RE: [ActiveDir] Group Management

2005-07-01 Thread joe



JoeK... quite honestly, it almost sounds like you could sell this beast. I am sure there are things very specific to your business, but I expect you could tweak what you have into something others could use. It sounds pretty cool to me.


This message is 
for the designated recipient only and may contain privileged, proprietary, or 
otherwise private information. If you have received it in error, please notify 
the sender immediately and delete the original. Any other use of the email by 
you is prohibited.


RE: [ActiveDir] Group Management

2005-07-01 Thread joseph.e.kaplan








Thanks.  J



We probably should. The app belongs to the company and they tend to go to market with services, not software products, but it is the kind of thing that could help sell consulting jobs. Unfortunately, there tends to be a disconnect between the internal IT guys (me) and the go-to-market guys, so I doubt anyone has even considered it.



The major issue with generalizing it is that there are a bunch of pieces that are somewhat naïve and would not work in other orgs without some thought. For example, we have a single domain model (ok, empty parent, but it really doesn't count), so we get to make a lot of assumptions based on that. We also only create global groups as that works fine in our model, so we don't even offer the user an option there and get to make lots of assumptions about how nesting can work.



Still, it is a good idea.  



Joe K.











RE: [ActiveDir] Group Management

2005-06-30 Thread joe



I think you need to solve your business issues before your technical issues. The technology is certainly readily available to handle this type of work if you want to build it. However, you need to be able to feed rules into the system to follow, or else the systems, no matter how complex, will be as worthless as not having anything and not help you as you stand right now.


You must find owners for all groups, and those owners need to be responsible for the membership. Doing this at a centralized manned level will kill you and be a good way for mistakes to come in and people to get access to things they shouldn't, as you indicate.




RE: [ActiveDir] Group Management

2005-06-30 Thread joe



I agree with JoeK, keep this info all together. I have visualized a system that synced back and forth to AD/AM though. But that was to set it up so that the ACL manipulations were in AD/AM and then any changes in AD/AM were double-checked, logged, and then shot over to AD so you knew exactly when changes occurred. Of course you can also do this through a web interface, but if you have anyone who manages large numbers of groups, they themselves will probably want some programmatic mechanism to do updates.




RE: [ActiveDir] Group Management

2005-06-30 Thread joseph.e.kaplan








I could not agree more with Joe on this point too. We have a bunch of business rules that work really well for us, but they definitely aren't for everyone. For example, most organizations would not allow all users to create and delete groups willy-nilly like we do. I can actually change that quite easily via config to restrict that to a particular group or groups, but the business users want it the other way. End user maintenance of groups for line of business apps is very important to the model.



The other piece I never mentioned was that we have a separate app for creating query-based groups as well. Essentially, the main website for groups is for ad hoc membership. The other app is essentially a batch process that generates groups based on LDAP queries. Anything that can be built and maintained based on schema is done that way. We also have about 75 user account schema additions for pushing in all sorts of data from the HR system to make it easy to create these groups. We do this with a custom app so that we can get security and DL groups (the current query-based groups are for DLs only, unless you are talking about the AzMan query groups, which isn't enough for us) and so we can do custom nesting to accommodate syncing the group structure to Domino, which has bigger limits on group sizes.



Joe K.












RE: [ActiveDir] Group Management

2005-06-30 Thread joseph.e.kaplan








ADAM would have been cool if it had existed when we built this. There are a bunch of things I would do differently now if ADAM had been an option sooner. Our crazy certificate system comes to mind.



I actually started off with an ACL model for security and eventually had to ditch it, as they are essentially opaque to LDAP queries and made it impossible to do things like list all of the groups a user can modify in the system. We ultimately determined also that we did not want them to actually be able to modify groups directly since there were business rules we need to enforce that AD could not do for us (limiting max size of a group, for example).



There actually is part of a web services interface to the system for allowing programmatic updates. This never went very far because there weren't any people who needed to actually use it when we started building it. However, the architecture of the app makes it very simple to bolt on other UIs and interfaces to the core business logic classes. There are also some tools in the web UI for doing bulk imports and exports of membership lists to help with some of the laborious chores.



Speaking of logging, that is another great benefit of this system. Every single operation is audited in a separate system (this one SQL-based) to keep a change history of what took place. This audit function is a centralized system for all IAM apps in the company so that all of the contact, user and service account histories are all logged to the same system. This is especially nice because I can get a comprehensive history of all updates to any of the managed objects this way.



Joe K.












RE: [ActiveDir] Group Management

2005-06-29 Thread Ken Cornetet



We have a centralized security department, and we used to do group management this way. As you found, it gets to be a chore, and the security people really don't know what the groups are for anyway.

What we ended up doing was creating an OU structure that mimics our business unit divisions [1]. Each unit's groups are stored under their OU. We have one person at each business called a "security administrator". Each security administrator has rights to manage all the groups in their OU. Their job is to accept security-related requests from their users and either handle them themselves (in the case of group management), or forward them to corp security (new user setup, etc.).

