Copy existing AD User to create new AD account

Hi,

Just wondering if it's good practice to copy an existing AD user when we need to create a new employee's AD account, e.g. a new employee who needs the same access and needs to be in the same MemberOf AD groups.

Thanks
SAM2009Asked:

Danilo AndradeIT Systems AnalystCommented:
That's exactly how you do it. If you need a user with the same security access you should create the new user by copying it from another one that has similar permissions. You don't need to create a new one and add the groups manually.
Shaun VermaakTechnical SpecialistCommented:
Just wondering if it's good practice to copy an existing AD user when we need to create a new employee's AD account, e.g. a new employee who needs the same access and needs to be in the same MemberOf AD groups.
No, in a mid-to-large environment you are almost guaranteed that this will over-permission the user.

This question usually stems from an environment without proper group management. If you use the principle of role and delegation groups, you would, in most cases, just need to add the user to one group.
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
Best practice is to NOT copy users.  Create them from scratch and assign them to appropriate group memberships.
yo_beeDirector of Information TechnologyCommented:
I personally feel that copying a user is not a bad practice, but you need to keep in mind what groups they really need to be part of. That is the primary reason I use Copy. Most of the other attributes are not copied, like Employee Number and things like that.

If you want to follow this practice I would recommend creating user templates (a dummy user object that is disabled) per department.  
IT
HELPDESK
HR
ACCOUNTING
ETC.......
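As an added example (not code from anyone in this thread), here is how the "disabled template per department" approach looks when scripted instead of done through the ADUC Copy dialog. It assumes the ActiveDirectory PowerShell module, template accounts named `_tmpl_<department>` that are disabled, and a hypothetical domain `corp.example` and OU path; adjust those to your environment.

```powershell
# Added example: create a user from a disabled per-department template account.
# Assumptions (not from the thread): ActiveDirectory module is installed, templates are
# named "_tmpl_<department>" and disabled, domain/OU below are hypothetical placeholders.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,      # e.g. _tmpl_accounting
        [Parameter(Mandatory)] [string] $NewSam,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [System.Security.SecureString] $InitialPassword,
        [string] $UpnSuffix = 'corp.example',                                   # hypothetical
        [string] $Path      = 'OU=Users,OU=Corp,DC=corp,DC=example'             # hypothetical
    )

    # Load only the attributes we deliberately want to carry over. Anything not loaded here
    # (EmployeeNumber, mail, telephone, etc.) is NOT copied by -Instance, which is the point:
    # the template defines the role, not a person.
    $template = Get-ADUser -Identity $TemplateSam -Properties Department, Title, Office, Company,
        StreetAddress, City, PostalCode, Country, Manager, ScriptPath, HomeDrive, HomeDirectory

    # A template that is enabled is a logon-capable account nobody owns; refuse to use it.
    if ($template.Enabled) {
        throw "Template '$TemplateSam' is enabled. Templates must be disabled accounts."
    }

    # Group membership is a back-link attribute and is not applied by -Instance, so read it separately.
    $templateGroups = (Get-ADUser -Identity $TemplateSam -Properties MemberOf).MemberOf

    $newUser = @{
        Name                  = "$GivenName $Surname"
        SamAccountName        = $NewSam
        UserPrincipalName     = "$NewSam@$UpnSuffix"
        GivenName             = $GivenName
        Surname               = $Surname
        Path                  = $Path
        AccountPassword       = $InitialPassword
        Enabled               = $true
        ChangePasswordAtLogon = $true
        Instance              = $template   # copies the loaded attributes above
    }
    New-ADUser @newUser

    # Apply exactly the template's direct memberships, nothing more, and record what was granted.
    foreach ($groupDn in $templateGroups) {
        Add-ADGroupMember -Identity $groupDn -Members $NewSam
        Write-Verbose "Added $NewSam to $groupDn (from template $TemplateSam)" -Verbose
    }

    Get-ADUser -Identity $NewSam -Properties MemberOf, Department, Title
}

# Usage (the password prompt is interactive):
# New-UserFromTemplate -TemplateSam '_tmpl_accounting' -NewSam 'jdoe' -GivenName 'Jane' -Surname 'Doe' `
#     -InitialPassword (Read-Host -AsSecureString 'Initial password')
```

Two things worth knowing about this versus the GUI: ADUC's Copy duplicates group membership and whatever attributes the schema flags as "copied when duplicating", whereas `New-ADUser -Instance` copies only the attributes you loaded and never group membership, so the script adds groups explicitly and logs each one. `MemberOf` lists direct memberships only; the primary group (usually Domain Users) and anything inherited through nesting are not in that list.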
MaheshArchitectCommented:
If you need group membership and other AD attributes to be copied automatically for users, you can use the copy method.

It also depends on how your group membership is structured and whether you have any automated way of creating users.

If you have many attributes to set and don't have an automated way to create them, then the copy process is the way.
Danilo AndradeIT Systems AnalystCommented:
It's definitely not a bad practice IMHO.
You stated the exact reason why a copy function exists in AD:
new employee who need the same access and need to be on same MemberOf AD groups

Of course you can end up giving more permissions to the new user than he/she should have. But that's when you are not aware of your own environment. If you have everything organized as per your distribution and security groups, everything works as it should for the role it is intended to be.

In a perfect world you might not have many groups and could be selective and do your due diligence by adding them manually. But once you get a more complex environment, good luck trying to create a few users and adding the distinct groups they should be part of manually. Your day will be wasted just creating users, and that doesn't seem very productive. Not to mention that even by adding them manually you could make a mistake and add one that was not supposed to be there. It all may depend on quantity, as you can get lost.

You can even use PowerShell to create the users and copy from another. Things exist for a reason, and it would make your life easier. You just need to be careful and know what you are doing. If a client asks you to create a user who should have access to such and such groups, and they don't know who else has those permissions, you can check who does and just copy from that other user. The act of copying another user to create a new one is not bad. Again, it is just about making sure you have the correct permissions, and if not, you can modify it slightly.
Shaun VermaakTechnical SpecialistCommented:
It's definitely not a bad practice IMHO.
Of course it is. You utilize it because you are unsure of permissions and you just do it because user John wants the same permissions as user Sally. If you have everything "organized" you would never even think of using this function unless you use it from a template "skeleton" user.
It means you do not understand your groups or it is too complex to make sense of.

In a perfect world you could have not many groups and could possibly be selective and do your due diligence by adding them manually. But once you get a more complex environment, good luck trying to create a few users and adding the distinct groups they should be part of manually.
No, just managed properly. I work in some of the most complex environments, where I implement controls such as group object lifecycle management.

You can even use powershell to create the users and copy from another.
Why? Using PowerShell to automate user creation is a good idea; extending the bad practice of copying a user is not.
MaheshArchitectCommented:
Yes, you would create a template user and use the copy process to create users, but it's still not the preferred way to create users in bulk.

You can use PowerShell to automate the copy process as well, but it's a bit complicated.

In that case you are better off with CSV input with all the required values.
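An added example of the CSV-driven, role-group approach several replies point to (this is not code from anyone in the thread). It assumes the ActiveDirectory module, role groups that follow a `Role-<name>` naming convention (hypothetical), a hypothetical OU and UPN suffix, and a constructed three-row CSV; the third row is there to show the script refusing a row that tries to hand out a non-role group.

```powershell
# Added example: bulk onboarding from CSV where each row grants exactly one role group.
# Assumptions (not from the thread): ActiveDirectory module installed; role groups are named
# "Role-<name>"; OU/UPN suffix are hypothetical; the CSV rows below are constructed sample input.
Import-Module ActiveDirectory

# Constructed sample input. In production this is Import-Csv on the HR export.
$rows = @'
SamAccountName,GivenName,Surname,Department,RoleGroup
jdoe,Jane,Doe,Accounting,Role-Accounting-Clerk
bsmith,Bob,Smith,Helpdesk,Role-Helpdesk-Tier1
eadams,Eve,Adams,Accounting,Domain Admins
'@ | ConvertFrom-Csv

function New-RoleBasedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Row,
        [string] $Path      = 'OU=Users,OU=Corp,DC=corp,DC=example',   # hypothetical
        [string] $UpnSuffix = 'corp.example'                            # hypothetical
    )
    process {
        $sam = $Row.SamAccountName

        # Only groups that follow the role-group convention may be assigned by this path.
        # Anything else (Domain Admins, an ad-hoc resource group) needs a separate approval.
        if ($Row.RoleGroup -notmatch '^Role-') {
            Write-Warning "Skipping ${sam}: '$($Row.RoleGroup)' is not a role group"
            return
        }
        if (-not (Get-ADGroup -Filter "Name -eq '$($Row.RoleGroup)'")) {
            Write-Warning "Skipping ${sam}: role group '$($Row.RoleGroup)' does not exist"
            return
        }
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Warning "Skipping ${sam}: account already exists"
            return
        }

        # One-time initial password from a CSPRNG; the user must change it at first logon.
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $bytes = [byte[]]::new(24)
        $rng.GetBytes($bytes)
        $initialPw = ConvertTo-SecureString -AsPlainText -Force ([Convert]::ToBase64String($bytes) + '!')

        if ($PSCmdlet.ShouldProcess($sam, "Create user and add to $($Row.RoleGroup)")) {
            New-ADUser -Name "$($Row.GivenName) $($Row.Surname)" -SamAccountName $sam `
                -UserPrincipalName "$sam@$UpnSuffix" -GivenName $Row.GivenName -Surname $Row.Surname `
                -Department $Row.Department -Path $Path -AccountPassword $initialPw `
                -Enabled $true -ChangePasswordAtLogon $true
            Add-ADGroupMember -Identity $Row.RoleGroup -Members $sam
        }
    }
}

# Dry run first: -WhatIf propagates to New-ADUser/Add-ADGroupMember inside the function.
$rows | New-RoleBasedUser -WhatIf
# Then for real:
# $rows | New-RoleBasedUser -Verbose
```

The filter strings are built from CSV values, so run the HR export through a sanity check (no quotes or wildcards in SamAccountName) before feeding it in; the `-WhatIf` pass will show every create and every group add without touching the directory.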
yo_beeDirector of Information TechnologyCommented:
@mahesh comment.

For bulk creation, scripting is the way to go. For the one user, as the question asked, the copy method is perfectly fine.

As others stated, a PowerShell script can be used to standardize onboarding.
Mike TLeading EngineerCommented:
Hi,

Clearly the question has unearthed two clear attitudes: the copiers and the fresh starters.

I know the problem: creating user accounts is possibly the most dull and tedious task in IT. However it is a very serious one.

To quote Spider-Man : "with great power there must also come–great responsibility"

What am I on about? I am talking about the inappropriate membership of AD groups and the unnecessary powers that can give to employees. To stick to Least Privilege it all starts with creating user accounts. If you don't get that right, you're fighting a losing battle.

The danger (security risk) if you just use "copy and paste" user accounts is that two things will happen. First, it will become habit and all accounts will be made that way. Second, you will get "AD group creep". Someone will join a team and the account creation team will be told "oh, they need the same rights as Bob". Unknown to the requester, Bob just happens to have rights to the Director's email. Then they start copying the same account regularly, and before you know it you have 437 accounts who can play with the Director's email account.

I have seen this (sloppy copying of accounts and copying inappropriate AD groups) happen, more than once. It just becomes a mess very quickly.

Using the AD GUI is probably the least efficient method.

If you want best practice for creating user accounts, I would figure out a process first and then find a way to automate it (PowerShell or another tool). Some places give the job of assigning groups to a dedicated security team. Others give it to low-paid 1st line staff who don't know which groups to give to whom. The latter is where you need a strong process and automation.

Mike
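The "group creep" described above is something you can measure rather than just worry about. Here is an added audit script (not from anyone in the thread) that compares every enabled user's direct group memberships against the disabled template account of their department and reports the excess, then summarizes which groups have leaked to the most people. It assumes the ActiveDirectory module, templates named `_tmpl_<department>` with the Department attribute set (hypothetical convention), and a hypothetical search base.

```powershell
# Added example: find "group creep" by diffing each user's direct memberships against
# their department's disabled template account.
# Assumptions (not from the thread): ActiveDirectory module installed; templates are named
# "_tmpl_<department>" and carry the Department attribute; the search base is hypothetical.
Import-Module ActiveDirectory

function Get-GroupCreep {
    param(
        [string] $SearchBase     = 'OU=Users,OU=Corp,DC=corp,DC=example',   # hypothetical
        [string] $TemplatePrefix = '_tmpl_'
    )

    # Baseline per department = the template's direct memberships.
    $baseline = @{}
    Get-ADUser -Filter "SamAccountName -like '$TemplatePrefix*'" -Properties MemberOf, Department |
        Where-Object { -not [string]::IsNullOrEmpty($_.Department) } |
        ForEach-Object { $baseline[$_.Department] = @($_.MemberOf) }

    $users = Get-ADUser -SearchBase $SearchBase -Filter "Enabled -eq 'True'" -Properties MemberOf, Department |
        Where-Object { $_.SamAccountName -notlike "$TemplatePrefix*" }

    foreach ($u in $users) {
        if ([string]::IsNullOrEmpty($u.Department) -or -not $baseline.ContainsKey($u.Department)) {
            # No baseline at all is itself a finding: nobody can say what this account should have.
            [pscustomobject]@{ User = $u.SamAccountName; Department = $u.Department; ExtraGroup = '(no template for department)' }
            continue
        }
        # Direct memberships only. Effective rights through nested groups need a recursive
        # check (e.g. Get-ADPrincipalGroupMembership or tokenGroups); that is a separate audit.
        foreach ($g in @($u.MemberOf) | Where-Object { $_ -notin $baseline[$u.Department] }) {
            [pscustomobject]@{ User = $u.SamAccountName; Department = $u.Department; ExtraGroup = $g }
        }
    }
}

$creep = Get-GroupCreep

# Per-user detail, for the people who have to clean it up:
$creep | Sort-Object Department, User | Format-Table -AutoSize

# Per-group summary: this is where "437 accounts can touch the Director's mailbox" shows up.
$creep | Group-Object ExtraGroup | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Run it read-only on a schedule and diff the output; a group that keeps appearing with a growing count is exactly the copy-from-Bob pattern. Anything the audit flags should be either removed or formally added to the template so the baseline stays honest.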

SAM2009Author Commented:
Thank you for sharing your thoughts!