Account Management & Provisioning
A User has come through with a different EmployeeID – What do I do?
A user will occasionally come through with a different EmployeeID when critical personnel data has been changed and the record has been reassessed by Directory Manager. Typically, Directory Manager will deal with this change silently, however, if you discover that a number of records are appearing as ‘new’ because Directory Manager is not recognising their relationships to existing accounts, there might be a need to change your configuration.
An AD Account Already Exists for a pending transaction – What do I do?
There may be a scenario where a record has appeared in the Web Portal as a ‘new’ transaction, however it should have matched to a pre-existing AD record. If this occurs, then the records can be matched together manually by clicking on the pending ‘new’ transaction’s Employee ID. This will open a new tab that displays all of the record’s details, along with a ‘Link’ button.
Clicking the ‘Link’ button will open a pop-up containing a drop-down that contains all potential pre-existing AD records that can be matched to the ‘new’ Transaction. Once the two records have been linked, the ‘new’ Transaction may return as a ‘change’ transaction, allowing the record to be updated with the relevant details extracted from the source system/input.
If you cannot see the desired pre-existing AD record within the ‘Account’ drop-down, then please see the section regarding an account is not visible in the linking list
How do I Approve of a record?
In order to approve a record(s), you will need to be part of the Directory Manager Control Group or another group that has been given the required permissions in order to approve pending transactions. Often it is easiest to locate a transaction by selecting the ‘Pending Search’ option and searching for the name of the related member of staff.
Alternately, all pending transactions are grouped by transaction type (i.e. New, Change, Rename or Expiration) and then by department. These can be browsed via the main ‘Pending Transaction’ page. After you have located the pending transaction(s) tick the approve checkbox for the record(s) you would like to approve and then click the ‘Apply Selection’ button located beneath the table at the bottom of the page.
If the record(s) cannot be found via either of the two above methods please see the section regarding being unable to find a record.
How do I Suspend a record?
In order to Suspend a record(s), you will need to be part of the Directory Manager Control Group or another group that has been given the required permissions in order to Suspend pending transactions. Once you are part of one of these groups log in to the Directory Manager portal and navigate to pending transactions, once in this section you will see transactions split up into the following categories; New, Change, Rename and Expiry, these can then be split up further into departments. After you have located the pending transaction(s) tick the checkbox under the Suspend column for the Record(s) you would like to Suspend and then click the apply selection button located beneath the table at the bottom of the page.
Alternatively, if you are unable to locate your record via the pending transactions option you could utilise the pending search feature where you can search for the record(s) by the name(s) of the user(s) that you would like to find.
if the record(s) cannot be found via either of the two above methods please see the section regarding being unable to find a record.
How do I unlink records?
In the event that a record has been linked to the incorrect pre-existing AD record, an unlinking process, similar to the linking process, can be carried out to remove the link. If an unlink is required, then the link can be removed by clicking on a pending Transaction’s Employee ID. This will open a new tab that displays all of the record’s details, along with an ‘Unlink’ button.
Clicking the ‘Unlink’ button will remove the link between the Transaction and the pre-existing AD record, and then the pending Transaction will be re-assessed, generating a pending New transaction for the newly unlinked record. Please note that this works for Change, Rename and Expiry Transactions. If you are attempting to unlink a Change, Rename or Expiry Transaction and the button is labelled ‘Link’ rather than ‘Unlink’, please refresh the pending list page and try again. If the issue continues, please contact the BDS Service Desk.
I am unable to find a record in the portal – What do I do?
If you are unable to find a record(s) in the portal it may have been approved or suspended by another by someone else. You can check ‘Recent Transactions’ under the administration section of the portal to see if it has been processed recently. Alternatively, you can use the suspended search to search through any suspended transactions.
If you are still unable to find the record(s) it may have not come through from ESR or another data input source yet. If you are unsure when your data sources are set to run please see the section regarding Data Sources.
Please note that ESR Records will not come through from ESR until the next working day after being submitted to ESR.
I have accidentally approved a Change/Rename Transaction – What do I do?
As soon as you realise you have accidentally approved a change or rename transaction please inform the BDS Service Desk, the sooner after the transaction has been approve the more likely we are able to roll this back.
I have approved a record but my account has not been created/updated – What do I do?
If you have approved of a record but the account associated with the transaction you have approved has not been created or updated there could be a couple of reasons for this, one reason for this is that the input has not yet been assessed this will happen in the next ‘heartbeat’ of Directory Manager.
Another reason that your account may not have been created/updated is because the underlying services are stuck or are not running. For more information regarding this please see the section regarding Services.
 If you do not believe it is one of these please contact the BDS Service desk.
The Record I Want To Link Is Not In The Linking Drop-Down – What Do I Do?
When trying to manually link a record via the Web Portal, the pre-existing AD record may not appear in the ‘Account’ drop-down. For a record to meet the manual matching criteria, an Active Directory account must either have no Employee ID value, or have a Directory Manager generated Employee ID starting with a ‘D’ (these are called ‘Temporary IDs’ or ‘’D’ Codes’). Also, the account must have been created in the last 90 days, and have a similar name. For example, for an account under the name Joe Bloggs, records under the name John Bloggs, or Joe Blog may appear in the ‘Account’ drop-down as they have similar names.
