Did you consider using SQL to store all the metadata for the groups? That’s what I’m doing now, or planning to, but I’d be interested to hear, if you debated this, what the final reasoning was.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]

We do the vast majority of our group management via a custom web interface. The system is self-service and requires no approval process for creating a group. We do enforce some semantics and business rules though. For example, we enforce specific naming conventions, require a sponsor to be named (manager+ level internally), 2+ owners (can be valid users or other security groups) and a valid description. We allow users to create security groups, mail-enabled distro groups or mail-enabled security groups. Owners can modify or delete the group. Name changes are not allowed after creation. We also support email change notifications for different types of events, an expiration process where groups have to be renewed periodically and a background process that ensures that groups maintain the business rules enforced by the UI in the event that sponsors and owners leave the organization or owner groups are deleted. This app manages about 60K groups in a single domain with about 110K users. It works really well for us.

The original web app took about 2 months for 2 guys to build and is 100% ASP.NET. Note that all of the security in the app is “application-managed”, in that a super user account makes all of the modifications and enforces the security policy in the business rules. We chose this approach to prevent people from using AD U&C to modify groups or any other LDAP code. We also use custom schema for representing all of the security attributes instead of DACLs as DACLs are a PITA to program and can’t be queried effectively (which groups do I own or sponsor? etc.).

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
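As an added illustration (not code from this thread or from the ASP.NET app Joe describes), the Python below models the three ideas in his message: the business rules the web UI enforces at creation time (naming convention, manager-level sponsor, at least two valid owners, a description), the background pass that re-checks the same rules after sponsors leave or owner groups are deleted, and the "which groups do I own or sponsor?" query that an attribute-based model answers directly. The naming regex, the "manager"/"staff" levels and the directory contents are constructed assumptions, not anything the thread specifies.

```python
import re
from dataclasses import dataclass, field

# Assumed naming convention (not from the thread): type prefix, then
# lowercase tokens separated by '-', e.g. sg-finance-admins.
NAME_RE = re.compile(r"^(sg|dl|msg)-[a-z0-9]+(-[a-z0-9]+)*$")
GROUP_TYPES = {"security", "distribution", "mail-enabled-security"}
MIN_OWNERS = 2


@dataclass
class User:
    name: str
    level: str            # "staff" or "manager" (constructed levels)
    active: bool = True   # False once the person has left the organization


@dataclass
class Group:
    name: str
    gtype: str
    sponsor: str          # user name; must be manager level or above
    owners: list          # user names or names of other groups
    description: str = ""


@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

    def is_active_user(self, name):
        u = self.users.get(name)
        return u is not None and u.active

    def valid_owner(self, name):
        # An owner may be an active user or an existing group.
        return self.is_active_user(name) or name in self.groups


def group_violations(g, d, creating=False):
    """Rules the UI applies on creation; the same list is re-run by the audit."""
    v = []
    if not NAME_RE.match(g.name):
        v.append("name violates naming convention")
    if creating and g.name in d.groups:
        v.append("group already exists")
    if g.gtype not in GROUP_TYPES:
        v.append(f"unsupported group type {g.gtype!r}")
    sponsor = d.users.get(g.sponsor)
    if sponsor is None or not sponsor.active:
        v.append("sponsor not an active user")
    elif sponsor.level != "manager":
        v.append("sponsor must be manager level or above")
    valid = [o for o in g.owners if o != g.name and d.valid_owner(o)]
    if len(valid) < MIN_OWNERS:
        v.append(f"fewer than {MIN_OWNERS} valid owners")
    if not g.description.strip():
        v.append("description required")
    return v


def audit(d):
    """Background pass: groups that drifted out of policy after people left
    or owner groups were deleted. Returns {group name: [violations]}."""
    return {n: vs for n, g in d.groups.items() if (vs := group_violations(g, d))}


def owned_or_sponsored_by(d, name):
    """The query that is awkward against DACLs but trivial against attributes."""
    return sorted(n for n, g in d.groups.items()
                  if name == g.sponsor or name in g.owners)


def sample_directory():
    """Constructed sample data: one healthy group, one that has drifted."""
    d = Directory()
    for n, lvl, active in [("alice", "manager", True), ("bob", "staff", True),
                           ("carol", "staff", True), ("dave", "manager", False)]:
        d.users[n] = User(n, lvl, active)
    d.groups["sg-finance-admins"] = Group(
        "sg-finance-admins", "security", "alice", ["bob", "carol"],
        "Finance server admins")
    # Sponsor dave has left and owner group sg-retired-owners no longer exists.
    d.groups["dl-oldproject"] = Group(
        "dl-oldproject", "distribution", "dave", ["bob", "sg-retired-owners"],
        "Legacy project list")
    return d


if __name__ == "__main__":
    d = sample_directory()
    req = Group("Finance Admins", "security", "bob", ["bob"], "")
    print("creation request:", group_violations(req, d, creating=True))
    print("audit findings:", audit(d))
    print("bob's groups:", owned_or_sponsored_by(d, "bob"))
```

The point of running one `group_violations` function from both the creation path and the audit is the one Joe makes: the UI and the background process enforce the same rules, so a group cannot quietly fall out of policy when a sponsor departs or an owner group is deleted.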
- [ActiveDir] Group Management Raymond . Balaian
- RE: [ActiveDir] Group Management Brian Desmond
- RE: [ActiveDir] Group Management joe
- RE: [ActiveDir] Group Management joseph.e.kaplan
- RE: [ActiveDir] Group Management Brian Desmond
- RE: [ActiveDir] Group Management Ken Cornetet
- RE: [ActiveDir] Group Management Ken Cornetet
- RE: [ActiveDir] Group Management joseph.e.kaplan
- RE: [ActiveDir] Group Management joseph.e.kaplan
- RE: [ActiveDir] Group Management joseph.e.kaplan
- RE: [ActiveDir] Group Management joseph.e.kaplan