[1] We use alias names for each business unit (i.e. bu01, bu02, etc.) because business units have a nasty habit of changing names.



RE: [ActiveDir] Group Management

2005-06-29 Thread Ken Cornetet



Brian, I have a perl CGI script that allows the owner of a group to manage its members. We use it for distribution lists, but it would work for any groups.

It might take a few mods to work in your environment, but you are welcome to it if you like.



RE: [ActiveDir] Group Management

2005-06-29 Thread joseph.e.kaplan








No, it seemed to make more sense to put it in AD and keep it all in the same place. Using DN syntax attributes to represent the users and groups allows us to take advantage of any changes to those objects without having to implement a sync process and gives us a lot of useful semantics such as no duplications and such.



There is a goofy sync app that we have that pushes stuff one way to our Domino system that does use some SQL for metadata, but that was a different circumstance. That whole app could probably be replaced with MIIS very easily now if we had any will to do so.



Joe












[ActiveDir] Group Management

2005-06-28 Thread Raymond . Balaian

Hi all, sorry up front for the long post.

I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group. I don't mean the security around the administration, but the supporting business processes and workflows.

We've just centralized security administration, and this has created a problem with group administration on quite a large scale.

Our security admins will get a request to add UserA to GroupA. Since they have inherited the job, there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept. If it's a group that ultimately gets you admin rights on all SQL servers or access to patient data... you can see the problem developing here. The problem is really two-fold: the security aspects, as well as the time it takes to complete the request. (Multiply it by 1500 requests a day and the admins are really backed up.)

I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful? Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it.

Thanks in advance,
rb



RE: [ActiveDir] Group Management

2005-06-28 Thread Brian Desmond








I wish we had a system to do that here. I won't create any group without the managedBy attribute being populated. This way I can then pass off the membership management to whomever. I haven't really identified yet the magnitude of the problem here, but we're going to figure out a way to get that attribute populated on as many groups as possible, and then it will tie into a web portal for AD mgmt that we're developing in house. IMHO that's the way to go.





Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
















RE: [ActiveDir] Group Management

2005-06-28 Thread joseph.e.kaplan








We do the vast majority of our group management via a custom web interface. The system is self-service and requires no approval process for creating a group. We do enforce some semantics and business rules though. For example, we enforce specific naming conventions, require a sponsor to be named (manager+ level internally), 2+ owners (can be valid users or other security groups) and a valid description. We allow users to create security groups, mail-enabled distro groups or mail-enabled security groups.



Owners can modify or delete the group. Name changes are not allowed after creation.



We also support email change notifications for different types of events, an expiration process where groups have to be renewed periodically, and a background process that ensures that groups maintain the business rules enforced by the UI in the event that sponsors and owners leave the organization or owner groups are deleted.



This app manages about 60K groups in a single domain with about 110K users. It works really well for us. The original web app took about 2 months for 2 guys to build and is 100% ASP.NET. Note that all of the security in the app is application-managed, in that a super user account makes all of the modifications and enforces the security policy in the business rules. We chose this approach to prevent people from using ADUC to modify groups, or any other LDAP code. We also use custom schema for representing all of the security attributes instead of DACLs, as DACLs are a PITA to program and can't be queried effectively (which groups do I own or sponsor? etc.).



Joe K.













RE: [ActiveDir] Group Management

2005-06-28 Thread Brian Desmond

Did you consider using SQL to store all the metadata for the groups? That's
what I'm doing now, or planning to, but I'd be interested to hear, if
you debated this, what the final reasoning was.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Management

We do the vast majority of our group
management via a custom web interface. The system is self-service and
requires no approval process for creating a group. We do enforce some
semantics and business rules though. For example, we enforce specific
naming conventions, require a sponsor to be named (manager+ level internally),
2+ owners (can be valid users or other security groups) and a valid
description. We allow users to create security groups, mail-enabled
distro groups or mail-enabled security groups.

Owners can modify or delete the group. Name changes are not allowed after creation.

We also support email change notifications for different types of events, an
expiration process where groups have to be renewed periodically and a background
process that ensures that groups maintain the business rules enforced by the UI in
the event that sponsors and owners leave the organization or owner groups are deleted.

This app manages about 60K groups in a single domain with about 110K users. It
works really well for us. The original web app took about 2 months for 2 guys to
build and is 100% ASP.NET. Note that all of the security in the app is
application-managed, in that a super user account makes all of the modifications
and enforces the security policy in the business rules. We chose this approach to
prevent people from using AD UC to modify groups or any other LDAP code. We also
use custom schema for representing all of the security attributes instead of DACLs
as DACLs are a PITA to program and can't be queried effectively (which groups do I
own or sponsor? etc.).

Joe K.
