0 votes

We are currently a Google Apps shop and also have a number of other applications that we need to match the user in AD to. In addition, we have two forests that Adaxes manages and one of those forests is multi-domain. Right now, I want to add a unique ID to every user that will be used to connect them to every other system and maintain that connection even if their account is re-created in another domain or forest. What I want to know is what is the best way for Adaxes to create these unique IDs? We were thinking of using the serialnumber attribute to store these IDs?

I had considered having PowerShell generate a 20-digit random number, verify that it is unique in the system and, if so, assign it to the user. We maintain about 3000 users.

--The ID would never be changed once assigned to the user account and would always be associated with the user. (The payroll ID (employeeID) would not work here since HR does not create that until payroll which could be up to two weeks after the user is created)
--Later we would like to create custom commands in Adaxes that would help us move a user from one domain to another. (It would not be important that they maintain their domain identity, so taking the data from their current AD account and using it to create a new one would be perfect. They would need to keep the unique ID to maintain the link between all the systems)

So for example:
1. User account is created in Adaxes and provided a unique ID
2. A Google mailbox is created and an attribute is set with the unique ID from AD.
3. User accounts are also created in other applications and the unique ID is used to map them back to the user in AD

If later there is a need to move the user from one domain to another, the unique ID would be used to maintain their connection with the Google mailbox.

I am looking forward to recommendations on the best way to create and assign the unique IDs as well as any feedback on our idea.

Thanks in advance everyone

by (1.2k points)

1 Answer

0 votes
by (216k points)

Hello,

Actually, every user in Active Directory already has a unique ID. Once a user is created, Active Directory assigns the user account the Object GUID property, which is unique for every object and does not change throughout the life of the user account. If you are going to move users between domains located in the same forest, you can use the Move Object functionality. When an AD object is moved, its Object GUID property remains unchanged, so you can use it as a unique identifier of a specific user. For details on how to move objects, see Moving Objects.

The only issue that you can experience with the Object GUID property is that GUIDs are stored in the property in binary format (as a sequence of bytes). If you need to use a user ID as a string, you can use a certain property of user accounts to store the Object GUID there in string (text) format. We don't recommend using the serialNumber property for this purpose. We suggest using the User ID (uid) property.

So, you can create a Business Rule executed after creating a new user. In the Business Rule, you can copy Object GUID to the User ID property (in the string format), and access the User ID property from your applications. To create such a Business Rule:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.
  3. On the 3rd step, add the Update the User action and click Add.
  4. In the Property to modify field, select the User ID property.
  5. Type %objectGUID% in the New value field. %objectGUID% is a value reference that will be replaced with a string representation of the Object GUID property of the new user.
  6. Finish creation of the Business Rule.
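The answer above turns on one detail: objectGUID is 16 raw bytes, and the string AD tools display for it is not a plain hex dump, because the first three GUID fields are stored little-endian. The following Python is an added example (not Adaxes code, and not from the original post) showing that conversion in both directions, the RFC 4515 escaping needed to search for an object by its GUID, and how external-system records keyed by the GUID string survive a move that changes the user's DN. The sample GUID bytes, DNs and the Google address are constructed values for the example.

```python
import uuid

# Constructed sample: the 16 raw bytes AD would return for objectGUID.
# This is an example value, not a real directory object.
SAMPLE_OBJECT_GUID_BYTES = bytes.fromhex("00112233445566778899aabbccddeeff")


def object_guid_to_string(raw: bytes) -> str:
    """Render a raw AD objectGUID as the canonical Windows GUID string.

    The first three fields (Data1, Data2, Data3) are little-endian in the
    byte string AD returns, so a straight hex dump of the bytes gives a
    different value from what ADUC or %objectGUID% displays.
    uuid.UUID(bytes_le=...) applies the Windows byte order.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def string_to_object_guid(text: str) -> bytes:
    """Inverse of object_guid_to_string: the uid string back to raw bytes."""
    return uuid.UUID(text).bytes_le


def ldap_filter_for_guid(text: str) -> str:
    """Build an LDAP search filter that locates the object by its GUID.

    Binary values in a filter must be escaped byte by byte as \\xx
    (RFC 4515), so the raw bytes, not the text form, go into the filter.
    """
    raw = string_to_object_guid(text)
    escaped = "".join(f"\\{b:02x}" for b in raw)
    return f"(objectGUID={escaped})"


# Constructed records: the same user before and after a same-forest move.
# Only the DN changes; the objectGUID is preserved by the move.
USER_BEFORE = {
    "dn": "CN=J Doe,OU=Staff,DC=corp,DC=example",
    "objectGUID": SAMPLE_OBJECT_GUID_BYTES,
}
USER_AFTER = {
    "dn": "CN=J Doe,OU=Staff,DC=emea,DC=example",
    "objectGUID": SAMPLE_OBJECT_GUID_BYTES,
}

# Constructed stand-in for the external systems' records, keyed by the
# string form of the GUID exactly as the Business Rule would write it to uid.
EXTERNAL_ACCOUNTS = {
    object_guid_to_string(SAMPLE_OBJECT_GUID_BYTES): {"google": "jdoe@example.com"},
}


def external_accounts_for(user: dict) -> dict:
    """Resolve a user's linked external accounts via the GUID string,
    independent of which domain or OU the account currently lives in."""
    return EXTERNAL_ACCOUNTS.get(object_guid_to_string(user["objectGUID"]), {})


if __name__ == "__main__":
    key = object_guid_to_string(SAMPLE_OBJECT_GUID_BYTES)
    print("uid value:", key)
    print("LDAP filter:", ldap_filter_for_guid(key))
    print("before move:", external_accounts_for(USER_BEFORE))
    print("after move: ", external_accounts_for(USER_AFTER))
```

One caveat for the cross-forest case in the question: a Move Object within a forest keeps the objectGUID, but an account that is re-created in another forest is a new object and gets a new objectGUID. For that workflow the custom command should copy the existing uid string from the source account to the new one rather than letting the After Creating a User rule overwrite it with the new %objectGUID%, otherwise the link to the Google mailbox and the other systems is lost.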
