

2.1.6 On-Prem mailbox Required


This is another Virtual Attribute which only exists in ID. It is only used as a trigger when creating a user.

Select YES if the user requires a mailbox AND the office where the user resides has not been migrated to Exchange Online/Office 365. This will create an Exchange mailbox on a GroupM mail server.

Select NO if the user does NOT require a mailbox OR the office where the user resides has been fully migrated to Exchange Online/Office 365. A mailbox will be created in a later step.

Once the migration to Exchange Online is complete, this attribute will no longer be used.

2.1.7 Description
This field is free to be updated as you like. There is, however, an automated process that cleans up AD, as described below.

If a user account has not had its password changed within 80 days (29 days past our requirement), it will be disabled.

If a user account has not had its password changed within 110 days, it will be deleted.

There may be a valid business reason to circumvent this policy. If you choose to circumvent this process, please understand that you may be required to explain, or provide documentation for, why you are circumventing a security process that your company is depending on for regulatory purposes. Circumventing the process would be understandable if the user is on extended leave for maternity, sabbatical, etc.

To exempt an account, enter the following string EXACTLY within the Description field: |nodisable|, including the reason for not disabling/deleting the user.
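An added example, not part of the original standard and not the actual cleanup process: a Python check over exported account records that applies the 80 and 110 day thresholds from 2.1.7 and reviews |nodisable| exemptions. The record fields, the case-sensitive exact match, the strictly-older-than comparison and the near-miss pattern are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

DISABLE_AFTER = 80   # days since the last password change (2.1.7)
DELETE_AFTER = 110
TAG = "|nodisable|"
# Spellings someone probably meant as the tag; an exact match ignores them.
NEAR_MISS = re.compile(r"no[\s_-]*disable", re.IGNORECASE)


def classify(account, now):
    """Return (action, finding) for one exported account record."""
    desc = account.get("description") or ""
    age = (now - account["pwd_last_set"]).days
    # Assumption: "not changed within N days" means strictly older than N.
    if age > DELETE_AFTER:
        due = "delete"
    elif age > DISABLE_AFTER:
        due = "disable"
    else:
        due = "none"

    if TAG in desc:
        reason = desc.replace(TAG, "").strip(" -:;,.")
        finding = None if reason else "exemption tag without a recorded reason"
        return "exempt", finding
    if NEAR_MISS.search(desc):
        return due, "malformed exemption tag, cleanup still applies"
    return due, None


def audit(accounts, now):
    """Map account name -> (action, finding), leaving out clean accounts."""
    report = {}
    for account in accounts:
        action, finding = classify(account, now)
        if action != "none" or finding:
            report[account["sam"]] = (action, finding)
    return report


# Constructed sample export, not real directory data.
NOW = datetime(2014, 10, 29, tzinfo=timezone.utc)
SAMPLE = [
    {"sam": "a.active", "pwd_last_set": NOW - timedelta(days=30),
     "description": "Finance"},
    {"sam": "b.stale", "pwd_last_set": NOW - timedelta(days=95),
     "description": ""},
    {"sam": "c.gone", "pwd_last_set": NOW - timedelta(days=140),
     "description": None},
    {"sam": "d.leave", "pwd_last_set": NOW - timedelta(days=140),
     "description": "|nodisable| maternity leave until 2015-01"},
    {"sam": "e.noreason", "pwd_last_set": NOW - timedelta(days=120),
     "description": "|nodisable|"},
    {"sam": "f.typo", "pwd_last_set": NOW - timedelta(days=120),
     "description": "|no disable| sabbatical"},
]

if __name__ == "__main__":
    for sam, (action, finding) in audit(SAMPLE, NOW).items():
        print(f"{sam:12} {action:8} {finding or ''}")
```

The two findings are the cases worth a reviewer's time: an exemption set in a free-text field with no reason attached, and an account whose owner believes it is exempt when the tag will not match.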
2.1.8 E-mail (mail)
The E-mail address field will not be directly editable. This field will be set
automatically by ID and will be set to match the UPN of the user. If the UPN
changes, the E-mail address field will also change.


2.2 Organization

2.2.1 Office
The Office field is important for the Office Directory and GroupM's software licensing procedures. It is also used by ID to automate all of the address attributes of the user within the directory. This attribute is mandatory, and the list of available offices is restricted based on the OU that the user will be in.

If an Office is missing from the form or has changed, please contact GroupM Global Operations.

2.2.2 Company
Select the Company which the user is part of.

2.2.3 GroupMCompany
Select a GroupMCompany only if the user is part of that Sub Brand.

2.2.4 Department
There is no global standard around department. Set this attribute based upon local standards.

2.2.5 Job Title
This is where you would enter the user's job title.

2.2.6 Manager and Assistant
These are currently optional. Set these if required.

2.2.7 EmployeeID
Certain countries are using the EmployeeID for use with applications. If required, this should be the 2-letter ISO 3166-1 code of the country where the user resides, followed by the local HR number.

E.g. for a user residing in the United States with an HR number of 000001, their employee ID would be US00001.

Do NOT use this field if the HR number cannot be publicly known, because this value will be available to anyone with access to the directory.

2.2.8 Employee Type
The Employee Type is a new attribute we are requiring to help track the type of employees we have. This will help with licensing and budget preparation, as WPP headcount and actual headcount differ largely in some regions.

2.3 Account

2.3.1 Password
Enter a password and then re-enter the password. Alternatively, you can click Generate to generate a complex password.

If you are unsure of the password policy, click View Password Policy.

The ability to set a user object to "Password never expires" has been removed from ID to conform with GroupM's security policy.


2.4 Telephones

2.4.1 Telephone Number


The telephone number field is crucial for GroupM's Global Directory. The value in this field must be the user's direct office telephone number. The number format used by this field is the E.164 telephone number standard. This means it must begin with the + sign, followed by the 1, 2 or 3 digit country code, followed by the phone number. Any international phone should be able to dial this number. Even if you are not on the Cisco IPT solution, it is essential for your number to follow this format so that you can be dialed by users who are. It will also be used by other systems such as SharePoint, Jive and Unified Communications.

The number must not contain spaces, brackets or hyphens. A valid number would be +442079693400. +44 20 7969-3400 or +44 (0) 20 7969 3400 are not valid values. ID will validate the number and won't allow you to save an invalid number.

2.4.2 Mobile Phone
The Mobile Phone attribute can be edited at the discretion of the local administrator; however, please keep in mind two issues. The mobile phone number must also be in the E.164 format. Be sensitive to our employees' privacy concerns and the local government and works council requirements.

2.4.3 Fax
If required, the user's fax number can be entered here. The fax number must also be in the E.164 format.
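The E.164 rule from 2.4.1, which 2.4.2 and 2.4.3 also require, as an added Python example for checking values already in the directory; it is not part of the original standard and is not ID's validator. The 15-digit maximum comes from E.164 itself, the attribute names are the standard Active Directory ones, and the function names and the record layout are assumptions.

```python
import re

# '+', then 2 to 15 digits in total, the first of which is not 0.
E164 = re.compile(r"\+[1-9]\d{1,14}")
PHONE_ATTRS = ("telephoneNumber", "mobile", "facsimileTelephoneNumber")


def check_e164(value):
    """Return (ok, problems, suggestion) for one telephone attribute value."""
    if E164.fullmatch(value):
        return True, [], value
    problems = []
    if not value.startswith("+"):
        problems.append("must begin with '+' and the country code")
    if re.search(r"\s", value):
        problems.append("contains spaces")
    if re.search(r"[()\[\]]", value):
        problems.append("contains brackets")
    if "-" in value:
        problems.append("contains hyphens")
    if re.search(r"[^\d+\s()\[\]-]", value) or "+" in value[1:]:
        problems.append("contains other non-digit characters")
    # A fix is only proposed when the country code is already present.
    # A bracketed trunk prefix "(0)" is not dialled internationally, so drop it.
    suggestion = None
    if value.startswith("+"):
        candidate = "+" + re.sub(r"\D", "", value.replace("(0)", ""))
        if E164.fullmatch(candidate):
            suggestion = candidate
        elif not problems:
            problems.append("digits after '+' must number 2 to 15 and not start with 0")
    return False, problems, suggestion


def audit_phones(user):
    """Check the three attributes the standard requires in E.164 format."""
    findings = {}
    for attr in PHONE_ATTRS:
        value = user.get(attr)
        if value:
            ok, problems, suggestion = check_e164(value)
            if not ok:
                findings[attr] = (problems, suggestion)
    return findings


if __name__ == "__main__":
    # Constructed record using the valid and invalid values quoted in 2.4.1.
    sample = {
        "telephoneNumber": "+442079693400",
        "mobile": "+44 (0) 20 7969 3400",
        "facsimileTelephoneNumber": "+44 20 7969-3400",
    }
    for attr, (problems, suggestion) in audit_phones(sample).items():
        print(attr, problems, "->", suggestion)
```

The check cannot confirm that the leading digits are a real country code; that needs a country-code table, which is left out here.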
2.4.4 IP Phone
This can be used and edited at the discretion of local IT.
2.4.5 Pager
This can be used and edited at the discretion of local IT. There is no global standard
around this attribute.

2.5 Audio Conferencing Options

2.5.1 Dial-Option
This option is used to select the audio options for Web Conferencing. This maps back to the extensionAttribute15 in Active Directory.

VOIP (default): Integrated VOIP is an audio feature that sends the audio from your meeting over the internet, instead of through the telephone. A laptop or desktop with an integrated microphone and speakers or headphones is required to utilize this service option.

Limited: Toll & Toll free and Integrated VOIP. This option adds Toll and Toll free services to the user's account. This option provides the ability for the host and the participants to dial into a toll free or toll number from a home, office or mobile phone.

ALL: Call-back, Toll & Toll free, Integrated VOIP. This option adds call-back functionality to the user's account. The Call Back feature allows attendees to enter their phone numbers and immediately receive a call with prompts to join the meeting.

Please note: There are charge-back costs associated with the Limited and ALL options.

2.6 Profile

These tabs can be edited at the discretion of the local administrator. Please read the GroupM Server Implementation Guide for requirements for scripts.

3 Finish Creating the User Account


1. Verify that all the settings are correct and click Create.
2. If On-Prem Mailbox required was set to Yes, you will see the business rules kick in, which set the address information, create an On-Prem Exchange mailbox, set the e-mail addresses and set the default e-mail options.

If On-Prem Mailbox required was set to No, you will see the business rules kick in for address automation.

4 Modifying Advanced Parameters


There are some settings that can only be set after the user is created via Advanced
Parameters.

4.1 Environment
These settings can be edited at the discretion of Local IT, however generally these
are not used.


4.2 Sessions
These settings can be edited at the discretion of local IT, but generally it is better to
manage this on the Terminal Server where the settings can be uniformly applied to
all users.
4.3 Remote Control
These settings can be edited at the discretion of local IT, but generally it is better to
manage this on the Terminal Server where the settings can be uniformly applied to
all users.


4.4 Terminal Services Profile


These settings can be edited at the discretion of Local IT, however generally these
are not used.

4.4.1 Dial-In
These settings are not used.


5 Office 365 Licensing Options


This section describes the options to license a user for Office 365.

5.1 Office 365 Licensing
After creating the user, Office 365 licensing should be set. Licensing options are accessed via Custom Commands in ID. These are accessed via the Other tab.

The option chosen depends on whether or not the user has an existing On-Prem mailbox.

If the user DOES NOT have an On-Prem mailbox and requires a new mailbox within Office 365, select the option "Enable New User for Office 365".

This option will license the user for Office 365, create a mailbox in Office 365, create a remote mailbox On-Prem, populate the Mail attribute with the e-mail address of the user and set the default mailbox options.


If the user DOES have an On-Prem mailbox and requires licensing to activate Office 365 Pro Plus, select "license user for Office Pro Plus 365". (This option is temporary and will be removed after all user mailboxes have been migrated to Office 365.)

This option will license the user for Office 365. As they already have an On-Prem mailbox, the mailbox will be skipped and will be created when the user's mailbox is migrated.

If the user DOES NOT have an On-Prem mailbox and a mailbox is NOT required, select "License User for Office Pro Plus without a mailbox".

This option will license the user for Office 365 but not allow a mailbox to be created. This can be used in select markets where temporary employees need a license for Office Pro Plus, but are not required to have e-mail.

You can see the status of the Office 365 license on the View Object page of the user.

6 Exchange Properties
The Exchange properties can be found on the View Object page of the user. This will work whether the mailbox is On-Prem or in Office 365. You can find out where it is located by looking at the Mailbox Location. If it says Office 365, it is in the cloud. If it says anything else, it is located On-Prem.

6.1 General

6.1.1 Alias (MailNickName)

This is automatically set when the mailbox is created. It is set to the same value as the user's SAM-Account-Name.

This attribute would only need to be changed if the user had a name change.

6.1.2 Display Name
This is the exact same attribute as the Display Name set on the user account.

6.2 Mailbox Usage
This displays the Last Logon for the mailbox and storage quota information. This tab is just informational.


6.3 E-Mail Address


Here you can view/modify the e-mail addresses of the user. This is where you would add secondary e-mail addresses.

The primary e-mail address will automatically update after a user's UPN is changed.

Please be aware that if the mailbox is in the cloud, the information here is being pulled from Office 365. If a change is made to an e-mail address, it is changed locally in Active Directory. If a recent change was made to the user's e-mail address(es), it will not be reflected here until the next Directory Sync.

The option to "Automatically update e-mail addresses based on policy" is set to No by default and should not be changed unless there is an e-mail policy set on Office 365 that the account abides by.

6.4 Mailbox Features


Settings here are managed by Office 365 and Exchange Admins. Changes should not be made.

Forwarding mail to an external address requires GroupM Global CIO approval.

IMAP and POP3 are not allowed and are disabled by default.

6.5 Calendar Settings
This can be used and edited at the discretion of local IT.

6.6 MailTip
This can be used and edited at the discretion of local IT.

6.7 Delegation
Send As, Send on Behalf of and Full Access delegation can be set here.


6.8 Automatic Replies


This can be used and edited at the discretion of local IT.
