Copy existing AD User  to create new AD account

SAM2009
Hi,

Just wondering if it's good practice to copy an existing AD user when we need to create a new employee's AD account, e.g. a new employee who needs the same access and needs to be in the same MemberOf AD groups.

Thanks
Danilo AndradeIT Systems Analyst
Commented:
That's exactly how you do it. If you need a user with the same security access you should create the new user by copying it from another one that has similar permissions. You don't need to create a new one and add the groups manually.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Just wondering if it's a good practice to copy an existing user AD when we need to create a new employee AD. Like new employee who need the same access and need to be on same MemberOf AD groups.
No, in a mid to large environment you are almost guaranteed that this will over-permission the user.

This question usually stems from an environment without proper group management. If you use the principle of role and delegation groups, you would, in most cases, just need to add the user to one group.
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
Mohammed KhawajaManager - Infrastructure:  Information Technology

Commented:
Best practice is to NOT copy users. Create them from scratch and assign them the appropriate group memberships.
yo_beeDirector of Information Technology
Commented:
I personally feel that copying a user is not a bad practice, but you need to keep in mind what groups they really need to be part of. That is the primary reason I use Copy. Most of the other attributes, like Employee Number and things like that, are not copied.

If you want to follow this practice, I would recommend creating user templates (a dummy user object that is disabled) per department:
IT
HELPDESK
HR
ACCOUNTING
ETC.......
MaheshArchitect
Distinguished Expert 2018
Commented:
If you need group membership and other AD attributes to be copied automatically for users, you can use the copy method.

It also depends on how your group membership is structured and whether you have any automated way of creating users.

If you have many attributes to set and don't have an automated way to create them, then the copy process is the way.
Danilo AndradeIT Systems Analyst
Commented:
It's definitely not a bad practice IMHO.
You stated the exact reason why a copy function exists in AD:
new employee who need the same access and need to be on same MemberOf AD groups

Of course you can end up giving more permissions to the new user than he/she should have. But that happens when you are not aware of your own environment. If you have everything organized according to your distribution and security groups, everything works as it should for the role it is intended for.

In a perfect world you could have few groups and could possibly be selective and do your due diligence by adding them manually. But once you get a more complex environment, good luck trying to create a few users and adding the distinct groups they should be part of manually. Your day will be wasted on only creating users, and that doesn't seem very productive. Not to mention that even by adding them manually you could make a mistake and add one that was not supposed to be there. It all may depend on quantity, as you can get lost.

You can even use PowerShell to create the users and copy from another. Things exist for a reason, and it would make your life easier. You just need to be careful and know what you are doing. Once a client asks you to create a user who should have access to such and such groups, and they don't know who else has those permissions, you can check who does and just copy from that other user. The act of copying another user to create a new one is not bad. Again, it's just making sure you have the correct permissions and, if not, you can modify it slightly.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
It's definitely not a bad practice IMHO.
Of course it is. You utilize it because you are unsure of permissions, and you just do it because user John wants the same permissions as user Sally. If you have everything "organized" you would never even think of using this function unless you use it from a template "skeleton" user.
It means you do not understand your groups or they are too complex to make sense of.

In a perfect world you could have not many groups and could possibly be selective and do your due diligence by adding them manually. But once you get a more complex environment, good luck trying to create a few users and adding the distinct groups they should be part of manually.
No, just managed properly. I work in some of the most complex environments, where I implement controls such as group object lifecycle management.

You can even use powershell to create the users and copy from another.
Why? Using PowerShell to automate user creation is a good idea; extending the bad practice of copying a user is not.
MaheshArchitect
Distinguished Expert 2018
Commented:
Yes, you would create a template user and use the copy process to create users, but it's still not the preferred way to create users in bulk.

You can use PowerShell to automate the copy process as well, but it's a bit complicated.

In that case you are better off with CSV input containing all the required values.
yo_beeDirector of Information Technology
Commented:
@mahesh's comment:

For bulk creation, scripting is the way to go. For the one user, as the question is asked, the copy method is perfectly fine.

As others stated, a PowerShell script can be used to standardize on-boarding.
Leading Engineer
Commented:
Hi,

Clearly the question has unearthed two clear attitudes: the copiers and the fresh starters.

I know the problem: creating user accounts is possibly the most dull and tedious task in IT. However it is a very serious one.

To quote Spider-Man: "with great power there must also come - great responsibility"

What am I on about? I am talking about the inappropriate membership of AD groups and the unnecessary powers that can give to employees. To stick to Least Privilege it all starts with creating user accounts. If you don't get that right, you're fighting a losing battle.

The danger (security risk) if you just use "copy and paste" user accounts is that two things will happen. First, it will become habit and all accounts will be made that way. Second, you will get "AD group creep". Someone will join a team and the account creation team will be told "oh, they need the same rights as Bob". Unknown to the requester, Bob just happens to have rights to the Director's email. Then they start copying the same account regularly, and before you know it you have 437 accounts who can play with the Director's email account.

I have seen this (sloppy copying of accounts and copying of inappropriate AD groups) happen more than once. It just becomes a mess very quickly.

Using the AD GUI is probably the least efficient method.

If you want best practice for creating user accounts, I would figure out a process first and then find a way to automate it (PowerShell or another tool). Some places give the job of assigning groups to a dedicated security team. Others give it to low-paid 1st line staff who don't know which groups to give to whom. The latter is where you need a strong process and automation.

Mike
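One way to combine the two camps above (a per-department template, but inheriting only role groups and flagging anything else) and to detect the "group creep" Mike describes. This is an added example, not code from any poster or from Experts Exchange; it assumes the ActiveDirectory module, a disabled template user per department (e.g. `tpl-helpdesk`), and a naming convention where role groups are called `Role-*`; all names are placeholders.

```powershell
# Added example. Assumptions: ActiveDirectory module installed, a disabled
# template user per department, role groups named 'Role-*' (placeholder names).
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    # Read only the attributes we intend to inherit; nothing else carries over.
    $tpl = Get-ADUser -Identity $TemplateSam -Properties Department, Title, Company, MemberOf
    $groups = $tpl.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ }
    # Group-creep guard: inherit role groups only; report anything else on the
    # template instead of silently copying it.
    $inherit = $groups | Where-Object Name -like 'Role-*'
    $groups | Where-Object Name -notlike 'Role-*' | ForEach-Object {
        Write-Warning "Template $TemplateSam is in non-role group '$($_.Name)'; not copied. Review the template."
    }
    $upn = "$SamAccountName@$((Get-ADDomain).DNSRoot)"
    $new = New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName $upn `
        -Department $tpl.Department -Title $tpl.Title -Company $tpl.Company `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true -PassThru
    foreach ($g in $inherit) { Add-ADGroupMember -Identity $g -Members $new }
    return $new
}

function Get-GroupCreep {
    param([Parameter(Mandatory)][string]$TemplateSam)
    # List enabled users in the template's department who hold a group the
    # template does not, i.e. membership that drifted from the role definition.
    $tpl = Get-ADUser -Identity $TemplateSam -Properties Department, MemberOf
    $baseline = @($tpl.MemberOf)
    Get-ADUser -Filter "Department -eq '$($tpl.Department)' -and Enabled -eq 'True'" -Properties MemberOf |
        Where-Object SamAccountName -ne $TemplateSam |
        ForEach-Object {
            $extra = @($_.MemberOf | Where-Object { $baseline -notcontains $_ })
            if ($extra.Count -gt 0) {
                [pscustomobject]@{ User = $_.SamAccountName; ExtraGroups = ($extra | Get-ADGroup).Name }
            }
        }
}

# Usage (placeholder values):
# $pw = Read-Host -AsSecureString 'Initial password'
# New-UserFromTemplate -TemplateSam 'tpl-helpdesk' -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' -InitialPassword $pw
# Get-GroupCreep -TemplateSam 'tpl-helpdesk' | Format-Table -AutoSize
```

Running Get-GroupCreep on a schedule gives the periodic review Mike recommends: each row is a user whose access no longer matches the department role and should be justified or removed.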

Author

Commented:
Thank you for sharing your thoughts!
