Active Directory User Management System (ADUMS)

Active Directory User Management System (ADUMS) Release 2.9.3 User Guide Revision History Version Author Date Comments (MM/DD/YYYY) i RMA 08/05/2009 Initial Draft Ii RMA 08/20/09 Addl functionality and revised per team s comments Iii RMA 8/24/09 Revised per team s comments 1.0 RMA 8/26/09 Removed watermark; formatted for page fit. Iv RMA 8/27/09 Revised per meeting with pilot users 1.0.3 RMA 9/8/09 Updated to reflect feature changes 2.00 RMA 3/26/10 Updated to reflect Release 2.0 Features 2.00.-ii RMA 4/16/10 Updated to reflect current status of Release 2.0 Features 2.5 RMA 5/31/10 Updated to reflect currents status of Release 2.5 Features 2.5 RMA 7/15/10 Updated to reflect current status Release 2.5.6.5 2.5 RMA 7/30/10 Updated to reflect updates to features. 2.7.3 VPM 8/3/10 Updated to reflect current status and new features. 2.7.4 VPM 9/3/10 Updated to reflect current status and new features. 2.7.5 VPM 9/24/10 Updated to reflect current version. Bug fixes implemented. 2.7.6 VPM 10/15/10 Updated to reflect current version. Bug fixes implemented. 2.7.7 VPM 12/17/10 Updated to reflect current version. Bug fixes and new features implemented. 2.9.0 VPM 11/17/11 New code to create Exchange 2010 mailboxes. 2.9.1 VPM 11/16/12 Added additional Exchange Domains. 2.9.2 VPM 10/6/14 Added additional Exchange Domains. 2.9.3 VPM 2/6/15 Corrected Issue with ID Lookup.

Table of Contents INTRODUCTION... 4 Welcome to ADUMS...4 Glossary...4 Roles...5 Functions...6 SUPER USER FUNCTIONS... 8 Manage Administrative Areas...8 Organization... 8 General Guidelines for Managing Administrative Areas... 8 Manage Down Times...9 Manage Super Users... 10 Manage ID Lookup Users... 10 Query the ADUMS Change Log... 10 Check the integrity of the ADUMS configuration... 10 Additional Functions... 11 AREA ADMINISTRATOR FUNCTIONS... 12 Manage Administrative Areas... 12 General Guidelines for Managing Administrative Areas... 13 Lookup a USC Network ID... 13 Create a Guest Account... 15 Create a Resource Account... 17 Page 2 of 28

Upload CSV file of Accounts to Modify Expiration Dates... 20 Upload CSV file of Accounts to Modify Password... 21 Upload CSV file of Guest/Resource Accounts to Create... 21 Change the Notification Email Addresses and Comment... 23 SPONSOR FUNCTIONS... 24 Manage Administrative Areas... 24 Change the Password of a Sponsored User s Account... 24 Change the Expiration Date of a Sponsored User s Account... 25 Expire an Account... 25 USER FUNCTIONS... 26 Request Sponsorship... 26 Change Sponsorship... 26 Revoke Sponsorship... 26 Change My Password... 27 Lookup a USC Network ID... 27 EXPORTING DATA FROM ADUMS... 28 Page 3 of 28

INTRODUCTION Welcome to ADUMS ADUMS has been designed to allow USC Active Directory OU administrators to manage their sponsored accounts. The ADUMS application is administered by the USC Active Directory enterprise administrators at University Technology Services and supported by UTS Enterprise Applications. Area OU administrators have the ability to manage the sponsored accounts for their areas and to delegate sponsorship responsibilities to a group of users within their organizations. Glossary Term ADUMS Area Area Administrator Area OU Administrator Sponsee Sponsor Sponsorship Definition Active Directory User Management System for the USC Active Directory. Area maps to an organization; examples include campuses, colleges, or departments. Each area is managed by an area administrator and is associated with a group of sponsors who can then manage sponsee accounts for that organization. The user who is delegated the capability of managing an area. The OU Administrator for a top-level OU typically the senior OU administrator for a college or a campus. Any account that is sponsored. A user who is delegated the capability to sponsor a user, resource, guest, retiree, or admin account. The process by which a sponsor is granted the right to change passwords and reset expiration dates for sponsee accounts. Page 4 of 28

