Using AD as a general purpose directory [closed]

Is there anyone using AD as a general-purpose directory (meaning for uses other than domain authentication / authorisation and stuff)?


Solution 1:

I worked for a large (100k+ users) environment where the AD was used to hold a significant amount of general employee information - in addition to the usual e-mail and user/department names, we also had multiple phone numbers, physical office location (down to in-building office location), organisational hierarchy (who worked for whom), employee number, photo thumbnail, normal time zone, start date and a bunch of other stuff that I can't recall now.

Admittedly we had a pretty slick in-house set of controlled-access APIs (and an authorization process to go with approving access to them) that allowed us to control delegation of rights to update specific AD properties on a per-user/per-group basis, so it was easy to tie updates to these AD properties safely into HR apps, which is where the management of this sort of data was handled.

As a user in a large organisation I found that having this sort of info available was really useful, and being able to get this sort of data via a simple LDAP query within my own apps without having to jump through hoops to gain access to HR databases was also very useful.

Solution 2:

If you use Exchange this can be helpful by allowing people to look up others in the global address book, particularly for large organizations. If you don't use Exchange, there's probably not a whole lot of benefit to this without some custom programming.

Having said that, as a smaller organization we used to run Exchange, still run AD, and have never put non-login information into it except full name and in a few cases department affiliation.

I should add, the biggest roadblock to this is that keeping the AD updated is a function of IT and in many organizations there's not a good process to get the kinds of information that would populate a general-purpose directory from, e.g., HR to IT -- often security or required permissions are the IT priority for new hires and updates.

Solution 3:

We use the telephone information, organisational information (fed from our HR system) and a few extensionAttributes for misc. stuff. The organisational information is invaluable from an IT perspective, as you can quickly see who you're dealing with, or contact teams as opposed to individuals. The telephone information can be queried using a simple web front end. Users have also got used to seeing quite a bit of info via Outlook. Oh, the organisational info also gets used to dynamically populate some global groups, based on what department you're in. These groups are then used to provide department-based access. In short, AD is a good place to hold stuff like this.