Allowing the HR Department to enter users into Active Directory / Exchange instead of IT?

windows-server-2008 active-directory exchange-2010

It is certainly possible to delegate a limited set of privileges to manage user objects. I work at an educational service provider, and on of our departments deals with a lot of students that are only present for a couple weeks, and they are constantly coming and going. It would be a pain for us to manage the accounts for them. So we delegated privileges to one of the staffers for that program.

We haven't decided not to do it, but we had been investing integrating our payroll system directly into the AD via SIF. It should be possible for the accounts to automatically be created. All the software exists to do this, but since we are not a traditional school it didn't exactly fit our requirements.

If you do choose to delegate this, you may need to evaluate your security requirements. Perhaps you can let HR create the accounts, but don't permit them to modify group membership. That way it requires some kind of request to someone to double check the privileges requested are valid for that person.


One of my AD deployments involves hundreds of overseas employees and a multitude of projects. One of the products we work with also required a separate logon, much as you describe.

I was not able to find a unified way to allow access to the second product. In the end I went with their AD integration as hokey as it is.

Delegating permissions to staff outside of IS became a definitive business requirement. At the end of the day we had a couple levels of delegate access - one which allows non IS users to create projects and do general AD management tasks (limited to one branch of AD) and another for user management including new users, group membership and password resets.

The biggest thing I found is that it is imperative to set permissions on your groups as well. If set up properly your delegated users will be able to move users between common groups without the ability to perform privilege escalation attacks.


Where I've been that would be a task that is completed by the System Administrator using information provided by the HR department through a work order or ticket system.

I have configured Active Roles Server for a help desk I supported which you could use to do what you're trying to do but you'd have to decide if the effort is justified based on your user base.

Related

What equivalent technologies to Microsoft's forthcoming ReFS exist for Linux/Unix?
Tools for Remote Control of Linux over internet [closed]
Fastest way to chown a whole device (xfs)
HTTP requests "\x80z\x01\x03\x01" in my Apache logs
Can't SSH into Linux server
MySQL Error on Startup: ambiguous option '--log=/var/log/mysqld.log'
Is an ntpdate correction atomic?
Domain joined PC not appearing in AD or SBS Console
ZFS over iSCSI high-availability solution
Daemon doesn't start at boot - how can I debug this?
Upload everything with Knife
Vim SCP parameter with private public key pair