Roles There are 4 user roles within ADUMS. Role Super User Area Administrator Sponsor Ordinary User (Sponsee) Responsibility The super user is typically the UTS AD Enterprise Administrator who configures the original areas and assigns ownership to an area administrator. The ADUMS development team may also be assigned super user roles to assist with trouble-shooting any problems which may occur in deployment. The Area Administrator manages an Area and may assign sponsors for each area. The Area Administrator may also create accounts for guests and resources and lookup accounts as well. Renews or expires sponsee accounts; may reset passwords for sponsee accounts. Requests sponsorship, making that user a sponsee. Users can also change or revoke sponsorship. **Note: An Area Administrator will in almost all cases also be a Sponsor. A Sponsor may not always be an Area Administrator. Page 5 of 28

Functions Roles Function Super User Manage Administrative Areas List Areas Create Administrative Areas Delete an Existing Administrative Area Add / Remove Administrators Add / Remove Sponsors List Sponsees Manage Down Times Manage Super Users Add New Super Users Remove Super Users Manage ID Lookup Users Add ID Lookup Users Remove ID Lookup Users Query the ADUMS Change Log to Display Log Entries Created by a Specific Administrator For a Specific User All over a Date Range Check the Integrity of the ADUMS Configuration Create a Guest Account Create a Resource Account Upload a CSV file of Accounts to Modify Expiration Dates Upload CSV file of Accounts to Modify Passwords Upload CSV file of Guest/Resource Accounts to Create Change the Notification E-mail Addresses and Comment Page 6 of 28

Roles Area Administrator Function Manage Administrative Areas List Areas Add / Remove Sponsors List Sponsees Lookup a Network User ID By Network UserID By VIPID By SSN (Note that SSNs are not displayed, but may be used as input) Actual Name (First, Last, Middle) Create a Guest Account Create a Resource Account Upload CSV File of Accounts to Modify Expiration Dates Upload CSV file of Accounts to Modify Passwords Upload CSV file of Guest/Resource Accounts to Create (specified administrators only) Change the Notification E-mail Addresses and Comment Sponsor Manage Administrative Areas List Areas List Sponsees for each Area Change the Password of a Sponsored Account Change the Expiration Date of a Sponsored Account Expire an Account All Users Request Sponsorship Change Sponsorship Revoke Existing Sponsorship (Sponsored employees or students only) Change Password (Guest and Admin Accounts only) Lookup a Network User ID (For specified users only) Page 7 of 28

SUPER USER FUNCTIONS Manage Administrative Areas Organization When an area OU (or top level OU) is established, the USC Active Directory enterprise administrator will work with the area OU administrator to configure the administrative areas for ADUMS. It is not required that the administrative areas in ADUMS map to the OU hierarchy within each area OU. For example, a college may choose to configure a sub-ou for each department so that the IT administrators within each department can manage the servers, desktops, and printers for that department within their own OU. That same college may decide that the number of sponsored accounts for the college in general is relatively few and may opt to maintain only one ADUMS administrative area. The enterprise administrator will, as a super user, configure one or more administrative areas per the directions of the area OU administrator for an organization. The super will also configure the area administrators for an area. General Guidelines for Managing Administrative Areas The names of administrative areas should reflect the organizational hierarchy and should contain the 4-letter abbreviation already defined for that organization. For example HIST refers to the department of history. Please note that the name is not restricted to the 4- letter acronym itself. Areas should be assigned ownership to OU admin accounts, not the normal Network UserID of an administrator. Area administration functions should always be performed via logging in with the OU admin account. The OU administrators who are assigned areas should have completed FERPA certification as they will have access to lookup user information, including student users. It is not necessary that sponsor accounts be admin accounts. Sponsor accounts may be normal user accounts. There should always be more than 1 account assigned as an area administrator and as a sponsor for each area to avoid the situation where the primary administrator or sponsor is not available and a time-critical function is required. Page 8 of 28

