Is it possible to automate directory services? The average IT admin’s day involves many small tasks, and these can quickly snowball. So automating directory services and their associated identity management tasks can be a major time saver for IT.
Traditionally, this kind of automation has been a challenge with the on-prem, legacy Active Directory platform. As a directory service, AD is an identity provider that requires a great deal of upkeep and ongoing maintenance. When it first came around, AD was the solution for Identity and Access Management (IAM), but it also created many of its own operating pitfalls. At the end of the day, AD is a directory service built to manage traditional, Windows®-based infrastructure.
Meanwhile, the cloud has opened up whole new worlds of opportunity for the forward-thinking IT admin. After all, 94% of enterprises use it now, and an estimated 83% of enterprise workloads will be in the cloud by 2020. Now more than ever, you can leverage cloud-based solutions to automate directory services, resource provisioning, and identity management.
Automation Through APIs
One of the foundational elements of automation is the Application Programming Interface (API). APIs enable different software systems to exchange information. A system that exposes an API publishes functions in code that another system can call, thereby enabling integration and automation.
Through the rise of Software-as-a-Service (SaaS) offerings, many admins have come to understand that it’s better to remotely control services through APIs and code rather than a user interface. For example, APIs within an identity management solution can manage:
- Account creation/modification/removal
- Controlling access
- Group membership management
- Deprovisioning and account elimination
- Collecting and analyzing usage statistics
- Software deployment
- Enforcing usage policies
- Patches and updates
- Reporting on performance
With APIs, you have the option to write programs, scripts, and commands, and then execute them automatically. Various tools can build on top of APIs as well, making it easy to work with your directory at scale and in bulk.
The power and scope of these tools are hard to overestimate. To illustrate this point, consider the JumpCloud® Active Directory Migration Utility.
Case Study in Automation: APIs and The JumpCloud® Active Directory Migration Utility (ADMU)
The ADMU is an API-based tool that can automate the process of migrating users from Active Directory to JumpCloud Directory-as-a-Service®. When initiated, the ADMU takes in the migration parameters and JumpCloud system connect key, and is then able to start the migration process.
The user accounts are then transferred to a migration folder using the Assessment and Deployment Kit. Using the migration folder and parameters, the ADMU creates the local account on the machine, installs the JumpCloud Agent, enables the Agent using the system connect key, and then adds the system to the JumpCloud platform.
Here’s where you’ll see how powerful an API-based tool can be, because at this point you have the option of unbinding the system from AD altogether. To separate a system — or a fleet of systems — from something as central and foundational as AD, that’s been an integral part of IT administration for two decades — automatically? Now that is an impressive feat.
And with IT admins getting far more sophisticated about managing their infrastructure, as well as integrating that infrastructure with other IT management tools, one can see why it’s critical for vendors to have APIs into just about any function of their solution.
Directory services are no different. In fact, it may be more critical to automate your identity provider now than ever before.
Provisioning and Deprovisioning
Provisioning and deprovisioning users is an important sub-function of directory services. As such, it’s a prime example of the advantages you can reap from automating.
The automation could start with integration of a human capital management (HCM) solution like Workday®, or by provisioning a user account to systems, applications, networks and servers. Another way to import users would be a .csv file import, which is also accomplished with APIs.
These APIs (and the tools built on top of them) can enable control over admin rights on individual user machines. This gives the admin control over things like the login on an endpoint, which is extremely beneficial — especially concerning onboarding and offboarding.
Once established in the directory, you can assign a user to a group, which in turn grants automatic access to the resources that user needs. These include servers, LDAP-based apps, RADIUS for VPN/WiFi, and Just-in-Time (JIT) access for web applications.
This essentially automates onboarding and provisioning, and saves an incredible amount of time for the admin. And for deprovisioning, the process is easily reversed by deleting the user in the directory, which will automatically revoke access from the resources as well.
APIs, of course, aren’t the only layer at which IT admins can automate. Depending on the size and scale of your business, your automation solution(s) could use not only APIs but also command line interfaces like PowerShell.
Using PowerShell for Automation
The PowerShell automation framework allows admins of all levels to automate tasks and manage configuration. Created by Microsoft®, it consists of a command-line shell and associated scripting language. You can use it to enact commands or programs at scale automatically, as well as create tools that interact with APIs.
Admins can run individual PowerShell commands, or group commands together and run them concurrently, which automates commonly repeated processes. A PowerShell module is a set of related commands, grouped together. A module can, for example, automate the deployment of resources when provisioning new machines.
Keep in mind that PowerShell is basically a Microsoft construct that allows for remote control over Microsoft resources. It’s a tool you can leverage to remotely control all types of Windows®-related applications and resources. It works best with Windows products, but can be executed from other operating systems like Mac or Linux.
Case Study in Automation: The JumpCloud PowerShell Module
To illustrate what PowerShell can accomplish, let’s return to the aforementioned example of JumpCloud, which offers its own PowerShell module as part of its cloud-based Directory-as-a-Service. The JumpCloud PowerShell Module is a collection of commands that allow admins to communicate with their directory.
It does this by exchanging information with the JumpCloud API via the Invoke-RestMethod cmdlet, a PowerShell command that sends requests over HTTPS. The JumpCloud module is a very powerful tool that can automate and script most common admin tasks, such as:
- Importing JumpCloud users from a .csv file
- Exporting user and system information to a .csv file
- Creating and removing users
- Resetting user passwords
- Unlocking or locking a user account
- Disabling and enabling user accounts
- Adding or removing members from JumpCloud Groups
- Triggering JumpCloud Commands
- Reading the output of JumpCloud Commands
Using this module, admins of all levels can enact commands or programs at scale automatically. The JumpCloud PowerShell Module is, essentially, a conduit between an admin’s ideas and the directory itself, without having to write directly to the APIs.
Using the JumpCloud PowerShell Module, IT admins can also automate system management tasks. These include things like full disk encryption, screen saver lock, disabling USB ports, and much more.
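To show what the "Invoke-RestMethod over HTTPS" mechanism behind the module looks like, and how the deprovisioning step from the Provisioning and Deprovisioning section can be scripted, here is an added PowerShell example that is not JumpCloud's own code. It assumes the base URL, the x-api-key header, the systemusers resource, its filter syntax and its suspended field as labelled in the comments; verify them against the current API reference before use.

```powershell
# Added example (not JumpCloud's own code): offboarding a user over the REST API
# with Invoke-RestMethod. The base URL, the x-api-key header and the
# /api/systemusers resource with its "suspended" field are assumptions about
# the JumpCloud v1 API; check them against the current API reference.
$ErrorActionPreference = 'Stop'
$BaseUrl = 'https://console.jumpcloud.com/api'

function Invoke-JcApi {
    # Thin wrapper so every call carries the API key from the environment,
    # never from a hard-coded string inside the script.
    param(
        [Parameter(Mandatory)][ValidateSet('GET','POST','PUT','DELETE')][string]$Method,
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Body
    )
    $apiKey = $env:JC_API_KEY
    if (-not $apiKey) { throw 'Set JC_API_KEY in the environment before running.' }
    $headers = @{ 'x-api-key' = $apiKey; 'Accept' = 'application/json' }
    $params  = @{ Method = $Method; Uri = "$BaseUrl/$Path"; Headers = $headers }
    if ($Body) {
        $params.ContentType = 'application/json'
        $params.Body = $Body | ConvertTo-Json -Depth 5
    }
    return Invoke-RestMethod @params
}

function Disable-JcUserByEmail {
    # Suspends (locks) the user instead of deleting it, so the account and its
    # audit trail survive; deletion can follow once offboarding is confirmed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Email)

    # Assumed filter syntax: systemusers?filter=email:eq:<address>
    $encoded = [uri]::EscapeDataString($Email)
    $result  = Invoke-JcApi -Method GET -Path "systemusers?filter=email:eq:$encoded"
    if (-not $result.results -or $result.results.Count -ne 1) {
        throw "Expected exactly one user for $Email, found $($result.results.Count)."
    }
    $user = $result.results[0]
    if ($PSCmdlet.ShouldProcess($user.email, 'Suspend JumpCloud user')) {
        $null = Invoke-JcApi -Method PUT -Path "systemusers/$($user._id)" -Body @{ suspended = $true }
        Write-Host "Suspended $($user.email) (id $($user._id))"
    }
}

# Dry run first (constructed sample address); drop -WhatIf to apply the change.
Disable-JcUserByEmail -Email 'jane.doe@example.com' -WhatIf
```

The exact-match check on the lookup result guards against suspending the wrong account when a filter unexpectedly returns several users, and SupportsShouldProcess gives the script a -WhatIf dry run before it touches the directory.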
Directory Services for the Automated Age
Every organization is different, but it’s likely that all can agree automation makes work more productive and life easier. Navigating the world of directory services can be complex and time-consuming, and the results can quickly tank your budget if you’re not careful.
But new solutions are making it easier and more affordable than ever to automate directory services and streamline Identity and Access Management. Between APIs and PowerShell tools, and the independent IdP solutions now available to manage and facilitate them, you can make the most of your time with solutions that fit your needs.
Learn More
To learn more about how JumpCloud can automate your directory services, or even replace your current directory altogether, feel free to contact us. You can also learn more about managing automation and directory services at our YouTube Channel, or you can sign up to check it out for yourself. Your first 10 users are free forever.