How is your Active Directory (AD) being managed? Do you have any orphaned groups (groups without owners)? Are there groups that have outlived their purpose? Do you have users that are members of groups and they no longer need to be part of these groups? An ongoing attestation of groups is key to answering these questions. Group objects in your directories tend to…
Active Directory provisioning is a vague abstract term. Is a user provisioned once they have an AD account? Once they have an Exchange mailbox? Once they are in a few security groups? Or once they can do their job? I posit that it is once they can do their job. And that’s where the rub…
Nobody’s Active Directory is perfect. And by “perfect” I mean with accurate identity information. Users are an ever-changing group, they switch jobs, last names, phone numbers, cubicles, departments, and projects. The users know this information but, guess what, IT doesn’t always. So Active Directory gets lonely and out of date. Eventually, nobody’s identity information is…
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn’t give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no…
In any organization, there are numerous users’ objects including employees, managers, and clients, in active directory and azure active directory, with certain attributes assigned to them within HR database. All these users need to have appropriate active directory permissions within organization’s identity and access management framework, to allowing employees access resources on the network, so they can do their jobs effectively. They cannot be held back by needing to request access each time…
I am constantly reminded by prospects and customers how complex identity management projects are. They have complex requirements, complex visio diagrams, complex regression analysis on ROI, complex sounding project names, and complex acronyms for everything. All in the name of making sure that an employee can sign on to his/her computer in the morning and…
Everybody knows you have to get users in Active Directory. With the incredible market share that Active Directory has, it’s just the first step to doing anything for the vast majority of organizations. When an employee starts, you want that employee as a user in Active Directory immediately so they can start working. Incredibly, this…
I follow Twitter pretty closely. I use it to keep up with what the intelligentsia are saying about Active Directory, what new products are coming out, and generally the scuttlebutt on the industry. I follow analysts, customers, writers and most importantly directory services MVPs. So I was a little surprised to see this comment recently:…
I am the kind of person that thinks that a person can never know too much. Clearly I am not the person who should be in charge of securing the enterprise! I was reminded of this in a great slideshow which says 87% of organizations think that their employees have too much access to information…
I worked in the HR world for quite some time. As I made the transition to a more IT focused role I was surprised at how similar some of the conversations are. Both HR and IT are striving to deliver new services and more value to the business lines they serve faster and at lower…