Note that creating an administrative area and assigning ownership of that area to an OU admin account does add that OU admin account to the list of sponsors; assigning an additional OU admin account to the list of area administrators for that area does not automatically place the second OU admin account in the list of sponsors for that account. When removing an administrative area, it is best to ensure that no sponsee accounts are sponsored by that administrative area. Note: ADUMS Super users will need to verify that all Active Directory Admin accounts used in ADUMS have an e-mail account associated with them. This will require the creation of a mailbox, and setting up a System forward to the mailbox of the Preferred ID. Manage Down Times There are times when ADUMS functions may interfere with the normal Active Directory provisioning function; for example, new user accounts should not be created during the time of day that the normal Active Directory provisioning is run; generally from 8 am 9 am. Similarly, there may be mainframe outages that will impact the operations of ADUMS. ADUMS provides the super user two options: 1. Schedule a daily outage to cover the period when provisioning is running as well as any other periods where there may be account update to the Active Directory. 2. Schedule a one-time outage. This option would be used when maintenance is being performed on the ADUMS system itself. In either case, the super user has the option to shut down the account creation functions only or all ADUMS functions that query or update the mainframe C60 tables. Once the super user sets a down time period, a note is displayed on the main menu for all ADUMS users indicating the particular down time periods reserved. The super user is responsible for deleting the outage windows that are no longer needed; once a one-time outage period is no longer in effect, the super user should delete that outage. If the one-time outage period has past and the super user has not already deleted the outage, ADUMS will send the super user an e-mail notification every 30 minutes until the outage is deleted. Page 9 of 28

Manage Super Users A super user may grant other users super user access to ADUMS. All super user accounts should be admin accounts; the user s normal AD login (or preferred id) should not be used. Typically, super users are USC AD enterprise administrators, but the UTS developers responsible for the maintenance of the ADUMS software may also be super users so that they may assist with trouble-shooting any problems which may occur. Manage ID Lookup Users Some IT personnel may have the need to lookup user ID s for various reasons. Not all of these persons will need to be area administrators within ADUMS. The Super User may add a person to the group of users able to Lookup a USC Network ID provided that he/she is qualified to view HR and student data by the data stewards. Typically, these are users who had access to the legacy SingleUserID function. Query the ADUMS Change Log Super users may query the ADUMS change log to review: All actions performed today. All actions performed by a particular area administrator or sponsor. All actions regarding a particular Network UserID. All actions that have occurred during a particular date range. Check the integrity of the ADUMS configuration This function checks that all the ADUMS configuration files and databases are in order. The output displayed will be a list of all areas displayed and a status of OK in the comments field. If the status is not OK, the super user should contact the ADUMS development team. Page 10 of 28

Additional Functions The super user also has the capability of performing several functions that are typically performed by an area administrator: Create a Guest Account Create a Resource Account Upload CSV file of Accounts to Modify Expiration Dates Upload CSV file of Accounts to Modify Passwords Upload CSV file of Guest/Resource Accounts to Create Change the Notification E-Mail Addresses and Comment These features are fully described in the Area Administrator Functions section. Page 11 of 28

AREA ADMINISTRATOR FUNCTIONS The area administrator functions include the ability to create guest accounts and resource accounts, among other functions. Please note that Admin accounts are not created through ADUMS. Admin accounts still require a paper form request, which can be found at: http://www.sc.edu/universityemail/adoversight.php Manage Administrative Areas The Manage Administrative Area function for administrators lists the administrative areas associated with that administrator. Select Sponsors to view the list of sponsors for an area. The list includes each sponsor s First Name, Last Name, Network ID, VIPID, and E-Mail Address. You may sort the list using any column as key by clicking on the header for that column. Select Sponsees to view the list of sponsees. The list includes each sponsee s First Name, Last Name, Network ID, account expiration date, password expiration date, and a last login date. You may sort the list using any column as key by clicking on the header for that column. Clicking on the network ID will provide detailed information about the account, similar to what is provided with the Lookup a USC Network ID function. Clicking on the expiration date will launch the web page to reset the account expiration date. Clicking on the password expiration date will launch the web page to reset the password. Please note that it is possible for an account to have a blank expiration date; this situation typically occurs when a sponsored retiree is currently employed by USC. The expiration date will be displayed when the retiree is no longer actively employed. To determine the expiration date set for a working retiree, please use the Lookup a USC Network ID function to determine the C60 Account Expiration Date. An area administrator may add or remove sponsors for an area. Please note that the area administrator cannot create new administrative areas and cannot assign others the role of area administrator; if an area administrator would like to create a new area for his/her organization, or would like to add another person as an area administrator, he/she should contact the Service Desk (servicedesk@sc.edu or 777-1800) to place a ticket to request the addition. Page 12 of 28

