I agree that MIIS is expensive but the SQL Server requirement is what irks
me. We have had this conversation multiple times but if MSFT has to have it
on their own tech DB then put it on ESE. Make it black box, you shouldn't
have to require a SQL DBA to properly run your AD for their provisioning
product. The security model isn't good because now instead of just DAs
having extensive rights in the org, it is likely the DBAs will as well
through proxy. I haven't really looked hard into compromising MIIS assuming
I have DBA level access rights into the SQL Server but I fully expect there
are holes. I am semi afraid to start poking into it specifically because I
expect to find those holes and hate finding holes (bugs and security issues)
in MSFT products because I feel honor bound to chase them into MSFT and find
someone to fix them and I don't have the time.

But anyway, basic provisioning doesn't require MIIS or any syncing tool. You
just need something that could output basic data files for the new objects
or the object changes and feed those into basic scripts that validate and
shove them into AD. And in front of it you have some basic web page, a web
form for a new user with no validation could be done in minutes, if you
validate users you add a little JavaScript or add some code to the backend.
And note, this could be done on any flavor web server on any OS, doesn't
require Windows. If you aren't big on writing AD Update code you then need a
tool that could move that info into the directory and one of the most
flexible tools I have seen to date and I have seen multiple times now
filling roles like this as well as group management roles is LDSU
(http://h20219.www2.hp.com/services/cache/11212-0-0-225-121.html).  I only
learned about it within the last 18 or so months, I don't recall ever
hearing about it prior to that though it was available and used in many
large companies. The advertising for it is nil but I know the developer
quite well and he is good[1]. If joeware got big enough that I could go hire
additional programmers, this guy is one of the guys I would go looking to
get.

One time (at band camp heh) I got called in to figure out how to make a
well-known vendor's auto group management tool work and we only had like a week
to figure it out before there were going to be penalties from the customer
and the delivery folks had been trying to work out the issues for a couple
of months. I spent a day on it trying to reverse how it worked (i.e. I sat
down with the tool and manipulated it and watched the network traces - what
every good integrator should be doing for every AD Application) and then
sent a nice big bulleted list of issues to someone I knew at the vendor who
supplied the tool. There were no easy fixes nor workarounds that could be
implemented within a week so we switched to LDSU. Within 2 days everything
was up and configured and running perfectly. Also run time for batch updates
that occurred once per day had reduced from >12 hours to under 30 minutes
and that was with the full set of groups, not the small pilot set that we
couldn't get working under the previous tool. It isn't as full featured and
flashy as the big name sync tools in terms of building in workflow and RAD
development of rules, etc but it is considerably cheaper than an MIIS or the
other tools Brian mentioned. If someone was looking to build a provisioning
system quickly and only wanted to worry about the front end initially, this
would be a great backend. 

  joe





[1] I think he is good both because he is actually very bright and has done a
great job and because when he doesn't know something, he admits it and goes
and finds the answer. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
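
The "data file in, validating script, then into AD" flow described in the message above, as an added example that is not from the thread or from any tool named in it. It turns one intake record into an LDIF add entry, escapes DN metacharacters, base64-encodes values LDIF cannot carry as plain text, and fills extensionAttribute5 with the default of 100 from the original question; the record field names, BASE_DN and the naming and quota rules are assumptions.

```python
import base64
import re

DEFAULT_QUOTA = "100"                    # default mailbox size named in the thread
BASE_DN = "OU=Staff,DC=example,DC=com"   # assumed target container
SAM_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")  # assumed naming policy


def validate(rec):
    """Return a list of problems; an empty list means the record may be written."""
    errors = []
    if not SAM_RE.fullmatch(rec.get("sam", "")):
        errors.append("sam: bad characters or length")
    for field in ("givenName", "sn"):
        v = rec.get(field, "").strip()
        if not v or len(v) > 64 or any(ord(c) < 32 for c in v):
            errors.append(f"{field}: empty, too long, or control characters")
    if not re.fullmatch(r"[0-9]{1,4}", rec.get("quota") or DEFAULT_QUOTA):
        errors.append("quota: must be 1-4 digits")
    return errors


def escape_rdn(value):
    """Escape DN metacharacters (RFC 4514) so a name cannot change the DN path."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return "\\" + out if out.startswith("#") else out


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 ('attr:: ...') when RFC 2849 requires it."""
    if value[0] not in " :<" and value[-1] != " " and all(32 <= ord(c) < 127 for c in value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(rec):
    """Validate one intake record and return an LDIF add entry for it."""
    errors = validate(rec)
    if errors:
        raise ValueError("; ".join(errors))
    given, sn = rec["givenName"].strip(), rec["sn"].strip()
    lines = [
        ldif_line("dn", f"CN={escape_rdn(given + ' ' + sn)},{BASE_DN}"),
        "changetype: add",
        "objectClass: user",
        ldif_line("sAMAccountName", rec["sam"]),
        ldif_line("givenName", given),
        ldif_line("sn", sn),
        ldif_line("extensionAttribute5", rec.get("quota") or DEFAULT_QUOTA),
    ]
    return "\n".join(lines) + "\n"
```

Rejecting control characters before the entry is written is what stops a form field from carrying a line break that would add its own attribute lines to the file.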
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 1:33 AM
To: [email protected]
Subject: RE: [ActiveDir] Schema Question

Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look a customer in the eye and say "yes, you can use MySQL or
such", I won't touch MIIS with a long pole.
 
[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a
few, and the engineering that goes into making them work at all is so
intensive that I don't like to offer them as "solutions".

 

 


Sincerely, 
   _____                                
  (, /  |  /)               /)     /)   
    /---| (/_  ______   ___// _   //  _ 
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)      
                               (/       
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com>  - we know IT
www.akomolafe.com <http://www.akomolafe.com>  
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: [email protected]
Subject: RE: [ActiveDir] Schema Question


You mean as in copying in ADUC... What are you crazy?? Provisioning is the
new cool key word Deji. ;)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

 
 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Schema Question


Listen to what they say....
 
But if you really have to set attributes, consider using user templates and
populating the relevant settings that you need. Then do your user account
creation using the templates.
 


________________________________

From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Schema Question



And anyway you should be putting quotas either in a recipient policy or
manually on the attributes that control them...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: [email protected]
Subject: RE: [ActiveDir] Schema Question

 

No. Your provisioning system (e.g. MIIS, etc) should be doing this. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: [email protected]
Subject: [ActiveDir] Schema Question

 

All,

 

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

 

Is it possible to modify the schema so that every time a new user is created
(via ADUC) an extension attribute is populated with a default value? Our
Exchange guys would like extensionAttribute5 to be populated automatically
with 100, which is the default mailbox size. Is this possible? It seems like
it would be, but as I warned, I'm a newb.

 

Thanks,

 

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

 




 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
