
AD Lifecycle Automation

LIVE

Onboarding + Offboarding

A production-grade system that covers the full Active Directory user lifecycle — provisioning new employees and deprovisioning departing ones — in under 60 seconds each, with full audit trails, actor tracking, and real-time Slack alerts at every step.

<60s

To onboard a new hire

<60s

To fully offboard a user

4

n8n workflows running live

0

Silent failures — every error is alerted

Overview

Onboarding

An IT team member fills out a web form with the new hire's details. The system generates a username, creates a strong random password, places the account in the correct OU, assigns all requested groups, logs the full execution, and sends a Slack notification — all automatically.

Offboarding

IT searches for the departing user directly in the web app, selects them from live AD results, and confirms. The system immediately disables the account, removes them from every AD group, logs who triggered it, and alerts Slack — with full error handling if anything fails.

Who it's for

IT and infrastructure teams that need a reliable, auditable, and consistent process for both ends of the employee lifecycle — eliminating the security risks and time cost of manual AD administration.

Before vs. After

Manual Process

Onboarding a new hire

10–15 minutes per hire

Manually create account, set password, assign OU, add to groups

Typos & wrong OU placements

Human error on usernames, departments, or group assignments

No audit trail

Who created this account? When? Which groups did they assign?

Offboarding a departing employee

15–30 minutes per departure

Find account, disable it, manually remove from every group one by one

Account left active for days

Delayed offboarding = active credentials after someone has left

Orphaned group memberships

Groups get missed — ex-employees retain access to shared resources

No record of who triggered it

No accountability, no compliance trail

With This System

Onboarding a new hire

Under 60 seconds

Username generated, account created, groups assigned — automatically

Consistent every time

Same logic, same output — zero drift between admins

Partial success detection

If a group fails, the account is still created and IT is alerted with exactly what needs attention

Offboarding a departing employee

Under 60 seconds

Search, confirm, done — account disabled and all groups removed

Immediate account disable

The account is disabled the moment IT confirms, so new logons stop immediately. Tickets and sessions the user already holds stay usable until they expire (Kerberos service tickets default to a 10-hour lifetime), so for a hostile departure also reset the password and terminate active sessions.

Complete group cleanup

Every group membership removed — no orphaned access left behind

Full accountability

Who triggered it, when, and what happened — logged permanently

Onboarding: ~92% time reduction

From 10–15 minutes of manual work to under 60 seconds, every time

Offboarding: ~97% time reduction

From 15–30 minutes of manual cleanup to under 60 seconds

The Solution: Two Pipelines

A single LDAP-authenticated web application backed by four n8n automation workflows — one for each lifecycle operation.

Onboarding Pipeline

1

LDAP-Authenticated Login

IT staff log in with their Active Directory credentials. The backend verifies them with an LDAP bind against the domain and issues a session cookie that the onboarding and offboarding endpoints require.

2

Onboarding Form Submission

The authenticated user fills in new hire details and selects permission groups dynamically loaded from Active Directory.

3

Input Validation & Sanitization

Every field is trimmed, checked against a length limit and an allowlist of permitted characters, and rejected if it contains PowerShell or LDAP metacharacters, all before anything touches AD.

4

AD User Provisioning via PowerShell

A hardened PowerShell script, run on the domain controller over SSH, generates the username, creates a strong random password, places the user in the correct OU and adds the requested groups. Because the script executes with the SSH account's rights, that account should hold only delegated create and modify permissions on the target OUs rather than Domain Admin membership.

5

Partial Success Detection

Requested groups vs actually assigned groups are compared. If any failed, the user is still created and IT is alerted with exactly which groups need manual attention.

6

Audit Logging to Data Tables

Every execution logged to two n8n Data Tables: New Hire - Onboarding (full record) and Workflow Execution Log (START and END events with timing, result, and actor).

7

Slack Notifications

Real-time alerts: Success (account details, never the password), Partial Success (which groups failed), Data Table Failure (if logging itself fails).

Offboarding Pipeline

1

LDAP-Authenticated Login

Same secure login as onboarding — only authorized IT staff can access the offboarding tab.

2

Live User Search

IT types a name or username. A dedicated n8n workflow queries Active Directory in real time and returns matching accounts with department and status.

3

Select & Confirm

IT selects the correct user from the live results and confirms the offboarding action before anything is executed.

4

Account Disable + Group Removal via PowerShell

A hardened PowerShell script disables the AD account and removes the user from every group they belong to, automatically and completely. The one membership it cannot remove is the user's primary group (Domain Users by default), which AD refuses to drop; once the account is disabled that membership grants no access.

5

Parse & Report Result

The workflow parses the PowerShell output: which groups were removed, which failed (if any), and whether the account was successfully disabled.

6

Execution Logging (START + END)

Full lifecycle of the offboarding execution is logged to a dedicated data table — actor, timestamp, result, execution time, and error details if any.

7

Slack Alerts

Success notification with groups removed count. If SSH fails: immediate Slack alert. If data table insert fails: separate Slack alert so nothing goes unnoticed.
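The "parse & report result" step of both pipelines (onboarding step 5, offboarding step 5), as an added example for this page and not the project's own n8n code. It assumes each PowerShell script finishes its output with one JSON object shaped like the constructed samples below; those field names are assumptions, not the project's schema. The same function also drops the generated password from anything that is about to be logged or sent to Slack.

```javascript
// Added example (not the project's own code): the "parse & report result" step
// as an n8n Code node could implement it for both pipelines. It assumes each
// PowerShell script ends its output with one JSON object shaped like the
// constructed samples below; those field names are assumptions, not the
// project's actual schema.

// PowerShell may print warnings before the JSON, and ConvertTo-Json may emit one
// compressed line or a pretty-printed block. Anything that does not parse comes
// back as null so the caller treats it as a failed run, never as a success.
function parseScriptOutput(stdout) {
  const s = String(stdout || '');
  const lines = s.split(/\r?\n/).map(l => l.trim());
  for (let i = lines.length - 1; i >= 0; i--) {
    if (!lines[i].startsWith('{')) continue;
    try { return JSON.parse(lines[i]); } catch { break; }
  }
  const a = s.indexOf('{'), b = s.lastIndexOf('}');
  if (a < 0 || b < a) return null;
  try { return JSON.parse(s.slice(a, b + 1)); } catch { return null; }
}

// Onboarding: requested vs actually assigned groups. The account exists even
// when some groups failed, so the outcome is "partial" with one action item per
// missing group. The password rides along for the webhook response only.
function classifyOnboarding(run) {
  const r = run.exitCode === 0 ? parseScriptOutput(run.stdout) : null;
  if (!r || !r.username) {
    return { status: 'failure', alert: 'ssh_or_script_failure',
      actionRequired: [`Check the provisioning script: ${run.stderr || 'no output'}`] };
  }
  const assigned = new Set(r.groupsAssigned || []);
  const missing = (r.groupsRequested || []).filter(g => !assigned.has(g));
  const errors = r.groupErrors || {};
  return {
    status: missing.length ? 'partial' : 'success',
    username: r.username, ou: r.ou, missingGroups: missing,
    actionRequired: missing.map(g => `Add ${r.username} to ${g} manually (${errors[g] || 'no detail'})`),
    password: r.password,
  };
}

// Offboarding: the disable is the security-critical step, so a still-enabled
// account is a failure no matter how many groups were removed.
function classifyOffboarding(run) {
  const r = run.exitCode === 0 ? parseScriptOutput(run.stdout) : null;
  if (!r || !r.username) {
    return { status: 'failure', alert: 'ssh_failure',
      actionRequired: ['Check the Windows Server and the offboarding script', run.stderr || 'no output'] };
  }
  const failed = r.groupsFailed || {};
  const actionRequired = [];
  if (!r.disabled) actionRequired.push(`Account ${r.username} is still ENABLED: disable it manually now`);
  for (const g of Object.keys(failed)) actionRequired.push(`Remove ${r.username} from ${g} manually (${failed[g]})`);
  const status = !r.disabled ? 'failure' : Object.keys(failed).length ? 'partial' : 'success';
  return { status, username: r.username, disabled: !!r.disabled,
    removedCount: (r.groupsRemoved || []).length, failedGroups: Object.keys(failed), actionRequired };
}

// Everything bound for a data table or Slack goes through here; the password key
// is dropped so it can only ever reach the screen of the person who ran the job.
function reportable(classified) {
  const { password, ...safe } = classified;
  return safe;
}

// Constructed sample runs (not real output from any domain controller).
const SAMPLE_ONBOARD_RUN = {
  exitCode: 0, stderr: '',
  stdout: 'WARNING: slow reply from DC01\n' + JSON.stringify({
    username: 'amuller', password: 'Q7w%kd2PzX+9eLm4RtV=', ou: 'OU=Finance,OU=Staff,DC=corp,DC=example',
    groupsRequested: ['GG-Finance-Users', 'GG-VPN'], groupsAssigned: ['GG-Finance-Users'],
    groupErrors: { 'GG-VPN': 'Insufficient access rights' },
  }),
};
const SAMPLE_OFFBOARD_RUN = {
  exitCode: 0, stderr: '',
  stdout: JSON.stringify({ username: 'jdoe', disabled: true,
    groupsRemoved: ['GG-Sales-Users', 'GG-VPN', 'GG-Printers'], groupsFailed: { 'GG-Legacy-App': 'Access is denied' } }, null, 2),
};
const SAMPLE_SSH_FAILURE = { exitCode: 255, stdout: '', stderr: 'ssh: connect to host dc01 port 22: Connection refused' };
```

The two classifiers deliberately differ in what counts as failure: a missing group after onboarding leaves a usable account and is reported as partial, while an account that is still enabled after offboarding is a failure even if every group was removed.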

Architecture

React Frontend

Onboarding + Offboarding tabs

Express Backend

LDAP Auth · CSRF · Rate Limiting

n8n Webhooks

4 workflows

PowerShell via SSH

Domain Controller

Active Directory

Create · Disable · Groups

n8n Data Tables

New Hire Log · Offboard Log · Execution Logs

Slack Webhooks

Success · Partial · Failure alerts

Four Workflows Running in Production

n8n Workflow - Get AD Groups for Onboarding Form

Get AD Groups (Onboarding)

Called when the onboarding form loads. Fetches all available permission groups from Active Directory via SSH + PowerShell, categorized by department and function.

n8n Workflow - New Hire Onboarding

New Hire Onboarding

The main onboarding pipeline. Validates input, provisions the AD user, detects partial group failures, logs to two data tables, and sends Slack alerts — with error handling on every path.

n8n Workflow - Search AD Users for Offboarding

Search AD Users (Offboarding)

Called when IT types in the offboarding search box. Queries AD in real time and returns matching users with department, title, and account status. Logs every search with query and result count.

n8n Workflow - Offboard Users

Offboard Users

Disables the AD account, removes from all groups, logs START and END execution events with timing and actor info, and sends Slack alerts — with dedicated error paths for SSH failures and data table failures.

Security

LDAP Authentication

Only authenticated AD users can reach the system; there is no anonymous access to either onboarding or offboarding. Because a successful LDAP bind only proves the caller holds a valid domain account, restricting the tool to IT staff has to be enforced as a group-membership check on top of the bind, not by the bind alone.

Actor Tracking

Every action — hire or departure — records who initiated it (username, display name) in every data table and Slack alert.

Input Sanitization

All input is validated before it reaches Active Directory: anything containing LDAP filter or PowerShell metacharacters is rejected with an error rather than silently stripped, so a value that reaches AD is exactly what IT typed.
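Safe construction of the live-search LDAP filter (the offboarding search box), as an added example for this page rather than the project's own code. Search terms cannot be rejected outright, since a name legitimately contains almost anything, so they are escaped per RFC 4515 instead; the filter shape, the attribute set and the constructed entries are assumptions about what the search workflow queries.

```javascript
// Added example (not the project's own code): building the live-search LDAP
// filter safely. The attribute set and filter shape are assumptions about what
// the search workflow queries; the escaping itself follows RFC 4515.

// RFC 4515 escaping for a value placed inside a filter: the four characters that
// change filter structure, plus NUL, become \XX hex sequences.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, c => ({
    '\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\0': '\\00',
  })[c]);
}

// Substring match on sAMAccountName or displayName, limited to user objects. A
// minimum term length stops a lone "*" from listing the whole directory; the
// caller should also pass a sizeLimit to the search.
function buildUserSearchFilter(term) {
  const t = String(term).trim();
  if (t.length < 2 || t.length > 64) throw new Error('search term must be 2 to 64 characters');
  const v = escapeLdapFilterValue(t);
  return `(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=*${v}*)(displayName=*${v}*)))`;
}

// Enabled status is the ACCOUNTDISABLE bit (0x2) of userAccountControl.
const ACCOUNTDISABLE = 0x2;
function isEnabled(userAccountControl) {
  return (Number(userAccountControl) & ACCOUNTDISABLE) === 0;
}

// Shape one directory entry into what the offboarding tab displays.
function toSearchResult(entry) {
  return {
    username: entry.sAMAccountName,
    displayName: entry.displayName || '',
    department: entry.department || '',
    title: entry.title || '',
    enabled: isEnabled(entry.userAccountControl),
  };
}

// Constructed entries standing in for what ldapjs would return (not real data).
const SAMPLE_ENTRIES = [
  { sAMAccountName: 'jdoe', displayName: 'Jane Doe', department: 'Sales', title: 'Account Manager', userAccountControl: 512 },
  { sAMAccountName: 'rdoe', displayName: 'Rob Doe', department: 'IT', title: 'Intern', userAccountControl: 514 },
];
```

With escaping in place a term such as `a)(userAccountControl=*` stays inside its own substring clause instead of rewriting the filter, which is the LDAP-injection case the page refers to.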

CSRF Protection

A double-submit cookie pattern (a token in a cookie that must match the same token sent with the request) prevents cross-site request forgery on both onboarding and offboarding endpoints. The token must be unpredictable, and binding it to the session (for example with an HMAC over the session id) closes the gap where an attacker able to set a cookie on a sibling subdomain could plant a matching pair.

Rate Limiting

All API endpoints are rate-limited per client IP; offboarding is limited more strictly, to 5 requests per minute. Behind a reverse proxy, Express must be told to trust that proxy so the limit is keyed on the real client address, and a client-supplied X-Forwarded-For header must never be trusted on its own; otherwise every user shares the proxy's address, or a caller evades the limit by rotating the header.

No Stored Passwords

Generated passwords are returned once to the screen and never written to any data table, log, or Slack message.

What Happens When Something Fails

The system is designed to fail safely, loudly, and traceably. No silent failures — every error path has a handler.

Onboarding Failures

  • Invalid input: Caught before reaching AD. The form returns a clear error — nothing is created.
  • Partial group failure: Account is still created and usable. A Slack alert lists exactly which groups failed with a clear "Action Required."
  • Data table insert fails: A separate Slack alert fires so the team knows the audit log needs manual attention.

Offboarding Failures

  • SSH connection fails: Immediate Slack alert with the error, username, and a clear action required — check the Windows Server and PowerShell script.
  • Groups fail to remove: The account is still disabled. Slack lists which groups need manual cleanup.
  • Execution log insert fails: A dedicated Slack alert fires — offboarding still completes and the result is returned to the website, but IT is told to manually log the event.

Execution logging on both workflows: START and END events are written independently. Even if a workflow crashes mid-execution, the START record is already in the log — so you always have visibility into what was attempted and when.
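The START/END logging and the failure paths above, as an added example for this page rather than the project's n8n workflow. The sinks are in-memory stand-ins for an n8n Data Table insert and the Slack webhook, and the `op` callback stands in for the SSH/PowerShell step; the record fields and alert kinds are assumptions.

```javascript
// Added example (not the project's own code): START/END execution logging
// around one lifecycle operation, with the failure paths the page describes.
// The sinks are in-memory stand-ins for an n8n Data Table insert and the Slack
// webhook; the op callback stands in for the SSH/PowerShell step.
class DataTableError extends Error {}

function makeSinks() {
  return {
    rows: [], alerts: [], failInsert: false,
    insert(row) {
      if (this.failInsert) throw new DataTableError('data table insert failed');
      this.rows.push(row);
    },
    slack(alert) { this.alerts.push(alert); },
  };
}

function alertInsertFailure(sinks, base, event, err) {
  sinks.slack({ level: 'error', kind: 'data_table_failure', ...base, event,
    detail: err.message, action: `Log the ${event} event for ${base.target} manually` });
}

// START is written before the risky step; END is written in finally, so a crash
// between them still leaves the START row as evidence of what was attempted.
// A logging failure is alerted on its own channel and never blocks the result.
function runLogged(sinks, { operation, actor, target }, op) {
  const base = { operation, actor, target };
  const startedAt = Date.now();
  try { sinks.insert({ event: 'START', ...base, at: startedAt }); }
  catch (e) { alertInsertFailure(sinks, base, 'START', e); }

  let outcome;
  try {
    const result = op();
    outcome = { status: result.status, detail: result };
  } catch (e) {
    outcome = { status: 'failure', detail: { error: e.message } };
    sinks.slack({ level: 'error', kind: 'ssh_failure', ...base, detail: e.message,
      action: 'Check the Windows Server and the PowerShell script' });
  } finally {
    const endedAt = Date.now();
    try {
      sinks.insert({ event: 'END', ...base, at: endedAt, durationMs: endedAt - startedAt,
        status: outcome.status, detail: outcome.detail });
    } catch (e) { alertInsertFailure(sinks, base, 'END', e); }
  }
  if (outcome.status === 'success') sinks.slack({ level: 'info', kind: 'success', ...base, detail: outcome.detail });
  if (outcome.status === 'partial') sinks.slack({ level: 'warn', kind: 'partial_success', ...base, detail: outcome.detail, action: 'Action required' });
  return outcome;
}

// Usage (constructed): one clean offboarding, then an SSH connection failure.
const demo = makeSinks();
runLogged(demo, { operation: 'offboard', actor: 'it.admin', target: 'jdoe' }, () => ({ status: 'success', removedCount: 3 }));
runLogged(demo, { operation: 'offboard', actor: 'it.admin', target: 'rdoe' },
  () => { throw new Error('ssh: connect to host dc01 port 22: Connection refused'); });
```

The ordering is the point: the START row exists before the SSH step runs, the END row is attempted no matter how that step ends, and a data-table outage produces two alerts (one per event) while the caller still gets its result.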

Key Features

LDAP-Authenticated Web App

Single secure application for both onboarding and offboarding — login once with AD credentials

Live AD Search

Offboarding tab queries AD in real time — search by name or username, results include department, title, and enabled status

Dynamic Group Loading

Onboarding form fetches permission groups live from AD — always up to date, no hardcoded lists

Full AD Provisioning

Username generation, secure password, correct OU, all groups — or account disable and complete group removal

Partial Success Detection

Onboarding compares requested vs assigned groups — partial failures are surfaced, not hidden

Actor Tracking

Every hire and departure is tied to the IT member who triggered it — across all data tables and Slack alerts

Multi-Table Audit Logging

Dedicated tables for onboarding records, offboarding records, and execution logs for both workflows

Real-time Slack Alerts

Success, partial success, SSH failure, and data table failure — every outcome has a notification

Hardened PowerShell Scripts

LDAP injection prevention, safe character sets, structured JSON output, full error handling

Screenshots & Demo

LDAP Login Page

LDAP Login — AD credentials, session-based auth

Slack Partial-Success Alert

Slack Partial-Success Alert — which groups failed and why

Onboarding Form with Department and Group Selection

Onboarding Form — dynamic groups loaded live from AD

Offboarding Form — Search and Select User

Offboarding Form — live AD search, confirm before action

Data Tables with Actor Tracking Columns
Click to enlarge

Data Tables — actor tracking, execution time, result status

📽️ Demo Walkthrough

Full demo: login → onboarding form → user created → Slack alert

Tech Stack

Frontend

React · TypeScript · Tailwind CSS · Vite

Backend

Node.js · Express · LDAP (ldapjs) · Zod Validation · CSRF Protection

Automation

n8n · PowerShell · SSH

Infrastructure

Active Directory · Docker · Slack Webhooks · n8n Data Tables

Development Timeline

Built and hardened across four phases:

1
COMPLETED

Core Onboarding Automation

Input validation, AD provisioning via PowerShell, partial success detection, execution logging, and Slack alerts.

2
COMPLETED

Security Hardening

Removed password storage from logs, hardened PowerShell character sets, LDAP injection prevention, polished Slack messages.

3
COMPLETED

Actor Tracking & Web App

LDAP-authenticated website integrated with all workflows. Every action records who initiated it across all logs and alerts.

4
COMPLETED

Offboarding Automation

Full offboarding pipeline: live AD search, account disable, complete group removal, execution logging, SSH and data table failure alerts.