General Guidelines for Managing Administrative Areas The names of administrative areas should reflect the organizational hierarchy and should contain the 4-letter abbreviation already defined for that organization. For example HIST refers to the department of history. Please note that the names are not restricted to the 4- letter acronym. Areas should be assigned ownership to OU admin accounts, not the normal Network UserID of an administrator. Area administration functions should always be performed via logging with the OU admin account. It is not necessary that sponsor accounts be admin accounts. Sponsor accounts may be normal user accounts. There should always be more than 1 account assigned as an area administrator and as a sponsor for each area to avoid the situation where the primary administrator or sponsor is not available and a time-critical function is pending. Note that assigning an additional OU admin account to the list of area administrators for that area does not automatically place the second OU admin account in the list of sponsors for that account. Lookup a USC Network ID This function allows a sponsor to lookup any network username. The sponsor may enter the Network ID of the user, the VIPID, the social security number, or the actual name of the user. The function will retain a description of that user object including: VIPID Network ID Home Department Code Display Name in AD Preferred Name First, Last, Middle Name and Suffix E-Mail Address Preferred ID Account Expiration Date o C60 Account Expiration Date Is the date when the account is set to expire. Retirees, guests, resources, and admin accounts will have expiration dates. Student and employee accounts should not have expiration dates set. Page 13 of 28

o AD Account Expiration Date Also reflects the expiration date for the account. Please note that the AD Account Expiration Date will be blank in the case of a retiree who is currently employed. When that retiree discontinues employment, the retiree account will expire on the date specified by the C60 account expiration date. USC Status Affiliate Expiration Date (if any) ID Status Sponsor (This is the Network UserID that generated the account) For Students: School, Major, Last Term Registered, and Currently Registered Flag Flags indicating whether the account is a Student, Employee, Retiree, Affiliate, Guest, Admin, or Resource. Last Transaction Date. Notification E-Mail Addresses (if any) Notification Comment (if any) Privacy Flag Extension Attribute 3 (Indicating whether account has requested sponsorship) The information displayed is color coded according to data source. Grey Information provided from table C60SA010. Blue Information provided from table C60SA050. Red Information provided from the USC Active Directory. Green Information provided from the IMS codeset. Please note that social security number is not displayed as output, although can be entered by an area administrator to lookup a user. Please note that the C60 expiration date is included as accounts for retirees who are also employed will not reflect an expiration date in AD. When looking up an ID, if you receive an *** ERROR*** - This network ID or SSN was found in table 50 and is no longer current, it means the account is no longer in the day to day Table10 file, but is in the History file, Table 50. If you need to create a new account based on the UserID or ssn, you will need to submit a ticket to the Service Desk (servicedesk@sc.edu or 777-1800). Page 14 of 28

Create a Guest Account This function allows area administrators the ability to create an account for a guest. This function does require a significant amount of information and may take a minute or two to complete as multiple systems must be updated. Once the input is verified and the function completed, the account is created; no additional overnight processing is required. The following information is required for the Create a Guest Account function. The requested Network ID. o Note that the Lookup a USC Network ID function may be used to determine whether the requested Network ID is available. o Typically, the Network ID should be derived from the guest s name. o Network ID s must be from 3 to 8 characters in length. The first character should be a letter (A-Z) and the remaining characters can be either letters or numbers. No special characters are allowed. o Network ID s are not cases sensitive, although they are stored in C60Table10 and in Active Directory in upper case. The social security number of the guest. Note, if the guest does not wish to give his ssn, the department should use one of their fake ssns for the guest account. All fake or made up ssns should have at least one character in them, and be documented and tracked by the department or college. These ssns and associated UserIDs are kept permanently in C60Table50 on the mainframe. First Name, Middle Name, Last Name, and Suffix. The Account Expiration Date. o The date must be within a year of the current date. Home Department Code o The home department code is selected from a list of all available codes. o Please note that ADUMS cannot suggest or validate the choice of a home department code. o The area administrator must know which home department code to select. Sponsorship Group o Only groups for which the administrator has sponsorship rights are displayed. Password o The password must comply with the complexity rules for the USC Active Directory; the password must be at least eight characters, cannot contain your Page 15 of 28

