if the HR Application is LDAP or AD integrated you could utilise openldap. MIIS is quite expensive and has a heavy leaning curve. On 21/10/05, Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx> wrote: > > > > > Use a provisioning tool such as MIIS (Microsoft Identity Integration > Server). When someone has been Terminated, and a value/flag has been > changed in the HR system, it could automatically disable their accounts, > etc. > > It's very cool software, but not cheap. > > The other way of doing it is to get the HR system to do some database dump > to a CSV file. Then write a script to read from that file, look for that > flag, and then disable the account, change their title, etc, in AD. > > Cheers. > > Kind regards, > > > > Jeremy Saunders > Senior Technical Specialist > > ceruleanTM > an IBM Australia Company > formerly known as Logicalis > > Level 2, 1060 Hay Street > West Perth WA 6005 > AUSTRALIA > > Visit us at > http://www.cerulean.com.au/ > > P: +61 8 9261 8412 F: +61 8 9261 8536 > M: TBA E-mail: > Jeremy.saunders@xxxxxxxxxxx > > > > > > > > > > > > > > "Evan Mann" > <emann@pinnaclefi > nancial.com> To > Sent by: <thin@xxxxxxxxxxxxx> > thin-bounce@freel cc > ists.org > Subject > [THIN] Re: OT: HR info in AD > 21/10/2005 11:37 > PM > > > Please respond to > thin > > > > > > > I like the web page idea, I may have to do that. My HR department likes to > change titles in the custom DB we use but not set the flag to "notify" > which is how I get updates and update AD. If they have a web page that can > update the appropriate AD fields, I can put full responsibility on them, > which is the way I like it. > > You can use a few different methods of scripting to automatically create > and/or delete AD accounts. You just need to have something that runs on a > trigger (such as an e-mail) and then picks out info and populates fields in > AD. > > I would not automated deletion of accounts, but rather automate removal of > all their logon hours or disable the account (disabling on E2000 or E2003 > stops e-mail deliver as well, unless you give permission to external > sender, so I suggest remove logon hours and perhaps hide it). > > Auto creation isn't a big deal, but it can become a huge task depending on > your setup. I have 80 offices, different lists for each, different lists > based on division within the company, office, and job title. There's A LOT > of logic to process to automate it in my situation, and it hasn't been > worth the time to figure it out. I find it easier to just do it manually. > Heck, I don't even setup my E2003 recipient policies properly to auto > populate the appropriate 1 of 15 e-mail domains, even though that's easy. > I guess I'm a stickler for the hard way sometimes. > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On > Behalf Of Roger Riggins > Sent: Friday, October 21, 2005 11:26 AM > To: thin@xxxxxxxxxxxxx > Subject: [THIN] Re: OT: HR info in AD > > That's a valid point about where the responsibility should lie. I think > Matt's idea of a custom DB that HR and AD pull from is a good idea. I > suppose it could be entered via a webpage that only HR can access. Can it > somehow automatically create the account when they submit it? Do you see > any security risk in doing so? > > Is anyone already doing this? > > > > Roger Riggins > Network Administrator > Lutheran Services in Iowa > w: 319.859.3543 > c: 319.290.5687 > http://www.lsiowa.org > > > > -----Original Message----- > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On > Behalf Of Evan Mann > Sent: Friday, October 21, 2005 10:05 AM > To: thin@xxxxxxxxxxxxx > Subject: [THIN] Re: OT: HR info in AD > > I'd suggest you take the info from HR's system and not have HR's > system take your information. IT should have no responsibility for > accuracy of that information. > > At my company, we have an automated system that checks for new > entries in HR's sytem and sends an e-mail. The HR system is not the > actual system (ADP) but a custom database system our MIS department > created and it's a SQL backend I take the info from the e-mail and > create a new user account. The e-mail provides the office, > department, and title. I also type in the phone number for that > office and the address. > > If the info comes over incorrectly from HR, then it goes into AD > incorrectly, and HR is at fault, not IT. > > I've had over 3000 hires/terminations in the past 3 years, and I > still do it all by hand, just me, with occasional help from 1 person. > Automating it would probably save me 2 hours time per week, but I > just haven't gotten around to it. > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On > Behalf Of Roger Riggins > Sent: Friday, October 21, 2005 10:48 AM > To: thin@xxxxxxxxxxxxx > Subject: [THIN] OT: HR info in AD > > > Sorry for the OT, just trying to find out how others are doing this: > > > We're having some growing pains. Our process for new > hires/terminations is not working very well. We have an HR package > that maintains all user demographics and is entered when the employee > is hired. Then they come to us to create an account for them, which > has no demographic information. When the employee is terminated, we > sometimes aren't even notified so the accounts aren't removed in a > timely manner. Then we add them to a web based phonebook, so that > staff are able to locate each other. Obviously we're entering the > same data more than once. > > > I'd like to see all demographic information in AD, but am unsure if I > should pull it from the HR package or enter it into AD and then pull > it into the HR package. How are you doing the imports/exports? It'd > be helpful to have this info in AD. I'd also like to find out what > processes you guys are doing to automate or streamline account > creation/removal when employees are hired/terminated and ensure that > none are missed. > > > Thanks for any info you're willing to share. > > > Roger Riggins > > > Network Administrator > > > Lutheran Services in Iowa > > > w: 319.859.3543 > > > c: 319.290.5687 > > > http://www.lsiowa.org > > > > > -- Tom at home ******************************************************** This Weeks Sponsor: Cesura, Inc. Know about Citrix end-user slowdowns before they know. Know the probable cause, immediately. Know it all now with this free white paper. http://www.cesurasolutions.com/landing/WPBCForCitrix.htm?mc=WETBCC ******************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm ThinWiki community - Excellent SBC Search Capabilities! http://www.thinwiki.com *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm