Welcome

Thank you for taking time to visit my blog. My name is Drew Olson and I hope to use this space to share ideas and generate conversation regarding identity and access management.


    Entries in automated provisioning (3)

    Thursday
    Jul282011

    Summer Fun - From Helping the Helpdesk

    I came across a blog posting from a few years back at the Helping the Helpdesk blog and I thought it was worth reposting. Little has changed and we are still inundated with calls from school districts struggling to find a way to manage user accounts before the start of the new year. The approach described below follows Tools4ever's method for synchronizing student information systems such as PowerSchool, Infinite Campus, and Aeries with your Active Directory and other resources like Google Apps, Live@edu, Destiny and so on. I hope you find the post helpful!


    Summer Fun

    The summer time means vacations, no school, hitting the beach, and all kinds of great fun. Unless, of course, you are a system administrator for a school district. The summer then means you are squeezing in every major project that you can before school starts up again in August or September, depending on the region in which you reside. As such, the last thing you have time for is dealing with student Active Directory accounts.

    Yet, you will have an influx of new students. And depending on your organizational unit structure, you may need to roll over these accounts into new OUs based on graduation year or grade level. Maybe these grad year or grade level OUs are within a higher level OU for each school in the district. Perhaps each grad year or grade level has a specific share somewhere, on which the users' home directories must reside. These home directories need to move with the student throughout his or her career in the district. Then, of course, there are group memberships, which are most likely created within the same design as the OU structure.

    Manually provisioning all of this can take weeks. Scripting these tasks in Visual Basic is slow and tedious as well. With User Management Resource Administrator's Automation module, you can streamline these tasks and have them occur on a scheduled basis. Here is a high level overview of such a process:

    • UMRA queries the SIS, or a CSV export of student information
    • This data is compared to AD
    • New accounts are created for users that exist in the SIS but not in AD
    • Existing accounts are updated for users that exist in both the SIS and AD
    • Accounts are disabled based upon either an inactive flag in the SIS, or the account existing in AD but no longer in the SIS

    Processes for group and home directory provisioning can be based upon a graduation year or grade level, even if this information is not necessarily provided (to be detailed in a coming post). Automation can be scheduled nightly, or more or less frequently as needed. All actions against AD accounts and their resources are logged for auditing and troubleshooting purposes. UMRA can even generate email alerts for you.

    You are now free to (not) enjoy your summer break doing other tasks.

    You’re welcome. ;)


    For more information, please visit Tools4ever

    Friday
    May272011

    Challenge of cloud based email - Google Apps - Live@edu/Office 365

    I have written previously about the proliferation of cloud based email solutions such as Google Apps and Microsoft's Live@edu, but the continuous growth in the public and private sectors warrants discussion of some of the challenges with these new systems. As I mentioned before, there are tremendous benefits to these systems, especially for school districts and universities, but they do add a new layer of provisioning and password management to an organization's current identity management process.

    These systems are not natively integrated with an organization's directory service (Active Directory, eDirectory, Open Directory), which means adding a process to the onboarding and deprovisioning policies. Additionally, because passwords are not synchronized with Active Directory, an even greater burden is placed on IT and the help desk for password resets for these accounts. Furthermore, anyone currently using either of the mentioned hosted email solutions will know that the native management tools such as Google Sync or Windows Live Admin Center are not staying current with the fast changing feature set. For example, managing dynamic distribution groups is not easily done, and this is a huge disservice to Live@edu users. In Google Apps, users are now taking advantage of the new container structure but are finding that managing these OUs and groups with Google Sync is an incredibly frustrating experience.

    Fortunately, these organizations can partner with a company like Tools4ever, which has the experience to solve these challenges and to help strengthen the business case for implementing new cloud based email systems. Tools4ever's User Management Resource Administrator (UMRA) can provide an all encompassing provisioning process that can automatically pull data from a student information system and create an Active Directory account and an account in Live@edu or Google Apps. As the student progresses and moves between classes and grades throughout the district, UMRA will automatically keep their account up to date. UMRA can also automatically manage class email lists using data in the SIS and provide self service management options to end users, such as teachers, to easily add and remove users from email groups.

    Tools4ever can also provide password management options that link your email and directory service. Their Password Synchronization Manager will keep passwords synchronized between each account, and the Self Service Reset Password Management software will provide an end user system for resets using a challenge and response mechanism.

    For more information on how Tools4ever can help keep your cloud email implementation from costing a fortune, visit our website.

    Wednesday
    Mar232011

    Practical Scenario: PowerSchool Data Synchronization

    School districts these days are facing serious challenges that require balancing increased technology demands and a surprisingly tech savvy user base with reduced budgets and staff cuts. Recently though, I was approached by a school district that has decided a new user provisioning process could help them address these issues.

    Their current situation:

    • 12,000+ students/staff with network accounts
    • PowerSchool Student Information System
    • Google Apps for students, Exchange 2007 for staff
    • 9 IT Staff (3 admins)
    • Scripts create Active Directory accounts from a provided data file, usually run at the beginning and end of semesters
    • Sysadmin who wrote the scripts left district two years ago
    • User accounts also created in about 6 other systems including library, e-learning, etc.

    This scenario is not at all uncommon, but what amazed me was the amount of time this district spent each year managing user accounts. The scripts really were only run about once a year but still involved manual updating due to a new naming convention that was implemented. Because no one could figure out the process the previous admin had scripted, hours upon hours were spent making these updates. Updating and removing users from the system, again, was a manual process and often neglected. Active accounts remained on the network for past users, and most updates were never made until someone was calling IT, unable to work. Needless to say, this process created a lot of wasted time and resources and also opened up the door to some serious access issues.

    This district thought, and I agreed, that a more automated approach to user management would really help them free up this time and close some current security holes. With a school district, implementing an automated system, via a connector to PowerSchool for example, doesn't have to be difficult if proper planning is done and the data is available. Tools4ever's User Management Resource Administrator really makes this planning and data synchronization a much more manageable process.

    The solution proposed was the UMRA suite, following a two-phase approach as outlined below:

    Phase 1: creating a link with the PowerSchool system and Google Apps

    • Information on new students/employees, transfers and graduations/departures is retrieved from their current status in PowerSchool, then compared with Active Directory and Google Apps
    • Accounts are created or updated as required multiple times a day, with any changes to information or status updates performed consistently and in a timely manner. Notifications and information can be sent to IT, end users, or any other appropriate party
    • Phased departures: user accounts are disabled on the last day of service. The account and its resources are deleted after x number of days.

    Phase 2: linking third-party applications

    • Phased creation of automatic links with each application, with the provisioning process for each depending on user role and system
    • The application manager is notified via e-mail of any changes
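    The compare-then-create/update/disable cycle from the Summer Fun post and the phased departures in Phase 1 above, written out as a dry run in Python. This is an added example, not UMRA's or Tools4ever's code; it assumes constructed sample data, an OU per graduation year, the SIS id stored on each AD account, a 30-day retention period before deletion, and a safety threshold that aborts the run if a bad export would disable too many accounts.

```python
from datetime import date, timedelta

# Constructed sample records (not real district data): SIS rows as a nightly
# export would contain them; AD is a snapshot keyed by the SIS id on the account.
SIS_EXPORT = [
    {"id": "S1001", "grad_year": 2018, "active": True},   # new student
    {"id": "S1002", "grad_year": 2019, "active": True},   # grad year changed
    {"id": "S1003", "grad_year": 2017, "active": False},  # flagged inactive
]
AD_SNAPSHOT = {
    "S1002": {"ou": "OU=2018,OU=Students", "enabled": True, "disabled_on": None},
    "S1003": {"ou": "OU=2017,OU=Students", "enabled": True, "disabled_on": None},
    "S1004": {"ou": "OU=2017,OU=Students", "enabled": False,
              "disabled_on": date(2011, 5, 1)},          # left, gone from SIS
}

def target_ou(rec):
    return f"OU={rec['grad_year']},OU=Students"

def reconcile(sis, ad, today, retention_days=30, max_disable_share=0.5):
    """Compare the SIS export with AD and return the action log as (action, id, detail).
    Nothing is applied here; a connector would execute and audit-log this list."""
    actions = []
    sis_by_id = {r["id"]: r for r in sis}
    for sid, rec in sis_by_id.items():
        if sid not in ad:
            if rec["active"]:
                actions.append(("create", sid, target_ou(rec)))
        elif not rec["active"]:
            if ad[sid]["enabled"]:
                actions.append(("disable", sid, "inactive flag in SIS"))
        elif ad[sid]["ou"] != target_ou(rec):
            actions.append(("move", sid, target_ou(rec)))
    for sid, acct in ad.items():
        if sid in sis_by_id:
            continue
        if acct["enabled"]:
            actions.append(("disable", sid, "not present in SIS"))
        elif acct["disabled_on"] and today - acct["disabled_on"] > timedelta(days=retention_days):
            actions.append(("delete", sid, f"disabled for more than {retention_days} days"))
    # Guard: a truncated or empty export must not disable a large share of AD accounts.
    disables = sum(1 for a in actions if a[0] == "disable")
    if ad and disables / len(ad) > max_disable_share:
        raise RuntimeError(f"refusing run: {disables} of {len(ad)} accounts would be disabled")
    return actions

if __name__ == "__main__":
    for action in reconcile(SIS_EXPORT, AD_SNAPSHOT, date(2011, 6, 15)):
        print(*action)
```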

    To learn more about how a phased UMRA solution can benefit your organization, visit our website: www.tools4ever.com