Network UserID or a 3-character sequence contained within your network ID, and must meet at least three of the following. One or more lowercase alphabetic characters (a-z) One or more uppercase alphabetic characters (A-Z) One or more numeric characters (0-9) One or more special characters (!@#$%^&*-+= etc) E-Mail Type o This field defines whether the guest should have a USC Exchange E-mail address, no e-mail account, or whether the guest s own external e-mail address should be used. Exchange Domain o If the guest will have a USC Exchange E-mail address, the administrator may choose a particular departmental or campus domain if appropriate. For example, guests of the law school may prefer their default e-mail address to be userid@law.sc.edu. o If a domain other than mailbox.sc.edu is selected, a checkbox is provided to indicate whether the selected domain should be the primary e-mail address for the guest. In Global Address List o Indicates whether the guest s name and e-mail address should be included in the USC Exchange address book. External E-Mail Address o This is the guest s own external e-mail address that should be entered if the E- Mail Type Provide External E-mail Address is selected. If the guest will have a USC Exchange mailbox, this field should be left blank. Notification E-mail Addresses and Notification Comment o The comment is included with all notifications that may be automatically e- mailed when the password or the account is due to expire. The notification e- mail addresses are the e-mail addresses of the persons who should receive notification e-mails regarding the account and who are not the account sponsors. Note that the account sponsors will automatically receive the notification e-mails regarding the account. The account itself will not receive the notification e-mail, unless the e-mail address is entered here. o The comment field is associated with the guest account and could be used to document the purpose for the guest account. The comment is included on all notification e-mails. Thus, the comment should be clear and easily understood by all who will receive the notifications. For example, the College of Arts and Sciences has chosen to manage sponsored accounts at the College level. Page 16 of 28

o o Suppose the Geography department hosts a visiting professor for the summer. An appropriate notification comment would be This account is for Dr. Smith, a visiting professor, in the Geography department. The notification e-mail address list might include the e-mail address of the IT manager of the Geography department and Dr. Smith as well. Separate multiple e-mail addresses in the E-mail notification address field with semicolons. Both the Notification E-mail Addresses and the Notification Comment fields may be left blank. Note, for guest accounts that are created for new employees, once the employee's HR paperwork is processed into the system, the account status will automatically convert to an employee status. ADUMS uses the extension attribute 3 to distinguish employees who are sponsored because their accounts were originally introduced as guest accounts from employees who have specifically logged into ADUMS and requested sponsorship. Thus, for new employees, ADUMS deploys a background task that runs weekly to check for new employees whose extension attribute 3 is not set, indicating that the account was first entered as a guest, and then removes those accounts from their sponsorship group. Create a Resource Account Administrator menu when they login. This function allows area administrators the ability to create an account for a resource. A resource is basically a generic account that is not associated with any particular individual. Examples of resource accounts are: Conference room accounts that can be managed via Outlook calendars. Accounts for applications which interact with the USC Active Directory. Accounts for managing workflow for a group; for example, a marketing group may have one e-mail account athlmrkt@mailbox.sc.edu that all members of the marketing staff may access. This function does require a significant amount of information and may take a minute or two to complete as multiple systems must be updated. Once the input is verified and the function completed, the account is created; no additional overnight processing is required. Page 17 of 28

The following information is required for the Create a Resource Account function. The requested Network ID. o Note that the Lookup a USC Network ID function may be used to determine whether the requested Network ID is available. o Typically, the Network ID should be based on the department and the function of the resource. o Network ID s must be from 3 to 8 characters in length. The first character should be a letter (A-Z) and the remaining characters can be either letters or numbers. No special characters are allowed. o Network ID s are not cases sensitive, although they are stored in C60Table10 and in Active Directory in upper case... Social Security Number o Obviously, resources will not have social security number, but today, this is the primary identifier that the C60 uses for an account. Thus, the resource must have a contrived social security number that will be unique and static for that account. o Typically the contrived SSN for a resource should start with an alphabetic prefix indicating the name of the area associated with the resource. o Each area administrator should have reserved this prefix with the enterprise administrator and must track which SSNs have already been assigned. o These contrived ssns and the associated NetworkID are permanently stored in C60Table50 on the mainframe. First Name, Middle Name, Last Name, and Suffix. o The resource account must have at least a first name and a last name. Please note that the first name and last name will be displayed in the address book. Most department resources use the department or its abbreviation for the first name, i.e. LAW. The Account Expiration Date. o The date must be within a year of the current date. Home Department Code o The home department code is selected from a list of all available codes. o Please note that ADUMS cannot suggest or validate the choice of a home department code. Sponsorship Group o Only groups for which the administrator has sponsorship rights are displayed. Password and Password Option Page 18 of 28

