Student Provisioning Services has provided student account automation for Micro Focus eDirectory and Microsoft Active Directory for over six years now. Recently we have been working with more schools to automate their staff accounts as well. This can be a more complicated process for many reasons, especially for K12 schools, but the problem isn't unique to schools.
While there is inherent value in automating staff accounts, since it eliminates the manual tasks involved and the possibility of human error, there is another significant advantage. The real value comes from taking the time to apply the data in a way that lets us automate staff-related email distribution lists through group memberships.
Read our article Google OU Structure and Automation.
The most challenging part of this process is finding an authoritative source of data that contains all staff information in a form that is useful for automating account creation. Most Student Information Systems focus primarily on teaching staff and don't normally have classified staff or even administrative staff in the system. For example, bus drivers and custodial staff would never have a reason to log in to a SIS or interact with student learning information. I have encountered some school districts using Infinite Campus that have an account for every employee, which is a tremendous help because it gives us a single location to get all of the staff data.
The next challenge that I have encountered is that not all systems have a primary building assignment for staff. Because many staff are assigned to multiple buildings and may have different job assignments in those buildings, we must be able to identify which one is primary. Because a user can only exist in a single location in Active Directory, eDirectory and G-Suite, we must know where to place the account. Without this information, our only choice may be to put everyone into a single Organizational Unit and then distinguish them in another way for group automation, which isn't necessarily bad. Having building OUs in Active Directory can help with deploying printers via Group Policy assignments and with automating email distribution lists, but it isn't the only way to accomplish these tasks.
Check out our article on Printing with Google Cloud.
If we are trying to automate email distribution lists completely, we need to decide which lists we want that can be built from the available data. A good starting point would be to create a group for all staff based on building and job classification. That would give us a group for Certified, Classified, and Administrative staff for each building code that we have in our data. It may be possible for staff to have multiple building assignments and multiple job classifications. In this case, we should be able to enter multiple values into attributes in Active Directory to be parsed out later by either a PowerShell script or a commercial product like GroupSymmetry from Condrey Corporation.
An example of what this might look like would be if we had the following Job Classification codes:
01 Certified
02 Classified
03 Administration
Then suppose we have four different buildings and use the following codes for them:
PS Primary School
IS Intermediate School
MS Middle School
HS High School
Then a staff member with two roles in two buildings could be represented this way: we enter both building codes into the Office field, separated by a vertical bar (|) delimiter.
Next, use the Department field to store the Job Classification codes, again delimited with a vertical bar (|) if there are multiple values. We want to reserve the Job Title field for an actual job title that provides more detail about the person's real role.
The next step in our process is a naming standard for our groups in Active Directory, which will also become email distribution lists in Office 365 or G-Suite. I avoid spaces and instead use a hyphen where I want separation between words, to keep the names readable. We may not want to refer to Certified staff by that name but might substitute Teacher, and for Classified we might substitute Staff. Group names using just the data we have so far would be:
PS-Teacher, PS-Staff and PS-Admin
IS-Teacher, IS-Staff and IS-Admin
MS-Teacher, MS-Staff and MS-Admin
HS-Teacher, HS-Staff and HS-Admin
This covers the majority of the maintenance work. You won't be able to automate everything, because there may be situations that cannot be identified from the data we have available. The more granular our data, the more we can do with automation. The limitation here is that if a person were in an Admin role at one building and a teaching role at the other, the two attributes alone cannot tell us which role belongs to which building. That user would be added to both the Admin and Teacher groups in both buildings. That may be OK, but it is less than ideal.
Next, we need to either use a PowerShell script or a commercial tool like GroupSymmetry from Condrey Corp to sweep through our OU structure, look for the different data values in our two different attributes, and update our group membership based on those values.
I'm choosing to show how this can be done with GroupSymmetry because it is simple and straightforward. (There is a cost associated with this product, which you can purchase through K12 Services, LLC.)
First, you navigate to the group that you want to manage automatically and create a policy that defines how it is to be managed.
The policy for IS-Admin requires the Office field (LDAP attribute physicalDeliveryOfficeName) to contain the value IS and the Department field to contain 03.
When we preview this policy, we see that it correctly wants to add the account keith.larson to the IS-Admin group.
You also have the option to write this requirement as an LDAP query. The software can also manually override the policy to include users that don't meet the requirement, or to exclude users that meet the requirement but that you don't want in the group.
This runs as a task that can be scheduled, with a number of frequency options to choose from.
The process would be similar with a PowerShell script running as a scheduled task.
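As an added example of the PowerShell route (this is not SPS-K12's or Condrey's code), the script below implements the attribute encoding and group-naming standard from the earlier sections and the sweep described here in one pass. It assumes the RSAT ActiveDirectory module, that the building groups already exist, that the Office (physicalDeliveryOfficeName) and Department attributes hold "|"-delimited codes exactly as described, and a placeholder OU path of OU=Staff,DC=example,DC=org that you would replace with your own.

```powershell
# Added example, not code from SPS-K12 or Condrey. Assumes the RSAT ActiveDirectory
# module, that the target groups already exist, and that Office (physicalDeliveryOfficeName)
# and Department hold "|"-delimited codes as the article describes. The OU below is a
# placeholder. Run with -WhatIf first: it previews the changes without touching AD.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=org',  # assumed OU; replace with yours
    [switch]$RemoveStale   # also remove members whose attributes no longer qualify them
)
Import-Module ActiveDirectory

# Code tables from the article; the right-hand names are its proposed group-naming standard.
$JobClass  = @{ '01' = 'Teacher'; '02' = 'Staff'; '03' = 'Admin' }
$Buildings = @('PS', 'IS', 'MS', 'HS')

function Split-Codes {
    # Split a "|"-delimited attribute into trimmed, upper-cased tokens; an empty attribute
    # yields no tokens. Tokenizing, rather than substring matching, is what keeps a
    # code such as "1" from matching "01" or "10".
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value.Split('|') | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ })
}

function Get-TargetGroups {
    # Every building code x every job class the user carries. As the article notes, the
    # data cannot say which role belongs to which building, so an Admin at IS who teaches
    # at MS lands in IS-Admin, IS-Teacher, MS-Admin and MS-Teacher.
    param([string]$Office, [string]$Department)
    $groups = @(foreach ($b in Split-Codes -Value $Office) {
        if ($b -notin $Buildings) { Write-Warning "Unknown building code '$b'"; continue }
        foreach ($j in Split-Codes -Value $Department) {
            if (-not $JobClass.ContainsKey($j)) { Write-Warning "Unknown job class '$j'"; continue }
            "$b-$($JobClass[$j])"
        }
    })
    return @($groups | Where-Object { $_ } | Sort-Object -Unique)
}

# Pass 1: sweep the OU once and build the desired membership for each group.
$desired = @{}
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties physicalDeliveryOfficeName, department
foreach ($u in $users) {
    foreach ($g in Get-TargetGroups -Office $u.physicalDeliveryOfficeName -Department $u.department) {
        if (-not $desired.ContainsKey($g)) { $desired[$g] = @() }
        $desired[$g] += $u.DistinguishedName
    }
}

# Pass 2: reconcile each group. A group that no current user qualifies for is never
# visited here, so its stale members are not removed; a full reconcile would iterate
# the naming-standard groups instead of $desired.Keys.
foreach ($g in $desired.Keys) {
    $group = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $group) { Write-Warning "Group '$g' does not exist; skipping"; continue }
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)
    $toAdd = @($desired[$g] | Where-Object { $_ -notin $current })
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($g, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($RemoveStale) {
        $toRemove = @($current | Where-Object { $_ -notin $desired[$g] })
        if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($g, "Remove $($toRemove.Count) member(s)")) {
            Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
        }
    }
}
```

Saved as, say, Sync-StaffGroups.ps1 (an assumed name), `.\Sync-StaffGroups.ps1 -WhatIf` gives the same kind of preview the GroupSymmetry policy screen does, and the scheduled task should run it under a dedicated account that has been delegated only write access to the member attribute of the staff groups, not a domain administrator. The LDAP-query form of the IS-Admin policy would be `Get-ADUser -LDAPFilter '(&(physicalDeliveryOfficeName=*IS*)(department=*03*))'`; note that the wildcards match substrings, so if your code scheme ever includes values that are substrings of one another, the filter will over-match where the tokenizing script above will not.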