We have a centralized security department, and we used to do group management this way. As you found, it gets to be a chore, and the security people really don't know what the groups are for anyway.

What we ended up doing was creating an OU structure that mimics our business unit divisions[1]. Each unit's groups are stored under their OU. We have one person at each business called a "security administrator". Each security administrator has rights to manage all the groups in their OU. Their job is to accept security-related requests from their users and either handle them themselves (in the case of group management), or forward them to corp security (new user setup, etc.).

[1] We use alias names for each business unit (i.e. bu01, bu02, etc.) because business units have a nasty habit of changing names.
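The delegation model described above, as an added PowerShell example (not code from the thread or from either poster): one OU per business-unit alias, a Groups sub-OU holding that unit's groups, and one "<bu>-SecurityAdmins" group per unit whose ACEs are scoped to group objects only, so the delegated security administrator can create, delete and edit groups in their OU but cannot touch user objects (new-user setup stays with corp security). The OU names, the group naming pattern and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: per-business-unit OUs with delegated group management.
# Assumes the RSAT ActiveDirectory module and a session that can modify the domain.
# OU names, alias list and the "<bu>-SecurityAdmins" naming pattern are assumptions.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$rootOU    = "OU=BusinessUnits,$domainDN"
$buAliases = 'bu01', 'bu02'   # alias names rather than real unit names, as in the reply

# Resolve the schema GUID of the "group" object class from this forest's schema,
# so every ACE below applies to group objects and nothing else.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$groupClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=group)' -Properties schemaIDGUID).schemaIDGUID

if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=BusinessUnits)' `
        -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'BusinessUnits' -Path $domainDN
}

foreach ($bu in $buAliases) {
    $buOU     = "OU=$bu,$rootOU"
    $groupsOU = "OU=Groups,$buOU"

    New-ADOrganizationalUnit -Name $bu      -Path $rootOU
    New-ADOrganizationalUnit -Name 'Groups' -Path $buOU

    # One delegated role per unit; the unit's security administrator is its member.
    $adminGroup = New-ADGroup -Name "$bu-SecurityAdmins" -Path $buOU `
        -GroupCategory Security -GroupScope DomainLocal -PassThru
    $sid = [System.Security.Principal.SecurityIdentifier]$adminGroup.SID

    $acl = Get-Acl -Path "AD:\$groupsOU"

    # ACE 1: create and delete *group* objects directly under the Groups OU.
    # objectType = group class GUID limits the child type; inheritance None keeps it on the OU.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $groupClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))

    # ACE 2: full control over group objects beneath the OU.
    # inheritedObjectType = group class GUID means the ACE is inherited by groups only,
    # not by any user or computer object that might later be placed in this OU.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupClassGuid))

    Set-Acl -Path "AD:\$groupsOU" -AclObject $acl
}
```

If "manage the groups" in your environment means membership changes only, replace the GenericAll ACE with a WriteProperty ACE whose objectType is the schema GUID of the `member` attribute; that keeps the security administrator from renaming or re-describing groups and is the stricter least-privilege reading of the same model. Either way, confirm the result with `Get-Acl "AD:\OU=Groups,OU=bu01,..."` and check that no ACE for the admin group lacks an object-type restriction.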
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:05 PM
To: [email protected]
Subject: [ActiveDir] Group Management
Hi all, sorry up front for the long post.
I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group. I don't mean the security around the administration, but the supporting business processes and workflows.
We've just centralized security administration, and this has created a problem with group administration on quite a large scale.
Our security admins will get a request to add UserA to GroupA. Since they have inherited the job, there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept. If it's a group that ultimately gets you admin rights on all SQL servers or access to patient data... you can see the problem developing here. The problem is really two-fold: the security aspects, as well as the time it takes to complete the request (multiply that by 1500 requests a day and the admins are really backed up).
I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful? Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it.
Thanks in advance,
rb