o The password must comply with the complexity rules for the USC Active Directory; the password must be at least eight characters, cannot contain your Network UserID or a 3-character sequence contained within your network ID, and must meet at least three of the following. One or more lowercase alphabetic characters (a-z) One or more uppercase alphabetic characters (A-Z) One or more numeric characters (0-9) One or more special characters (!@#$%^&*-+= etc) o If the resource account is to be used by staff members or students who should not change the password without authorization, then the password option User cannot change password should be selected. E-Mail Type o The e-mail type defines whether the resource should have a USC Exchange E- mail address, no e-mail account, or whether the resource should be associated with an external e-mail address. Exchange Domain o If the resource account will have a USC Exchange E-mail address, and if a particular departmental or campus domain is preferred. For example, the law school may want to use a resource account for the student Law Review organization with an e-mail address of LReview@law.sc.edu. o If a domain other than mailbox.sc.edu is selected, a checkbox is provided to indicate whether the selected domain should be the primary e-mail address for the resource. In Global Address List o Indicates whether the resource name and e-mail address should be included in the USC Exchange address book. External E-Mail Address o This is the external e-mail address for the resource that should be entered if the E-Mail Type Provide External E-mail Address is selected. If the resource will have a USC Exchange mailbox, this field should be left blank. Notification E-mail Addresses and Notification Comment o The comment is included with all notifications that may be automatically e- mailed when the password or the account is due to expire. The notification e- mail addresses are the e-mail addresses of the persons who should receive notification e-mails regarding the account and who are not the account sponsors. Note that the account sponsors will automatically receive the notification e-mails regarding the account. Page 19 of 28

o o o o o The comment field is associated with the resource account and should be used to document the purpose for the resource account. The comment is included on all notification e-mails. Thus, the comment should be clear and easily understood by all who will receive the notifications. For example, the College of Arts and Sciences has chosen to manage sponsored accounts at the College level. Suppose the Geography department requires a resource account for the mapping application. The notification e-mail address list might include the e-mail address of the IT manager of the Geography department. The notification comment should be something similar to This account has been created for the Geographic Mapping application. The resource account will not receive notification e-mails unless its e-mail address is included in the Notification E-mail field. Separate multiple e-mail addresses in the E-mail notification address field with semicolons. Both the Notification E-mail Addresses and the Notification Comment fields may be left blank. Upload CSV file of Accounts to Modify Expiration Dates This function will allow the area administrator to update the expiration date for up to 100 sponsored accounts with one function. The area administrator is requested to browse and select a CSV file that contains no header row and contains 2 fields per row, separated by commas: userid, expiration date. The expiration date must in the form yyyymmdd, cannot be a date in the past, and cannot be set for more than 1 year into the future. The area administrator must also be a sponsor for the area and can only upload expiration date updates for users that are sponsored by that area. The account update will take a few minutes as the function requires updates to various systems. Once the function completes, no additional overnight processing is required. Page 20 of 28

Upload CSV file of Accounts to Modify Password This function will allow the area administrator to reset the passwords for up to 100 sponsored accounts with one function. The area administrator is requested to browse and select a CSV file that contains no header row and contains 2 fields per row, separated by commas: userid, new password. The password must comply with the complexity rules for the USC Active Directory; the password must be at least eight characters, cannot contain the Network UserID or a 3-character sequence contained within your network ID,, and must meet at least three of the following. One or more lowercase alphabetic characters (a-z) One or more uppercase alphabetic characters (A-Z) One or more numeric characters (0-9) One or more special characters (!@#$%^&*-+= etc) The area administrator can only upload expiration date updates for users that are sponsored by that area. The password update will take a few minutes. Please note that University policy requires all passwords to be encrypted; please either delete the upload file and empty your recycle bin once you ve completed this function, or please ensure that the upload file is stored with the appropriate level of encryption. Upload CSV file of Guest/Resource Accounts to Create Relatively few area administrators will require a batch capability to create multiple accounts at a time. This function provides the equivalent of the Create Guest Account or Create Resource Account function, with the exception that all the information is provided in a csv file, one row per account to be created. The format of the file by Column is as follows: A. Account Type GUEST or RESOURCE B. Network ID Please make sure that the network ID is unique. Please check the Lookup Network ID function for each ID to be entered before beginning this process. C. SSN or Identifier Page 21 of 28

