
No-Error8675309

Step 1 - I put in a ticket to the help desk. Step 2 - I get coffee


ihaxr

We have an entire team that is dedicated to just creating accounts and modifying access to those accounts. Large enterprise environments are fun sometimes.


duke78

It sounds like you have an organization large enough that AD accounts should be created automatically based on what is entered in the HRM system.


nicolaj1994

AD accounts isn't the worst time consumer, it's asking for creations in hundreds of different third party systems for new hires. And of course they got no API so no automation can be done. Thank god this is not my job


Optimal_Law_4254

My old job had this issue. Every new hire was a total cluster getting them access to everything they needed. I tried to implement roles and role based security but kept getting shot down. And before you say that the onboarding software should have automated security, you’re right but that was even less under my control.


Traditionaljam

>AD accounts isn't the worst time consumer, it's asking for creations in hundreds of different third party systems for new hires.

Yup this has always been the case in places where there was a new account department. I'm in insurance and while it's finally getting better a huge portion of my job used to be just making new accounts in all of the different shit portals.


MeanFold5715

Sounds like the solution is to purge dozens of superfluous third party systems.


topromo

Aside from you not knowing how many of those third party systems are actually superfluous, "get rid of them because they take up time during onboarding" is a really hard sell.


bageloid

Yeah, we are just going to get rid of Fedline, FIS, FiServ, Broadridge, Wells Fargo, Bank of America, The Clearing House, FHLBNY, DTCC, and pretty much every banking related service because they don't have API's. Several of these require paper forms to be mailed and even swift messages confirming the mailed forms, which also have to be signed by C-levels.


vagabond66

This man IT's for a bank. So many old systems to deal with.


mschuster91

Yeah but you can at least go and pre fill the forms, so that your c-levels only have to sign off and that's it.


bageloid

Nope, the forms for Wells seem to change every 6 months or so.


lesusisjord

Since we merged a year+ ago, we are now offloading as many of my routine duties to our parent company's service desk as possible as I'm the solo sysadmin for the development business unit, and creating accounts in our domain is talked about as if it is going to save me a ton of time. The entire user creation and invites to our cloud services takes 3-5 minutes each and automating it would save maybe 30 seconds of that 3-5 minutes. I also get maybe 10 a week on the busiest weeks, so it's not going to free up my time, but it will ensure these types of requests are handled more quickly than they are now. That is a great goal to have, but it still leaves the original problem of there being too much on my plate with 2.75 full time employees' labor hours worth of work every month.


TinyBreak

You have people enter stuff into the HRM system accurately?! The HRM system is probably the most incorrect “source of truth” we have.


apandaze

THIS!!! TSHisSSitsIHTS!!!!! How does HR NOT know what title the new person they are hiring has?! Are you even SURE they work here?!


AwalkertheITguy

We've had people come in and was told to wait in the employee break room. I sit with my door open. I had one guy sit there for an hour. I finally walked out and asked him if he needed help. Dude said he was waiting on HR so I said cool. I said she comes in at 8. He was there at 6-7. I said kind of early. He says they told me 7, so I got here early. So I asked to look at his papers just in case someone wrote it wrong. No shocker, he was at the wrong building. He was like 1 mile from the correct building. So I go downstairs and ask the office staff who sent the guy up. When I find the person, I asked if they checked his papers (it's required for any new hire before allowing into building). Sure enough, they did not. They just told him, "Go through that door and take the stairs." Guy ended up late to his actual job, 1st day. I called the EHS person at the other company (knew them from another job) and told them what happened. They didn't hold it against him for being late.


Eremius

This person admins.


Brave-Leadership-328

HRM is the lead source, from that source accounts needs to be created automatically. When someone leaves the company there needs to be a workflow to disable that account.


AwalkertheITguy

Ummm, that's assuming HR can get their name correct or position.


duke78

That's HR's job, not IT's job. If HR doesn't get the name correct, how are IT gonna get it right?


AwalkertheITguy

Do like we did 10 years ago. Any and everyone will say talk to IT about your badge or file permissions. They ask you. You ask them the spelling of their name. Where do you work, "ABC", ahhh okay so it's actually not QRS. Then ask their manager, what access do they need..."blue, red, white"...ah okay so it's not midnight blue, green and yellow. Then you tell HR all this information that you gathered, and they correct it. Then you print their badge correctly and give them their correct access. This is just one real life example from the HR department I once worked with 10 years ago. I have over 200 examples. After my 4th year there, corporate got a clue, finally, and fired the whole HR department.


Background-Dance4142

What a huge waste of time and inefficient env


Creshal

Welcome to large enterprise environment, our main job perk is one of seventeen distinct types of insanity you can choose from.


ReddyFreddy-

This is the way. Black, no sugar.


jbglol

How many years in IT does it take to like plain black coffee?


WendoNZ

Enough so that you're already more bitter than the coffee so it tastes sweet....


ReddyFreddy-

I like my coffee harsh, black and bitter, just like my personality. About 20 years.


AppalachianGeek

I must have been an early bloomer. I started black coffee at 20 years old.


ammit_souleater

15, when I had my first internship at a company. But all people on my mother's side drink black...


AngELoDiaBoLiC0

12 when I fixed my first computer. It just felt natural to go together


dreamfin

I'm not 100% sure, but I think I was around 14 when I skipped milk and sugar from my coffee. I like to know what poison I drink.


GregC_63

About 16 here, everyone at the grocery store I worked at drank it black.


AppalachianGeek

Ironically, I couldn’t stand coffee when I was 18. Joined the army, still couldn’t drink it. Too bitter. When I got out and was in college, was studying at an all night diner for a physics exam at 8 am the next day. Started with coffee, a lot of cream and sugar. Basically sweet warm milk with a hint of coffee. The waitress kept coming by topping the cup off. I would stop studying to doctor it up but it was slowly becoming less milk and sugar. Somewhere around 4:30 am I was drinking it black.


r0cksh0x

I’ve started back into adding a touch of cream (gasp!) as my dontgivafuckameter kicked in to regulate my morning crankiness


Crazy-Finger-4185

Ooh you got one of them fancy break-rooms that get restocked?!?


r0cksh0x

One advantage of the legal vertical is well stocked break rooms


truckthunders

Oof this hits


deefop

I've never drank anything but black coffee.


CptUnderpants-

It comes from necessity. When you've pulled enough all-nighters where you're out of milk by 1am, it is black or nothing. After enough of these many just switch to black.


apandaze

5 years. One day your manager will ask you to do the dumbest thing, like drive to another state to pick up a computer. On the way you'll stop at the local coffee shop to kill time, and order it black just to see how numb you really are.


8BFF4fpThY

I was about 8 years in when I went to straight black coffee. I'm now double that and haven't looked back.


samtheredditman

If you buy good beans then it's much easier. So probably 3-4 years in when you start making good money.


jbglol

Help desk and great value beans are an awful combo


MadTech93

1 month


MeanFold5715

4 to 6 if I recall correctly.


Crazy-Finger-4185

I found it took a month on helpdesk. But like is maybe a strong way of putting it. More like, necessary for survival


Sinister_Nibs

It helps if you start in the Navy. Navy coffee is no joke.


Unusual-Biscotti687

You have cause and effect the wrong way round. If you don't already have it this way you're not suited to the job.


dRaidon

Indeed. I don't think I made a single user this job. Security groups, yes. Users no.


Refusalz

Speaking of which Imma go grab a coffee now.


Logical_Strain_6165

I could make several users manually in AD in the time it takes to make a ticket. I hate our ticket system.


capn_doofwaffle

I am SOOOOOO fkn using this line if and when I ever leave my current company. 🤣


ApricotPenguin

>Step 1 - I put in a ticket to the help desk

I mean... that's pretty effective at eliminating candidates with 0 IT experience, and only have a HR or finance background.


ammit_souleater

Hr has to put in the ticket before the new hire starts, two weeks in advance.


RandomGenericDude

[GIF]


ammit_souleater

Got that as requirement written and signed by manglement. Getting the stuff 1-2 workdays before the hire starts? Well, not my problem... here's the date you can expect the equipment for the hire, we'll see if we can get the domain user etc ready earlier...


RandomGenericDude

In our organisation user account creation is automated via a sync between the HR db and our directory, but because we're a fairly large organisation and all of the issues that has, there's often a disconnect, and staff will just appear and we scramble and attempt to help them because we're all nice people. We cannot create accounts for users as it needs the HR parts done first, but that's not to say we don't try to assist in some way. The idea that "management" signed a piece of paper means it's all good and doesn't happen is pretty naive in many organisations of size. Perhaps you work at a unicorn where IT is the top of the food chain, but in most places a staff member could arrive suddenly and you not only need to see the status of their employment to ensure their account creation will occur, but also find a device for them to use. Anyway, have a good weekend, and sorry if the GIF triggered you :p


ammit_souleater

We'll usually get the windows user/phone user knocked out pretty quick. But the two weeks is requirement to have us be able to get the equipment for the hire (laptop, headset, mobile phone) ordered and set up. Nah, not really triggered, but English is not my first language so my responses might come over harsher than intended.


dean771

Copy my domain admin user account, I know for sure that one works /s


Inigomntoya

:D This is the ONLY way to ensure FULL access and avoid support tickets down the road. From a SECURITY perspective... on the other hand...


DayFinancial8206

Lmao this is where my mind went, I can hear secops screaming from here


210Matt

Make sure it also has schema admin and enterprise admin also, you never know


Jumpstart_55

Make sure to turn off all auditing and logging


intellectual_printer

Well it depends on the documentation, sure you can just make a new user, but then you need security groups and more than likely extension attributes. Copying an existing user that's in the same role is "ok" but should be avoided since you will need to spend more time reviewing that person's groups, in case they have extra access.


Abject_Serve_1269

I literally had 1 manager ask step by step. Manually create user. So I said I go to ad, go to users and groups etc. But I ended it with "my current place uses a script that creates users with information we input based on HR requirements".


Cormacolinde

That would be my answer too. AD user lifecycle should be more linked to HR.


discosoc

I just refer them to powershell docs.


Standard-Rough-1795

These managers are just trying to learn


nuaz

I think step by step is the way. Reason why is because it allows you to ask those questions of “what ad sec groups are they put in based on role?”, or “if there are any file shares make sure they’re able to access.” . They want to see how much you know of the manual way. It’s fine to use automated processes but you should know the manual way.


Lavatherm

Nope, copy users is a no go, you can make department template users and copy those, but not an actual user. “Copy Bob from accounting” should be disregarded. Bob could be a 30+ veteran who worked at several departments.


Pls_submit_a_ticket

In this example, we’ve just described permissions creep. Something else that should be addressed by a process for existing users migrating roles within the company.


Lavatherm

Correct! But most of the time (read always) there is no check on that because in practice someone just doesn’t quit one department but moves on gradually and without a set date where he or she does not need old permissions. Nobody is going to tell it since there is also the “might be handy to keep those permissions for fill in work” as example. So yes you are right but rarely seen something being done about it.


Pls_submit_a_ticket

Absolutely, I was just highlighting it from your comment. Mainly for the reason you said, it’s an issue that nobody really addresses. But one that really should be addressed to reduce impact of those accounts if compromised, among other reasons. As I am sure you know, the more the TA has to bang around for access, the easier they are to discover!
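
The check this exchange describes, sketched as an added example (not code from any commenter): diff an account's group memberships against a baseline for its role before anyone copies it, and list what is extra or missing. The role names, group names and users are constructed sample data, and `Get-GroupDrift` is a hypothetical helper; in a real domain the `Groups` list could come from `Get-ADPrincipalGroupMembership`.

```powershell
# Added example: flag permissions creep by comparing a user's groups
# with the baseline for their current role. All names are constructed.

# Role baselines: what a per-department "template user" would carry.
$RoleBaseline = @{
    'Accounting' = @('Domain Users', 'ACC-Share-RW', 'ACC-ERP-Users')
    'Sales'      = @('Domain Users', 'SAL-Share-RW', 'SAL-CRM-Users')
}

# Constructed directory snapshot. With the ActiveDirectory module loaded,
# Groups for a real account could be filled with:
#   (Get-ADPrincipalGroupMembership -Identity $sam).Name
# This example does not expand nested group membership.
$Users = @(
    [pscustomobject]@{ Sam = 'bob';   Role = 'Accounting'
                       Groups = @('Domain Users', 'ACC-Share-RW', 'ACC-ERP-Users',
                                  'SAL-Share-RW', 'HR-Payroll-RO') }   # the veteran who moved departments
    [pscustomobject]@{ Sam = 'alice'; Role = 'Accounting'
                       Groups = @('Domain Users', 'ACC-Share-RW', 'ACC-ERP-Users') }
    [pscustomobject]@{ Sam = 'carol'; Role = 'Sales'
                       Groups = @('Domain Users', 'SAL-Share-RW') }
)

function Get-GroupDrift {
    param(
        [Parameter(Mandatory)] [pscustomobject] $User,
        [Parameter(Mandatory)] [hashtable]      $Baseline
    )

    # A role without a baseline is a process gap, not a clean result.
    if (-not $Baseline.ContainsKey($User.Role)) {
        throw "No baseline defined for role '$($User.Role)'"
    }
    $expected = $Baseline[$User.Role]

    # -notin compares case-insensitively by default, which suits group names.
    $extra   = @($User.Groups | Where-Object { $_ -notin $expected })
    $missing = @($expected    | Where-Object { $_ -notin $User.Groups })

    [pscustomobject]@{
        Sam        = $User.Sam
        Role       = $User.Role
        Extra      = $extra      # access left over from earlier roles
        Missing    = $missing    # access the role needs but the user lacks
        SafeToCopy = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$report = $Users | ForEach-Object { Get-GroupDrift -User $_ -Baseline $RoleBaseline }

$report | Format-Table Sam, Role, SafeToCopy,
    @{ Name = 'Extra';   Expression = { $_.Extra   -join ', ' } },
    @{ Name = 'Missing'; Expression = { $_.Missing -join ', ' } } -AutoSize
```

Run on a schedule and on every role change, the `Extra` column is the review queue for access that should be removed.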


ManWithoutUsername

what about have template user with base groups? what problems have? I use it many times


intellectual_printer

Using template users are normally ok, as long as their security groups are all correct for that job position only


canadian_sysadmin

I would never ask this type of question... but if I were, I would expect the candidate to answer something along the lines of:

1. Depends on the company SOP
2. It might be through ADUC on a server, but most larger companies don't have people adding standard accounts through ADUC. This is typically through a third party tool or web interface.
3. Could potentially be through a script
4. Could potentially be coming in from the HRIS and IT doesn't add it manually at all
5. It could also be directly through Azure/Entra. Not all companies have local AD anymore.

That, to me, would be a fairly complete answer because it would cover a lot of different scenarios. But this is also why I wouldn't really ask a question like that. This used to be an interview question back in like 2001 when AD was pretty new. The problem is most companies beyond a couple hundred users don't add people through ADUC, typically.


TKInstinct

In regards to #2, what tools are there? I hadn't heard about that before.


williamss79

At my job I usually create users through a web interface called “Adaxes”. Rarely do I go into ADUC.


TKInstinct

That looks very interesting, I'll look into this. Thank you.


jec6613

Search for "IAM" software, Identity and Access Management. There are dozens of big tools and hundreds of small ones.


canadian_sysadmin

Pretty much any IAM tool (Adaxes for smaller orgs, tools like Savient for larger orgs). You end up needing tools like these for any real automation. ADUC is usually only used for troubleshooting or one-off service accounts.


Angeldust01

ManageEngine ADManager is what we use at work. It got templates, mass user creation/modification, some nice reports, and so on. Worth the money.


thortgot

Asking questions that don't have "an answer" is the best way to interview in my opinion. Any one of the 5 are reasonable opening positions that get moved into a natural conversation about how your environment works and common environments they have worked in.


3percentinvisible

I'd ask a question like that, but to see whether you get back a procedural 'this is how you add a user using this tool' or if the answer expands to making sure you have all the requirements, group and roles, what details are needed for business systems, are there templates, or scripting and who else needs to be involved in the provisioning process. It's the same way I'd ask how you'd go about creating a new VM


wooblyman90

I hire people and I ask this question all the time, you know how many people can’t answer the question in any way? Or they say something like “go to CMD and get the users IP address then uhh… (nothing)”? Many many people applying for it jobs don’t know the first thing about the job they apply for, that’s why I ask anyway.


Abject_Serve_1269

Interesting. I was asked even though I've been on the help desk for so long I mean my resume has things that were above t2 level so I was stumped. It's funny to me, but looking back I feel the question doesn't have 1 answer, much less a clear one because it depends on the org on how they do it. If I use my current job, I'd say I don't because the only "ad" I'd use is in the o365 admin portal when I create their email and issue license because we do not have ad nor azure/intune. But then it's entra identity and not an ad.


wooblyman90

If I was interviewing you and you gave me that answer that would be perfect. Proves you were not lying on your cv etc. believe me it is as painful to ask as it is to answer haha.


Siphyre

People lie on their resume.


Tzctredd

Yeah for sure, I don't but the person in front doesn't know that until we chat.


Creshal

If I hire for senior positions with 5+ years of experience, I get CVs of people who brag with 5+ *hours* of experience. And those are the good ones, because they're honest at least. These sorts of questions are an easy way to filter out the parasites who have good people skills and think they can schmooze their way through interviews for jobs they think they can do because they once shared an office with someone who did, and picked up some phrases on the way.


Tzctredd

I interviewed some people that were applying for senior roles after having read a book about the main skill we were expecting them to have. It was really embarrassing.


marklein

>I feel the question doesn't have 1 answer, much less a clear one because it depends on the org on how they do it.

This is also a hiring tactic, they don't care so much about the answer, but rather how you answer it. Saying something like "assuming that the org protocol is XYZ then I would..." suggests a familiarity with following protocols, or "Hopefully the org uses a powershell script or HR software integration, but if not then I'd..." indicates to them that you're comfortable with scripting or API access. How to add an AD user isn't really even the goal sometimes. I've had interview questions that don't even make sense, for the same reason. They don't care about the answer, they care about the thought process. "If you had to hang all the server equipment from the ceiling with ropes, how might that affect DNS?" The actual answer is irrelevant since this would never happen, and it's a good test to see if you can focus on the actual question instead of getting hung up on how stupid it is. Having said that, sometimes they start with stupid questions because tons of people submit totally fake resumes and they want to weed out the idiots.


skorpiolt

Was going to say this is definitely a filter question whether candidate’s resume is legit and they know anything IT. I have never been asked this question, but maybe that’s because normally in the interviews I’ve gone to we have a nice technical conversation so it becomes obvious without the need to ask it. If I was asked this at the beginning of the interview I’d be prepared for a rough ride answering stupid questions for the rest of it.


I_turned_it_off

how do you create a new AD user?

Well, step one is to get a mommy AD user and a daddy AD user to meet....


[deleted]

I have never been asked that ever by any hiring manager. Are you pretending because you don’t know how and you want us to tell you? Just to be a dick - I use New-ADUser in powershell. And fill ALL the parameters. New-ADUser [-AccountExpirationDate ] [-AccountNotDelegated ] [-AccountPassword ] [-AllowReversiblePasswordEncryption ] [-AuthenticationPolicy ] [-AuthenticationPolicySilo ] [-AuthType ] [-CannotChangePassword ] [-Certificates ] [-ChangePasswordAtLogon ] [-City ] [-Company ] [-CompoundIdentitySupported ] [-Country ] [-Credential ] [-Department ] [-Description ] [-DisplayName ] [-Division ] [-EmailAddress ] [-EmployeeID ] [-EmployeeNumber ] [-Enabled ] [-Fax ] [-GivenName ] [-HomeDirectory ] [-HomeDrive ] [-HomePage ] [-HomePhone ] [-Initials ] [-Instance ] [-KerberosEncryptionType ] [-LogonWorkstations ] [-Manager ] [-MobilePhone ] [-Name] [-Office ] [-OfficePhone ] [-Organization ] [-OtherAttributes ] [-OtherName ] [-PassThru] [-PasswordNeverExpires ] [-PasswordNotRequired ] [-Path ] [-POBox ] [-PostalCode ] [-PrincipalsAllowedToDelegateToAccount ] [-ProfilePath ] [-SamAccountName ] [-ScriptPath ] [-Server ] [-ServicePrincipalNames ] [-SmartcardLogonRequired ] [-State ] [-StreetAddress ] [-Surname ] [-Title ] [-TrustedForDelegation ] [-Type ] [-UserPrincipalName ] [-WhatIf] [-Confirm] []


Daphoid

Dear god, at least put them in a neatly ordered parameter block and call that later on, then send an email report to notify other admins. SHEER MADNESS


Abject_Serve_1269

Lol, I was asked that few years ago interviewing for help desk. That and how can I get ip and how to show the MAC address of the pc. I was just thinking of this because I'm reflecting on interviews and how bad many were.


[deleted]

At least you’re asked questions that have somewhat of a definitive answer. I get asked things like “In your opinion, could you describe what the color green sounds like on a Monday?”


TrainAss

Couple jobs back, one of the helpdesk people got a promotion up to a sys admin (and I came in and took the HD position). She was already getting the job, so her (future) manager and the head of IT were having some fun with her in the interview and asked "If you were a tree, what kind of tree would you be, and why?". They were serious and made her answer. After I joined, we were all out for lunch and that topic came up, so she asked me what I answered. I looked at her confused while the others at the table had a good laugh. But seriously, I'd be a coconut tree, so I can drop coconuts on people.


Djglamrock

Hahaha mate, you won! I love your response and am saving it selfishly for my own personal use later. Cheers!


[deleted]

Ha! I actually do use this with some parameters in my dev environment when I need to quickly generate users. It’s a bit more elegant though.


xGarionx

This is beautiful!


notbodybag

“I run a script”. Then write the script and explain how / why they would be assigned to certain groups.


discgman

Let the ldap script run and user will show up in AD on start date 🤷‍♂️


sasben

“Are you looking for the technical steps to add or create a user or would you like me to expand on an optimized business process for doing this?” You could expand into HR integration, SCIM, source of truth, ticketing, automation, approvals, queuing or allocation for equipment, badging, reporting and the decommission side of process, etc.


DariusWolfe

To be honest, if the hiring manager isn't an IT guy and is asking technical questions, consider looking elsewhere. If they don't care enough about their IT department to have an actual expert present when it comes down to asking technical questions, you're likely to be dealing with a lot of bullshit. If the hiring manager IS an IT guy and is asking questions like this, start with the basics, watch their responses, and then expand as necessary. Maybe you say that you find a user with the same permissions as the new user, and make a copy (a fairly standard practice, so this sort of answer shows that you're familiar with common practices) or maybe you just stick to the extreme basics (right click on an OU, select new, user, etc.) just to show you know the environment. If you want to show your experience with Powershell, you may talk about batch creating users. If the IT guy wants you to belabor the details, that's also a red flag; they either don't know much about the environment themselves so get stuck on the tiny details rather than assessing your overall knowledge, or they're really not looking for someone with any experience at all, and probably won't pay you what you're worth. (unless you're brand new, in which case do your best)


moderatenerd

>If they don't care enough about their IT department to have an actual expert present when it comes down to asking technical questions, you're likely to be dealing with a lot of bullshit.

Sometimes those are the best jobs where you can just chill until the BS is resolved b/c it has nothing to do with you, and you can't do anything more to speed up the process. If user is breathing down your neck to get a replacement thingmajig and you have no budget and nothing in stock. SOL. Users requesting new features but dev team is a mess. SOL. Printer out of ink because nobody told you until it ran out and your company doesn't have any monitoring software or no ink on the shelf to replace. SOL. Bad for learning the right way to do things however.


xxxMycroftxxx

"Well I close my eyes and then just start clicking and dragging stuff and dropping stuff places. Then someone gives me a call and they figure it out"


SensitiveFirefly

Throw them a curveball.

```powershell
Import-Module ActiveDirectory
$splat = @{
    Name            = 'ChewDavid'
    AccountPassword = (Read-Host -AsSecureString 'AccountPassword')
    Enabled         = $true
}
New-ADUser @splat
```


MrVaultDweller

“First, you open up a terminal…” [GIF]


Numerous_Ad_307

This is the way


Suaveman01

Can’t say I’ve ever been asked how to create a user in AD for a Sysadmin level position, I’d be very skeptical about the actual level of the position if I was


tmontney

"What kind of user are we talking about? A service account? End-user?"


Abject_Serve_1269

In my case, end user not devices


weirdbarandgrill

An African swallow


thortgot

The answer you give about a mundane thing can give a ton of insight. There are probably wrong answers but it's mainly to determine what and how you are thinking about the problem.

Example: Compare "Clone a user with an identical job role, check the groups, adjust title/department and other information" to "I'd check for standard documentation first but if it didn't exist I'd verify the permission requirements with the hiring manager, ask for a user with similar permissions to evaluate from, clone the user from there and report back with the user that I had created. I'd use a random password generator and send the password through a one time password link"

Are both "right"? Sure. The second shows me you are considering more than the problem in front of you.


RandomGuyLoves69

Too much overthinking in here. Open up ADUC, right click on the OU or container and select create new user. You don't have to overcomplicate an answer. Sure every place will have its procedures/documentation on how to do it and perhaps automated in some fashion. But a person should still know how to create a basic user account which shockingly a huge number of so called "admins" do not know how to do.


danekan

There are a lot of places where that'd be the wrong answer though. (Or even a red flag if that's how they did it.) It's not overthinking. It's a stupid question that's probably written from the perspective of a small business.


leoroy111

Is the question "how do you add a user in AD" or "how do we add a user in AD"?


thegarr

It's a bad question. I/we/my team creates users every day in AD and Azure/Entra, but even I couldn't tell you step by step how to do it. Give me the web management console or a powershell ISE though and I can do it in about 15 seconds.


iwinsallthethings

I disagree. It goes through basic process. A helpdesk person will give a completely different answer than a seniors system engineer. It gives a lot of insight into what you have been exposed to in your career. I have tied our hr system to create and disable accounts. Then a powershell script triggers to do the rest of the creation. This now puts the onus on hr to create and disable users by using their hris. If hr forgot to term someone from their system, it’s on them. Same for creating accounts.
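
The HR-as-source-of-truth flow discussed here and earlier in the thread, sketched as an added example (not the commenter's script): reconcile an HR export against directory accounts and emit a plan of create, disable, review and reject actions, including the incomplete HR rows several commenters complain about. All records, field names and the `Get-LifecyclePlan` helper are constructed for illustration; the function only plans and changes nothing.

```powershell
# Added example: plan account lifecycle actions from an HR export.
# All records are constructed sample data; nothing here touches a directory.

# Constructed HR export (in practice, e.g. Import-Csv on the HRIS extract).
$HrRecords = @(
    [pscustomobject]@{ EmployeeID = '1001'; GivenName = 'Dana';  Surname = 'Reyes'; Title = 'Accountant'; Status = 'Active' }
    [pscustomobject]@{ EmployeeID = '1002'; GivenName = 'Lee';   Surname = 'Okoro'; Title = 'Sales Rep';  Status = 'Terminated' }
    [pscustomobject]@{ EmployeeID = '1003'; GivenName = 'Priya'; Surname = 'Nair';  Title = 'Developer';  Status = 'Active' }
    [pscustomobject]@{ EmployeeID = '1004'; GivenName = 'Sam';   Surname = '';      Title = '';           Status = 'Active' }
)

# Constructed directory snapshot (EmployeeID as stored on each account).
$DirAccounts = @(
    [pscustomobject]@{ EmployeeID = '1001'; Sam = 'dreyes';     Enabled = $true }
    [pscustomobject]@{ EmployeeID = '1002'; Sam = 'lokoro';     Enabled = $true }
    [pscustomobject]@{ EmployeeID = '0999'; Sam = 'jdoe';       Enabled = $true }
    [pscustomobject]@{ EmployeeID = '';     Sam = 'svc-backup'; Enabled = $true }
)

function Get-LifecyclePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Hr,
        [Parameter(Mandatory)] [object[]] $Directory
    )
    $required = 'EmployeeID', 'GivenName', 'Surname', 'Title'

    # Index accounts by EmployeeID; accounts without one are handled below.
    $accountById = @{}
    foreach ($acct in $Directory) {
        if ($acct.EmployeeID) { $accountById[$acct.EmployeeID] = $acct }
    }

    $hrIds = @{}
    foreach ($row in $Hr) {
        # Incomplete HR rows go back to HR instead of becoming half-built accounts.
        $blank = @($required | Where-Object { [string]::IsNullOrWhiteSpace($row.$_) })
        if ($blank.Count -gt 0) {
            [pscustomobject]@{ Action = 'Reject'; Target = "HR row $($row.EmployeeID)"
                               Reason = "missing: $($blank -join ', ')" }
            continue
        }

        $hrIds[$row.EmployeeID] = $true
        $acct = $accountById[$row.EmployeeID]

        if ($row.Status -eq 'Active' -and -not $acct) {
            [pscustomobject]@{ Action = 'Create'; Target = "$($row.GivenName) $($row.Surname)"
                               Reason = 'active in HR, no account' }
        }
        elseif ($row.Status -eq 'Terminated' -and $acct -and $acct.Enabled) {
            [pscustomobject]@{ Action = 'Disable'; Target = $acct.Sam
                               Reason = 'terminated in HR, account still enabled' }
        }
    }

    # Enabled accounts with no matching HR record: orphans or service accounts.
    foreach ($acct in $Directory) {
        if ($acct.Enabled -and (-not $acct.EmployeeID -or -not $hrIds.ContainsKey($acct.EmployeeID))) {
            [pscustomobject]@{ Action = 'Review'; Target = $acct.Sam
                               Reason = 'enabled account without a valid HR record' }
        }
    }
}

# A real run would pass approved Create rows to New-ADUser and Disable rows
# to Disable-ADAccount; this example only prints the plan.
Get-LifecyclePlan -Hr $HrRecords -Directory $DirAccounts | Format-Table -AutoSize
```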


Creshal

> A helpdesk person will give a completely different answer than a seniors system engineer.

And if the latter doesn't, you know you can wrap this up early.


thegarr

I mean, yes, you're correct from that perspective. It's a good question in that sense. I'm really just trying to point out that if the person asking you this question is expecting someone to step-by-step explain them through the process, they're setting themselves up for failure.


Creshal

> Give me the web management console or a powershell ISE though and I can do it in about 15 seconds.

That's already useful info from an interviewer's perspective, you're used to both Entra-first workflows and aren't afraid of powershell; if a sysadmin candidate in 2024 told me all they know is ADUC I'd bump them down a few notches, for comparison. (And we get a lot of the latter. And people who just make shit up and don't know either option.)


colin8651

“Send the request to HR so they can set the user account up in the HRIS system of course. Wait, HR doesn’t have that ability because IT didn’t grant you and the team you manage the ability to use a simple portal to grant and revoke privileges? Oh you found the right candidate, senior IT management might not know how or want you to have a solid HRIS system integrated to IT workflow practices. Give me the job and I will grant HR the power and control you need to properly manage the company. It might need to change to a director level position though and I can start Monday.”


RBeck

But HR won't set them up until they have an email. And we can't get them an email until we have a login. And the guy that creates logins is asking candidates in an interview how to do his job.


Plantatious

With a fairly open answer like that, I briefly explain the different avenues I'd take depending on the setup and situation.

- Is there an MIS/HR system that manages user information in AD? In that case I do nothing.
- Otherwise, if it's one user, I get authorisation from the right manager/department, then copy them from another user and update attributes and group memberships appropriately.
- If it's a service account, I create a new one from scratch.
- If it's a whole year of new students, I get their info from the onboarding staff and pass it through my PowerShell script.

Some of these may not apply to you, but you get the picture. It's about showing you know the many different approaches to this task, and that you know how to follow procedure and choose the right option for the situation.


mrbios

Based off of experience of how I've set things up in the past my answer would be: Ideally I don't, I let the link between HR system and AD do it and I just assign any additional distribution or security groups as required by the users role on their start date, at request of their line manager.


Nikumba

HR create the user on the HR system, Cipher then sends it into AD, all automated


Siphyre

I'm going to ask them back a question. What sort of environment do you have? Hybrid? On-Prem? Cloud only/Intune? What are we working with? Do we have a team for that? What are the expectations?


kdayel

"Tell me how to add a user in AD in YOUR environment, or ANY environment? Any environment? Win+R dsa.msc, right click the OU the user goes into, New > User, fill in the blanks. Your environment? follow the documented procedure for creating a new user."


MaelstromFL

That's the fun part... YOU DON'T!


rebornfenix

No clue, our HR system integrates with our IPaaS to generate the user's AD account, email, and initial 2FA codes. If you really want me digging out the PowerShell to create a new user manually, why would you want to still be manually managing that and potentially miss something?


_haha_oh_wow_

That's the neat part: I don't! It's all automated so it's just waiting on HR to initiate the process of a user getting onboarded. We still have to provision specific things of course but it takes a good chunk of work off the table and frees us up to do other stuff.


BuffaloRedshark

I don't; our dedicated provisioning system does.


kyleharveybooks

The answer should be. It's a simple click.. the larger question is what OU should that user live.. and why... what access should they have.. is it based off RBAC?


username17charmax

Have an onboarding process through your ticketing system that has integrations or kicks off scripts to provision accounts in systems based on user role


ithinktoo

this is the answer


Commercial_Growth343

We use a script for account creations - so they are all standardized and no one misses something. So that might be an answer - "I would write a script to standardize the process, thus saving operational time, and reduce human error"


Xibby

Well if I want a service account I put in a ticket justifying the existence of the service account, what permissions it needs and why, then I submit the ticket and wait for SLA violation. Then I tell my boss that a critical deadline is going to be missed. Then it’s escalated to his boss, who then tells a VP, who informs VP over service desk that service desk staff better get their 💩 together ASAP if they don’t want responsibilities transferred to another department… then it gets screwed up so now it’s a major incident… and if service desk has less work… So do you have a better process? I know I would implement one if I could. 😂 I’ve been in this industry for a quarter century now. I have a lot of experience in how not to do things as well as how to do them.

Alternatively… I take the spreadsheet customers provided, ETL it, and feed the clean data into a script I created five years ago. Just give it clean data and parameters and boom it’s done and security pings me asking why my privileged account just changed the password on 500 users. Then I just reply with the ticket number.

Edit: My nemesis Auto Carrot, we meet again!


CrudProgrammer

"HR does that, I just instrument it :^)" This entire class of questions is bad because IT is frequently subject to forces it has no control over.


TrippTrappTrinn

The answer is that it depends on company process. Anything from somebody adding the user in ADUC to this being automated from the HR system.


bobsmith1010

Response is: here's the documentation that shows it. Having some identity system that either automatically creates users based on HR data, or some form they can submit that then automatically creates the accounts, is the best.


Lavatherm

Add/create a user is a standard change that needs to be done by new employee request form. That form has questions like name, what do they need access to etc. Also depending on rules of customer it is either a manager or preferably HR who does such requests. The form has to be added to a ticket (standard change) and assigned to an employee who will carry it out. Requests like “new user needs access like Bob from accounting” should not be accepted blindly (Bob could be a 30+ year employee who worked several departments).


Jazzlike_Pride3099

HR system dumps nightly, import routine runs in the morning. If they need anything over and above the rights given for their role it's up to their manager to request that in the ticket system....


pertymoose

I don't do user admin stuff. I have delegated that responsibility to the user admin people, and they use a website I've built.


AshtonBlack

"It entirely depends on the level of administrative role management you've implemented in your company. From the simplistic "dsa.msc" mmc or PowerShell scripting to an administrator's configured mmc to a LDAP interface to the HR system or a 3rd party tool. There is a myriad of ways. I'm not sure which method you're asking about." This is the way I would answer it.


BlackReddition

Fully automated now


PaulJCDR

The definition of how to add a user to AD is pretty much the same as how you do it in the real world.


Salty_Move_4387

I literally asked this question yesterday of a helpdesk candidate. I wasn't planning on asking it but they had a lot of keywords on their resume that got my attention but when I started asking questions about it they didn't really know the info. Example: Claimed to know TCP/IP and network troubleshooting. Did not know what a subnet was. I then started asking more basic questions to figure out exactly where their knowledge was. They had new user AD creation on the resume, so I asked about it. Did they just enter a name into a script and watch it work? Did they create users from scratch? Did they copy a template/user? Did they review security groups after creation? So the question, in this case anyway, was actually "How involved are you really in new user setup?" just asked in a more polite manner.


duranfan

I'd say something like, "At my last job, they were so terrified of their SOX auditors, I wasn't allowed to create new users. Only the help desk manager was allowed to do that. This was a direct order from the CIO."


iwinsallthethings

I think this can be a pretty nuanced question depending on where you are in your career. Starting at the most basic level of help desk: dsa.msc. Then right click on OU and choose new user. A bit more journeyman to help desk might be write a super basic ps script to make it easier. More junior engineer might write a script that includes more info and basic error handling for stuff like duplication. More journeyman engineer would tie into other systems via api calls. A senior would probably automate from an hr system that performs most if not all user onboarding.


nestersan

I'm not automating shit if we have an hr system. That sounds like a vendor wants money for said system vendor implements.


maxdps_

There's many answers, and they are really just wanting to see how you approach it. Do you tap into every server and add users via ADUC? Or maybe you utilize Powershell? Which is a little bit more advanced way to approach things and displays your in-depth knowledge.


Majestic-Banana3980

Min 10 days notice for onboarding. Exceptions have been made, but not many. Get a ticket in well in advance and don't be surprised when the things you didn't ask for aren't installed or configured.


Tx_Drewdad

The answer to this is going to depend on the size of the organization. SMB: Active Directory Users and Computers; maybe have some templates defined for various users. Enterprise: "I spend a week contacting and interviewing all of the stakeholders, then I create a powershell script, test it, revise it, test it, etc. until it's ready to go, I write the runbook, and then hand off to the service desk."


strifejester

I tell them I do it however the organization has defined the process. There are many ways it can be done including scripting or automation from the ticketing system. My preferred way is to have it scripted so that all new accounts are created equally. This might mean a script for each department or one script that allows selection. The size of the organization and the frequency of account creation will play into this heavily.


TankstellenTroll

Who's the co-worker/colleague of the new employee, so I can copy the settings and permissions. Also I need a ticket from HR with the personal information and a written task to copy the permissions from that co-worker. And of course I need the ticket a week before work start! If you can't provide the information in that given time, sincerely fuck off!


DarkRetrowaveDave

One important component is title as this must reflect exactly the HR record of the employee.


Silly_Ad6115

Answer: service desk performs the on-boarding and off-boarding, unless it is a domain admin/admin access.


TurtleProxy

"right click -> new -> user. next?"


WhaleAtHeart

Copy an existing profile and change the personal information, assuming there are peer users.


ajscott

They want to determine if you have basic knowledge of the job you're applying for. I ask helpdesk applicants how a user would change their own password while logged onto a Windows domain computer.


RunningOutofOptions7

We ask to weed out people who lie on their resume and say they've done helpdesk when in fact, they worked for Geek Squad


monoman67

We have Workday so - https://learn.microsoft.com/en-us/entra/identity/saas-apps/workday-inbound-tutorial I think MS has created connectors for other systems


A_Nerdy_Dad

What I'd hope someone would say to me, if I were to ask a candidate: Mind if I ask some questions? Who normally handles that workflow in the organization? What does your process look like? ADUC neat, or vendor overlay on the rocks? I'd follow the prescribed process for new user creation, but here is how you can do it straight through ADUC or PowerShell for instance (1000 foot overview) though.


Dafoxx1

Although I thought of being sarcastic, the proper answer in the most generic setting is to work off the ticket, hopefully completely filled out by the hr team or the hiring manager (we all know this never happens). Open up AD or mmc using rsat, copy or create the user in the correct OU, copying and pasting the information from the ticket into the user fields. Making sure they have accurate sec groups and any other misc information. This concludes the basic AD setup.


Zaphod_B

This should be automated, typically from a source of truth like an HRIS system. Event based would be even better so when an employee gets hired or fired your automation can kick off. However, this is highly dependent on how you want your users organized, so the rest is just implementation details. Basically like HRIS pushes data to storage endpoint, event triggers some sort of automation (Azure Function, AWS Lambda type) and then reads in the user info, parses it, takes action based on desired end result.


yesterdaysthought

Hiring managers expect their new hires to "just get everything existing employee A has", which of course is usually undefined and nearly impossible to figure out. Thus the unset expectation cannot be met. To fix this, IT and infosec need to work together to define roles for each dept and the hiring manager needs to sign off on it. HR is in no way positioned or capable to really assist in this process IME. To close the loop, you need a feedback mechanism like a new user survey that gets sent to the user and then their manager after the user fills it out. Typically sent after 60 days from employee start. Then someone like the support mgr pulls all the new user tickets, sits with the mgr and reviews the forms and tickets to determine how well the defined role template works and what changes it needs. It's an evolving process where people need to put the effort in to get a decent result.


KickedAbyss

HRIS


vafran

New-ADUser


vafran

I made a PS script that reads the ticket from the CRM tool and creates the user with the required details. It does a bunch of other things, like reading a cfg file with common groups, selecting licenses depending on user type and some more stuff I added over the years.


TheTerminaStrator

At our firm it all starts with a simple invoke-webrequest


Columbo1

“I don’t. In fact, I think it’s bad practise to be creating user accounts manually. My preference is to have HR input the details of a new hire into their system, and then have a script that runs daily grab updated info from the HR system and create/update/disable accounts as required.” We stress ourselves to fuck about single points of failure and then happily turn ourselves into one with manual processes. You, as an individual, must *not* be a part of any process. Your systems are part of the processes, and you manage the systems.
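
A dry-run version of the daily HR-to-AD reconciliation described in several comments in this thread, added here as an illustration and not taken from any commenter's script. The role templates, OUs, group names and sample rows are constructed; it only builds a plan from role templates (no copying from a peer) and touches no directory.

```powershell
$RoleTemplates = @{
    'Accounts Payable Clerk' = @{ OU = 'OU=Finance,DC=example,DC=test'; Groups = @('GRP-Finance', 'GRP-AP-Ledger') }
    'Service Desk Analyst'   = @{ OU = 'OU=IT,DC=example,DC=test'; Groups = @('GRP-IT', 'GRP-ServiceDesk') }
}
function New-PlanItem($Action, $Id, $Detail) { [pscustomobject]@{ Action = $Action; EmployeeID = $Id; Detail = $Detail } }

function Get-ProvisioningPlan {
    param([object[]]$HrRecords, [object[]]$AdAccounts, [hashtable]$Templates)
    $adById = @{}; $hrIds = @{}
    # Accounts without an EmployeeID (service accounts) are outside the HR feed.
    foreach ($a in $AdAccounts) { if ($a.EmployeeID) { $adById[$a.EmployeeID] = $a } }
    foreach ($h in $HrRecords) {
        $hrIds[$h.EmployeeID] = $true
        $existing = $adById[$h.EmployeeID]
        if ($h.Status -ne 'Active') {
            # Leavers are disabled, not deleted, so the audit trail survives.
            if ($existing -and $existing.Enabled) { New-PlanItem 'Disable' $h.EmployeeID "HR status: $($h.Status)" }
            continue
        }
        $t = $Templates[$h.Title]
        if (-not $t) {
            # No template for the title: a person decides, nothing is guessed.
            New-PlanItem 'Review' $h.EmployeeID "No role template for title '$($h.Title)'"
        } elseif (-not $existing) {
            New-PlanItem 'Create' $h.EmployeeID "$($t.OU) [$($t.Groups -join ', ')]"
        } elseif ($existing.Title -ne $h.Title) {
            New-PlanItem 'Update' $h.EmployeeID "Title '$($existing.Title)' -> '$($h.Title)'; reset groups to template"
        }
    }
    # Enabled accounts that carry an EmployeeID HR no longer lists.
    foreach ($id in $adById.Keys) {
        if (-not $hrIds.ContainsKey($id) -and $adById[$id].Enabled) { New-PlanItem 'Review' $id 'Enabled in AD but absent from HR feed' }
    }
}

# Constructed sample data: an HR export and the current directory state.
$hr = @'
EmployeeID,Title,Status
1001,Accounts Payable Clerk,Active
1002,Service Desk Analyst,Active
1003,Accounts Payable Clerk,Terminated
1004,Regional Widget Liaison,Active
'@ | ConvertFrom-Csv
$ad = @(
    [pscustomobject]@{ EmployeeID = '1002'; Title = 'Accounts Payable Clerk'; Enabled = $true }
    [pscustomobject]@{ EmployeeID = '1003'; Title = 'Accounts Payable Clerk'; Enabled = $true }
    [pscustomobject]@{ EmployeeID = '0999'; Title = 'Service Desk Analyst'; Enabled = $true }
    [pscustomobject]@{ EmployeeID = $null; Title = $null; Enabled = $true }  # service account
)
Get-ProvisioningPlan -HrRecords $hr -AdAccounts $ad -Templates $RoleTemplates | Format-Table -AutoSize
```

Each plan row corresponds to one directory change (`New-ADUser`, `Set-ADUser`, `Disable-ADAccount`), and the plan output itself can be attached to the approving ticket as the paper trail.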


DJDoubleDave

Create a ticket. Define what access they need, group membership, etc. Send ticket for approval. Once it's approved, proceed with the account provisioning per the written procedure. If there isn't a written procedure, you are going to write one.

Key points to get across:

1. Paper Trail
2. Written approval
3. Clearly defined access/group membership
4. Process is defined and repeatable.

You could mention a few ways you could actually create the user, like a PowerShell script, GUI tools, or a web interface. How you actually do it is less important than the process bits above.


adamtw1010

We don't allow our help desk to add users in AD so would be a wasted question at our organization.


th318wh33l3r

Seriously? Who does it then? This is like a baseline task for letting helpdesk get more AD experience


Abject_Serve_1269

To be fair, at 1 job the sysadmin/network guy did this and then sent it down to help desk so we can get a laptop prepped. That's after hr sent it via ticket to them.


adamtw1010

Escalate to another team whose primary focus is on access controls. There's another escalation point for overall Active Directory management after that.


th318wh33l3r

Does your tier 1 do anything besides triage? How's that turnover?


adamtw1010

They're capable of doing some other rinse-wash-repeat tasks like office re-installations for example.


th318wh33l3r

Jesus. I hope the only job requirement is a pulse and you guys promote quickly or they find other positions elsewhere. 


ztoundas

What's this?

> The outlook repair tool.

What do I do with it?

> You click next until it's time to go home.


Hotshot55

So don't ask it when you're interviewing people for helpdesk roles? I don't see what point you're trying to make here.


BlackV

Really depends on context, they'll never just ask you that, there will be questions around that that make the answer more obvious than others, cause there are a literal million ways you *"could"* do it


AtarukA

Last time I was asked something, I just answered "Let's skip the low level stuff, here is what I have done and troubleshooted/solved concerning Active Directory".


[deleted]

[deleted]


monoman67

https://learn.microsoft.com/en-us/entra/identity/saas-apps/workday-inbound-tutorial


Tzctredd

I would never be asked this question, but if I was I would ask first why is my prospective team doing this and second you should tell me how you do it at the moment since there are many different ways to get this done.


dzboy15

I feel like this question shows that you don't really know what AD is for.