How to reduce our AD account creation and maintenance requests and work load
There are many tools for allowing users self-service password reset. We're using SSRPM which provides both a msgina.dll replacement, which we install on all client stations, as well as web-based access. The reset questions are customizable and you can build profiles for different OUs or Groups.
Delegation of user administration activity is highly recommended. It's fairly simply (implementation-wise) once you've done your planning and design.
- Break out your user account group mappings.
- e.g. User Management Finance, User Management Sales, User Management Password Reset, etc.
- Create AD groups which represent these management delegations.
- Delegate access to respective OUs/groups for the management groups.
- Populate management groups with approved user accounts.
The biggest time saver for us was connecting AD to our HR and Student Management Systems. As we're a customer of the SSRPM product above, our director bought into another of their products -- URMA. I can't recommend this specific product as it is very painful for someone who is already more-than-comfortable with scripting. But the target of the product is more important. You want to find out how to get data from your HR system and script/hack something to import this into AD on a cyclical basis.
This depends widely on the structure of your company. If you have an IT department consisting of several groups, it's common to grant those types of roles to a Help Desk section, usually consisting of lower- to mid-level techs.
It's also possible to delegate these rights to individuals within the departments. Select one or two people in each department to be their "IT Helper" (Please choose a better name) to whom you can Delegate this kind of access to. This is especially easy to manage if you already have your AD structure broken out into department, so that you can assign these individuals to their own OUs without being able to modify those outside of those departments.
These links should help:
- Implementing Active Directory Delegation of Administration
- Best Practices for Delegating Active Directory