Active Directory

What is Active Directory

Active Directory is a directory service by Microsoft that contains all the users, computers and groups of a network domain in a hierarchical structure.

For CSPD, Active Directory is a critical service that is necessary for the correct operation of many other systems and services. It is from here that staff and students get their logins for computers, access to Oscar, and much more.

Because of this, Active Directory is a common point of troubleshooting for many issues, particularly those related to login and access to services.

How do I use it?

Active Directory is a complex technology that can take months of study to fully learn. This section will go through the most common basic functions that ICT support regularly performs.

Accessing the Directory

As a trainee, your main point of access to Active Directory will be Password Safe (BeyondTrust).

To connect to AD via BeyondTrust please follow the following guide 

Directory Structure

Active Directory has a complex structure and may be daunting to use for the first time. It is best illustrated in the below screenshot:

Most commonly you will be using the portion of the directory under CEOPARR.LOCAL>>>PARRA-CEO (left pane of above image). Under this section, every school is listed with its AGEID number as an identifier.

Under any particular school there are several standard containers for objects (centre of the above image):

Resetting Passwords

To reset the password of a staff member or student, right-click their account in Active Directory and select Reset Password. You can then set a new password that complies with CSPD's Password Policy (which can be seen below).

All staff passwords must comply with the below policy:

All student password resets must comply with the below policy:

If the password has been reset via Active Directory and does not comply with the above policy, users will receive an 'Authentication Error' message when trying to log in.

Note: It is important to keep in mind that password resets will take up to 15 minutes to propagate to most services.

Security Groups

To view which security groups a user is a member of, right-click their account in Active Directory and select Properties. Then select the Member Of tab to see a list of groups.

To add or remove a security group, simply click Add or Remove from this window. If you know the name of the group you are adding, you can input the name and click Check Names. Otherwise, you can input the school's AGEID number to do a search of all the security groups for that school. 

It is important to note that changes to security groups will take up to 15 minutes to propagate to most services. Changes to Google can take up to an hour.

Searches

You may find it necessary to do a search for an object (user, group or computer) that you are unable to find manually. To do so, click on Action in the toolbar at the top of the window and select Find. You will then be met with a search box (below). 

Only part of a name is required to do a search. Also take note of what type of object is being searched for, and what part of the directory is being searched. 
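
The same partial-name search, and the Member Of lookup from the Security Groups section, can also be run read-only from PowerShell. This is an added example, not part of the original guide: it assumes the RSAT ActiveDirectory module is available in your session, and the search base, function names and sample values are constructed for illustration.

```powershell
# Added example, not part of the original guide. Read-only queries.
Import-Module ActiveDirectory

# ASSUMPTION: constructed distinguished name; confirm the real one in the directory.
$DefaultSearchBase = 'OU=PARRA-CEO,DC=CEOPARR,DC=LOCAL'

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the RFC 4515 special characters so typed text (for example a
    # name containing brackets or *) is matched literally, not as filter syntax.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Find-DirectoryObject {
    param(
        [Parameter(Mandatory)][string]$PartialName,
        [ValidateSet('User', 'Group', 'Computer')][string]$Type = 'User',
        [string]$SearchBase = $DefaultSearchBase
    )
    # Computer accounts also carry objectClass=user, so filter on objectCategory.
    $category = @{ User = 'person'; Group = 'group'; Computer = 'computer' }[$Type]
    $safe     = ConvertTo-LdapFilterValue -Value $PartialName
    $filter   = "(&(objectCategory=$category)(|(name=*$safe*)(sAMAccountName=*$safe*)))"

    # -SearchBase limits the search to one part of the directory, including its sub-containers.
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
                 -Properties sAMAccountName |
        Select-Object Name, sAMAccountName, ObjectClass, DistinguishedName
}

function Get-UserSecurityGroup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Groups the account belongs to directly (nested memberships are not expanded).
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Sort-Object Name | Select-Object Name, GroupCategory, GroupScope
}

# Constructed sample values, not real accounts or AGEID numbers.
Find-DirectoryObject -PartialName 'smith' -Type User
Find-DirectoryObject -PartialName '1234' -Type Group
Get-UserSecurityGroup -SamAccountName 'jsmith'
```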


What if it doesn't work?

Access Denied

The most common issue likely to be encountered when using Active Directory is not having access to view or take an action on an object. If you believe that a lack of access to a function is a mistake, please create a ServiceNow log for your access rights.

Missing Staff User

If a staff member does not appear to have an account in the directory, double-check if they have recently changed their name or other personal details as their account may not have updated to reflect this.

Also ensure that their employment information has been sent through to Payroll by the school admin staff. Active Directory syncs with the Payroll system once per night to create accounts for new staff.

If the above does not assist in resolving the issue, please create a ServiceNow log for further support.

Missing Student User

If a student does not appear to have an account in the directory, double-check if they have recently changed their name or other personal details as their account may not have updated to reflect this. 

Also ensure that the student has been correctly entered into the FACES system. Active Directory syncs with the FACES system every hour to create accounts for new students.

If the above does not assist in resolving the issue, please create a ServiceNow log for further support. 

Misspelt Username

Ensure that the name is spelt correctly in Payroll (for staff) or FACES (for students). If the error is fixed in one of these systems it should roll over to Active Directory overnight.

If the name is spelt correctly in the respective system but does not resolve in Active Directory, please create a ServiceNow log for further support.

User In Wrong School

Ensure that the school is set correctly in Payroll (for staff) or FACES (for students).

Staff who work at multiple schools can only be assigned to two schools at any one time (depending on Payroll's policy). It may not be possible to organise a change of schools; however, it will still be possible to add the user to security groups for a school.

If the above does not assist in resolving the issue, please create a ServiceNow log for further support.


Other Issues

For any other issues related to Active Directory, please create a ServiceNow log for support.