How to reduce our AD account creation and maintenance requests and work load

There are many tools for allowing users self-service password reset. We're using SSRPM which provides both a msgina.dll replacement, which we install on all client stations, as well as web-based access. The reset questions are customizable and you can build profiles for different OUs or Groups.

Delegation of user administration activity is highly recommended. It's fairly simple (implementation-wise) once you've done your planning and design.

  1. Break out your user account group mappings.
    • e.g. User Management Finance, User Management Sales, User Management Password Reset, etc.
  2. Create AD groups which represent these management delegations.
  3. Delegate access to respective OUs/groups for the management groups.
  4. Populate management groups with approved user accounts.

The biggest time saver for us was connecting AD to our HR and Student Management Systems. As we're a customer of the SSRPM product above, our director bought into another of their products -- URMA. I can't recommend this specific product as it is very painful for someone who is already more-than-comfortable with scripting. But the target of the product is more important. You want to find out how to get data from your HR system and script/hack something to import this into AD on a cyclical basis.
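The four delegation steps above, scripted end to end in PowerShell. This is an added example, not code from the answer's author or from any product mentioned; it assumes the RSAT ActiveDirectory module, a hypothetical "OU=Management Groups" container and department OUs (Finance, Sales) under "OU=Users", and member accounts "finance.helper1" / "sales.helper1", all of which are placeholders to replace with your own structure. GUIDs for the schema class, attribute and extended right are resolved from the directory at run time rather than hardcoded.

```powershell
# Added example: delegate user management per department OU (not the original answer's code).
# Assumes RSAT ActiveDirectory module; OU names and member accounts below are placeholders.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName
$groupsOU = "OU=Management Groups,$domainDN"          # placeholder container for management groups

# Step 1: user management mappings (group -> target OU -> what the group may do)
$delegations = @(
    @{ Group = 'User Management Finance';        Target = "OU=Finance,OU=Users,$domainDN"; Scope = 'FullUser';      Members = @('finance.helper1') },
    @{ Group = 'User Management Sales';          Target = "OU=Sales,OU=Users,$domainDN";   Scope = 'FullUser';      Members = @('sales.helper1') },
    @{ Group = 'User Management Password Reset'; Target = "OU=Users,$domainDN";            Scope = 'PasswordReset'; Members = @('helpdesk.team') }
)

# Resolve GUIDs from the schema / configuration partition instead of hardcoding them
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}
$userClassGuid     = Get-SchemaGuid 'user'                 # object class "user"
$lockoutTimeGuid   = Get-SchemaGuid 'lockoutTime'          # attribute written to unlock an account
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password'

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$AllScope    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

foreach ($d in $delegations) {
    # Step 2: create the management group if it does not exist yet
    $grp = Get-ADGroup -LDAPFilter "(name=$($d.Group))" -SearchBase $groupsOU
    if (-not $grp) {
        $grp = New-ADGroup -Name $d.Group -GroupScope Global -GroupCategory Security -Path $groupsOU -PassThru
    }
    $sid = [System.Security.Principal.SecurityIdentifier]$grp.SID

    # Step 3: delegate the minimum rights on the target OU, scoped to user objects only
    $acl = Get-Acl -Path "AD:\$($d.Target)"
    switch ($d.Scope) {
        'PasswordReset' {
            # "Reset Password" extended right on descendant user objects
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow,
                $resetPasswordGuid, $Descendents, $userClassGuid)))
            # write lockoutTime so the helper can unlock accounts as well
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow,
                $lockoutTimeGuid, $Descendents, $userClassGuid)))
        }
        'FullUser' {
            # create and delete user objects in this OU and below
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild), $Allow,
                $userClassGuid, $AllScope)))
            # full control over existing user objects only (not groups, computers, or the OU itself)
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $Allow,
                $Descendents, $userClassGuid)))
        }
    }
    Set-Acl -Path "AD:\$($d.Target)" -AclObject $acl

    # Step 4: populate the management group with the approved accounts
    Add-ADGroupMember -Identity $grp -Members $d.Members
}
```

Because the inherited-object-type GUID is always the "user" class, the Finance and Sales groups cannot touch groups, computers or the OU objects themselves, and the password-reset group gets only the extended right plus lockoutTime. Run it in a lab first, and afterwards review the resulting ACEs with `dsacls "OU=Finance,OU=Users,..."` or `(Get-Acl "AD:\...").Access` so the effective rights match what you planned.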


This depends widely on the structure of your company. If you have an IT department consisting of several groups, it's common to grant those types of roles to a Help Desk section, usually consisting of lower- to mid-level techs.

It's also possible to delegate these rights to individuals within the departments. Select one or two people in each department to be their "IT Helper" (please choose a better name) to whom you can delegate this kind of access. This is especially easy to manage if you already have your AD structure broken out into departments, so that you can assign these individuals to their own OUs without being able to modify those outside of their departments.

These links should help:

  • Implementing Active Directory Delegation of Administration
  • Best Practices for Delegating Active Directory