
Nerdio Fundamentals: Directory and Adding Users

May 23, 2019 | Videos

Joseph Landes
In this session, we are going to talk about Nerdio for Azure and specifically address the topic of directory and adding users. You will learn that there are three recommended ways to do this: a Greenfield Active Directory deployment where we import users via CSV or add them via the UI; a Greenfield Active Directory deployment with existing Office 365 where we import users directly from Office 365; and a hybrid AD scenario where we have a Greenfield deployment and then plug it into the existing AD environment.

Joseph Landes
This session will take you through the Greenfield deployment options, and how and when to implement each scenario as you build your Azure practice using Nerdio for Azure. Enjoy the session.

Vadim Vladimirskiy
Let me introduce a couple of different concepts. As you recall, we talked about Active Directory, which is integrated with Azure AD, which is part of Office 365. That is done with AD Connect, which is installed on the DCL1 VM. So if we go back to our diagram here, we have the domain controller with AD Connect configured here. It is then synchronizing with Office 365 Azure AD, and then the NAP, the Nerdio Admin Portal, sits on top of this entire infrastructure and is pulling data out of the various underlying systems, including Active Directory and Azure AD.

Vadim Vladimirskiy
So when you provision a new Nerdio account, you don’t really get a choice of what your directory is going to be. It will always come out of the box with a brand new Active Directory, which is going to be on this DCL1 VM, and that DCL1 VM will get plugged into the Office 365 Azure AD tenant that gets specified during the provisioning process, right? That’s step number two, where you actually type in the credentials and authorize DCL1 to communicate with Azure AD.

Vadim Vladimirskiy
Okay, so out of the box, every Nerdio environment looks the same. However, long-term there are different ways of approaching how to get the user accounts specifically, right, how to get the directory of the users into Nerdio. So we’ll deal with it starting with the simplest and then building up in complexity.

Vadim Vladimirskiy
So there are two major ways to think about this directory decision, and it’s important to make this decision as early on in the process as possible. One way is a Greenfield deployment, and what that means is the ultimate goal for the Nerdio deployment is to have a brand new Active Directory where the user objects and the computer objects and everything that goes into Active Directory is set up clean and fresh from the ground up. Okay? As opposed to maybe inheriting an existing Active Directory, which is a use case as well. In order to be able to extend an existing Active Directory into Nerdio, and then maybe even eventually fully transition it into Nerdio, there’s this concept of Hybrid AD, which we will look at in just a little bit.

Vadim Vladimirskiy
Okay, so let’s start with Greenfield. Simplest type of concept. You’re starting from scratch, fresh. Your default account is going to have the four demo users that you’re all used to seeing, you know, Chad CEO, Sally Sales, Angie, and Andy IT Admin. These are the users that are currently in the DCL1 Active Directory. They are also being synchronized to the Azure AD Office 365 tenant. Just to see what that tenant is, we can click here, and we can see here is our Office 365 tenant that it’s syncing to.

Vadim Vladimirskiy
Now let’s say you wanted to add new users. So if you’re building up an environment for a brand new customer, maybe a new startup that doesn’t have employees yet but is going to be adding employees, the easiest way to conceptually think about it is to just add a user from the UI, from the NAP. We’ll go through the screen at some point in more detail, but the concept is simple. You just go in and add the user. You submit this as a task by clicking save. NAP will go into the Active Directory, create that user object with all the parameters you specified, and will then trigger an Azure AD sync, or AD Connect sync, which will then create the object inside of Azure AD. It will then assign the necessary Office 365 license that you’ve selected during the process. It will add the user to all of the groups and distribution lists, and it will then assign the user to either a VDI desktop, in which case it will actually spin up a new VM, or it may assign the user to an RDS collection or an individual session.

Vadim Vladimirskiy
Okay, so all of that happens when you just click the add user button. Adding users manually this way is something that can be done and is often done during a proof of concept stage. You know, people want to just test things out, so they’ll come in and add users. It is also something that can be done for a smaller organization when it’s no big deal to go through and add users on a one-by-one basis. But a lot of times, even if you’re doing a Greenfield Active Directory deployment, you want to be able to import your users from somewhere, right? Somewhere that user list already exists, because those individuals are using systems in some way and their names, their user accounts, exist somewhere.

