Creating User Accounts from People

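This topic demonstrates how to create user accounts in external directories from existing EmpowerID people. It covers creating the user account, verifying that the account was joined to the Person, and verifying that the account was created in Active Directory.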

Prerequisites: Before you can create user accounts from existing EmpowerID people, EmpowerID must first be connected to an external account directory, like Active Directory. For more information on connecting EmpowerID to external account directories, see Connecting to Directory Systems.

To create a user account for an existing EmpowerID Person

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Person management page by expanding Identities and clicking People.
  2. From the Actions pane of the Person management page, click the Create User (Person Optional) action.
  3. This opens the Create User form, which contains a number of tabs with fields for setting user account attributes or properties.

  4. From the General tab of the Create User form, do the following:
    1. Select an account type from the Account Type drop-down. Personal Standard and Personal Privileged are the possible personal account type options, with Personal Standard being the default.
    2. Type a first name and last name for the user account in the First Name and Last Name fields, respectively.
    3. Type a display name and logon name for the user account in the Display Name and Logon Name fields, respectively.
    4. Underneath Account Creation Location, click the Select a Location link and in the Location Selector that opens do the following:
      1. Search for and select the appropriate external directory location for the user account.
      2. Click Save to close the Location Selector.
    5. Select the appropriate UPN suffix from the UPN Suffix drop-down.
    6. Optionally, type a description in the Description field and any comments in the Comments or Justification field.
    7. Select Join Account to an Existing Person.
    8. Type the name of the Person from whom you are creating the account in the Account Owner field and then click the tile for that Person.
    9. Optionally, select Allow me to enter a password if you want to set the password for the user account.
    10. In our example, we are setting the password, so we have ticked the option. When we do so, the form changes to display the Password and Confirm Password fields.

    11. If you have opted to enter a password for the user account, type the password in the Password and Confirm Password fields.
    12. Scroll to the Security section and select any desired settings you want to apply to the account. By default, Allow Joining Account to a Person and Allow Provisioning a Person from Account are selected. These two flags tell EmpowerID that it can join the account that it is creating to an EmpowerID Person and that a Person can be provisioned for the account if one does not currently exist. In this case we are creating a user account for an existing person, so EmpowerID will join the user account to the Person and sync the attributes to one another based on the Attribute Flow Rules set for the account store in which the user account is being provisioned. In addition to the default flags, we have chosen to set Must Change Password At Next Logon.
    13. EmpowerID determines whether to join new accounts to existing people or provision new people from those accounts based on the Join and Provision rules set for your environment. For more information on these rules, see Overview of the Account Inbox and Reviewing Join and Provision Rules.
  5. Optionally, click the Address tab and fill in the appropriate information for the user account you are creating.
  6. Optionally, click the Personal tab and fill in the appropriate information for the user account you are creating.
  7. When ready, click Save.
  8. After creating the user account, EmpowerID directs you to the account's View Page. View pages allow you to view information about a selected resource and manage that resource as needed.

    One important attribute to take note of here is the EmpowerID Logon attribute. This attribute points to the logon name of the EmpowerID Person owning the account. If this attribute doesn't have a value, the account does not belong to an EmpowerID Person.

To verify the account was joined to the Person

  1. From the View page for the account, click the EmpowerID Logon link underneath the Account Information section.
  2. You should be directed to the View page for the EmpowerID Person owning the account. This person should be the same person you selected above when creating the account.

  3. From the View page for the Person, click the Roles, Accounts, and Login Security accordion to expand it.
  4. You should see the User Accounts Owned pane reflect the user account you just created for the Person.

To verify the account was created in Active Directory

  1. On a machine with the Active Directory Module for Windows PowerShell installed, run the following cmdlet, substituting the name of the user you created:

    Get-ADUser -Filter {name -eq 'CharlesKraft'}

    You should see the account.
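
The following is an added example, not part of the EmpowerID documentation. It extends the check above to confirm that the account landed in the selected location, carries the selected UPN suffix, and has Must Change Password At Next Logon set (in Active Directory, `pwdLastSet` equal to 0). The UPN suffix and location values are placeholders to replace with the ones chosen in the Create User form.

```powershell
# Added example, not EmpowerID code. Values marked "placeholder" are assumptions.
Import-Module ActiveDirectory

$name              = 'CharlesKraft'                # account name used on this page
$expectedUpnSuffix = 'example.com'                 # placeholder: UPN suffix chosen in the form
$expectedLocation  = 'OU=Users,DC=example,DC=com'  # placeholder: Account Creation Location

# Request the extra attributes needed for the checks; @() forces an array
# so that zero, one, or several matches can be counted reliably.
$users = @(Get-ADUser -Filter "Name -eq '$name'" `
    -Properties pwdLastSet, UserPrincipalName, Description, whenCreated)

if ($users.Count -ne 1) {
    throw "Expected exactly one account named '$name', found $($users.Count)."
}
$u = $users[0]

# Parent container = distinguished name minus its first component.
# Assumes the account's CN contains no escaped comma.
$parent = $u.DistinguishedName -replace '^[^,]+,', ''

$checks = [ordered]@{
    'Created in selected location'       = ($parent -eq $expectedLocation)
    'UPN uses selected suffix'           = ($u.UserPrincipalName -like "*@$expectedUpnSuffix")
    # pwdLastSet = 0 is how AD records "User must change password at next logon".
    'Must change password at next logon' = ($u.pwdLastSet -eq 0)
}

# Pass/fail summary, one row per check.
$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize

# Raw values for the record, including whether the account is enabled.
$u | Format-List SamAccountName, UserPrincipalName, DistinguishedName,
                 Enabled, whenCreated, Description
```

The password check is only meaningful when Must Change Password At Next Logon was selected in the Security section, as in this topic's example.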