If the account has an Employee ID value that is not a ‘Temporary ID’, then this can mean that the account is currently linked to another record managed within Directory Manager (i.e. another ESR record), or there is an invalid Employee ID value against the AD account. In both scenarios please contact the BDS Service Desk and one of our consultants will be able to assist
Why have my transactions failed?
There are many reasons why a transaction(s) can fail ranging from incorrect data to Directory Manager being any able to connect to Active Directory, if you would like to know why your transaction(s) has failed please contact the BDS Service desk
Business Rules
How can I add more Business Rules?
If you would like to add more Business Rules you can do so by logging on to the Directory Manager Server and opening the Directory Manager Configuration Client, from here navigation to Management->Processing Rules and the you can select the transaction type and technology you wish to add new rules too. Very importantly, you must suspend Management service processing before making rules changes. Contact the BDS Service Desk if you need assistance with this activity.
How can I Amend Business Rules?
If you would like to amend your Business Rules you can do so by logging on to the Directory Manager Server and opening the Directory Manager Configuration Client, from here navigation to Rules Management, Processing Rules and the you can select the transaction type and technology you wish to add new rules too.
PLEASE NOTE: IF A TRANSACTION DOES NOT MEET A BUSINESS RULE THE TRANSACTION WILL BE IGNORED SO IT IS RECOMMENDED TO NOT REMOVE OR AMEND THE CATCH ALL RULE.
How can I Remove Business Rules?
If you wish to remove your Business Rules you can do so by logging on to the Directory Manager Server and opening the Directory Manager Config Client, from here navigation to Rules Management, Processing Rules and the you can select the transaction type and technology you wish to add new rules too.
 PLEASE NOTE: IF A TRANSACTION DOES NOT MEET A BUSINESS RULE THE TRANSACTION WILL BE IGNORED SO IT IS RECOMMENDED TO NOT REMOVE OR AMEND THE CATCH ALL RULE.
How can I see what rule a Transaction met?
There are a couple of ways to view the rule which a transaction met, one of these being to have a look at the pending transaction list, this will show you the rule that a pending transaction met, if your transaction is auto approved you will not be able to use this method.
If you take a look at your recent transaction list on the portal you will also see what rule the transaction hit, this will work for rules that are auto approved.
The final way to see which rule your transaction met is to log on to the Directory Manager server and open the Directory Manager Config Client, from here navigate to Reporting, Process Results here you will be able to search every transaction directory manager has ever processed grouped by user, you can search this on Surname, GivenName.
How Many Business Rules can I have?
You can have as many Business Rules as you wish, whether this just a single ‘catch-all’ rule that applies the same configuration to every user in the domain or a different rule for every department. Rules permit different technical configurations to be applied, Active Directory OU, password settings, user name format, etc. You can also separate the rules in relation to different data sources e.g. auto-approve all records coming from ESR because they have already been vetted.
What are Business Rules?
Business Rules are the criteria a transaction has to meet to be applied to specified groups, OUs, unique configurations, or even have the transaction excluded or auto-approved. Business rules are also split up amongst ‘New’, ‘Change’, ‘Rename’ and ‘Expiration’ transactions as well as the different standard technologies: Active Directory (User Management), Group Management (Active Directory Group Management), File Systems and Email services.
Why did my transaction hit a certain rule?
Transaction will always hit the first rule to which the Criteria is met, the only exception for this being on Group Technology Rules, if you believe that the rule met is incorrect please review your rule configuration (Please see How Can I Amend Business Rules).
Data Sources
Can I use another Database as a Data Source?
Directory Manager can use data from other database to create, amend or update accounts in order to do this the Directory Manager service account will need read access to the specified database that you wish to use, if you wish to set up another database connection as a Data Source please contact the BDS Service Desk and we will arrange to set this up for you.
How can I add more Data Sources?
Given the potential impact on the operation of Directory Manager, if you would like to add a Data Source please contact the BDS Service Desk and we will arrange the implementation for this.
How do I know when my Data Sources are set to run?
To find out when your data sources are set to run Log on to the Directory Manager Server and open the Directory Manager Config Client and navigate to Data Sources, Data Sources from here you will see a list of your data sources, their recent run times and the schedule for when they are set to run along with whether or not the data source is active, from here you will also be able to manually run the Data Source if you wish.
How many Data Sources can I have?
Directory Manager can manage as many Data Sources as you require, each one will either have a) unique identities that come from that system or b) have clear integration with other data.
What is a Data Source?
Data Source are input feeds into Directory Manager, these can vary from ESR to CSV or Portal Entries, each Data source can be set to run off of its own schedule whether that is by the minute to once a month or they can be set to run sequentially one after another.
What Types of input can a Data Source be?
Data Sources can have many different types of input however the main ones are; CSV files, ESR-GOI Feeds, Excel Files, and Database views. Once these files are run into Directory Manager they can go straight to input or be stored as raw data then formatted and combined with other data.
