Wasn't different than the one I was thinking of. I wasn't thinking of the gentleman sailor, scholar, and world-traveller from NZ though.
I'm well aware that the Tony you speak of is a Microsoft employee who's considering writing a utility to fill a gap he likely sees among his customers. I was suggesting earlier, as were several others, that this functionality may already exist and that Tony should be made aware of it and possibly should check with the AD and Exchange produt teams and maybe even OTG (or whatever they're called today in case I missed the memo.)
Al
On 12/28/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Tony Bailey
Senior Product Manager
Security and Compliance Solutions
http://www.microsoft.com/security/guidance/default.mspx
Sorry possibly a different Tony that what you may be thinking?
Al Mulnick wrote:List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/Wouldn't Tony already be aware of such things?DL/DG management is not a new issue by any stretch. It gets new life because the DG can now also be a SG which makes it more important to understand the ramifications of creating a new DG.The Dev team should well aware of such things and should also be familiar with the Microsoft solutions used in-house (which are not always available to the public).Personally, if they're going to roll a solution for group management, don't limit it to those using Exchange and therefore have DG's that are also SG's. Make it a group management function (preferred not to be based on expensive DB technology) that encompasses customers of AD (the common denominator). It would not bother me if there were added functions that you could get with Exchange deployed, but don't make it so you have to have it.Any solution created should have the ability to be self or centrally managed in an organization with 1 or more DC's and 1 to 500,000 users (or more?) There should be audit ability as well as the ability to send reminders and validation flows of group membership along with the ability to set business logic rules. An example of that would be to require an owner for every group created. That owner MUST have an account in the AD and it must be active. If not, there must be some sort of override else the group is automatically removed from circulation. This would help greatly with things such as SOX compliance as well as other compliance efforts. Another need to have would be the ability to have the creation of groups follow a pre-defined naming standard. Nice to allow users the freedom to create groups with any name they wish, but that doesn't help with the greater good in an organization over 100 people. Surprisingly (not really) if you put 100 people in a room and ask them to come up with meaningful names for groups, you'd get 101 names for the same group you're going to create. That would be fine in a Yahoo! setting but for corporate use it's unpredictable and next to impossible to manage or worse, troubleshoot. Good naming standards are the responsibility of the corporation's architects and it's up to those standards creation processes to come up with meaningful and useful naming standards. Not the consumers of the service. At least, not if you intend to keep the service available and able to be troubleshot in a timely manner. Besides, who would win if two equal folks decided they wanted the same name for a group? Sword fighting duels are not legal in most countries any longer :)The list goes on, but there are many things that this type of tool can be useful for. I think many of the third party solutions that are mentioned later in the thread are very good, but if Microsoft is going to create such a product, they should consider what it's intended uses are and balance that against what exists and what problems their customers need to solve. They should also consider the implications of creating a product that competes with their partners.Finally, Susan, if you know Tony, you might suggest that he talk with the Exchange and AD product teams. I'm sure they have somebody who is aware of the issues and the currently available solutions from partners. It's possible there's still some room for additional solutions, but it would be good for him to research with them to avoid overlap where it may not be needed.Then again, what would I know about it? ;-)
On 12/27/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED]> wrote:Got a list? You might want to ping Tony so he doesn't reinvent the
wheel :-)
Brian Desmond wrote:
>Tools exist form MS in the past, 3rd party, and in many large orgs home baked stuff...
>
>Thanks,
>Brian Desmond
> [EMAIL PROTECTED]
>
>c - 312.731.3132
>
>________________________________
>
>From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Tue 12/27/2005 9:42 PM
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]
>
>
>
> http://blogs.technet.com/secguide/archive/2005/12/27/416528.aspx
>
>MSSC is looking into the possibility of a solution/tool to help with creation and lifecycle management of email and security distribution groups
>
>* Creating and managing groups within an organization requires unnecessary administrative overhead.
>* Administrators use valuable time creating groups that could otherwise be used for other IT activities.
>* End-user productivity may be hampered by delays in processing requests for creation of groups.
>* End users find it frustrating that they cannot create and manage groups that have meaningful names and users find it hard to manage especially for adding and removing users.
>
>The proposed solution would provide end-users with the ability to create and manage groups through a simple self-help Web portal.
>
>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
