The IT Assets Database was replaced by the IT Admins CMDB and is EOL / End of Life; no further development will be done on this project.
The employees table is primarily fed by the LDAP synchronization, but you can also add employees manually. This is due to the way the database and its application grew over time: it started off as a manually maintained table, which was then fed by a simple user synchronization, and finally a complete LDAP change reporting was implemented. Please keep that history in mind when looking into it.
Further, you can hook up a script that lets you add employees to your Active Directory from within the database. After that you only wait for the next synchronization and the employee shows up in the list. An example script is provided further down on this page.
In any case, employees are referenced by workstations, software, phone DIDs and the rights matrix. All of those relations, including LDAP groups and even previous workstations, can be viewed and accessed directly from here. Additionally you can see the detailed LDAP values as they were last seen by the database.
Manual employee entries are possible and can help with special cases, but in general and in most cases you should rely on the LDAP synchronization process and let the table be fed by LDAP / Active Directory.
The synchronized / Sync column shows whether an entry came from LDAP or was created manually. For synchronized entries there is also an LDAP last seen column, which indicates whether the user has since been deleted in your Active Directory: once an account disappears from the directory, its last seen date stops advancing.
There is also a # Wkst. column that shows how many workstations are assigned to the employee.
All of this information is useful for filtering, for example for all deleted users that still have one or more workstations assigned. To do so, set the following two filters:
- LDAP last seen = >=7/18/2018
- # Wkst. = >0
With those two filters you see all deleted user accounts that still have workstations assigned in your database; adjust the example date to your environment. Such leftovers are worth reviewing, because a device that is still tied to a removed account is easily lost track of. You could implement similar counter columns for software, phones and the rights matrix by changing qryEmployees in SQL and adding the columns in Sys Columns; that takes only a few minor steps.
Data field and reference overview
Most of the fields here aren't editable because they are synchronized from Active Directory.
- Employee Nr. (editable) and Employee Number (synchronized)
- Full Name (editable)
- Department (editable)
- Status Notes (editable)
- Software references (editable)
- Checklists, Notes and Tags (editable)
- References to the owner matrix, previous workstations and phones and what current workstations are assigned to this user
- LDAP Attributes (synchronized)
  - Title, FirstName, MiddleName, LastName
  - Username, SID
  - User Account Control
  - description, info
  - displayname, userPrincipalName, distinguishedName
  - department, departmentnumber
  - company, physicalDelivery, streetAddress, PostOffice, City, Street, postalCode, State, Country
  - manager
  - pager, facsimileTelephone, IPPhone, HomePhone, Mobile, Phone
  - PrimaryGroupID, LDAP Group membership
  - ProfilePath, ScriptPath
  - HomeDrive, HomeDirectory
  - WhenCreated
  - proxyAddresses (aka SMTP addresses)
  - Disabled and userAccountControl (decimal)
  - RemovedDate (set when the system detects that the account was removed)
Example Script for adding new employees
This PowerShell script can be executed directly from the employees view in the database. You need to define it in the SysConfig; the button only appears if it is defined there. The script is already rather complex and walks you through several options in order to create a new account. It remains an example and will need adjustments to your environment, in particular the OU and UPN domain values at the top of the script, which must match your directory. Two settings deserve attention before you deploy it: $DefaultPassword is a fixed cleartext password inside the script that is used whenever no password is entered, and the account is created enabled without forcing a password change at first logon ($ChangePasswordAtFirstLogon = $false). Either change those defaults or make sure the initial password is handed over and changed right away, and run the script with an account that only has create rights on the target OUs.
```powershell
Import-Module ActiveDirectory

$DomainController = ""               # leave empty to let the module pick any DC
$UPNDomain = "@domain.local"         # include the @ if you use this option
$DefaultPassword = "Abcd123!"        # used only if no password is entered - change this
$ChangePasswordAtFirstLogon = $false # $false or $true
$UserIsEnabled = $true               # $false or $true
$PasswordNeverExpires = $false       # $false or $true - this is the default; service accounts are asked separately
$OUUsers = "OU=Users,OU=Company,DC=domain,DC=local"
$OUAdmins = "OU=Admins,OU=Company,DC=domain,DC=local"
$OUServices = "OU=Service Accounts,OU=Company,DC=domain,DC=local"
$ErrorColor = "Red"
$WarningColor = "Yellow"

# Parameters shared by every AD cmdlet call: -Server is only passed when a DC was configured
$ServerParam = @{}
If ($DomainController.Length -gt 0) { $ServerParam["Server"] = $DomainController }

Write-Host ""
Write-Host "New User Script"
Write-Host "==============="
Write-Host ""

$UserName  = (Read-Host -Prompt "Please enter desired UserName")
$FirstName = (Read-Host -Prompt "Please enter desired FirstName")
$LastName  = (Read-Host -Prompt "Please enter desired LastName")
# -AsSecureString keeps the typed password off the screen and out of transcripts
$PasswordInput = (Read-Host -Prompt "Please enter desired Password (obey length and complexity rules) [leave empty for default]" -AsSecureString)
Write-Host ""

If ($UserName.Trim().Length -eq 0) {
    Write-Host "UserName invalid, exiting script..." -ForegroundColor $ErrorColor
    Pause
    Exit
}

# Get-ADUser -Identity throws when the account does not exist, hence the Try/Catch around the lookup
$ADUser = $null
Try {
    $ADUser = Get-ADUser -Identity "$UserName" @ServerParam -ErrorAction SilentlyContinue
} Catch {}
If ($null -ne $ADUser -and $ADUser.SID.Value.Length -gt 0) {
    Write-Host ""
    $ADUser
    Write-Host ""
    Write-Host "UserName exists already, exiting script..." -ForegroundColor $ErrorColor
    Pause
    Exit
}

If ($FirstName.Trim().Length -eq 0) {
    Write-Host "FirstName invalid, exiting script..." -ForegroundColor $ErrorColor
    Pause
    Exit
}
If ($LastName.Trim().Length -eq 0) {
    $LastName = (Read-Host -Prompt "LastName was empty - please confirm or enter a valid LastName")
}

If ($PasswordInput.Length -eq 0) {
    Write-Host "Using default password: $DefaultPassword" -ForegroundColor $WarningColor
    Write-Host ""
    $Password = ConvertTo-SecureString "$DefaultPassword" -AsPlainText -Force
} Else {
    $Password = $PasswordInput
}

Write-Host ""
Write-Host "Please choose from the following options:"
Write-Host "========================================="
Write-Host "1 `t Regular user / employee"
Write-Host "2 `t Administrative account"
Write-Host "3 `t Service account"
Write-Host ""
$Option = (Read-Host -Prompt "Please enter the number of the desired option [1]")
If ($Option.Trim().Length -eq 0) { $Option = "1" }

$TargetOU = ""
Switch ($Option.Trim()) {
    "1" { $TargetOU = $OUUsers; break }
    "2" { $TargetOU = $OUAdmins; break }
    "3" {
        $TargetOU = $OUServices
        # Only service accounts get asked about a non-expiring password; the default answer is yes
        $Answer = (Read-Host "Should this password NEVER EXPIRE [y]?").ToLower().Trim()
        If ($Answer -eq "" -or $Answer -eq "y" -or $Answer -eq "yes") {
            $PasswordNeverExpires = $true
        } Else {
            $PasswordNeverExpires = $false
            Write-Host ""
            Write-Host "The password will be set to expire..." -ForegroundColor $WarningColor
            Write-Host ""
            Pause
        }
        break
    }
    default {
        Write-Host "Option invalid, exiting script..." -ForegroundColor $ErrorColor
        Pause
        Exit
    }
}

Write-Host ""
Write-Host "Attempting to create the new user account..."
Write-Host ""
Try {
    $NewUserParams = @{
        Name                  = ("$FirstName $LastName").Trim()
        GivenName             = $FirstName
        Surname               = $LastName
        SamAccountName        = $UserName
        UserPrincipalName     = "$UserName$UPNDomain"
        Path                  = $TargetOU
        Enabled               = $UserIsEnabled
        AccountPassword       = $Password
        ChangePasswordAtLogon = $ChangePasswordAtFirstLogon
        PasswordNeverExpires  = $PasswordNeverExpires
    }
    New-ADUser @NewUserParams @ServerParam
    Write-Host ""
    Write-Host "The new user was created successfully..."
    Get-ADUser -Identity $UserName @ServerParam
} Catch {
    $_.Exception.Message
    Write-Host ""
    Write-Host "An error occurred while attempting to create the new user. Please see above Error-Message for details. Exiting script." -ForegroundColor $ErrorColor
    Pause
    Exit
}

Write-Host ""
Write-Host "Script finished..."
Pause
```
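As an added example (not code from the original page or from the IT Assets Database project), the following shows how the weak defaults of the script above can be replaced: instead of a fixed cleartext $DefaultPassword and $ChangePasswordAtFirstLogon = $false, the account gets a random one-time password from the OS CSPRNG and must change it at first logon, and the existence check uses -Filter, which returns nothing instead of throwing. The function names New-InitialPassword and New-EmployeeAccountParams, the user jdoe, and the UserName pattern are assumptions made here; the OU and domain values are the same placeholders the script uses.

```powershell
# Added example, not the project's script. Helper names and the sample user are hypothetical.
Import-Module ActiveDirectory

$UPNDomain = "@domain.local"   # same placeholder as in the script above

function New-InitialPassword {
    param([int]$Length = 16)
    # 64 symbols: 256 % 64 == 0, so "byte modulo 64" picks every symbol with equal probability.
    # Ambiguous glyphs (l, I, O, 0, 1) are left out because the password is read out during hand-over.
    $Alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=?"
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $Bytes = New-Object byte[] $Length
        $Rng.GetBytes($Bytes)
        $Candidate = -join ($Bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
        # Retry until all four character classes are present so the domain complexity rule cannot reject it.
    } while ($Candidate -cnotmatch '[a-z]' -or $Candidate -cnotmatch '[A-Z]' -or
             $Candidate -notmatch '[0-9]' -or $Candidate -notmatch '[^A-Za-z0-9]')
    return $Candidate
}

function New-EmployeeAccountParams {
    param(
        # The pattern (an assumption) also keeps the name safe to embed in an AD -Filter string.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$UserName,
        [Parameter(Mandatory)][string]$FirstName,
        [string]$LastName = "",
        [ValidateSet("User", "Admin", "Service")][string]$Kind = "User",
        [switch]$ServicePasswordNeverExpires
    )
    $TargetOU = switch ($Kind) {
        "User"    { "OU=Users,OU=Company,DC=domain,DC=local" }
        "Admin"   { "OU=Admins,OU=Company,DC=domain,DC=local" }
        "Service" { "OU=Service Accounts,OU=Company,DC=domain,DC=local" }
    }
    $Plain = New-InitialPassword
    $Params = @{
        Name                  = ("$FirstName $LastName").Trim()
        GivenName             = $FirstName
        SamAccountName        = $UserName
        UserPrincipalName     = "$UserName$UPNDomain"
        Path                  = $TargetOU
        Enabled               = $true
        AccountPassword       = (ConvertTo-SecureString $Plain -AsPlainText -Force)
        # Service accounts never log on interactively, so only they keep the initial password;
        # user and admin accounts must change it at first logon and always expire.
        ChangePasswordAtLogon = ($Kind -ne "Service")
        PasswordNeverExpires  = [bool]($Kind -eq "Service" -and $ServicePasswordNeverExpires)
    }
    if ($LastName) { $Params["Surname"] = $LastName }
    # The one-time password is returned for hand-over; nothing is hard-coded in the script.
    return [pscustomobject]@{ Params = $Params; InitialPassword = $Plain }
}

# Usage: refuse a taken name, preview the call with -WhatIf, then create the account.
$Account = New-EmployeeAccountParams -UserName "jdoe" -FirstName "Jane" -LastName "Doe" -Kind User
if (Get-ADUser -Filter "SamAccountName -eq '$($Account.Params.SamAccountName)'") {
    throw "UserName exists already"
}
$NewUserParams = $Account.Params
New-ADUser @NewUserParams -WhatIf
# New-ADUser @NewUserParams     # real run
# $Account.InitialPassword      # hand this to the employee out of band; do not log it
```

Because -Filter is a string the directory parses, the ValidatePattern on $UserName is what keeps a crafted name from altering the query; keep it (or an equivalent check) if you adapt this to read names from the database.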