General Questions
I am unable to access the Directory Manager Config Client – what do I do?
In order to view the Directory Manager Config Client you will need to be part of the Directory Manager Control Group Security Group, if you are not part of this and wish the view the Config Client please add yourself to the group, log out and back into your account and this will then give you access, if you are still unable to access the Config Client please contact the service desk and we will take a look at the issue for you.
I can’t see the administration section on the portal
If you are logged in to the Directory Manager portal and you are unable to see the Administration section on the side bar you may not be part of one of the admin security groups, if you are part of the security group(s) and you are still unable to see the administration section there may be an issue with the group itself, please contact the BDS service desk and we can look into this for you.
If you have any further questions
If you have any further questions or issues which we have not covered on this page please contract the BDS Service Desk and we will be happy to help you.
Call us on: 01884 33440
Email us at: Servicedesk@bds-solutions.co.uk
What Is Directory Manager?
Directory Manager provides direct integration with Electronic Staff Record (ESR) and the Directory Manager web portal to capture identity information that is used to automate handling of starters, changes and leavers. Through the configuration of business rules, the software makes Active Directory and email account creation, update and expiration as simple as pushing a button.
Directory Manager’s fixed-price ‘Core Service’ includes:
- ESR integration and web portal account request management
- Active Directory starter, changes and leaver management
- Group membership management
- User home and profile folder management
- Mailbox management for Exchange or NHSMail
What other components can be added to Directory Manager?
The Directory Manager Extended Feature set is designed to meet the evolving needs of NHS Digital Identity management, Directory Manager supports a range of extended functions to better serve the needs of IT, HR and Information Governance, including:
- Digital Directory
- Personal Digital Identity (PDI)
- Automated Matching
- Credential vault
- Access Workflows
- Position-based Access
- Office 365 integration and SKU management
- Web page builder
Notifications
How can I update a notification?
If you would like to update the text of the notification or the recipients log on to the Directory Manager server and open the Directory Manager Configuration Client. In the ‘Portal & Notifications’ section there is an Email Notifications applet that provides access to the notifications configuration.
How do I create a notification?
Given the potential impact on the operation of Directory Manager, if you would like to create a notification please contact the BDS Service Desk and we will arrange the implementation for this.
What are Instant Notifications?
Instant Notifications are activated by triggers, for example, when New Transaction is approved and the account is created as a result, a ‘New Account’ Notification under the type ‘Instant’ will be sent, as this Notification was triggered by the creation of the account.
What are list notifications?
List Notifications are triggered by a schedule; Meaning that these must be configured to run, either once a month/day/hour/minute etc. If a Notification of this type is not sending as expected, please review the schedule.
What are Notifications?
Notifications are emails that are sent to users, managers or Directory Manager admins based on the criteria of the Database view that is behind the notification, these can range from accounts created as they are created to a monthly report of any changes to users presented in a CSV file. Any source of data that present unique records can be used as an event source for notifications – the possibilities are limitless.
In relation to account management, notifications are often use to send details of new accounts to line managers or Directory Manager administrator, to advise users and managers of changes or to advise of pending expiration, but the notifications service can be used to advise staff of many events. Contact the service desk to discuss your requirements.
Why have I not received a notification?
If a notification was expected after a specific process, or a daily notification was not received at the agreed time, these are the following factors you can check:
- Services (Please see the section regarding services)
- Notification configuration (Please see checking the configuration for my notifications)
- ‘Stuck’ Processing (Please see the section regarding services)
Services
How can I tell if the services are running?
If you believe the services or your transactions have stalled, log in to the Directory Manager Web Portal and navigate to the ‘About Directory Manager’ page. You will see the ‘Heartbeat’ of each Directory Manager Service, these should be ‘heart beating’ at regular intervals (30 seconds by default) and recent operations.
If one of your services is not running properly, there is a chance that it has stopped, in order to review this if you log on to the Directory Manager server and load the Services management console and check all BDS services are running.
If the heart beats are updating regularly and you still believe the services or transactions to be stuck if you look at the tables on the about section of the portal anything that is highlighted in red is the current stage of the service, if any of these have lasted longer than an hour they may need manual intervention, if you contact the BDS Service desk we will take a look at why they are stuck and restart them safely.
What are the Services?
Directory Manager is made up of three windows services, they are as follows; BDS Directory Manager Input Service, BDS Directory Manager Management Service and BDS Directory Manager Notification Service. The services are set up as Automatic Delayed and are usually run with the Directory Manager Service Account (DMSA).
Web Reports
How can I add more web reports?
If you would like to add more web reports please contact the BDS Service Desk and we will arrange implementation for you.
What are Web Reports?
Directory Manager contains a reporting tool known as Web Reports. There are two different types of reports available, these being ‘Parameterised List’ and ‘List’ reports. Where ‘List’ reports are pre-generated lists, ‘Parameterised List’ reports allow you to specify a value to filter the report on. For example, a report may give the option to search via Surname, meaning that the report will only show records that have the specified Surname value. Web reports can be viewed directly in the browser or can be exported and stored locally.
