Active Directory

Account Unlock

Confirm the user's identity before proceeding:

  1. Log in to the Duo admin site and locate the user.
  2. Contact the affected user via phone.
  3. Click Send Duo Push to initiate a push notification.
  4. Ask the staff member to verbally confirm the code.
  5. Instruct the user to approve the Duo push notification.
  6. Proceed with the appropriate reset method.

If the user cannot receive a push, refer to IS-655 Changing or resetting Employee Network Password.

Unlock AD Account in RSAT

  1. Open RSAT.
  2. Go to Console Root.
  3. Click Account Lockout Status.
  4. File > Select Target > type in the username (first initial, last name) > click OK.
  5. Right-click both the INDY and SB domain controller names and choose Unlock Account.

Unlock AD Account in PowerShell

  1. Press Windows Key + X and select Windows PowerShell (Admin).
  2. Log in using admin credentials.
  3. To list locked accounts:
    Search-ADAccount -LockedOut -SearchBase "OU=Users,OU=BeaconCU,DC=beaconcu,DC=org" | Select-Object SamAccountName, Name
    
  4. To unlock the account:
    Unlock-ADAccount -Identity username
    
  5. Verify unlock:
    Search-ADAccount -LockedOut -SearchBase "OU=Users,OU=BeaconCU,DC=beaconcu,DC=org" | Select-Object Name
    

Replace username with the actual username.
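
The list, unlock and verify steps above can be combined into one function that also reports lockout state per domain controller, as the RSAT procedure does. This is an added example, not part of the original runbook. The function name Unlock-VerifiedAccount and the sample username jdoe are hypothetical, and domain controllers are enumerated with Get-ADDomainController rather than named.

```powershell
# Added example (not from the original runbook). Requires the ActiveDirectory
# module that ships with RSAT. Function name and sample username are hypothetical.
Import-Module ActiveDirectory

function Unlock-VerifiedAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Same search base the runbook uses when listing locked accounts.
        [string]$SearchBase = 'OU=Users,OU=BeaconCU,DC=beaconcu,DC=org'
    )

    # Resolve the account first so a mistyped username fails before any change.
    $user = Get-ADUser -Identity $Identity -Properties Enabled

    # Only act on accounts under the staff OU; anything else (service or admin
    # accounts, for example) should not be unlocked through this procedure.
    if ($user.DistinguishedName -notlike "*,$SearchBase") {
        throw "$Identity is outside $SearchBase; do not unlock it with this procedure."
    }
    if (-not $user.Enabled) {
        Write-Warning "$Identity is disabled; unlocking alone will not restore access."
    }

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # BadLogonCount is tracked per DC, so it shows where the failures landed.
        $before = Get-ADUser -Identity $user.SamAccountName -Server $dc.HostName `
                             -Properties LockedOut, BadLogonCount

        $target = "$($user.SamAccountName) on $($dc.HostName)"
        if ($before.LockedOut -and $PSCmdlet.ShouldProcess($target, 'Unlock')) {
            Unlock-ADAccount -Identity $user.SamAccountName -Server $dc.HostName
        }

        # Re-read from the same DC to verify the unlock took effect there.
        $after = Get-ADUser -Identity $user.SamAccountName -Server $dc.HostName `
                            -Properties LockedOut

        [pscustomobject]@{
            DomainController = $dc.HostName
            BadLogonCount    = $before.BadLogonCount
            LockedBefore     = $before.LockedOut
            LockedAfter      = $after.LockedOut
        }
    }
}

# Dry run first, then repeat without -WhatIf to apply:
#   Unlock-VerifiedAccount -Identity 'jdoe' -WhatIf | Format-Table -AutoSize
```

A high BadLogonCount on one domain controller shortly after an unlock usually means a device or saved credential is still retrying the old password.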


Leave of Absence

Automated disabling of accounts is handled through Paylocity.
Advise the supervisor to place a ticket on the HR Help Desk for the individual going on leave.
Include the expected return time.


Return from Leave of Absence

Managers/Supervisors should place Leave of Absence tickets.

  • If the staff member has already placed a ticket with HR, be prepared to work with them on their return date for a password reset.
  • If no ticket is created and the leave is over 30 days, staff accounts will be disabled. Use the steps below to resolve.

No Leave Ticket Created

  1. Open RSAT (Citrix Workspace, admin credentials).
  2. Go to Active Directory Users and Computers > beaconcu.org > Disabled Accounts.
  3. Locate the user account and open Properties.
  4. In Attribute Editor, set beaconDoNotDisable and beaconDoNoMove to TRUE.
  5. Click OK.
  6. Right-click the user account and select Enable.
  7. Click OK to confirm.
  8. In the On_Leave OU, right-click the user account and select Move.
  9. Move to beaconcu > BeaconCU > Users and click OK.
  10. Notify the Manager/Supervisor the account is ready.

Disabled Account

  1. Open RSAT (Citrix Workspace, admin credentials).
  2. Go to Active Directory Users and Computers > beaconcu.org > BeaconCU > Users.
  3. Locate the user account.
  4. Right-click and select Enable.
  5. Notify the Manager/Supervisor the account is ready.

Check Logon Hours

  • In RSAT, go to user properties.
  • Click Account > Logon Hours…
  • Change "Logon Denied" to "Logon Permitted" as needed.

Password Reset Procedures

Confirm the user's identity before proceeding:

  1. Log in to the Duo admin site and locate the user.
  2. Contact the affected user via phone.
  3. Click Send Duo Push to initiate a push notification.
  4. Verbally communicate the confirmation code and ask the user to confirm.
  5. Instruct the user to approve the Duo push notification.
  6. Proceed with the appropriate reset method.

If the user cannot receive a push, refer to IS-655 Changing or resetting Employee Network Password.

Before resetting an employee's password, verify if they are remote. If remote, refer to the appropriate section below.


On Site

  1. Open RSAT.
  2. Go to Active Directory Users and Computers > beaconcu.org > BeaconCU > Users.
  3. Find the user, right-click, and choose Reset Password…
  4. Enter the new temporary password in both fields and click OK.
  5. Confirm the user has changed the password.

Email on Phone

Staff with access to Mobile Email (through Hub) can change their password in the Hub.

Verifying Mobile Email Access

  1. Launch RSAT (admin credentials).
  2. In MyConsole, navigate to beaconcu.org/BeaconCU/Users/.
  3. Locate the staff member and open their profile.
  4. In Member of, check whether the staff member is a member of the WS1-MobileEmail Security group.
    • If not, follow the "No Email Access" steps.

Change Password in Hub

  1. Ask staff to open Hub on their phone.
  2. Tap profile picture (top right).
  3. Tap Change Password.
  4. Enter current password.
    • If forgotten, follow On Site reset steps.
  5. Enter a new password that meets complexity requirements.
  6. Confirm the new password.
  7. Click Save.

Remote

Knows Password

  1. Go to The Lighthouse and expand the sidebar.
  2. Portal Tools > Manage Users > User Management.
  3. Search for the user and click their username.
  4. Ask the user their Secret Question and verify their answer.
  5. Sign into Ansible and run the AD_SAM_Uncheck playbook for the user.
  6. Send a calendar reminder about the password reset, set for the exact time needed.
  7. Confirm the user has changed the password 24 hours later.

Does Not Know Password

  • Advise staff to go on site.
  • Return to Password Reset Procedures.

Group Access

Adding Group Access

Adding to Group:

  1. In RSAT, navigate to MyConsole > Console Root > Active Directory Users and Computers > beaconcu.org > Distribution Lists (or Security Groups).
  2. Locate and open the group.
  3. In Members, click Add.
  4. Type in the username and click Check Names.
  5. Click OK, then Apply and OK.

Adding Group to Account:

  1. In RSAT, navigate to MyConsole > Console Root > Active Directory Users and Computers > beaconcu.org > BeaconCU > Users.
  2. Locate and open the staff member's account.
  3. In Member Of, click Add.
  4. Type in the group name and click Check Names.
  5. Click OK, then Apply and OK.

Mapping Network Share:

  1. Open File Explorer.
  2. Navigate to This PC.
  3. Click Computer > Add a network location.
  4. Click Next.
  5. Choose Custom network location, then Next.
  6. Enter the network address (e.g., \\bcupublicdrives\ or \\bcuprivatedrives\).
  7. Name the location (remove parentheses for clarity), then Next.
  8. Click Finish.
  9. Leave "Open this network location when I click Finish" checked to verify.

Removing Group Access

Removing from Group:

  1. In RSAT, navigate to MyConsole > Console Root > Active Directory Users and Computers > beaconcu.org > Distribution Lists (or Security Groups).
  2. Locate and open the group.
  3. In Members, select the staff member and click Remove.
  4. Confirm removal, then OK, Apply, and OK.

Removing Group from Account:

  1. In RSAT, navigate to MyConsole > Console Root > Active Directory Users and Computers > beaconcu.org > BeaconCU > Users.
  2. Locate and open the staff member's account.
  3. In Member Of, select the group and click Remove.
  4. Click OK, then Apply and OK.