Solved

Entering user information in Active Directory

Posted on 2007-03-29
Last Modified: 2010-05-18
Hi!
Our company is growing very fast and I'd like to know if there is anyone here who can help me with the following issues:
- I would like users to access AD so they can fill out all information about themselves (in their user account)
- I would like all users to be able to see some of the information stored on the user account, i.e. phone number, location, etc.
- Which utilities can I use and how can I publish this information in a simple web-page?
- I guess there are some security issues here so it would be nice if you mention something about that as well

We use Windows 2003 servers.

Thanks!
Question by:Caperuzzo
5 Comments
 

Expert Comment

by:Chris Dent
ID: 18815842

>  I would like users to access AD so they can fill out all information about themselves
> (in their user account)

We used to have GALMod to do this. I don't think that works so well with AD, it was written for Exchange 5.5 but doesn't really cover enough of the fields to be useful with Exchange 200x.

Perhaps consider something like DirectoryUpdate to do the job:

http://www.directory-update.com/

> I would like all users to be able to see some of the information stored on the user
> account i.e. phone number, location, etc

Do you use Exchange? If so, all that will be in the Global Address Book.

> Which utilities can I use and how can I publish this information in a simple web-page

I don't know of any out of the box. You could, of course, write something to do it, and it could be fairly simple. It just depends on what you're looking for.

>  I guess there are some security issues here so it would be nice if you mention
> something about that as well

Most of the commercially available applications tend to take these issues into account. If you were doing it yourself it all becomes quite complex with a great deal to try to keep up with.

After all, you don't want to grant your users permission to change the Administrator password.

Chris

Accepted Solution

by:
herbus earned 500 total points
ID: 18815851
G'day Caperuzzo,

Above all, I'd recommend you steer away from the user access to AD... while you could lock them down to a single OU, if they have the ability to manage their account, they'll be able to change any others in the OU (unless you micro-manage security on each account - bad idea).  On top of that, sure enough they will stuff things up, mis-enter information, probably break things and come looking to IT support to fix it... in short, it will generate more hassle than it's worth - IT should manage AD alone.

That said, if I assume you're running Exchange, then the Global Address List or Public Folders can be maintained (the GAL by IT cos it references info from AD, or PubFolders can be managed by users) to show phone number, location, title, etc etc... this may be the best way to go.  An alternative would be to establish an Intranet that has a staff listing, but this would need some dedicated time, know-how and possibly software to get working.

Again, I'd summarise by saying that as nice an idea as it would be to take the pressure off you/IT by having users look after their own info, I couldn't recommend it and you'll likely be asking for more pain than anything...

Cheers,
Herb

Expert Comment

by:Chris Dent
ID: 18815924

Herb makes some really valid points about Security, I just wanted to explain a little more about how such applications work so you can make your choice based on as much information as possible.

Most of the web-based applications for doing this require an account which is a member of the Account Operators group. As you probably know, this account can potentially change a lot of sensitive passwords to elevate its user rights.

However, if you are constructing a web application to do it you're not reliant on a particular user's privileges, you rely on a service account. You could ensure that you never present an option to change a password, and you could set it so the application was completely unable to touch an Administrator.

Basically security at that point is all down to presenting the absolute minimum number of options to do the job.

Chris
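
The approach described in the comment above (a service account behind a web application that exposes only the minimum set of options) comes down to a server-side gate like the one below. This is an added example, not part of the original thread or of any product mentioned in it; the allowlist contents, the function and class names and the entry structure are assumptions made for illustration.

```python
# Added example: server-side policy gate for a self-service directory web app.
# Attribute names are standard AD schema names; the allowlist itself, the
# function names and the entry structure are assumptions for illustration.
import re

# Only these attributes can ever be written through the service account.
ALLOWED = {  # lower-cased LDAP name -> (canonical name, max length)
    "telephonenumber": ("telephoneNumber", 64),
    "mobile": ("mobile", 64),
    "physicaldeliveryofficename": ("physicalDeliveryOfficeName", 128),
}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class PolicyViolation(Exception):
    pass


def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces after commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_modifications(authenticated_dn, target_entry, requested):
    """Return a list of (attribute, value) replaces, or raise PolicyViolation.

    target_entry is the entry as read back by the service account:
    {"dn": str, "adminCount": int or None}.
    """
    if norm_dn(authenticated_dn) != norm_dn(target_entry["dn"]):
        raise PolicyViolation("users may edit only their own entry")
    # adminCount=1 marks accounts AD treats as protected (admin group members).
    if target_entry.get("adminCount") == 1:
        raise PolicyViolation("protected accounts are not editable here")
    mods = []
    for name, value in requested.items():
        rule = ALLOWED.get(name.lower())  # LDAP attribute names ignore case
        if rule is None:  # covers unicodePwd, memberOf and everything else
            raise PolicyViolation("attribute not permitted: %s" % name)
        canonical, max_len = rule
        value = value.strip()
        if len(value) > max_len or CONTROL_CHARS.search(value):
            raise PolicyViolation("invalid value for %s" % canonical)
        mods.append((canonical, value))
    return mods
```

The whole request is rejected if any single attribute falls outside the allowlist, so a form that has been tampered with cannot slip a password or group change in alongside a phone number.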

Expert Comment

by:Klaatu01
ID: 18815987
The following product, "rDirectory", is returned on Microsoft's website via Live Search on the keywords "active directory user self-service" and there is an informative Flash Demo available on the program creator's website.  I am detailing the approach used in locating this information only because it is freely available to the general public via Microsoft's website.

I have not personally used this software so perhaps another Experts Exchange contributor has used and can provide additional information covering all the points mentioned above.  It is likely there are additional recommendations, suggestions and solutions available within Experts Exchange through paid options.

Expert Comment

by:dbrinkmann
ID: 18826650
Web Active Directory has a product named PeopleUpdate that will allow you to control updates to your directory per attribute.  You can also create views and do reporting with it too.  There is a demo page located: http://livedemo.webactivedirectory.com

http://www.webactivedirectory.com