Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Entering user information in Active Directory

Posted on 2007-03-29
Medium Priority
Last Modified: 2010-05-18
Our company is growing very fast an I''d like to know if there is anyone here who can help me with the following issues:
- I would like users to access AD so they can fill out all information about themselves (in their user account)
- I would like all users to be able to see some o the information stored on the user account i.e. phone number, location, etc.
- Which utilities can I use and how can I publish this information in a simple web-page
- I guess there is some security issues here so it would be nice if you mention something about that as well

We use Windows 2003 servers.

Question by:Caperuzzo
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 71

Expert Comment

by:Chris Dent
ID: 18815842

>  I would like users to access AD so they can fill out all information about themselves
> (in their user account)

We used to have GALMod to do this. I don't think that works so well with AD, it was written for for Exchange 5.5 but doesn't really cover enough of the fields to be useful with Exchange 200x.

Perhaps consider something like DirectoryUpdate to do the job:


> I would like all users to be able to see some o the information stored on the user
> account i.e. phone number, location, etc

Do you use Exchange? If so, all that will be in the Global Address Book.

> Which utilities can I use and how can I publish this information in a simple web-page

I don't know of any out of the box. You could, of course, write something to do it, and it could be fairly simple. It just depends on what you're looking for.

>  I guess there is some security issues here so it would be nice if you mention
> something about that as well

Most of the commercially available applications tend to take these issues into account. If you were doing it yourself it all becomes quite complex with a great deal to try to keep up with.

After all, you don't want to grant your users permission to change the Administrator password.


Accepted Solution

herbus earned 1500 total points
ID: 18815851
G'day Caperuzzo,

Above all, I'd recommend you steer away from the user access to AD... while you could lock them down to a single OU, if they have the ability to manage their account, they'll be able to change any others in the OU (unless you micro-manage security on each account - bad idea).  On top of that, sure enough they will stuff things up, mis-enter information, probably break things and come looking to IT support to fix it... in short, it will generate more hassle than it's worth - IT should manage AD alone.

That said, if I assume you're running Exchange, then the Global Address List or Public Folders can be maintained (the GAL by IT cos it references info from AD, or PubFolders can be managed by users) to show phone number, location, title, etc etc... this may be the best way to go.  An alternative would be to establish an Intranet that has a staff listing, but this would need some dedicated time, know-how and possibly software to get working.

Again, I'd summarise by saying that as nice an idea it would be to take the pressure off you/IT by having users look after their own info, I couldn't recommend it and you'll likely be asking for more pain than anything...

LVL 71

Expert Comment

by:Chris Dent
ID: 18815924

Herb makes some really valid points about Security, I just wanted to explain a little more about how such applications work so you can make you choice based on as much information as possible.

Most of the web-based applications for doing this require an account which is a member of the Account Operators group. As you probably know, this account can potentially change a lot of sensitive passwords to elevate it's user rights.

However, if you are constructing a web application to do it you're not reliant on a particular users priviledges, you rely on a service account. You could ensure that you never present an option to change a password, and you could set it so the application was completely unable to touch an Administrator.

Basically security at that point is all down to presenting the absolute minimum number of options to do the job.


Expert Comment

ID: 18815987
The following product, "rDirectory", is returned on Microsoft's website via Live Search on the keywords "active directory user self-service" and there is a informative Flash Demo available on the program creator's website.  I am detailing the approach used in locating this information only because it is freely available to the general public via Microsoft's website.

I have not personally used this software so perhaps another Experts Exchange contributor has used and can provide additional information covering all the points mentioned above.  It is likely there are additional recommendations, suggestions and solutions available within Experts Exchange through paid options.

Expert Comment

ID: 18826650
Web Active Directory has a product named PeopleUpdate that will allow you to control updates to your directory per attribute.  You can also create views and do reporting with it too.  There is a demo page located: http://livedemo.webactivedirectory.com


Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question