Enter the SSN for the guest or a contrived SSN for the resource that you can ensure is unique and managed. Please see the information for Create a Guest Account or Create a User Account for further information. D. First Name E. Middle Name F. Last Name G. Suffix H. Account Expiration Date yyyymmdd I. Home Department Code 6 digit code J. Sponsorship Group Please include the correct spelling of the sponsorship group. K. Password Option Either NORMAL or NOCHANGE L. Password Please ensure that the password complies with the USC AD password requirements. M. Confirm Password N. E-Mail Type PROVIDE, CREATE, or NONE O. Additional Exchange Domain Include the additional domain that should be included. Please note that the domain must already exist in Exchange. For example, law.sc.edu is a valid domain. P. Additional Exchange Domain Primary? enter Y or N Q. In Global Address List? enter Y or N R. External E-mail Address Provide if you entered PROVIDE for E-Mail Type (N). S. Notification E-Mail Addresses These are the e-mail addresses that should be notified when this account nears expiration or the password is about to be expired. T. Notification Comment Enter the comment that should be included in notification e-mails for the account. Please note that the data in each of these fields must be correctly entered before the account can be created. Please also note that no more than 100 accounts can be processed by this function at a time. Page 22 of 28

Change the Notification Email Addresses and Comment This function allows area administrators the ability to edit the notification comment or change the list of e-mail addresses to which automated notifications about the sponsored account are sent. The notification comment is a 255 character field associated with a sponsored account that the area administrator can use to describe the account and to document the purpose for the account. The comment is included on all notification e-mails, including password and account expiration notices. Thus, the comment should be clear and easily understood by all who will receive the notifications. The notification e-mail addresses are the e-mail addresses of the persons who should receive notification e-mails regarding the account and who are not the account sponsors. Multiple e- mail addresses should be separated with a semicolon. Note that the account sponsors will automatically receive the notification e-mails regarding the account. For example, if the College of Arts and Sciences is hosting a visiting history professor for the Fall semester, the area administrator for the College of Arts and Sciences may want to update the notification comment to indicate Dr. Smith will be working with the History Department through Fall, 2011. The area administrator may include the History department IT person s e- mail address and Dr. Smith s e-mail address in the notification e-mail addresses. Thus, the sponsors for the College of Arts and Sciences area, the History IT manager, and Dr. Smith will receive the automated notices regarding Dr. Smith s account. Both the Notification E-mail Addresses and the Notification Comment fields may be left blank. The area administrator can only update the notification comment and the notification e-mail addresses for users that are sponsored by that area. Page 23 of 28

SPONSOR FUNCTIONS Manage Administrative Areas The Manage Administrative Area function for sponsors lists the administrative areas associated with that sponsor. The sponsor may click on the sponsee link for each area to list the sponsees associated with that area. The list includes each sponsee s First Name, Last Name, Network ID, Expiration Date, and the Password Expiration Date. You may sort the list using any column as key by clicking on the header for that column. Both the sponsee s network ID and the sponsee s expiration dates are links. Clicking on the network ID will provide detailed information about the account, similar to what is provided with the Lookup a USC Network ID function. Clicking on the expiration date will launch the web page to reset the account expiration date. Clicking on the password expiration date will launch the web page to reset the password. Please note that it is possible for an account to have a blank expiration date; this situation typically occurs when a sponsored retiree is currently employed by USC. The expiration date will be displayed when the retiree is no longer actively employed. Change the Password of a Sponsored User s Account This function allows a sponsor to reset a sponsee s password. The Network UserID entered must be for an account that is sponsored by that sponsor. The password must comply with the complexity rules for the USC Active Directory; the password must be at least eight characters, cannot contain your Network UserID or a 3-character sequence contained within your network ID, and must meet at least three of the following: One or more lowercase alphabetic characters (a-z) Page 24 of 28

