Allowing users to update their own AD user information dis..

On Mon, 18 Aug 2008 18:29:12 +0200, "Jorge de Almeida Pinto [MVP -
DS]" <SubstituteThisWithMyFullNameSeparatedByDots.DeleteThis@gmail.com> wrote:

>even the HR people can make a mess of it

True, but there are fewer of them and it's not as difficult to get
them to conform.

>it depends on what is import for you for users not to screw it up or what
>you do not care about.

What you don't care about doesn't belong in a directory.

>A way to mitigate a risk is to create some kind of
>self service web page that does not checks and also provides informational
>examples of possible entries

If you don't care there's no risk, is there?

If, at some time in the future you/do/ decide to care you'll have a
big cleanup job to undertake.
---
Rich Matheisen
MCSE+I, Exchange MVP

"Ed Crowley [MVP]" <curspice DeleteThis @nospam.net> wrote in message
news:uHX9vIWAJHA.1180@TK2MSFTNGP04.phx.gbl...
> Yeah, but if the HR people do make a mess of it it's their problem.
> --
> Ed Crowley MVP


I agree. What we do in one large corp I work at is HR submits an employee
initiation form to IT security (AD folks) and they create the user and
populate data based on SOP. If any changes are required, HR or the user
submits a service request, it's evaluated for viability and need, and
reacted on whether it gets updated or denied, once again based on SOP.

Standardization, consistency and central control all based on SOP.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

is true. but it also depends on what you care about being consistent,etc..
If you do not care about mobile phone numbers you can let the user do that
him/herself.

I agree if it would a name change you would have to submit to HR or someone
to validate (e.g. when someone gets married and because of that the name
changes and the person wants to use that name)


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Ace Fekay [MVP Direcrtory Services]" <firstnamelastname.DeleteThis@hotmail.com> wrote
in message news:571E7D0E-F77C-4E3C-9C8E-D5F0FD626149@microsoft.com...
>
> "Ed Crowley [MVP]" <curspice.DeleteThis@nospam.net> wrote in message
> news:uHX9vIWAJHA.1180@TK2MSFTNGP04.phx.gbl...
>> Yeah, but if the HR people do make a mess of it it's their problem.
>> --
>> Ed Crowley MVP
>
>
> I agree. What we do in one large corp I work at is HR submits an employee
> initiation form to IT security (AD folks) and they create the user and
> populate data based on SOP. If any changes are required, HR or the user
> submits a service request, it's evaluated for viability and need, and
> reacted on whether it gets updated or denied, once again based on SOP.
>
> Standardization, consistency and central control all based on SOP.
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations
>

"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots.TakeThisOut@gmail.com> wrote in message
news:%237D2TjCBJHA.5316@TK2MSFTNGP04.phx.gbl...
> is true. but it also depends on what you care about being consistent,etc..
> If you do not care about mobile phone numbers you can let the user do
> that him/herself.
>
> I agree if it would a name change you would have to submit to HR or
> someone to validate (e.g. when someone gets married and because of that
> the name changes and the person wants to use that name)

Even mobile #s. It's a strict shop. Due to the nature of the business, there
are some fed guidelines that must be followed. I'm not saying a mobile #
would fall under such scrutiny, but without saying much further, they're
requirements are tight.

maybe for that company..
I have seen company that allow to update all kinds of things.

Not every company is the same

It is all about requirements and company policies (or what is important or
not)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Ace Fekay [MVP Direcrtory Services]" <firstnamelastname DeleteThis @hotmail.com> wrote
in message news:6B3AB43D-331F-4A7A-A0B4-005FF9280565@microsoft.com...
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots DeleteThis @gmail.com> wrote in message
> news:%237D2TjCBJHA.5316@TK2MSFTNGP04.phx.gbl...
>> is true. but it also depends on what you care about being
>> consistent,etc.. If you do not care about mobile phone numbers you can
>> let the user do that him/herself.
>>
>> I agree if it would a name change you would have to submit to HR or
>> someone to validate (e.g. when someone gets married and because of that
>> the name changes and the person wants to use that name)
>
> Even mobile #s. It's a strict shop. Due to the nature of the business,
> there are some fed guidelines that must be followed. I'm not saying a
> mobile # would fall under such scrutiny, but without saying much further,
> they're requirements are tight.
>

Don't waste your time on expensive solutions. The best I have found so far
is this:

http://www.turbo-it.com

It is called SMOP and allows users to reset their own passwords-they have to
do a simple registration and answer some questions and then they get to
unlock their own accounts and change their own passwords - one bonus this
thing has is that it allows to change passwords also from web based form.

"Barkley Bees" wrote:

> What is the most recommended tool/solution for allowing users to effectively
> update their own Active Directory user information (all informational
> fields) that is displayed in the GAL? Thank you.
>
> *note: All 2003 environment (AD, Exchange and Outlook).
>
>
>