I'm learning as I go - but one thing I have always wondered, in bigger corporations does the IT department enter all new hires into Active Directory / create the Exchange mailbox, or is there a setup that allows the human resources / managers to add new employees?
I suppose I could develop something where they enter the person's information and it pushes to all necessary systems - but I was wondering if there was a built-in method - or is that just something that the IT department does?
Edit Addition:
Currently I am given a copy of the new employee's information, put them into all systems (Active Directory, time and attendance, Exchange, etc.) and then return the information.
Looking for a better method to accomplish this. The current systems that we use are:
Active Directory, Microsoft Exchange, QQest Time and Attendance, MySQL, and then McAfee SAS protection systems.
QQest has Active Directory integration, but even working with them I have never been able to get it to fully function properly.
McAfee SAS just released an Active Directory integration feature, but I have heard it still has bugs and am waiting for an updated version before trying to implement.
I am planning on using Active Directory as the login information for the MySQL database; we are currently writing a new version of the system for use with that, but it will be some time before it is completed.
Thanks.
It is certainly possible to delegate a limited set of privileges to manage user objects. I work at an educational service provider, and one of our departments deals with a lot of students that are only present for a couple of weeks, and they are constantly coming and going. It would be a pain for us to manage the accounts for them. So we delegated privileges to one of the staffers for that program.
We haven't decided not to do it, but we had been investigating integrating our payroll system directly into the AD via SIF. It should be possible for the accounts to automatically be created. All the software exists to do this, but since we are not a traditional school it didn't exactly fit our requirements.
If you do choose to delegate this, you may need to evaluate your security requirements. Perhaps you can let HR create the accounts, but don't permit them to modify group membership. That way it requires some kind of request to someone to double check the privileges requested are valid for that person.
One of my AD deployments involves hundreds of overseas employees and a multitude of projects. One of the products we work with also required a separate logon, much as you describe.
I was not able to find a unified way to allow access to the second product. In the end I went with their AD integration as hokey as it is.
Delegating permissions to staff outside of IS became a definitive business requirement. At the end of the day we had a couple of levels of delegate access - one which allows non-IS users to create projects and do general AD management tasks (limited to one branch of AD) and another for user management including new users, group membership and password resets.
The biggest thing I found is that it is imperative to set permissions on your groups as well. If set up properly your delegated users will be able to move users between common groups without the ability to perform privilege escalation attacks.
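The delegation pattern the two answers above describe (let a non-IT group create and manage user accounts in one OU, but grant nothing on group objects, and then verify the group ACLs so the delegate cannot escalate) as an added PowerShell example; this is not code from the thread, the OU, domain and "HR-Provisioners" group are assumed names, and the schema GUIDs are the well-known ones for the group class and the member attribute.

```powershell
# Added example, not code from the original thread. Assumed names: OU
# "OU=Staff,DC=corp,DC=example" and delegate group "CORP\HR-Provisioners".
# Requires the RSAT ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=corp,DC=example'
$delegate = 'CORP\HR-Provisioners'

# 1. Grant only what account provisioning needs, inherited down the OU
#    subtree (/I:T): create/delete user objects, write user attributes,
#    and reset user passwords. No ACE is written for group objects.
dsacls $ou /I:T /G "${delegate}:CCDC;user"
dsacls $ou /I:T /G "${delegate}:RPWP;;user"
dsacls $ou /I:T /G "${delegate}:CA;Reset Password;user"

# 2. Guard check: return any Allow ACE for the delegate that grants write
#    access applying to group objects or to the 'member' attribute, which
#    is what would let a delegate put an account into a privileged group.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'group'
$writeMask  = 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'

function Get-DelegateGroupWriteAce {
    param([string]$DistinguishedName, [string]$Identity)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match $writeMask -and
        ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $groupClass) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttr)
    }
}

# Check the OU itself plus every group stored under it.
$targets = @($ou) + @(Get-ADGroup -SearchBase $ou -Filter * |
                      Select-Object -ExpandProperty DistinguishedName)
foreach ($dn in $targets) {
    $aces = @(Get-DelegateGroupWriteAce -DistinguishedName $dn -Identity $delegate)
    if ($aces.Count -gt 0) {
        Write-Warning "$dn grants $delegate write access on group/member:"
        $aces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
    }
}
```

Re-run the check after every change to the OU's delegation, since a later "helpful" ACE granting GenericWrite on all descendants would silently undo the separation.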
Where I've been that would be a task that is completed by the System Administrator using information provided by the HR department through a work order or ticket system.
I have configured Active Roles Server for a help desk I supported, which you could use to do what you're trying to do, but you'd have to decide if the effort is justified based on your user base.