Solved

Entering user information in Active Directory

Posted on 2007-03-29
5
258 Views
Last Modified: 2010-05-18
Hi!
Our company is growing very fast an I''d like to know if there is anyone here who can help me with the following issues:
- I would like users to access AD so they can fill out all information about themselves (in their user account)
- I would like all users to be able to see some o the information stored on the user account i.e. phone number, location, etc.
- Which utilities can I use and how can I publish this information in a simple web-page
- I guess there is some security issues here so it would be nice if you mention something about that as well

We use Windows 2003 servers.

Gracias!  
0
Comment
Question by:Caperuzzo
5 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 18815842

>  I would like users to access AD so they can fill out all information about themselves
> (in their user account)

We used to have GALMod to do this. I don't think that works so well with AD, it was written for for Exchange 5.5 but doesn't really cover enough of the fields to be useful with Exchange 200x.

Perhaps consider something like DirectoryUpdate to do the job:

http://www.directory-update.com/

> I would like all users to be able to see some o the information stored on the user
> account i.e. phone number, location, etc

Do you use Exchange? If so, all that will be in the Global Address Book.

> Which utilities can I use and how can I publish this information in a simple web-page

I don't know of any out of the box. You could, of course, write something to do it, and it could be fairly simple. It just depends on what you're looking for.

>  I guess there is some security issues here so it would be nice if you mention
> something about that as well

Most of the commercially available applications tend to take these issues into account. If you were doing it yourself it all becomes quite complex with a great deal to try to keep up with.

After all, you don't want to grant your users permission to change the Administrator password.

Chris
0
 
LVL 9

Accepted Solution

by:
herbus earned 500 total points
ID: 18815851
G'day Caperuzzo,

Above all, I'd recommend you steer away from the user access to AD... while you could lock them down to a single OU, if they have the ability to manage their account, they'll be able to change any others in the OU (unless you micro-manage security on each account - bad idea).  On top of that, sure enough they will stuff things up, mis-enter information, probably break things and come looking to IT support to fix it... in short, it will generate more hassle than it's worth - IT should manage AD alone.

That said, if I assume you're running Exchange, then the Global Address List or Public Folders can be maintained (the GAL by IT cos it references info from AD, or PubFolders can be managed by users) to show phone number, location, title, etc etc... this may be the best way to go.  An alternative would be to establish an Intranet that has a staff listing, but this would need some dedicated time, know-how and possibly software to get working.

Again, I'd summarise by saying that as nice an idea it would be to take the pressure off you/IT by having users look after their own info, I couldn't recommend it and you'll likely be asking for more pain than anything...

Cheers,
Herb
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 18815924

Herb makes some really valid points about Security, I just wanted to explain a little more about how such applications work so you can make you choice based on as much information as possible.

Most of the web-based applications for doing this require an account which is a member of the Account Operators group. As you probably know, this account can potentially change a lot of sensitive passwords to elevate it's user rights.

However, if you are constructing a web application to do it you're not reliant on a particular users priviledges, you rely on a service account. You could ensure that you never present an option to change a password, and you could set it so the application was completely unable to touch an Administrator.

Basically security at that point is all down to presenting the absolute minimum number of options to do the job.

Chris
0
 
LVL 4

Expert Comment

by:Klaatu01
ID: 18815987
The following product, "rDirectory", is returned on Microsoft's website via Live Search on the keywords "active directory user self-service" and there is a informative Flash Demo available on the program creator's website.  I am detailing the approach used in locating this information only because it is freely available to the general public via Microsoft's website.

I have not personally used this software so perhaps another Experts Exchange contributor has used and can provide additional information covering all the points mentioned above.  It is likely there are additional recommendations, suggestions and solutions available within Experts Exchange through paid options.
0
 

Expert Comment

by:dbrinkmann
ID: 18826650
Web Active Directory has a product named PeopleUpdate that will allow you to control updates to your directory per attribute.  You can also create views and do reporting with it too.  There is a demo page located: http://livedemo.webactivedirectory.com

http://www.webactivedirectory.com
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now