Tony is 1000% correct. Trying to force validation through
ADUC will only help you validate data being sent in by people who follow the
rules or even know them; at that point you can ask yourself why they aren't just
following the data validation rules when using the default ADUC. To restate the
reasons... It is because they 1. don't want to follow them, 2. don't think
they apply to them, 3. don't know them.
The only foolproof way to do this validation and have
certainty that your directory has valid data is to remove the ability for people
to make the mods themselves natively (so they can't use scripts, default ADUC,
or any other program they choose to use) and then use some proxy tool. The
easiest being some web front end. Depending on your rules it may be easier for
you to write a .NET web page to do it or find some third party. The web page
or third party tool takes the modifier's requests, goes through some central
server(s) to validate them, then shoots the validated data into the
directory.
From the DEC Conference (this is why you should go to this
thing...), it seems that the MS direction isn't to make AD smarter and more
flexible in terms of rules/triggers/etc. They seem to be pushing the "logic" out
to MIIS. MIIS will become a full provisioning tool so you can look at that as
your solution from MS, or you can whip up your own system from scratch, or you
can buy something from someone else.
User objects are the most likely arena for this type of
system; companies do this on a regular basis. They have some sort of a
front end that takes feeds for changes from the users themselves (for some
changes that the user is allowed to make), from user admins (for more changes),
from high level user admins (more changes), from automated HR systems like
PeopleSoft. These all get proxied into the environment.
Machine objects aren't quite as likely but people are
working that way to get standardization in naming and to make sure accounts get
placed into the correct OUs for GPOs, or to validate the machine prior to
allowing it into the domain [1], or want strict reporting on who is requesting
and adding the objects, etc.
Group objects are another that isn't quite as obvious. But
again you want standardization of naming, say you want it to be allowed to
everyone in the company but controlled. Say you want to make sure people
aren't making DLs or say Universal Groups. Possibly say you just want it to
control membership in some way shape or form, someone wants to join a group so
they click on something asking to be added and the system has a ruleset to
determine if the new person can automatically be added or someone has to be
emailed and get a positive response. This is called a subscription based system.
Look for this functionality out of MIIS in the future as they integrate
AutoGroup into it.
Now one that a lot of admins don't think about locking down
is the ability to create OUs and Containers. If you delegate the ability to
someone to create OUs to logically structure something, what have you given them
the ability to do? Just about anything under that structure is the correct
answer. If you create an OU (or Container) you are creator/owner and can now
modify the ACL to your heart's delight and actually have full control so once you
create that OU or container, you can create anything else under that you want.
For third party tools, go look at the stuff from Aelita,
Quest, NetIQ, etc.
joe
[1] Say you want a machine to have certain SPs or OS loads
or software, or that the load was created by your internal company (i.e. no vanilla
loads); you can make part of the process the fact that the person has to have
the machine online with an Admin ID and password that they give the automated
system and the system will reach out and verify that machine prior to letting it
join the network.
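The proxy approach described above, as an added example that is not part of the original thread or any of the tools it names: a PowerShell validation gate of the kind a web front end would call before it ever touches the directory. It assumes the RSAT ActiveDirectory module, a hypothetical proxy service account (CORP\svc-adprovision) that alone holds create/write rights on the target OU, and a hypothetical OU path and UPN suffix. The ruleset, the request hashtables and the department list are constructed for the example; the validation functions run offline, and only Invoke-ProvisioningRequest talks to AD.

```powershell
# Added example: validation proxy in front of AD user creation. Not from the
# original thread. Proxy account, OU path and UPN suffix are hypothetical.
Set-StrictMode -Version Latest

# Ruleset: attribute allow-list plus a validator per attribute. Anything not
# listed is rejected outright, so a caller cannot smuggle in extra attributes.
# -cmatch is used because -match is case-insensitive in PowerShell.
$Rules = @{
    givenName       = { param($v) $v -cmatch '^[A-Z][a-zA-Z''\- ]{0,63}$' }
    sn              = { param($v) $v -cmatch '^[A-Z][a-zA-Z''\- ]{0,63}$' }
    department      = { param($v) $v -in @('Research', 'Finance', 'IT', 'Fundraising') }
    telephoneNumber = { param($v) $v -cmatch '^\+44 \d{2,4} \d{3} \d{4}$' }
    title           = { param($v) $v.Length -le 64 }
}
# LDAP attribute -> New-ADUser parameter name
$ParamFor = @{ givenName = 'GivenName'; sn = 'Surname'; department = 'Department'
               telephoneNumber = 'OfficePhone'; title = 'Title' }

function Test-ProvisioningRequest {
    param([Parameter(Mandatory)][hashtable]$Request)
    $problems = @()
    foreach ($key in $Request.Keys) {
        if (-not $Rules.ContainsKey($key)) {
            $problems += "attribute '$key' is not permitted through this interface"
            continue
        }
        if (-not (& $Rules[$key] ([string]$Request[$key]))) {
            $problems += "attribute '$key' failed validation: '$($Request[$key])'"
        }
    }
    foreach ($required in 'givenName', 'sn', 'department') {
        if (-not $Request.ContainsKey($required)) { $problems += "missing required attribute '$required'" }
    }
    return $problems
}

# Identifiers are derived from validated data rather than accepted from the
# caller, so the naming standard is enforced by construction.
function New-StandardNames {
    param([string]$GivenName, [string]$Surname)
    $sam = ($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit
    [pscustomobject]@{ SamAccountName = $sam; DisplayName = "$Surname, $GivenName" }
}

function Invoke-ProvisioningRequest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Request,
        [string]$TargetOU = 'OU=Staff,DC=corp,DC=example',   # hypothetical
        [pscredential]$ProxyCredential                        # CORP\svc-adprovision
    )
    $problems = Test-ProvisioningRequest -Request $Request
    if ($problems.Count) { throw ("request rejected:`n  " + ($problems -join "`n  ")) }

    $names  = New-StandardNames -GivenName $Request.givenName -Surname $Request.sn
    $params = @{
        Name              = $names.DisplayName
        SamAccountName    = $names.SamAccountName
        UserPrincipalName = "$($names.SamAccountName)@corp.example"
        Path              = $TargetOU
    }
    foreach ($key in $Request.Keys) { $params[$ParamFor[$key]] = $Request[$key] }
    if ($ProxyCredential) { $params.Credential = $ProxyCredential }

    Import-Module ActiveDirectory
    if ($PSCmdlet.ShouldProcess($names.SamAccountName, "create user in $TargetOU")) {
        New-ADUser @params
        # The object's owner will be the proxy, so record the real requester here;
        # it cannot be recovered from the directory afterwards.
        Write-Information "$env:USERNAME requested $($names.SamAccountName)" -InformationAction Continue
    }
}

# Constructed sample requests
$good = @{ givenName = 'Ian'; sn = 'Fraser'; department = 'Research' }
$bad  = @{ givenName = 'ian'; sn = 'Fraser'; department = 'Research'; adminCount = 1 }
Test-ProvisioningRequest -Request $good   # no output: nothing to report
Test-ProvisioningRequest -Request $bad    # two problems: lowercase givenName, disallowed adminCount
Invoke-ProvisioningRequest -Request $good -WhatIf
```

The point of the gate is that the validation runs on the proxy's side with the proxy's credentials; the requester needs no write access to the OU at all, so scripts, stock ADUC and third-party tools in their hands simply fail.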
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, May 02, 2004 5:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADUC Customization / Input Validation
Hi Ian
I think the main problem with modifying ADUC is that you
really need to ensure tight version control afterwards. For example
if, as you state, data entry validation is one of your goals then how do you
ensure people are not using uncontrolled, non-modified versions of ADUC?
One approach that works quite well is to develop a web
front-end and proxy all your admin tasks through that. This has a number of
advantages, e.g.
- Tight version control. With a limited and controlled distribution you know everyone is using the same version.
- Good data entry validation. You can specify exactly the validation that you need.
- The ability to use a separate (proxy) account to perform tasks. For example, if an admin creates a computer object, this sets the admin's account as the owner of the object and this confers certain rights. You may not want this for a variety of reasons, so it is better to have one account as the owner for all computer objects.
The resources involved in developing a solution such as
this are quite high, but the benefits to larger organisations are obvious.
Also, the developer resources available now are much better than they were a few
years ago. Many people have done this before, so you should be able to
find good samples on the web for what you need to achieve.
There are some good third party solutions available, but
these may not provide you with the granularity of control you require
(IMHO).
Tony
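Tony's point about the creating admin becoming the owner of a computer object, and joe's point above about an OU creator being able to rewrite the ACL of what they created, are two faces of the same thing: object ownership in AD carries implicit rights. The following is an added example, not from the original thread, that audits who owns the computer, OU and container objects under a search base and hands the strays to a single proxy account. It assumes the RSAT ActiveDirectory module (which provides the AD: drive that Get-Acl and Set-Acl use) and hypothetical account and OU names.

```powershell
# Added example: audit and reassign AD object ownership. Not from the original
# thread. Account names and the search base are hypothetical placeholders.
Import-Module ActiveDirectory

# Owners that are acceptable: the provisioning proxy and the built-in admin
# groups. Anything else is an individual who created the object directly.
$ApprovedOwners = @('CORP\svc-adprovision', 'CORP\Domain Admins', 'CORP\Enterprise Admins')

function Get-OwnerReport {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',
        [string[]]$ObjectClass = @('computer', 'organizationalUnit', 'container')
    )
    $filter = '(|' + (($ObjectClass | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                Owner             = $acl.Owner
                Approved          = $acl.Owner -in $ApprovedOwners
            }
        }
}

# Owner rights are implicit: the owner can always rewrite the DACL (WRITE_DAC)
# and read it (READ_CONTROL) with no explicit ACE, which is why a delegated OU
# creator effectively gets full control of everything beneath what they create.
function Set-ObjectOwnerToProxy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [string]$NewOwner = 'CORP\svc-adprovision'
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        $acl.SetOwner([System.Security.Principal.NTAccount]$NewOwner)
        # Assigning an owner other than yourself needs SeRestorePrivilege, which
        # Domain Admins hold by default; run this from a privileged session.
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "set owner to $NewOwner")) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: list everything an individual admin owns, then hand it to the proxy.
# Drop -WhatIf once the report looks right.
Get-OwnerReport | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Get-OwnerReport | Where-Object { -not $_.Approved } | Set-ObjectOwnerToProxy -WhatIf
```

Run the report before delegating any create rights: if individuals already own OUs or computers, they retain WRITE_DAC on those objects regardless of what you later remove from the ACL, until the owner is changed.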
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IAN FRASER
Sent: Saturday, 1 May 2004 20:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADUC Customization / Input Validation
Has anyone done much work with customizing ADUC to include new tabs,
drop down fields, radio buttons etc.
I'm interested in data entry validation in ADUC, or a similar
interface. We really need consistency in data being entered into AD, and I don't
think that the current system is foolproof enough for a larger
organisation.
From what I can see, the MS SDK and some C++ experience is the only
way around this, or to modify the display specifiers, and drop this out
to a WSH script (which is OK, but not my ideal option)
Guidance on available 3rd party tools / customization ideas / experience would be greatly appreciated.
Ian Fraser
Cancer Research UK
