Lifecycle Manager manages the Active Directory user account lifecycle. It can perform the following tasks:
- Create a new user account (Create-Account)
- Update relevant properties (Update-Account)
- Delete a user account (Delete-Account)
- Set/remove expiration date (Expire-Account/Unexpire-Account)
- Move a user account to a different OU (Move-Account)
- Instruct Resource Manager to remove or restore an Office 365 license (Remove-MsolLicense/Restore-MsolLicense).
Information on what tasks to perform is read from the MetaDirectory database and processed by the dispatcher.
- Assemblies: Kungsbacka.DS, Kungsbacka.AccountTasks, Kungsbacka.CommonExtensions, EPPlus and Newtonsoft Json
- Databases: MetaDirectory and ADEvents (logging)
- Create a service account (preferably a Managed Service Account) with the appropriate permissions (see below)
- Create a folder on a server and copy/clone LifecycleManager to the folder
- Create a subfolder called lib and copy DLLs for the assemblies above to the folder (Kungsbacka.DS.dll, Kungsbacka.AccountTasks.dll, Kungsbacka.CommonExtensions.dll, EPPlus.dll and Newtonsoft.Json.dll).
- Rename Config.example.ps1 to Config.ps1 and update it with settings for your environment.
- Register a new event source on the server: [System.Diagnostics.EventLog]::CreateEventSource('LifecycleManager', 'Application')
- Register a scheduled task (see below)
This is a template script for creating a scheduled task that runs Lifecycle Manager:

```powershell
Register-ScheduledTask `
    -TaskName 'LifecycleManager' `
    -TaskPath '\' `
    -Description 'Creates, deletes and updates user accounts in Active Directory.' `
    -Principal (New-ScheduledTaskPrincipal -UserId '<service account>' -LogonType Password) `
    -Trigger (New-ScheduledTaskTrigger -At 02:00 -Daily) `
    -Action (New-ScheduledTaskAction `
        -Execute 'powershell.exe' `
        -Argument '-Command "<path to Dispatcher.ps1>"' `
        -WorkingDirectory '<script folder path>') `
    -Settings (New-ScheduledTaskSettingsSet -StartWhenAvailable)
```
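The following post-installation check is an added example, not part of Lifecycle Manager itself. It verifies the installation steps above (Config.ps1 renamed, the five DLLs in lib, the event source and the scheduled task registered); the default `$ScriptFolder` path is a placeholder, and it should be run in an elevated session on the server.

```powershell
# Added post-installation check (example, not part of the project).
# Assumes the layout described above; $ScriptFolder is a placeholder path.
param(
    [string]$ScriptFolder = 'C:\LifecycleManager'   # placeholder, adjust to your install
)

$requiredDlls = @(
    'Kungsbacka.DS.dll',
    'Kungsbacka.AccountTasks.dll',
    'Kungsbacka.CommonExtensions.dll',
    'EPPlus.dll',
    'Newtonsoft.Json.dll'
)
$problems = New-Object System.Collections.Generic.List[string]

# Config.example.ps1 must have been renamed to Config.ps1 and the dispatcher must be present
foreach ($file in 'Config.ps1', 'Dispatcher.ps1') {
    if (-not (Test-Path (Join-Path $ScriptFolder $file))) {
        $problems.Add("$file is missing from the script folder")
    }
}

# Every assembly listed in the requirements must be in the lib subfolder
$libFolder = Join-Path $ScriptFolder 'lib'
foreach ($dll in $requiredDlls) {
    if (-not (Test-Path (Join-Path $libFolder $dll))) {
        $problems.Add("lib\$dll is missing")
    }
}

# The event source used for logging must be registered (SourceExists needs an elevated session)
if (-not [System.Diagnostics.EventLog]::SourceExists('LifecycleManager')) {
    $problems.Add("Event source 'LifecycleManager' is not registered")
}

# The scheduled task must exist; show which account it runs as so it can be compared with the service account
$task = Get-ScheduledTask -TaskName 'LifecycleManager' -ErrorAction SilentlyContinue
if (-not $task) {
    $problems.Add("Scheduled task 'LifecycleManager' is not registered")
} else {
    Write-Host "Scheduled task 'LifecycleManager' runs as $($task.Principal.UserId)"
}

if ($problems.Count -eq 0) {
    Write-Host 'Lifecycle Manager installation looks complete.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```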
The following permissions are needed for the account running the script:
- Read/write in script folder. Reports are created temporarily in this folder before they are sent.
- Manage users in Active Directory (create, update and remove)
- Read/write in databases MetaDirectory and ADEvents
- Start SQL Agent job for Active Directory import
This solution is tailored specifically for Kungsbacka municipality. Schemas for the two databases are not included here, but may be published later.