Vadim Vladimirskiy
So there are three ways in addition to… well, I guess two ways in addition to manually adding the user. There are two additional ways to import the users in bulk. Okay? Let’s start with the next simplest one.

Vadim Vladimirskiy
The next simplest way to do it is by exporting a CSV spreadsheet, a CSV file, from an existing Active Directory. Let’s say you have a customer that’s coming from an on-premises AD environment, which most networks have, and you want to be able to pull a user list from there and then be able to add all of those users into Nerdio in bulk.

Vadim Vladimirskiy
So the way you would do that is you would go under the onboarding module, and you would go into “AD Export”. Here you would add the source, and the source would be… let’s call this “Source AD Domain Controller”. We would specify an IP address of that Domain Controller and then login credentials, obviously an administrator username and password, and click on “Test connection”. The IP address must be reachable by DCL1, which means that there’s typically a site-to-site VPN tunnel that’s set up in advance, and this IP address will be the private LAN IP that would be reachable by the DCL1 that’s running inside of Nerdio over the VPN tunnel to wherever that source Domain Controller happens to reside. So once you put in the IP address, username, and password and test the connection, it will allow you to save this source, and then what you do is you simply add the job. And the job, again, gets a name. It gets a source. You can have multiple sources in the same account, so here you would select your one validated source, or one of the validated sources, being the domain controller on-prem. You would then select what you want to export, whether it’s users or groups, and click save.

Vadim Vladimirskiy
This will connect to the domain controller at the source. It will enumerate through the Active Directory, generate a CSV file in a format that can be easily edited, and then upload it into the Nerdio Admin Portal, and all of those objects can be created automatically. Okay? Once you have this file generated, you know, once you have the job added, you run the job. All right, so once here, there will be a “Run” button next to the job. Once you run the job there will be a file associated with it, and you’ll be able to click download, and it’s going to be a CSV file that when you open it, it will look... I’ll show you what it’ll look like in just a minute. Okay?

Vadim Vladimirskiy
So that’s how you get the data out. At that point you would go in, and you would edit the file. You know, a lot of times there are accounts in existing Active Directories that do not need to be imported. There may be system accounts, there may be, you know, Exchange administrator-type accounts, there may be some disabled users. So you would go through the CSV file in Excel, clean it up, and create a final list of users, and then you would go into this option here called “Bulk add/update users”, and this is where you can create a job to actually import users in bulk. So first of all, let me show you what a template looks like.

Vadim Vladimirskiy
So I’m downloading a template with users, so this is going to look at my existing user list and is going to export a file. Again, this is a custom, Nerdio-created type of format. I’ll go through the columns so we all have a clear understanding of what’s in here. So this is the idea again, this is the CSV file. You would have other user objects in here if you exported it out of a source environment, and then you can go through and decide what to do with those objects. So let’s go through the fields.

Vadim Vladimirskiy
So field number one, you can specify either add, update, or ignore. “Ignore”, as the name implies, will not do anything with that object. It will be the equivalent of deleting it, but you may want to keep it in there for reference. “Add” means this is an object that doesn’t exist yet, and you’re going to be adding it in. And then “Update”, as the name implies, is making changes to an existing object. Any time you’re updating an object, this global user ID needs to be populated for that user. If you’re trying to edit an object and this field is not populated, the system won’t really know which object you’re trying to edit or update.

Vadim Vladimirskiy
So those are the three possible options. The next thing you do is specify first name and last name, obviously. Then, just a note, the little asterisk next to the field means that’s a mandatory field. You then can specify a display name, which could be just a combination of first and last name. You can specify initials. You can specify email addresses. Now, this is the primary email address of the user. So this would be the equivalent of, if you go under the “Add user” screen, this field right here: the primary email address of the user is that field. We then have the username. Now, the username may be the same as the email address, as it would be by default because this checkbox is checked, but in theory, it could be different, right? So you can have an email address that’s at the public domain but the username may be something that’s at the local domain. So they don’t have to match, but best practice is that they do, just to keep things consistent. You can then specify a password.

Vadim Vladimirskiy
So if you’re adding a user or you’re updating a user, then this password field becomes mandatory. So this is a really handy way of updating everyone’s passwords. You can add all the users, maybe manually, maybe by some other method. You can export this list just like we did right now, and then go through, update everyone’s password, and then upload it back in, and the system will go through and reset the passwords.

