[THIN] Re: OT: HR info in AD

  • From: Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sat, 22 Oct 2005 04:33:07 +0800




Use a provisioning tool such as MIIS (Microsoft Identity Integration
Server). When someone has been Terminated, and a value/flag has been
changed in the HR system, it could automatically disable their accounts,
etc.

It's very cool software, but not cheap.

The other way of doing it is to get the HR system to do some database dump
to a CSV file. Then write a script to read from that file, look for that
flag, and then disable the account, change their title, etc, in AD.

Cheers.
                                                            
Kind regards,

Jeremy Saunders
Senior Technical Specialist

ceruleanTM
an IBM Australia Company
formerly known as Logicalis

Level 2, 1060 Hay Street
West Perth WA 6005
AUSTRALIA

Visit us at http://www.cerulean.com.au/

P: +61 8 9261 8412    F: +61 8 9261 8536
M: TBA                E-mail: Jeremy.saunders@xxxxxxxxxxx
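
The CSV approach described above, sketched as an added example (not code from the original post): it turns an HR dump plus a directory snapshot into a change plan, disables rather than deletes, and refuses to act when the dump would disable an implausible share of accounts. The column names, the `T` status value, the protected-account list and the 50% threshold are assumptions; applying the plan to AD is left to whatever directory tool is in use.

```python
import csv
import io

# Constructed sample HR dump; column names and the "T" flag value are assumptions.
HR_DUMP = """employee_id,status,title
1001,A,Senior Accountant
1002,T,Branch Manager
1003,A,Teller
,T,Loan Officer
1005,T,IT Director
"""

# Constructed directory snapshot keyed by employee ID (e.g. from an AD export).
DIRECTORY = {
    "1001": {"sam": "asmith", "enabled": True, "title": "Accountant"},
    "1002": {"sam": "bjones", "enabled": True, "title": "Branch Manager"},
    "1003": {"sam": "clee", "enabled": True, "title": "Teller"},
    "1005": {"sam": "dpatel", "enabled": True, "title": "IT Director"},
}
PROTECTED = {"dpatel"}        # accounts the script may never disable on its own
MAX_DISABLE_FRACTION = 0.5    # refuse to act on a dump that terminates too many


def plan_changes(dump_text, directory, protected=PROTECTED,
                 max_fraction=MAX_DISABLE_FRACTION):
    """Return (actions, review): changes safe to apply, and rows for a human."""
    actions, review = [], []
    rows = csv.DictReader(io.StringIO(dump_text))
    for line_no, row in enumerate(rows, start=2):   # line 1 is the header
        emp_id = (row.get("employee_id") or "").strip()
        title = (row.get("title") or "").strip()
        account = directory.get(emp_id)
        if not emp_id or account is None:
            review.append((line_no, "no matching account"))
        elif (row.get("status") or "").strip().upper() == "T":
            if account["sam"] in protected:
                review.append((line_no, "protected account: " + account["sam"]))
            elif account["enabled"]:
                actions.append(("disable", account["sam"]))
        elif title and title != account["title"]:
            actions.append(("set_title", account["sam"], title))
    # A truncated or corrupted dump must not lock out the whole company.
    disables = sum(1 for a in actions if a[0] == "disable")
    if directory and disables / len(directory) > max_fraction:
        raise ValueError("dump would disable %d of %d accounts; refusing"
                         % (disables, len(directory)))
    return actions, review
```
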
                                                            
                                                            
                                                            
                                                            








                                                                           
             "Evan Mann"                                                   
             <emann@pinnaclefinancial.com>
             Sent by: thin-bounce@freelists.org
             21/10/2005 11:37 PM
             Please respond to: thin
             To: <thin@xxxxxxxxxxxxx>
             cc:
             Subject: [THIN] Re: OT: HR info in AD
                                                                           
                                                                           




I like the web page idea, I may have to do that.  My HR department likes to
change titles in the custom DB we use but not set the flag to "notify"
which is how I get updates and update AD.  If they have a web page that can
update the appropriate AD fields, I can put full responsibility on them,
which is the way I like it.

You can use a few different methods of scripting to automatically create
and/or delete AD accounts.  You just need to have something that runs on a
trigger (such as an e-mail) and then picks out info and populates fields in
AD.

I would not automate deletion of accounts, but rather automate removal of
all their logon hours or disable the account (disabling on E2000 or E2003
stops e-mail delivery as well, unless you give permission to external
sender, so I suggest removing logon hours and perhaps hiding it).

Auto creation isn't a big deal, but it can become a huge task depending on
your setup.  I have 80 offices, different lists for each, different lists
based on division within the company, office, and job title.  There's A LOT
of logic to process to automate it in my situation, and it hasn't been
worth the time to figure it out. I find it easier to just do it manually.
Heck, I don't even set up my E2003 recipient policies properly to auto
populate the appropriate 1 of 15 e-mail domains, even though that's easy.
I guess I'm a stickler for the hard way sometimes.

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Roger Riggins
Sent: Friday, October 21, 2005 11:26 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: HR info in AD

That's a valid point about where the responsibility should lie. I think
Matt's idea of a custom DB that HR and AD pull from is a good idea. I
suppose it could be entered via a webpage that only HR can access. Can it
somehow automatically create the account when they submit it? Do you see
any security risk in doing so?

Is anyone already doing this?



Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319.290.5687
http://www.lsiowa.org



      -----Original Message-----
      From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
      Behalf Of Evan Mann
      Sent: Friday, October 21, 2005 10:05 AM
      To: thin@xxxxxxxxxxxxx
      Subject: [THIN] Re: OT: HR info in AD

      I'd suggest you take the info from HR's system and not have HR's
      system take your information.  IT should have no responsibility for
      accuracy of that information.

      At my company, we have an automated system that checks for new
      entries in HR's system and sends an e-mail.  The HR system is not the
      actual system (ADP) but a custom database system our MIS department
      created and it's a SQL backend.  I take the info from the e-mail and
      create a new user account.  The e-mail provides the office,
      department, and title.  I also type in the phone number for that
      office and the address.

      If the info comes over incorrectly from HR, then it goes into AD
      incorrectly, and HR is at fault, not IT.

      I've had over 3000 hires/terminations in the past 3 years, and I
      still do it all by hand, just me, with occasional help from 1 person.
      Automating it would probably save me 2 hours time per week, but I
      just haven't gotten around to it.

      From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
      Behalf Of Roger Riggins
      Sent: Friday, October 21, 2005 10:48 AM
      To: thin@xxxxxxxxxxxxx
      Subject: [THIN] OT: HR info in AD


      Sorry for the OT, just trying to find out how others are doing this:


      We're having some growing pains. Our process for new
      hires/terminations is not working very well. We have an HR package
      that maintains all user demographics and is entered when the employee
      is hired. Then they come to us to create an account for them, which
      has no demographic information. When the employee is terminated, we
      sometimes aren't even notified so the accounts aren't removed in a
      timely manner. Then we add them to a web based phonebook, so that
      staff are able to locate each other. Obviously we're entering the
      same data more than once.


      I'd like to see all demographic information in AD, but am unsure if I
      should pull it from the HR package or enter it into AD and then pull
      it into the HR package. How are you doing the imports/exports? It'd
      be helpful to have this info in AD. I'd also like to find out what
      processes you guys are doing to automate or streamline account
      creation/removal when employees are hired/terminated and ensure that
      none are missed.


      Thanks for any info you're willing to share.


      Roger Riggins
      Network Administrator
      Lutheran Services in Iowa
      w: 319.859.3543
      c: 319.290.5687
      http://www.lsiowa.org



