I think Jackson brings up a great point. It is not necessarily related just to self-administration but really to anyone who has a role of 'data administrator'. There needs to be a way to mandate data structures, format, use of 'acceptable values', etc. Without these key components, along with very granular delegation, the choice would be to revert back to a single point of administration, being the help desk or something to that effect. This does not mitigate the opportunities to corrupt data; it just centralizes the effort to corrupt the directory <G>.
We need our ADs to be available to use as not only an authentication mechanism but a storage of data that we can rely on for application support, GAL, etc., and if we can't trust the integrity of the data it will never grow into the enterprise directory it is architected for and has the capacity for.

Workflow, and an approval-based workflow, I think about often. We have many customers for whom this is very important. The idea of, for example, requesting membership to a group, having the whole process of email generation and delivery and acceptance and provisioning done in the back end is great. It takes a few touches out of the scenario, which makes for a cleaner environment with less 'dirty data'. For the business value it also adds to the ROI by "Doing More with Less".

There are lots of pieces of data that are present on the directory that I definitely do not want users having access to, especially write access. The solution needs to be flexible enough to create custom interfaces which only expose the data that you approve, and have full support for enforcement of workflow rules, business rules and data structure validation rules. Simple solutions are often just that: simple. The issues and pains of Active Directory administrators are not simple, and they need to be addressed with solutions that can wrap around their needs.

Regards,
Kevin Sullivan

-----Original Message-----
From: Jackson Shaw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Self-service User Managment

I was recently surprised by the number of customers who did not want to implement such a facility as self-service. Why? They felt that allowing the employees to change data in the directory would lead to "dirty" data - for example, addresses all in lowercase, using "Ave." instead of "Avenue", etc. Sure, a sophisticated package could probably work around all this stuff. Either way, I was surprised by the reaction.
I'm curious how others feel about this kind of a tool (with or without workflow).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shad Gunderson
Sent: Wednesday, October 29, 2003 6:30 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Self-service User Managment

Hello all,

I'm looking for feedback on products that may provide users a self-service application that will allow employees to register/request an Active Directory domain account and, with some workflow, those accounts will be created. Nothing beyond those specific features is required at this point (i.e. not looking for full-blown LDAP provisioning). Does anyone here use such tools or have any experience they'd care to share?

Regards,
Shad Gunderson

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/