Solved

Entering user information in Active Directory

Posted on 2007-03-29
5
257 Views
Last Modified: 2010-05-18
Hi!
Our company is growing very fast an I''d like to know if there is anyone here who can help me with the following issues:
- I would like users to access AD so they can fill out all information about themselves (in their user account)
- I would like all users to be able to see some o the information stored on the user account i.e. phone number, location, etc.
- Which utilities can I use and how can I publish this information in a simple web-page
- I guess there is some security issues here so it would be nice if you mention something about that as well

We use Windows 2003 servers.

Gracias!  
0
Comment
Question by:Caperuzzo
5 Comments
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

>  I would like users to access AD so they can fill out all information about themselves
> (in their user account)

We used to have GALMod to do this. I don't think that works so well with AD, it was written for for Exchange 5.5 but doesn't really cover enough of the fields to be useful with Exchange 200x.

Perhaps consider something like DirectoryUpdate to do the job:

http://www.directory-update.com/

> I would like all users to be able to see some o the information stored on the user
> account i.e. phone number, location, etc

Do you use Exchange? If so, all that will be in the Global Address Book.

> Which utilities can I use and how can I publish this information in a simple web-page

I don't know of any out of the box. You could, of course, write something to do it, and it could be fairly simple. It just depends on what you're looking for.

>  I guess there is some security issues here so it would be nice if you mention
> something about that as well

Most of the commercially available applications tend to take these issues into account. If you were doing it yourself it all becomes quite complex with a great deal to try to keep up with.

After all, you don't want to grant your users permission to change the Administrator password.

Chris
0
 
LVL 9

Accepted Solution

by:
herbus earned 500 total points
Comment Utility
G'day Caperuzzo,

Above all, I'd recommend you steer away from the user access to AD... while you could lock them down to a single OU, if they have the ability to manage their account, they'll be able to change any others in the OU (unless you micro-manage security on each account - bad idea).  On top of that, sure enough they will stuff things up, mis-enter information, probably break things and come looking to IT support to fix it... in short, it will generate more hassle than it's worth - IT should manage AD alone.

That said, if I assume you're running Exchange, then the Global Address List or Public Folders can be maintained (the GAL by IT cos it references info from AD, or PubFolders can be managed by users) to show phone number, location, title, etc etc... this may be the best way to go.  An alternative would be to establish an Intranet that has a staff listing, but this would need some dedicated time, know-how and possibly software to get working.

Again, I'd summarise by saying that as nice an idea it would be to take the pressure off you/IT by having users look after their own info, I couldn't recommend it and you'll likely be asking for more pain than anything...

Cheers,
Herb
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

Herb makes some really valid points about Security, I just wanted to explain a little more about how such applications work so you can make you choice based on as much information as possible.

Most of the web-based applications for doing this require an account which is a member of the Account Operators group. As you probably know, this account can potentially change a lot of sensitive passwords to elevate it's user rights.

However, if you are constructing a web application to do it you're not reliant on a particular users priviledges, you rely on a service account. You could ensure that you never present an option to change a password, and you could set it so the application was completely unable to touch an Administrator.

Basically security at that point is all down to presenting the absolute minimum number of options to do the job.

Chris
0
 
LVL 4

Expert Comment

by:Klaatu01
Comment Utility
The following product, "rDirectory", is returned on Microsoft's website via Live Search on the keywords "active directory user self-service" and there is a informative Flash Demo available on the program creator's website.  I am detailing the approach used in locating this information only because it is freely available to the general public via Microsoft's website.

I have not personally used this software so perhaps another Experts Exchange contributor has used and can provide additional information covering all the points mentioned above.  It is likely there are additional recommendations, suggestions and solutions available within Experts Exchange through paid options.
0
 

Expert Comment

by:dbrinkmann
Comment Utility
Web Active Directory has a product named PeopleUpdate that will allow you to control updates to your directory per attribute.  You can also create views and do reporting with it too.  There is a demo page located: http://livedemo.webactivedirectory.com

http://www.webactivedirectory.com
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now