Vadim Vladimirskiy
The next field is “Groups”, and here you can specify as many groups as you want that user to be added to. They need to be separated by commas without spaces. If you look at the membership of this “Chad CEO” user, he’s a member of all of these different groups, and you can change group membership pretty easily by modifying this particular column.

Vadim Vladimirskiy
The next thing you get to choose is Office 365. So for Office 365 you can either have no license assigned, or you can assign a specific license. Obviously, being in the CSV file you don’t know what’s available, so if there is a license assignment that’s been specified but the license doesn’t exist, the job will error out explaining that there isn’t a license to assign. Then you can decide if you want to enable or disable Outlook Web App for a particular user, whether you want to enable or disable ActiveSync so they can use mobile devices or not, and you can also specify additional email address aliases. So let’s just jump back to the screen: specifying these aliases would be the equivalent of typing that in the CSV file.

Vadim Vladimirskiy
You can specify pager, X500 email address, mobile number, work number, fax number, and you’ll notice all of these fields are the ones from the “Extended attributes” section. You then have your job title, website, street address, city, state, postal/ZIP code, the description for the user (this is something that Active Directory has as a field), you can add notes, you can… I don’t remember exactly how this works, but I believe you can specify a template user, and it will copy all of the settings from that user. It would be the equivalent of typing someone’s name in this field, and it automatically will inherit the group membership and other components, so that’s what that field is for.

Vadim Vladimirskiy
Okay, and finally we get to the desktop settings. So you have a few options. You can either give the user no desktop in this section, you can give them an RDS desktop, in which case you have to specify either a name of an RDS session host or a collection that already exists, or you can make the user a VDI user, in which case you do not need to specify an RDS server because that doesn’t apply. You then specify the size, the instance size, of either the VDI VM that’s to be created or of the RDS session host that it’s assigned to. You specify your disk, again, for the VDI to be created, your disk size, and then finally, if this is an existing user, the GUID needs to stay in place.

Vadim Vladimirskiy
So for example, let’s say I have a bunch of VDI users, and I want to upgrade everyone from premium to standard, right? So all I would do is I would go through and change this to “Standard_LRS”, and maybe I want to take him from 128 to 256, and then I would just copy this down through all the users that I want to make changes to. I would then go into column number one, I would change this to update, and again, I would copy that across all the users where I want to make that change.

Vadim Vladimirskiy
All right, so you can make one change or multiple changes, all very simply, in this file. You would then save the file, and once the file is saved, you go back into “Onboard”, “Bulk update users”, and you would add a job. In this job you would give it a name, and you would upload the CSV file associated with the job. So let’s go ahead and click here. You would then click next. It will validate the file. It will tell you what it’s going to do. We found four rows excluding the header. There were zero users to add. Zero users to update, because I didn’t save the file, so everything is set to “Ignore”. If there are any actions, you would click run, and then the NAP would step through line by line and execute any of those changes that you made.

Vadim Vladimirskiy
So this is method number two: taking a user list from the existing AD, exporting it, modifying it, assigning the necessary desktop, user groups, email addresses, or any other changes you want to make, and then uploading it into the NAP. Then, the final way of getting users into an NFA Greenfield directory deployment is by importing users from Azure AD. Remember, every Office 365 account always comes with an Azure AD tenant, and every Nerdio deployment is connected to an Azure AD Office 365 tenant.

Vadim Vladimirskiy
So, when you provision Office 365, I’m sorry, when you provision Nerdio, it will plug into the Office 365 tenant and read the list of users, and it will give you a list that looks like this. A couple of handy little options here: if you click on this little “View settings”, you can decide if you want to hide this section completely, that way it’s sort of out of the way. For example, the context section is hidden by default. You can unhide it by just changing this setting. Okay, so you can hide this section if you don’t want it at all, and you can also select to show all users.

Vadim Vladimirskiy
Now, let’s talk about this user list. So there are two types of Azure AD users. We spoke about this in the previous session. You’ll recall there’s what’s called “in-cloud users”, ones that were created and are manageable inside of Office 365 directly, and then there are Active Directory synced users. Active Directory synced users cannot be imported into Nerdio. They can show up in the list, but by default they are hidden. So when you have the settings like this, which are the default settings, it only shows your users that are considered “in-cloud” and are, therefore, importable into the Nerdio Active Directory. However, if you wanted to see other users, you can unhide them, and it will show you what other users there are that are not importable. Okay?

