[THIN] Re: OT: HR info in AD

  • From: George Yobst <george.yobst@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 24 Oct 2005 15:02:40 -0700

Infoworld just did a few articles on what they call Identity Management.

http://www.infoworld.com/print_issue/archive/2005_41.html
On 10/21/05, Tom Howarth <tom.howarth@xxxxxxxxx> wrote:
>
> if the HR Application is LDAP or AD integrated you could utilise
> openldap. MIIS is quite expensive and has a heavy learning curve.
>
> On 21/10/05, Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx> wrote:
> >
> > Use a provisioning tool such as MIIS (Microsoft Identity Integration
> > Server). When someone has been Terminated, and a value/flag has been
> > changed in the HR system, it could automatically disable their accounts,
> > etc.
> >
> > It's very cool software, but not cheap.
> >
> > The other way of doing it is to get the HR system to do some database dump
> > to a CSV file. Then write a script to read from that file, look for that
> > flag, and then disable the account, change their title, etc, in AD.
> >
> > Cheers.
> >
> > Kind regards,
> >
> >
> >
> > Jeremy Saunders
> > Senior Technical Specialist
> >
> > ceruleanTM
> > an IBM Australia Company
> > formerly known as Logicalis
> >
> > Level 2, 1060 Hay Street
> > West Perth WA 6005
> > AUSTRALIA
> >
> > Visit us at
> > http://www.cerulean.com.au/
> >
> > P: +61 8 9261 8412 F: +61 8 9261 8536
> > M: TBA E-mail:
> > Jeremy.saunders@xxxxxxxxxxx
> >
> > "Evan Mann" <emann@pinnaclefinancial.com>
> > Sent by: thin-bounce@freelists.org
> > To: <thin@xxxxxxxxxxxxx>
> > Subject: [THIN] Re: OT: HR info in AD
> > 21/10/2005 11:37 PM
> > Please respond to thin
> >
> > I like the web page idea, I may have to do that. My HR department likes to
> > change titles in the custom DB we use but not set the flag to "notify"
> > which is how I get updates and update AD. If they have a web page that can
> > update the appropriate AD fields, I can put full responsibility on them,
> > which is the way I like it.
> >
> > You can use a few different methods of scripting to automatically create
> > and/or delete AD accounts. You just need to have something that runs on a
> > trigger (such as an e-mail) and then picks out info and populates fields in
> > AD.
> >
> > I would not automate deletion of accounts, but rather automate removal of
> > all their logon hours or disable the account (disabling on E2000 or E2003
> > stops e-mail delivery as well, unless you give permission to external
> > sender, so I suggest remove logon hours and perhaps hide it).
> >
> > Auto creation isn't a big deal, but it can become a huge task depending on
> > your setup. I have 80 offices, different lists for each, different lists
> > based on division within the company, office, and job title. There's A LOT
> > of logic to process to automate it in my situation, and it hasn't been
> > worth the time to figure it out. I find it easier to just do it manually.
> > Heck, I don't even set up my E2003 recipient policies properly to auto
> > populate the appropriate 1 of 15 e-mail domains, even though that's easy.
> > I guess I'm a stickler for the hard way sometimes.
> >
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> > Behalf Of Roger Riggins
> > Sent: Friday, October 21, 2005 11:26 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: HR info in AD
> >
> > That's a valid point about where the responsibility should lie. I think
> > Matt's idea of a custom DB that HR and AD pull from is a good idea. I
> > suppose it could be entered via a webpage that only HR can access. Can it
> > somehow automatically create the account when they submit it? Do you see
> > any security risk in doing so?
> >
> > Is anyone already doing this?
> >
> >
> >
> > Roger Riggins
> > Network Administrator
> > Lutheran Services in Iowa
> > w: 319.859.3543
> > c: 319.290.5687
> > http://www.lsiowa.org
> >
> >
> >
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> > Behalf Of Evan Mann
> > Sent: Friday, October 21, 2005 10:05 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: HR info in AD
> >
> > I'd suggest you take the info from HR's system and not have HR's
> > system take your information. IT should have no responsibility for
> > accuracy of that information.
> >
> > At my company, we have an automated system that checks for new
> > entries in HR's system and sends an e-mail. The HR system is not the
> > actual system (ADP) but a custom database system our MIS department
> > created and it's a SQL backend. I take the info from the e-mail and
> > create a new user account. The e-mail provides the office,
> > department, and title. I also type in the phone number for that
> > office and the address.
> >
> > If the info comes over incorrectly from HR, then it goes into AD
> > incorrectly, and HR is at fault, not IT.
> >
> > I've had over 3000 hires/terminations in the past 3 years, and I
> > still do it all by hand, just me, with occasional help from 1 person.
> > Automating it would probably save me 2 hours time per week, but I
> > just haven't gotten around to it.
> >
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> > Behalf Of Roger Riggins
> > Sent: Friday, October 21, 2005 10:48 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] OT: HR info in AD
> >
> >
> > Sorry for the OT, just trying to find out how others are doing this:
> >
> >
> > We're having some growing pains. Our process for new
> > hires/terminations is not working very well. We have an HR package
> > that maintains all user demographics and is entered when the employee
> > is hired. Then they come to us to create an account for them, which
> > has no demographic information. When the employee is terminated, we
> > sometimes aren't even notified so the accounts aren't removed in a
> > timely manner. Then we add them to a web based phonebook, so that
> > staff are able to locate each other. Obviously we're entering the
> > same data more than once.
> >
> >
> > I'd like to see all demographic information in AD, but am unsure if I
> > should pull it from the HR package or enter it into AD and then pull
> > it into the HR package. How are you doing the imports/exports? It'd
> > be helpful to have this info in AD. I'd also like to find out what
> > processes you guys are doing to automate or streamline account
> > creation/removal when employees are hired/terminated and ensure that
> > none are missed.
> >
> >
> > Thanks for any info you're willing to share.
> >
> > Roger Riggins
> > Network Administrator
> > Lutheran Services in Iowa
> > w: 319.859.3543
> > c: 319.290.5687
> > http://www.lsiowa.org
> >
>
>
> --
> Tom at home



--
--------------------------------------------------------------------------
George Yobst, Library Technology Analyst phone: 503.723.4890
Library Information Network of Clackamas County fax: 503.794.8238
16239 SE McLoughlin Blvd, Suite 208 web: http://www.lincc.lib.or.us
Oak Grove, OR 97267-4654 email: george.yobst@xxxxxxxxx
"...it is impossible for anyone to begin to learn
what he thinks he already knows." - Epictetus
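
Added example, not part of the original thread or any poster's code: a sketch of the CSV approach discussed above, where a script reads the HR dump, looks for the termination flag, and plans a disable or title change without ever deleting an account. The column names, status values, sample rows, directory snapshot and the `max_disables` cap are all assumptions made for illustration; applying the resulting plan to AD is left to whatever directory tooling is in use.

```python
import csv
import io

# Constructed sample HR export; the column names are assumptions.
HR_CSV = """employee_id,sam_account,title,status
1001,asmith,Branch Manager,ACTIVE
1002,bjones,Teller,TERMINATED
1003,cdoe,Loan Officer,ACTIVE
1004,,Teller,TERMINATED
1005,ghost,Teller,TERMINATED
"""
# Constructed directory snapshot: account name -> current attributes.
DIRECTORY = {
    "asmith": {"title": "Assistant Manager", "enabled": True},
    "bjones": {"title": "Teller", "enabled": True},
    "cdoe": {"title": "Loan Officer", "enabled": True},
    "svc_backup": {"title": "", "enabled": True},
}

def plan_changes(hr_csv, directory, max_disables=25):
    """Return (actions, problems); actions never include a deletion."""
    actions, problems, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        account = (row.get("sam_account") or "").strip().lower()
        status = (row.get("status") or "").strip().upper()
        entry = directory.get(account)
        if not account:
            problems.append(("missing_account", row.get("employee_id")))
        elif entry is None:
            problems.append(("not_in_directory", account))
        elif status == "TERMINATED":
            seen.add(account)
            if entry["enabled"]:
                actions.append(("disable", account))
        elif status == "ACTIVE":
            seen.add(account)
            title = (row.get("title") or "").strip()
            if title and title != entry["title"]:
                actions.append(("set_title", account, title))
        else:
            problems.append(("unknown_status", account))
    # Directory accounts with no usable HR row need a human look, not a change.
    problems += [("no_hr_record", a) for a in sorted(set(directory) - seen)]
    # A bad export (every row flagged) should stop the run, not lock out staff.
    disables = sum(1 for a in actions if a[0] == "disable")
    if disables > max_disables:
        raise ValueError(f"{disables} disables exceeds cap of {max_disables}")
    return actions, problems

if __name__ == "__main__":
    for item in sum(plan_changes(HR_CSV, DIRECTORY), []):
        print(item)
```

The `problems` list is the part that catches missed terminations and orphaned accounts: rows HR exported without an account name, HR records with no matching account, and directory accounts HR does not know about.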
