RE: [ActiveDir] Group Management

[Ken Cornetet]

Brian, I have a perl CGI script that allows the owner of a group to manage it's members. We use it for distribution lists, but it would work for any groups.   It might take a few mods to work in your environment, but you are welcome to it if you like. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, June 28, 2005 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Management I wish we had a system to do that here. I won’t create any group without the managed by attribute being populated. This way I can then pass off the membership management to whomever. I haven’t really identified yet the magnitude of the problem here, but, we’re going to figure out a way to get that attribute populated on as many groups as possible and then it will tie into a web portal for AD mgmt that we’re developing in house. IMHO that’s the way to go.   Thanks, Brian Desmond [EMAIL PROTECTED]   c - 312.731.3132     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 28, 2005 10:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Management   Hi all, sorry up front for the long post. I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group.  I don't mean the security around the administration, but the supporting business processes and workflows.   We've just centralized security administration, and this has created a problem with group administration on quite a large scale.   Our security admins will get a request to add UserA to GroupA.  Since they have inherited the job, there isnt a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept.  If its a group that ultimately get you admin rights on all SQL servers or access to patient data...you can see the problem developing here.  The problem is really two-fold, the security aspects, as well as the time it takes to complete the request.  (multiply it by 1500 requests a day and the admins are really  backed up) I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful?  Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it. Thanks in advance, rb