ITAM – Employees

Employees are the actual user base. It is highly recommended to use the LDAP synchronization for this, as users are then automatically read and updated from the information stored in Active Directory.

Most fields in the employee’s module are write protected, as the information for those fields is read from Active Directory only. The department should be set manually or per checklist, as it is re-used in modules like purchasing.

The new button gives you a choice of options, depending on the system configuration in settings: you can create new employees in Active Directory via a PowerShell script (see sample below), force an Active Directory synchronization now, or add manual employee entries for special purposes. In general, LDAP synchronization is highly recommended instead of manual entries.

The list allows you to see whether an entry comes from LDAP or was created manually, using the synchronized / Sync column. If it was synchronized, you also have an LDAP last seen column that indicates whether the user was deleted in your Active Directory.

There is also a column # Wkst. that shows how many workstations are assigned to the employee.

All of this information is useful for filtering, e.g. for all deleted users that still have one or more workstations assigned. To accomplish this, set the following filters:

  • LDAP last seen = >=7/18/2018
  • # Wkst. = >0

Setting those two filters would show you all deleted user accounts that still have workstations assigned.

Data field and reference overview

Most of the fields here aren’t editable because they are synchronized from Active Directory.

  • Active (editable)
  • LDAP Sync – see settings
  • Employee Nr. (editable) – in the database
  • Employee Number LDAP (synchronized)
  • Employee Name (editable)
  • Department (editable)
  • User Account Control / UAC – current LDAP status of the user object
  • Manager (LDAP)
  • Status Notes (editable)
  • Common LDAP attributes – all read only
    • Title
    • First Name
    • Middle Name
    • Last Name
    • User Name
    • EMail
    • Phone
    • Mobile
    • SID
    • Department
    • Department Number
  • LDAP Attributes – all read only
    • Description
    • Info
    • Display Name
    • WWW Home Page
    • User Principal Name / UPN
    • Department
    • Department Number
    • Company
    • Distinguished Name / DN
    • Physical Delivery Office Name
    • Street Address
    • Post Office Box
    • City
    • State
    • Postal Code
    • Country
    • Country Code
    • Manager
    • Pager
    • Facsimile Telephone Number
    • IP Phone
    • Primary Group
    • Profile Path
    • Script Path
    • Home Drive
    • Home Directory
    • Home Phone
    • When Created
    • User Account Control (raw value)
    • Proxy Addresses
    • Removed Date (this shows when the account was last seen by the LDAP synchronization)
    • Account Expires
    • Disabled
  • LDAP Groups – this is read only – you can see what LDAP groups the user is currently in
  • Workstations – current and previously assigned Workstations
  • Phones / DIDs assigned in the database
  • Responsibility Matrix entries related to this employee / user account
  • Software references
  • Incidents
  • Checklists
  • TAGs
  • Notes
  • Created on and by
  • Last edited on and by
  • Record history

Example Script for adding new employees in LDAP

This PowerShell script can be executed directly from the employee’s module via the new button; you need to define it in the application settings.

This sample script is already rather complex and walks you through various options in order to create a new Active Directory user account. It ultimately depends on your configuration and needs and remains an example only. You need to adjust it to your specific needs, apart from the mandatory OU and Domain values, which can be configured in the header section of the script.
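The project's own sample script is not reproduced on this page; the following is an added example of what such a creation script can look like, not the project's code. It assumes the RSAT ActiveDirectory module is installed and the caller has delegated rights in the target OU; the OU and domain in the header section are placeholders to replace, and the parameter names are this example's own.

```powershell
# Added example (not the ITAM project's own sample script). Assumes the RSAT
# ActiveDirectory module and delegated rights to create users in $TargetOU.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$FirstName,
    [Parameter(Mandatory)][string]$LastName,
    [Parameter(Mandatory)][string]$Department,
    [string]$EmployeeNumber,
    [string]$ManagerSamAccountName
)
# --- Header section: the two values to adjust for your environment --------
$TargetOU = 'OU=Employees,DC=example,DC=local'   # placeholder OU
$Domain   = 'example.local'                      # placeholder UPN suffix
# ---------------------------------------------------------------------------
Import-Module ActiveDirectory

# sAMAccountName: first initial + last name, lowercase ASCII, max 20 characters,
# with a numeric suffix if the name is already taken in the directory.
$base = ("{0}{1}" -f $FirstName.Substring(0, 1), $LastName).ToLower() -replace '[^a-z0-9]', ''
$sam  = $base.Substring(0, [Math]::Min(20, $base.Length))
$n = 1
while (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
    $suffix = [string]$n
    $sam = $base.Substring(0, [Math]::Min(20 - $suffix.Length, $base.Length)) + $suffix
    $n++
}

# Random initial password that the user must change at first logon, so no
# shared or predictable starting password exists for the new account.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

$params = @{
    Name                  = "$FirstName $LastName"
    GivenName             = $FirstName
    Surname               = $LastName
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@$Domain"
    Path                  = $TargetOU
    Department            = $Department
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true
    Enabled               = $true
}
if ($EmployeeNumber) { $params.EmployeeNumber = $EmployeeNumber }
if ($ManagerSamAccountName) {
    $params.Manager = (Get-ADUser -Identity $ManagerSamAccountName).DistinguishedName
}
$user = New-ADUser @params -PassThru
Write-Output "Created $($user.DistinguishedName); run the LDAP synchronization to import the record."
```

The department and manager are written so that the synchronized employee record picks them up; the employee number lands in the Employee Number LDAP field, not the editable Employee Nr. field in the database.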