[THIN] Re: OT: HR info in AD
- From: Tom Howarth <tom.howarth@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Fri, 21 Oct 2005 21:52:13 +0100
if the HR Application is LDAP or AD integrated you could utilise
openldap. MIIS is quite expensive and has a heavy leaning curve.
On 21/10/05, Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx> wrote:
>
>
>
>
> Use a provisioning tool such as MIIS (Microsoft Identity Integration
> Server). When someone has been Terminated, and a value/flag has been
> changed in the HR system, it could automatically disable their accounts,
> etc.
>
> It's very cool software, but not cheap.
>
> The other way of doing it is to get the HR system to do some database dump
> to a CSV file. Then write a script to read from that file, look for that
> flag, and then disable the account, change their title, etc, in AD.
>
> Cheers.
>
> Kind regards,
>
>
>
> Jeremy Saunders
> Senior Technical Specialist
>
> ceruleanTM
> an IBM Australia Company
> formerly known as Logicalis
>
> Level 2, 1060 Hay Street
> West Perth WA 6005
> AUSTRALIA
>
> Visit us at
> http://www.cerulean.com.au/
>
> P: +61 8 9261 8412 F: +61 8 9261 8536
> M: TBA E-mail:
> Jeremy.saunders@xxxxxxxxxxx
>
>
>
>
>
>
>
>
>
>
>
>
>
> "Evan Mann"
> <emann@pinnaclefi
> nancial.com> To
> Sent by: <thin@xxxxxxxxxxxxx>
> thin-bounce@freel cc
> ists.org
> Subject
> [THIN] Re: OT: HR info in AD
> 21/10/2005 11:37
> PM
>
>
> Please respond to
> thin
>
>
>
>
>
>
> I like the web page idea, I may have to do that. My HR department likes to
> change titles in the custom DB we use but not set the flag to "notify"
> which is how I get updates and update AD. If they have a web page that can
> update the appropriate AD fields, I can put full responsibility on them,
> which is the way I like it.
>
> You can use a few different methods of scripting to automatically create
> and/or delete AD accounts. You just need to have something that runs on a
> trigger (such as an e-mail) and then picks out info and populates fields in
> AD.
>
> I would not automated deletion of accounts, but rather automate removal of
> all their logon hours or disable the account (disabling on E2000 or E2003
> stops e-mail deliver as well, unless you give permission to external
> sender, so I suggest remove logon hours and perhaps hide it).
>
> Auto creation isn't a big deal, but it can become a huge task depending on
> your setup. I have 80 offices, different lists for each, different lists
> based on division within the company, office, and job title. There's A LOT
> of logic to process to automate it in my situation, and it hasn't been
> worth the time to figure it out. I find it easier to just do it manually.
> Heck, I don't even setup my E2003 recipient policies properly to auto
> populate the appropriate 1 of 15 e-mail domains, even though that's easy.
> I guess I'm a stickler for the hard way sometimes.
>
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Roger Riggins
> Sent: Friday, October 21, 2005 11:26 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: HR info in AD
>
> That's a valid point about where the responsibility should lie. I think
> Matt's idea of a custom DB that HR and AD pull from is a good idea. I
> suppose it could be entered via a webpage that only HR can access. Can it
> somehow automatically create the account when they submit it? Do you see
> any security risk in doing so?
>
> Is anyone already doing this?
>
>
>
> Roger Riggins
> Network Administrator
> Lutheran Services in Iowa
> w: 319.859.3543
> c: 319.290.5687
> http://www.lsiowa.org
>
>
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Evan Mann
> Sent: Friday, October 21, 2005 10:05 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: HR info in AD
>
> I'd suggest you take the info from HR's system and not have HR's
> system take your information. IT should have no responsibility for
> accuracy of that information.
>
> At my company, we have an automated system that checks for new
> entries in HR's sytem and sends an e-mail. The HR system is not the
> actual system (ADP) but a custom database system our MIS department
> created and it's a SQL backend I take the info from the e-mail and
> create a new user account. The e-mail provides the office,
> department, and title. I also type in the phone number for that
> office and the address.
>
> If the info comes over incorrectly from HR, then it goes into AD
> incorrectly, and HR is at fault, not IT.
>
> I've had over 3000 hires/terminations in the past 3 years, and I
> still do it all by hand, just me, with occasional help from 1 person.
> Automating it would probably save me 2 hours time per week, but I
> just haven't gotten around to it.
>
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Roger Riggins
> Sent: Friday, October 21, 2005 10:48 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: HR info in AD
>
>
> Sorry for the OT, just trying to find out how others are doing this:
>
>
> We're having some growing pains. Our process for new
> hires/terminations is not working very well. We have an HR package
> that maintains all user demographics and is entered when the employee
> is hired. Then they come to us to create an account for them, which
> has no demographic information. When the employee is terminated, we
> sometimes aren't even notified so the accounts aren't removed in a
> timely manner. Then we add them to a web based phonebook, so that
> staff are able to locate each other. Obviously we're entering the
> same data more than once.
>
>
> I'd like to see all demographic information in AD, but am unsure if I
> should pull it from the HR package or enter it into AD and then pull
> it into the HR package. How are you doing the imports/exports? It'd
> be helpful to have this info in AD. I'd also like to find out what
> processes you guys are doing to automate or streamline account
> creation/removal when employees are hired/terminated and ensure that
> none are missed.
>
>
> Thanks for any info you're willing to share.
>
>
> Roger Riggins
>
>
> Network Administrator
>
>
> Lutheran Services in Iowa
>
>
> w: 319.859.3543
>
>
> c: 319.290.5687
>
>
> http://www.lsiowa.org
>
>
>
>
>
--
Tom at home
********************************************************
This Weeks Sponsor: Cesura, Inc.
Know about Citrix end-user slowdowns before they know.
Know the probable cause, immediately.
Know it all now with this free white paper.
http://www.cesurasolutions.com/landing/WPBCForCitrix.htm?mc=WETBCC
********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
Other related posts:
