Linking 2 different AD Accounts

    Question

  • Let me explain the scenario.

    My company has 2 types of user accounts.

    1> Standard Account for domain login purposes and routine activity (for all end users).

    2> If somebody requests admin permissions, then we don't add the DOMAIN ADMIN group to their standard account. We create a separate new AD account with a different naming convention and give that account Domain Admin rights.

    My Query :

    I would like to create some link between these 2 accounts, with which these 2 different types of accounts (for the same person) are inter-related. What I mean is, if somebody disables the standard account, then I should get some notifications / events about disabling the corresponding person's admin account also.

    I am thinking of using extension attributes, and then writing a script (and putting it in a scheduled task) which will check the idea. But anybody having any wildest idea is welcome. Everybody can share what they think would be the best way. Third-party tools are welcome!!!!! Please suggest me.


    Naeem Gadkari. Support Engineer. O365 Team,

    Sunday, April 30, 2017 7:38 PM

Answers

  • Look at the seeAlso attribute; this is a multi-valued attribute and can be populated with the other accounts that are linked, such as the secondary accounts. This is what we use when we disable/delete accounts.

    https://msdn.microsoft.com/en-us/library/ms679769(v=vs.85).aspx

    Sunday, April 30, 2017 7:52 PM

  • > I am thinking of using extension attributes, and then writing a script (and putting it in a scheduled task) which will check the idea. But anybody having any wildest idea is welcome. Everybody can share what they think would be the best way. Third-party tools are welcome!!!!!

    You can have a good naming convention for both of your accounts and use an attribute between them to work as an index, something like employeeNumber. Then have a PS script run regularly and check each user's status: if it is enabled, continue; else disable the corresponding admin account using that index.

    Mahdi Tehrani | | www.mahditehrani.ir
    Make sure to download my free PowerShell scripts:

    Sunday, April 30, 2017 8:05 PM
    Moderator
  • > Look at the seeAlso attribute; this is a multi-valued attribute and can be populated with the other accounts that are linked, such as the secondary accounts. This is what we use when we disable/delete accounts.
    >
    > https://msdn.microsoft.com/en-us/library/ms679769(v=vs.85).aspx

    We use a similar approach, but we use the 'manager' attribute instead.

    https://msdn.microsoft.com/en-us/library/ms676859(v=vs.85).aspx


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, April 30, 2017 10:23 PM
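The three answers above describe one mechanism: an index shared by both accounts (employeeNumber), a link attribute on the admin account pointing at the standard account (seeAlso or manager), and a scheduled script that disables the admin account when the standard one is disabled. The following PowerShell is an added example that ties those pieces together; it is not code from any of the posters. It assumes the ActiveDirectory RSAT module, an admin OU and an "adm-" naming prefix (both assumed, adjust to your convention), and that both accounts of a person carry the same employeeNumber. It also reports the two failure cases the answers do not mention: an admin account with no index value, and one whose index matches zero or several standard accounts.

```powershell
<#
  Added example, not from the thread. Links each admin account to its owner's
  standard account via employeeNumber, records the link in seeAlso (or manager),
  and disables any admin account whose standard account has been disabled.
  Assumed (not from the original posts): ActiveDirectory RSAT module,
  admin accounts under $AdminOU with the "adm-" prefix, shared employeeNumber.
#>
param(
    [string]$AdminOU       = 'OU=Admin Accounts,DC=corp,DC=example',  # assumed OU
    [string]$AdminPrefix   = 'adm-',                                  # assumed naming convention
    [ValidateSet('seeAlso', 'manager')]
    [string]$LinkAttribute = 'seeAlso',                               # 'manager' if you follow Don's approach
    [switch]$WhatIf                                                   # report only, change nothing
)

Import-Module ActiveDirectory

# Log to the Application event log so monitoring picks every action up.
$Source = 'AdminAccountLink'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
function Write-LinkEvent([int]$Id, [string]$Type, [string]$Message) {
    if ($WhatIf) { Write-Output "[WhatIf] $Message"; return }
    Write-EventLog -LogName Application -Source $Source -EventId $Id -EntryType $Type -Message $Message
}

$admins = Get-ADUser -SearchBase $AdminOU -Filter "SamAccountName -like '$AdminPrefix*'" `
                     -Properties employeeNumber, $LinkAttribute

foreach ($admin in $admins) {
    # No index value: the account cannot be linked, which is itself a finding.
    if (-not $admin.employeeNumber) {
        Write-LinkEvent 1001 Warning "Admin account $($admin.SamAccountName) has no employeeNumber; cannot link it to an owner."
        continue
    }

    # Resolve the owner: the non-admin account with the same employeeNumber.
    $owners = @(Get-ADUser -Filter "employeeNumber -eq '$($admin.employeeNumber)' -and SamAccountName -notlike '$AdminPrefix*'")
    if ($owners.Count -ne 1) {
        Write-LinkEvent 1002 Warning "Admin account $($admin.SamAccountName): expected 1 standard account with employeeNumber $($admin.employeeNumber), found $($owners.Count)."
        continue
    }
    $owner = $owners[0]

    # Step 1: record the relationship in AD so tooling and people can see it.
    # -Replace overwrites seeAlso with the single owner DN; use -Add instead if
    # you keep other values in seeAlso.
    if (@($admin.$LinkAttribute) -notcontains $owner.DistinguishedName) {
        $attrs = @{}
        $attrs[$LinkAttribute] = $owner.DistinguishedName
        Set-ADUser -Identity $admin -Replace $attrs -WhatIf:$WhatIf
        Write-LinkEvent 1003 Information "Linked $($admin.SamAccountName) -> $($owner.SamAccountName) via $LinkAttribute."
    }

    # Step 2: enforce. A disabled standard account takes its admin account with it.
    if (-not $owner.Enabled -and $admin.Enabled) {
        Disable-ADAccount -Identity $admin -WhatIf:$WhatIf
        Write-LinkEvent 1004 Warning "Disabled $($admin.SamAccountName) because owner $($owner.SamAccountName) is disabled."
    }
}
```

Run it once with -WhatIf to review the links and the orphan warnings before letting a scheduled task run it unattended. Two caveats a practitioner should weigh: the task account has to be able to modify accounts that are members of Domain Admins, whose ACLs are reset from AdminSDHolder, so that account is itself highly privileged and the task, its script file and its credentials need the same protection as the admin accounts it manages; and seeAlso and manager are readable by any authenticated user by default, so the link also tells an attacker exactly which admin account belongs to which person. Events 1001 and 1002 are the ones worth alerting on, since an unlinked admin account is exactly the kind that survives an offboarding.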
