Z-Hire Administration Guide

Contents
  1. Introduction
  2. Requirements
  3. Templates
  4. Show/Hide Systems
  5. Generate User Summary Information
  6. Active Directory
  7. Exchange Server 2007
  8. Exchange Server 2010/2013
  9. Lync Server 2010/2013
  10. Office 365
  11. Custom Script
  12. HRIS Driven User provisioning
  13. Automation > Data Sync
  14. Automation > Dynamic Groups
  15. Macro Variable Feature (Fx button)
  16. Command Line
  17. Upgrading Z-Hire

Introduction

Z-Hire allows fast account deployment while simplifying the user provisioning process. Usually, when an administrator provisions a new user account, multiple consoles are used to get the job done. Z-Hire uses a template concept that allows system administrators to save frequently used settings for multiple IT systems. With just a click of a button, your Exchange mailbox, Active Directory account, Lync account and SalesForce account will be created simultaneously. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT accounts with the option for custom PowerShell scripts.

Requirements

System Requirements
- Windows 7 x64 (Domain Joined, .Net 3.5 and 4.0 Installed)
- Windows Server 2008 x64 (Domain Joined, .Net 3.5 and 4.0 Installed)
- Windows Server 2008 R2 x64 (Domain Joined, .Net 3.5 and 4.0 Installed)
- Windows Server 2012 x64 (Domain Joined, .Net 3.5 and 4.0 Installed)

Permission Requirements
For on-premise systems, Z-Hire uses the current Windows logon credentials to create user accounts, avoiding the hassle of entering credentials manually. You may use the “Run-as” function to run Z-Hire under a user account with the proper permissions. This is why you must run Z-Hire on a domain-joined computer, logged on with credentials that have the permissions below:
- Ability to create Active Directory user (Active Directory Account Operator)
- Ability to create Exchange Mailbox (Exchange Recipient Administrator)
- Ability to create / enable Lync user (CSAdministrator)

Supported Environments
- Active Directory (all versions)
- Exchange 2007 (all versions)
- Exchange 2010 / 2013 (all versions)
- Lync 2010 / 2013 (both Standard and Enterprise versions)
- SalesForce Cloud
- Office 365 Cloud

PowerShell Remoting
- PowerShell remoting is usually enabled by default, but please make sure it is enabled on the Exchange and Lync servers you are connecting to.
- Ensure PS remoting is enabled on all Exchange / Lync servers. This is done by running the "Enable-PSRemoting" PowerShell command on the Exchange/Lync server you wish to connect to.
- Fill out "Environment Config" portion of the form. Use "File" > "Save Environment Config" to save configuration to select template.

Templates

The Templates feature allows an administrator to easily save a set of commonly used user information. This speeds up the account deployment process. For example, you can set a template for each business department, such as Marketing; in a marketing template you may select a list of marketing Active Directory groups, the marketing mailbox database, the marketing users' ActiveSync policy, etc.
Load Template Settings – Use the drop down box to simply load template settings. You can also use the “Search” function to search for templates.

Save Template Settings – Use File > Save Configuration to save template settings. Settings will be saved to current template.

Show/Hide Systems

You may hide unused systems by going to OPTIONS > Show/Hide Systems

Generate User Summary Information

This option writes the new hire's data, such as Firstname, Lastname, Displayname, SamAccountName, Password, SMTP Address, etc., to a text file in the same directory as Z-Hire. The intent is to allow system administrators to easily copy this information from the text file to the new hire documentation that will be delivered to the end user. Note that this option writes the new user's password to the text file.

Active Directory

[ENVIRONMENT CONFIG]
New Users AD OU – This is a DN of an OU where new Active Directory users will be created. Example: ou=newusers,dc=mydomain,dc=net
UPN Suffix – This is your AD domain name in FQDN format. This will be used for Active Directory account upn suffix. Example: mydomain.net. This domain will automatically append to UPN field under “User Information”.
User Account Formats – Here you can specify the user account format for your AD environment. Use variables to set the format you wish. For example, if your Displayname format is “Doe, John” use “%lastname%, %firstname%”. Variables must be in lowercase, and spaces in the format will affect the result.
Default Password – This is the password that will be set for the new AD account. Make sure this meets your domain password complexity requirements.
Must change password at next logon – This is the same as ADUC console option for “must change password at next logon”.
Domain Controller selection – Auto discovery is a default setting and it works for most cases. If you want Z-Hire to use a specific Domain Controller, you can specify it here. The domain controller must be a global catalog.
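
A check for accounts that still carry the template's Default Password, added here as an example (it is not part of Z-Hire). It assumes the ActiveDirectory PowerShell module is installed and uses the example OU from this guide; the seven-day and ten-minute thresholds are arbitrary choices.

```powershell
# Added example, not part of Z-Hire. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: the OU is the example DN from this guide; both thresholds are arbitrary.
$NewUsersOU = 'ou=newusers,dc=mydomain,dc=net'
$MaxAgeDays = 7
$cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

Get-ADUser -SearchBase $NewUsersOU -Filter * `
           -Properties whenCreated, PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        # "Must change password at next logon" is still pending (pwdLastSet = 0).
        $pendingChange = $null -eq $_.PasswordLastSet

        # Password was set at provisioning time and never touched again.
        $untouched = (-not $pendingChange) -and
            (($_.PasswordLastSet - $_.whenCreated).Duration().TotalMinutes -lt 10)

        $_.Enabled -and ($_.whenCreated -lt $cutoff) -and ($pendingChange -or $untouched)
    } |
    Sort-Object whenCreated |
    Select-Object SamAccountName, whenCreated, PasswordLastSet, PasswordNeverExpires
```

Every row returned is an enabled account older than the threshold whose password is still the one set during provisioning.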

[USER CONFIG] – TAB 1
Office - Sets the Office Active Directory attribute for the new AD account.
Street - Sets the Street Active Directory attribute for the new AD account.
City - Sets the City Active Directory attribute for the new AD account.
State / Province - Sets the State Active Directory attribute for the new AD account.
Zip / Postal Code - Sets the Zip code Active Directory attribute for the new AD account.
Country / Region - Sets the Country Active Directory attribute for the new AD account.
Account Disabled – Disables the new AD account.
Password never expires – Sets the new AD account's password to never expire.
Company – Sets the Company Active Directory attribute for the new AD account.
Department - Sets the Department Active Directory attribute for the new AD account.
Manager - The SamAccountName or Displayname of the manager.
Notes - Sets the Notes Active Directory attribute for the new AD account.

[USER CONFIG] – TAB 2
Profile Path - Sets the profile path of the AD account.
Logon script - Sets the logon script of the AD account.
Home Folder Path – Sets the home folder path for the AD account, then creates the folder with the specified permissions. You may use variables here such as %username%. Example: “Netapp01\users\%username%”. *** If you have problems setting permissions on the home folder, make sure the file server (where the home folder is created) and Z-Hire are pointing to the same domain controller. You can run “set | findstr LOGONSERVER” on the file server to see which domain controller it is connected to. This server must be a global catalog.
Remote Access Permission - Sets the remote access permission for the new AD account.

[USER CONFIG] – TAB 3
departmentNumber - Sets the departmentNumber attribute of the AD account.
division - Sets the division attribute of the AD account.
employeeID - Sets the employeeID attribute of the AD account.
employeeNumber - Sets the employeeNumber attribute of the AD account.
employeeType - Sets the employeeType attribute of the AD account.
JPG Photo - Sets the jpegPhoto and thumbnailPhoto attributes of the AD account. Note that this photo must be less than 10k in size and 96x96 pixels. Z-Hire will automatically resize it to spec if the requirements are not met. This photo is usually used for Outlook and Lync.

Exchange Server 2007

Exchange 2007 Management Shell – Exchange 2007 Management Shell must be installed on a computer that is running Zohno Z-hire.
Mailbox Database – Exchange 2007 Mailbox Database, example: EX01\Storage Group1\DB1
Managed Folder Policy – Exchange 2007 Managed Folder Policy
ActiveSync Policy – Exchange 2007 ActiveSync Policy
Additional SMTP Address – Full SMTP address of the additional SMTP address, example: SuperMan@zohno.com
CustomAttribute – Set Exchange Mailbox CustomAttribute
Hidden from GAL – Hide Exchange Mailbox from Global Address List
Grant full access permission – Same as running Add-MailboxPermission –fullaccess
Grant send on behalf of – Same as running Add-ADPermission
Forward to – SamAccountName/Mailbox Alias/Mail Contact of user where mail will be forwarded to
Issue warning at – Issue warning at quota for the mailbox. If this field is blank, it will use Database default quota
Prohibit Send at – Prohibit Send at quota for the mailbox. If this field is blank, it will use Database default quota
Prohibit send and receive at – Prohibit send and receive at quota for the mailbox. If this field is blank, it will use Database default quota
Keep deleted items for – Keep deleted items for quota for the mailbox. If this field is blank, it will use Database default quota

Exchange Server 2010/2013

Exchange 2010/2013 Server – FQDN of an Exchange 2010/2013 CAS or Mailbox Server. In load balanced environments, use the server name, not the VIP of the load balancer.
Mailbox Database – Exchange 2010/2013 Mailbox Database, example: MailboxDatabase01
Archive Database – Exchange 2010/2013 Archive Mailbox Database. If this field is set, archive mailbox will be created for user.
Retention Policy – Exchange 2010/2013 Retention Policy.
ActiveSync Policy – Exchange 2010/2013 ActiveSync Policy
Managed Folder Policy – Exchange 2010/2013 Managed Folder Policy
Additional SMTP Address – Full SMTP address of the additional SMTP address, example: SuperMan@zohno.com
CustomAttribute – Set Exchange Mailbox CustomAttribute
Hidden from GAL – Hide Exchange Mailbox from Global Address List
Grant full access permission – Same as running Add-MailboxPermission –fullaccess
Grant send on behalf of – Same as running Add-ADPermission
Forward to – SamAccountName of user where mail will be forwarded to
Issue warning at – Issue warning at quota for the mailbox. If this field is blank, it will use Database default quota
Prohibit Send at – Prohibit Send at quota for the mailbox. If this field is blank, it will use Database default quota
Prohibit send and receive at – Prohibit send and receive at quota for the mailbox. If this field is blank, it will use Database default quota
Keep deleted items for – Keep deleted items for quota for the mailbox. If this field is blank, it will use Database default quota

Lync Server 2010/2013/Skype for Business Server 2016

Lync 2010/2013/2016 FrontEnd Server – FQDN of a server with the Lync 2010/2013 FrontEnd Server role. In load balanced environments, use the server name, not the VIP of the load balancer.
Conferencing Policy – Lync 2010/2013 Conferencing Policy.
External Access Policy – Lync 2010/2013 External Access Policy.
Peer-to-Peer Audio Video – Enable or Disables Peer to Peer A/V.
Registrar Pool – FQDN of your lync registrar pool.
SIP Domain – Lync 2010/2013 SIP domain.
Archiving Policy – Lync 2010/2013 Archiving Policy
SipAddressType – Choose your Lync SIP address type
Client version policy – Lync 2010/2013 Client version policy
PIN Policy – Lync 2010/2013 PIN Policy
Location Policy – Lync 2010/2013 Location Policy
Client Policy – Lync 2010/2013 Client Policy

Office 365

Prerequisites
You must install the packages below on the server or desktop that is running Z-Hire:

Microsoft Online Services Sign-In Assistant
http://www.microsoft.com/en-us/download/details.aspx?id=28177

Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
http://go.microsoft.com/fwlink/p/?linkid=236297

[ENVIRONMENT CONFIG]
User ID – Office 365 Administrator credentials ( Global Administrator role )
Password – Office 365 administrator password

Provisioning mode: License Only
In License Only provisioning mode, Z-Hire will force a sync of the directory object from on-premises Active Directory (via the on-premises DirSync server) and assign the Office 365 license specified in the template. This is comparable to manually creating the Active Directory user, forcing DirSync, and then assigning the Office 365 license in the Office 365 admin center portal.
Office 365 DirSync Server – On-premises server where Office 365 DirSync (Windows Azure Active Directory Sync tool) is installed.
Office 365 UPN – UPN of the Office 365 user. This may be the same format as the Active Directory UPN.
License – AccountSkuId of the Office 365 license. Use the “…” button to list available licenses.

Provisioning mode: Full Provisioning
Full provisioning assumes that Office 365 DirSync or Windows Azure Active Directory Sync tool is NOT used. As the name implies, full provisioning mode will create a new Office 365 user (comparable to creating a new user from Office 365 Admin center).

Custom Script

Custom script allows administrators to extend the functionality of Z-Hire by running an additional PowerShell script before or after the creation of a new user. Make sure the “Set-ExecutionPolicy unrestricted” PowerShell command has been run. Z-Hire also allows script argument customization. If you want to pass the new hire's SamAccountName as an argument, simply choose “SamAccountName”. If you have more than one argument, use the “read-host” command within PowerShell instead of a script argument. Since Z-Hire spawns an instance of PowerShell, you can use interactive commands such as “read-host” and “write-host”.
Script Path – Local path of your script. No spaces are allowed in the path.
Script Argument – Argument for the PowerShell script. This field is not required. Usually this is the SamAccountName. For example, if the script path is “c:\scripts\dosomething.ps1” and the argument is SamAccountName, the script command will be c:\scripts\dosomething.ps1 john.doe
Script Sequence – Choose whether the PowerShell script runs before or after creating a user.
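
An example of what a post-creation custom script receiving the SamAccountName argument could look like, added here for illustration (it is not shipped with Z-Hire). It assumes the ActiveDirectory PowerShell module; the log path, the character whitelist and the one-hour window are hypothetical choices.

```powershell
# dosomething.ps1 - added example of a post-creation custom script (not shipped with Z-Hire).
# Z-Hire calls it as described above: c:\scripts\dosomething.ps1 john.doe
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [ValidateLength(1, 20)]                   # sAMAccountName length limit for user objects
    [ValidatePattern('^[A-Za-z0-9._-]+$')]    # assumption: site naming uses only these characters
    [string]$SamAccountName
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory                 # assumption: the RSAT AD module is installed

# Hypothetical log location; the folder must already exist.
$LogFile = 'C:\scripts\logs\zhire-custom-script.log'

function Write-Audit([string]$Message) {
    $line = '{0:s} {1} {2}' -f (Get-Date), $env:USERNAME, $Message
    Add-Content -LiteralPath $LogFile -Value $line
}

try {
    # -Identity takes the value as data; no filter string is built from the argument.
    $user = Get-ADUser -Identity $SamAccountName -Properties whenCreated, PasswordNeverExpires

    # Assumption: a post-creation script should only touch accounts made in the last hour.
    if ($user.whenCreated -lt (Get-Date).AddHours(-1)) {
        throw "account was created $($user.whenCreated), not a new hire"
    }

    # Record what the template actually granted so it can be reviewed later.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.Name })
    Write-Audit ("OK {0} enabled={1} pwdNeverExpires={2} groups={3}" -f
        $user.SamAccountName, $user.Enabled, $user.PasswordNeverExpires, ($groups -join ';'))
}
catch {
    Write-Audit "FAILED $SamAccountName : $($_.Exception.Message)"
    exit 1
}
```

An argument that fails the length or pattern validation is rejected before any directory call is made.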

HRIS (Oracle, SAP, Workday, BambooHR, Zenefits, etc.) Driven User Provisioning

You may use the Z-Hire Auto Provision feature (Automation > User Provisioning) to automatically provision users using data from an HRIS system such as Workday. To do this, set up a daily job in the HRIS system to export data to a CSV or TSV file. You may need to talk to HR or your application team to get a CSV export of your new hires. Then use the Z-Hire Auto Provision feature to schedule a job that reads the input CSV file.

Auto provisioning allows template assignment based on CSV data. For example, you may want to apply the Finance_Users template to new hires where the CSV column Department is "Finance" or "Accounting". Z-Hire first applies the specified attributes from the CSV file. Then it looks for template assignment rules to assign the proper template. Finally, unassigned attributes are applied from the default template.

Automation > Data Sync

You can use the Z-Hire Data Sync feature to move AD users to the proper AD OU and add them to AD groups depending on HRIS data. You can then use these AD groups for further automation, such as role based access control assignments or email distribution list automation. For example, you may want to add all the users in the CSV (HRIS source) that have "SF" as the Office attribute and "Marketing" as the Department attribute to the "SF Marketing" AD group. The Z-Hire Data Sync feature can also take a list of users from a CSV file and update them in the Active Directory database. When using this feature, the administrator will have the following benefits:

1.) Error Free Environment
Users may make spelling mistakes while entering information in Active Directory. This tool prevents incorrect information from being stored because it does not require information to be entered by the user; it reads it from the CSV file and stores it in Active Directory.

2.) Reduces Manual Work & Time
If a huge amount of data has to be updated in Active Directory, updating it manually may take the user too much time; this tool saves time by reading and updating the information faster and without errors.

3.) Data Translation Rules
This tool features Data Translation Rules. With them, the user can manipulate the information very easily and take various actions on AD users depending on HRIS data.

5.) Keep information up to date.
This tool syncs data from HR systems to Active Directory, so information in the Global Address List is always up to date.

Permission Requirements
For on-premise systems, the Data Sync feature uses the current Windows logon credentials to update user accounts, avoiding the hassle of entering credentials manually. You may use the "Run-as" function to run Z-Hire under a user account with the proper permissions. This is why you must run Z-Hire on a domain-joined computer, logged on with credentials that have the permissions below:
- Ability to create/update Active Directory user (Active Directory Account Operator)

Data Source
--------------
Data Source: This field is used to specify the CSV file that contains the user data. The user is notified whether or not it was loaded successfully.

Data Mapping
---------------

Primary Key in CSV: Used to select a column from CSV which is a primary key for users.
Primary Key: Used to define if the selected column is a "SAMAccountName" or "Windows Email Address".

Add Mapping: Used to create new mapping between CSV column and Active Directory Attribute.
Remove Mapping: Used to remove existing mapping.

Warning: All CSV columns must be mapped to Active Directory attributes; otherwise an "Error in configuration" error is shown when you try to Test, Run or Schedule Task.

Data Translation
-------------------
Used to create user defined rules on data.

Define Rule -> Used to define a new rule.
If:
The user selects a column name and an operator, then enters the value to create a condition.
Else:
The user selects a column name and enters its value.

Separator (AND/OR): The user can create multiple conditions with this option.
"+": Click this button to add a condition to the list.

"Done" Button: Finally, click this button to create the new Data Translation Rule and add it to the list.

Run
------
Used to run the sync process in different ways.

Scheduled Task Name: This will be the name of the new Windows Task Scheduler task that is being created. If a task has already been created, this text box will show the current task name.

Warning: If the user changes the existing task name and schedules it again, a new task will be created in Windows Task Scheduler.

User Name: Name of the user that will be used to create/modify tasks in Windows Task Scheduler.
Password: Password for the user.

Verify Credentials: Used to verify if the supplied credentials are valid.

Currently Scheduled: Shows the Date and Time of the currently scheduled task.

Calendar Control: Used to pick a valid date for scheduling the task.
Timer Control: A valid time for running the task.

Test Run: Used to generate a test that will create a file with the target data that Z-Sync is going to update in Active Directory Database.

Schedule Task: Used to schedule a task in Windows Task Scheduler with current settings.

Run: To start the sync process.
Info: When the user clicks the "Run" button, they will be asked to create a backup of the current user data in CSV file format so that it can be restored later if anything goes wrong.

Automation > Dynamic Groups

Dynamic Groups feature allows automation of AD Groups based on AD attributes -- office, department, employeeType, etc.

Create Groups Based on AD Attribute – Office, Department, Title, Country, Employee Type, Company
This feature automatically creates an AD group based on the attribute and automatically maintains the group membership. For example, this feature will automatically create AD groups for each department in the organization (by looking at the AD department attribute) and automatically add and remove members when the data changes. The Name Prefix field allows IT admins to prefix the AD group name.

Create Groups Based on Organization (Reporting, org chart) Structure
This feature automatically creates AD groups based on the org chart by using the manager attribute in AD. For example, this feature creates two AD groups for each user in the organization that has direct reports, then automatically maintains the membership. The “Direct” group contains all the users that report to the manager directly, and “All Reports” contains all the users in the org chart hierarchy.

Macro Variable Feature (Fx button)

The Macro Variable “Fx” button allows system admins to configure a variable/pointer between Z-Hire fields, thus eliminating duplicate data entry for each IT system. For example, the WebEx Phone number field can be filled automatically from the Active Directory Phone number field by using the Active Directory Phone Number variable. Click on a textbox, then click the “Fx” button to view the variables available for that field.

Command Line

Running Z-Hire from the command line allows bulk creation for Active Directory, Exchange, Lync, SalesForce and Office 365. This advanced feature can be used to import a large batch of users. To fully automate the provisioning process by reading a CSV file exported from an HRIS system such as Workday, use the Auto Provision feature.

Create a single user from command-line:
z-hire.exe -template TEMPLATE_NAME [-firstname Arya] [-lastname Stark] [-cn "Arya Stark"] [-UPN "Arya.Stark@zohno.com"] [-AD] [-Exchange]

The example below creates a single user (for AD, Exchange and Lync) with settings from Template1:
z-hire.exe -template Template1 -Firstname Arya -Lastname Stark -AD -Exchange -Lync

Create multiple users from command-line w/ CSV:
z-hire.exe -template TEMPLATE_NAME [-datafile batch-input.csv] [-AD] [-Exchange]

Parameter Details
-template: Specify which template to use. Run in UI mode to create/update templates.
-datafile: Run Z-Hire in batch mode. User data is loaded from a CSV file. Download example CSV format here.
Minimal CSV format: FirstName,LastName,Title(optional),DeskPhone(optional),MobilePhone(optional), SamAccountName(Optional),CN(Optional),UPN(optional), DisplayName(optional)
-firstname: New user's first name
-lastname: New user's last name
-initials: New user's initials
-samAccountName: New user's samAccountName. If omitted, it will be constructed from the template's samAccountName format setting
-cn: New user's CN. If omitted, it will be constructed from the template's CN format setting
-displayName: New user's display name. If omitted, it will be constructed from the template's displayName format setting
-upn: New user's UPN. If omitted, it will be constructed from the template's UPN format setting
-AD: Create AD account.
-Exchange: Create Exchange mailbox.
-Lync: Create Lync account.
-SalesForce: Create SalesForce account.
-office365: Create Office 365 account.
-RunScript: Run custom PowerShell script set in the template.

How to format CSV file for -datafile option

example CSV format

givenname,sn,title,department,manager,company,info
John,Doe,Sr Sys Admin,IT Department,John Smith,Amce Inc,This is notes

Z-Hire looks for native Active Directory attributes in the CSV columns and processes them. If an attribute is not specified in the CSV file, Z-Hire will use the template settings. Note that Active Directory attribute names are not the same as the field names in the Active Directory Users and Computers console UI. For example, the Active Directory attribute for the "Note" field is "info". For the full mapping, please see the Microsoft link below. Please note that CSV column attributes are case sensitive and MUST match exactly as described in the TechNet article below.
http://msdn.microsoft.com/en-us/library/ms677980(v=vs.85).aspx
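
A pre-flight check for the case-sensitivity rule above, added here as an example (it is not part of Z-Hire): it compares the header of a -datafile CSV against the Supported CSV Columns list in this guide. Treating memberOf and unixUserPassword as columns that need a manual review is an assumption of this example.

```powershell
# Added example, not part of Z-Hire: pre-flight check of a -datafile CSV header.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path                     # e.g. batch-input.csv
)

# Names copied from "Supported CSV Columns" in this guide; spelling and case matter.
$Supported = @(
    'cn', 'upn', 'sAMAccountName', 'firstname', 'lastname', 'displayName', 'country',
    'carLicense', 'department', 'departmentNumber', 'description', 'division',
    'employeeID', 'employeeNumber', 'employeeType', 'givenName', 'homeDirectory',
    'homeDrive', 'info', 'initials', 'ipPhone', 'l', 'manager', 'memberOf', 'pager',
    'personalPager', 'personalTitle', 'physicalDeliveryOfficeName', 'postalAddress',
    'postalCode', 'postOfficeBox', 'profilePath', 'roomNumber', 'sn', 'st', 'street',
    'streetAddress', 'telephoneNumber', 'thumbnailPhoto', 'title', 'unixHomeDirectory',
    'unixUserPassword', 'userPrincipalName', 'wWWHomePage'
) + (1..15 | ForEach-Object { "extensionAttribute$_" })

# Assumption: columns that grant access or carry secrets deserve a manual look
# when they arrive in an HR export.
$ReviewColumns = @('memberOf', 'unixUserPassword')

# Read only the header line; strip optional quotes and surrounding whitespace.
$header = @((Get-Content -LiteralPath $Path -TotalCount 1) -split ',' |
    ForEach-Object { $_.Trim().Trim('"') })

$report = foreach ($col in $header) {
    if ($Supported -ccontains $col) {
        $status = 'OK'; $hint = ''
    } elseif ($Supported -contains $col) {
        # Same letters, different case: show the spelling from the supported list.
        $status = 'CaseMismatch'
        $hint   = 'use "{0}"' -f ($Supported | Where-Object { $_ -eq $col })
    } else {
        $status = 'NotInSupportedList'; $hint = ''
    }
    if ($status -eq 'OK' -and $ReviewColumns -ccontains $col) {
        $status = 'Review'; $hint = 'security-sensitive column supplied by the CSV'
    }
    New-Object PSObject -Property @{ Column = $col; Status = $status; Hint = $hint }
}

# A column listed twice is almost certainly an export error.
$duplicates = @($header | Group-Object | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Name })

$report | Select-Object Column, Status, Hint | Format-Table -AutoSize
if ($duplicates.Count -gt 0) { Write-Warning "Duplicate columns: $($duplicates -join ', ')" }

# A non-zero exit code lets a scheduled job stop before z-hire.exe is called.
$problems = @($report | Where-Object { $_.Status -ne 'OK' -and $_.Status -ne 'Review' })
if ($problems.Count -gt 0 -or $duplicates.Count -gt 0) { exit 1 }
```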

Supported CSV Columns

cn
upn
sAMAccountName
firstname
lastname
displayName
country
carLicense
department
departmentNumber
description
division
employeeID
employeeNumber
employeeType
extensionAttribute1
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
givenName
homeDirectory
homeDrive
info
initials
ipPhone
l
manager
memberOf
pager
personalPager
personalTitle
physicalDeliveryOfficeName
postalAddress
postalCode
postOfficeBox
profilePath
roomNumber
sn
st
street
streetAddress
telephoneNumber
thumbnailPhoto
title
unixHomeDirectory
unixUserPassword
userPrincipalName
wWWHomePage

Upgrading Z-Hire

To upgrade, download the latest version of Z-Hire from the support section, extract the contents, and replace the .exe files. All your templates will be automatically migrated to the new version. Please make a backup copy of the old Zohno Tools folder prior to launching the new .exe file.