ADAM would have been cool if it had
existed when we built this. There are a bunch of things I would do
differently now if ADAM had been an option sooner. Our crazy certificate
system comes to mind. I actually started off with an ACL model
for security and eventually had to ditch it, as they are essentially opaque to LDAP
queries and made it impossible to do things like list all of the groups a user
can modify in the system. We ultimately determined also that we did not
want them to actually be able to modify groups directly, since there were
business rules we needed to enforce that AD could not do for us (limiting the max
size of a group, for example). There actually is part of a web services
interface to the system for allowing programmatic updates. This never
went very far because there weren't any people who needed to actually use
it when we started building it. However, the architecture of the app
makes it very simple to bolt on other UIs and interfaces to the core
business logic classes. There are also some tools in the web UI for doing
bulk imports and exports of membership lists to help with some of the laborious
chores. Speaking of logging, that is another great
benefit of this system. Every single operation is audited in a separate
system (this one SQL-based) to keep a change history of what took place.
This audit function is a centralized system for all I&AM apps in the
company, so that all of the contact, user and service account histories are
all logged to the same system. This is especially nice because I can get
a comprehensive history of all updates to any of the managed objects this way.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

I agree with JoeK, keep this info all
together. I have visualized a system that synced back and forth to AD/AM
though. But that was to set it up so that the ACL manipulations were in AD/AM
and then any changes in AD/AM were double-checked, logged, and then shot over to
AD so you knew exactly when changes occurred. Of course you can also do this
through a web interface but if you have anyone who manages large numbers of
groups, they themselves will probably want some programmatic mechanism to do
updates.
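The two design points Joe K. describes above, keeping membership changes behind a business-logic layer that enforces rules AD cannot (a maximum group size) and writing every operation to a separate SQL-based audit store, can be sketched in a few dozen lines. The following is an added example and is not code from the ActiveDir list or from Joe K.'s system; it assumes an in-memory SQLite database, a constructed schema, and a constructed size limit of three members so the denial path is exercised.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed limit for the demo; a real system would carry this per group.
MAX_GROUP_SIZE = 3


class GroupStore:
    """Stand-in for a group-management business-logic layer.

    Membership lives in one table, and every operation (accepted or denied)
    is written to a separate audit table in the same transaction, so the
    audit trail can never lag behind the membership data.
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            """
            CREATE TABLE membership(
                group_name TEXT NOT NULL,
                member     TEXT NOT NULL,
                PRIMARY KEY (group_name, member)
            );
            CREATE TABLE audit(
                id          INTEGER PRIMARY KEY,
                ts          TEXT NOT NULL,
                actor       TEXT NOT NULL,
                object_name TEXT NOT NULL,
                operation   TEXT NOT NULL,
                detail      TEXT NOT NULL,
                outcome     TEXT NOT NULL
            );
            """
        )

    def _audit(self, actor, obj, op, detail, outcome):
        # Every call path records who did what to which object, and whether
        # the business rules let it through.
        self.db.execute(
            "INSERT INTO audit(ts, actor, object_name, operation, detail, outcome) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), actor, obj, op, detail, outcome),
        )

    def _size(self, group):
        row = self.db.execute(
            "SELECT COUNT(*) FROM membership WHERE group_name = ?", (group,)
        ).fetchone()
        return row[0]

    def add_member(self, actor, group, member):
        """Add `member` to `group`; returns True if the change was accepted."""
        if member in self.members(group):
            outcome = "denied: already a member"
        elif self._size(group) >= MAX_GROUP_SIZE:
            outcome = "denied: max size"   # the rule AD itself cannot enforce
        else:
            self.db.execute(
                "INSERT INTO membership(group_name, member) VALUES (?, ?)",
                (group, member),
            )
            outcome = "ok"
        self._audit(actor, group, "add_member", member, outcome)
        self.db.commit()   # membership row and audit row land together
        return outcome == "ok"

    def remove_member(self, actor, group, member):
        """Remove `member` from `group`; returns True if a row was removed."""
        cur = self.db.execute(
            "DELETE FROM membership WHERE group_name = ? AND member = ?",
            (group, member),
        )
        outcome = "ok" if cur.rowcount == 1 else "denied: not a member"
        self._audit(actor, group, "remove_member", member, outcome)
        self.db.commit()
        return outcome == "ok"

    def members(self, group):
        rows = self.db.execute(
            "SELECT member FROM membership WHERE group_name = ? ORDER BY member",
            (group,),
        ).fetchall()
        return [r[0] for r in rows]

    def history(self, obj):
        """Change history for one managed object, oldest first (timestamps omitted)."""
        rows = self.db.execute(
            "SELECT actor, operation, detail, outcome FROM audit "
            "WHERE object_name = ? ORDER BY id",
            (obj,),
        ).fetchall()
        return [tuple(r) for r in rows]


if __name__ == "__main__":
    store = GroupStore()
    for who in ("bob", "carol", "dave", "erin"):
        print("add", who, "->", store.add_member("alice", "app-admins", who))
    for entry in store.history("app-admins"):
        print(entry)
```

Because the denied attempt is audited alongside the accepted ones, the history of a group shows not only who is in it but who tried to exceed the limit, which is the kind of question an LDAP query against raw AD objects cannot answer.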