One or more uppercase alphabetic characters (A-Z) One or more numeric characters (0-9) One or more special characters (!@#$%^&*-+= etc) The sponsor is given the option to set the password with no further constraints or to prohibit the user from resetting the password himself. Please note that selecting the option where the user cannot change password does not prevent a sponsee who has a VIP account from resetting his/her password via VIP. Also, please note that a sponsor will be able to reset a password for an account that is expired. Change the Expiration Date of a Sponsored User s Account This function allows a sponsor to renew sponsorship for a sponsee s account by extending the expiration date into the future. Please note that the date entered must be a date in the future no later than 1 year from the current date. Expire an Account This function allows a sponsor to expire a sponsee s account. This action will take effect immediately. Please note that this function cannot be used to disable the account of an employee, affiliate, or a student. Accounts that are provisioned based on the HR system or the student information system are governed by the normal life-cycle for those roles and cannot be expired. If you wish to remove a sponsored guest or resource account as it may no longer be required, please submit a ticket to the Service Desk (servicedesk@sc.edu or 777-1800). The ability to delete sponsored guest or resource accounts is not in ADUMS. Page 25 of 28

USER FUNCTIONS Request Sponsorship Normal users may also request sponsorship; a good example is a retiree who would like to continue to use his/her AD account. The user is asked to select the administrative area of which the request for sponsorship is made. The request generates an automated e-mail to the sponsors for that area. The message contains a link to a temporary function to sponsor that account. The link remains active for 1 week to allow sufficient time for the sponsor to respond. The link will open a session of ADUMS in which the sponsor must authenticate with sponsor userid and password, and then complete the grant of sponsorship. Once the sponsor has completed the session to grant sponsorship, an automated e-mail message will be sent to you to let you know that your account has been sponsored. Please note that granting sponsorship does not automatically set an expiration date. Once sponsorship has been requested and granted, the sponsor must still select the Change the expiration date on a sponsored user s Account to extend the expiration date. Change Sponsorship If a user who has requested sponsorship wishes to change his/her sponsorship, he/she may request another area take sponsorship. An example may be for a contractor who is sponsored as a guest from Department A may complete the work with Department A but still have work remaining with Department B. The guest could request that Department B take sponsorship. If there is a notification comment and notification e-mail addresses associated with the account, the process of changing sponsorship does clear these fields. The area administrator for the new department may enter a new notification comment and set of notification e-mail addresses. Revoke Sponsorship If a user who has requested sponsorship wishes no longer to be sponsored, the user may select this function to revoke sponsorship. Please note that only employees or students can revoke Page 26 of 28

sponsorship; accounts which are initiated as sponsored accounts such as resource accounts or admin accounts cannot revoke sponsorship. Change My Password The Change My Password function is provided as a self-service convenience for guest accounts and admin accounts as these do not have access to VIP to change their passwords. Please note that this function cannot be used by active faculty, staff, students, or retirees as password reset is available to them in VIP (https://vip.sc.edu ). There is no self-service option for password reset for resource accounts as the area administrators and sponsors for that area should manage those accounts. The password must comply with the complexity rules for the USC Active Directory; the password must be at least eight characters, cannot contain your Network UserID or a 3-character sequence contained within your network ID, and must meet at least three of the following: One or more lowercase alphabetic characters (a-z) One or more uppercase alphabetic characters (A-Z) One or more numeric characters (0-9) One or more special characters (!@#$%^&*-+= etc) Lookup a USC Network ID This function allows a qualified user to lookup any network username. The user may enter the Network ID of the user, the VIPID, the social security number, or the actual name of the user. A detailed description of this function is provided on page 13 of this document. To request use of this function, please place a ticket with the UTS Service Desk. Please note that you must have the permission of the HR and student data stewards to access this function. Page 27 of 28

EXPORTING DATA FROM ADUMS The lists that are displayed for OU Admins, Sponsors, and Sponsees that are generated from Manage Administrative Area functions may either be printed or exported by clicking on the diskette icon at the top right-hand corner of the list. There are several export formats that are supported: CSV The file generated is actually in comma separated value format; however, the suffix for the file will be jsp. This may be corrected by renaming the file with the.csv suffix. The csv export or the Excel export is typically used to extract information for mail merges and other functions. Excel The file generated is a Microsoft Office 97-2003 format spreadsheet with file suffix of.xls. XML The file generated is an.xml file. PDF The file generated is an Adobe pdf file. The list may also be printed by selecting the printer icon displayed above the list. Page 28 of 28