Vadim Vladimirskiy
So this section has a few different features to it. Obviously, it lists the users with the name, the username, and any assigned Office 365 licenses they may have. You can then click on the user and make a few changes to it. You can change the username. You can block sign-in. If the user has an Office 365 license, you can edit the email address. You can also do assignment of Office 365 licenses, so very basic management of that user object, again, only if it’s an “in-cloud” type of object. You can also reset the password for a user from in here. You can click reset password, and it will change the password in Office 365. You can delete the user. You can edit, which is what we just looked at now, and you can forward the email for the user, assuming they have an Office 365 license. You can select someone else’s name, and it will set up forwarding. Okay?

Vadim Vladimirskiy
So, just basic Office 365 management. All the types of actions that would be available to you in the Office 365 admin portal, but sometimes it’s convenient if there are users that you’re not going to import into Nerdio. You want to keep them where they are, but you still want to use Nerdio to manage basic things like passwords, sign-in, email addresses, names, etc. But the main functionality for this section is the ability to import the user. So when would you import the user? Imagine the scenario where you have a customer that you’re bringing on board with Nerdio in Azure, and that customer either doesn’t have an on-prem Active Directory because it’s a sort of “born in the cloud” type of customer that only has Office 365 accounts, or maybe their existing Active Directory is kind of messy and old, and, you know, the administrator doesn’t want to inherit any of those settings. They just want to start fresh and bring the user information from an existing Office 365 deployment, because all of those users already have mailboxes and are using Office 365 actively.

Vadim Vladimirskiy
So this is where this would come in. You can do multiple selections. If you hold Control, you can select multiple users. You can also use Shift to select multiple users. When you click to import the user, a few things will happen. It will first generate a random password, and if you are selecting multiple users it will generate a random password and use it for all of the users that you have selected. It will give you the option to email this password to yourself or to someone else, just so you have a record. After you click confirm, this box goes away, and you can’t see it anymore. And then you have to click this checkbox that you understand what’s going on. So we go back here and import these users. The mechanics of what’s happening on the back end is that there will be Active Directory accounts that will get created on DCL1.

Vadim Vladimirskiy
Those then will be matched exactly to these, right, because it’s going to take the first name, last name, username, email address, group membership, it’s going to enumerate everything it knows about the account from Office 365 and create corresponding settings in AD, and then when it syncs, it should match to these accounts. They will then disappear from this list down here, there will no longer be other Azure AD users, and the user will then appear in this list here. However, the user will not have a desktop assigned, right, because there is nothing in the process that we’ve gone through so far that has assigned a desktop. We’ve simply imported that user. Then, once the user is imported, you can edit the user and assign a desktop, or you can use the bulk user upload method that we looked at earlier to update desktops for many users all at the same time.

Vadim Vladimirskiy
Okay, one important thing to keep in mind is that the Azure AD Connect synchronization has password hashing enabled, which means that the AD password overrides the Office 365 password, and during this import process, even though we’re creating a new Active Directory object in DCL1, we don’t have a way of reading the passwords from Azure AD. So therefore, we generate that random password you saw before. That password will override the password on the Office 365 object, so the user needs to know that they now have to use a new password to access their Office 365 resources.

Vadim Vladimirskiy
Okay, so this is the third way of adding users into Nerdio. So way number one is adding users from the UI. Number two, exporting from an existing AD and then using the import tool to import them. You can also do the same thing by just writing out that CSV file without necessarily exporting it. It’s small enough. And then the third method is moving users, or importing users, from Azure AD directly by using this functionality down here. So a Greenfield deployment would be likely if you have a smallish environment, or a smaller environment, the customer is willing to start over, you know, or any such scenarios.

Vadim Vladimirskiy
In many cases, you have a customer that is not ready to abandon their existing Active Directory and doesn’t want to create a new one and have to manage two separate directories. They may, you know, have a lot of investment in their existing directory. They may have a lot of objects in there that would be difficult to recreate. They may have applications that are integrated into it that are not going to be going to the cloud. They may be looking to migrate a subset of their users into the cloud and not all of their users. There are lots of scenarios where someone would balk at doing a Greenfield deployment of directory when spinning up Nerdio, and that’s where the Hybrid AD functionality comes in, which we’re going to look at in the next section in detail and see how all of that works.
