2

Where I work, almost 40% of our support requests are for account management tasks:

  • Create a new account and assign it to groups
  • Unlock an account
  • Reset a password
  • Change an account's groups following a change of tasks, responsibilities or location of a user

What are the means and/or tools available to my co-workers for reducing the load to manage accounts?

Some possible examples:

  • A tool to allow people to unlock and reset their account/password
  • Delegate some power to power-users on external locations to allow account management
  • A simple tool for non-technical people to manage accounts with an approval mechanism from IT.
Ben Pilbrow
Philippe

2 Answers

4

There are many tools for allowing users self-service password reset. We're using SSRPM which provides both a msgina.dll replacement, which we install on all client stations, as well as web-based access. The reset questions are customizable and you can build profiles for different OUs or Groups.

Delegation of user administration activity is highly recommended. It's fairly simple (implementation-wise) once you've done your planning and design.

  1. Break out your user account group mappings.
    • e.g. User Management Finance, User Management Sales, User Management Password Reset, etc.
  2. Create AD groups which represent these management delegations.
  3. Delegate access to respective OUs/groups for the management groups.
  4. Populate management groups with approved user accounts.

The biggest time saver for us was connecting AD to our HR and Student Management Systems. As we're a customer of the SSRPM product above, our director bought into another of their products -- URMA. I can't recommend this specific product as it is very painful for someone who is already more-than-comfortable with scripting. But the target of the product is more important. You want to find out how to get data from your HR system and script/hack something to import this into AD on a cyclical basis.

jscott
  • Definitely. Delegate things like password resets to a capable body. – Mitch Oct 01 '10 at 12:30
  • Be very careful choosing tools that replace the gina! This almost always introduces a painful and difficult to solve problem down the line. – duffbeer703 Oct 01 '10 at 12:56
  • @duffbeer703 The gina replacement is not a requirement. In our testing it has performed without issue. We see more users accessing SSRPM via web interface, almost 3:1. – jscott Oct 01 '10 at 13:00
  • Usually individual GINA replacements work fine, the problem comes in down the line when you *need* another app that also uses a GINA replacement! – duffbeer703 Oct 03 '10 at 01:19
3

This depends widely on the structure of your company. If you have an IT department consisting of several groups, it's common to grant those types of roles to a Help Desk section, usually consisting of lower- to mid-level techs.

It's also possible to delegate these rights to individuals within the departments. Select one or two people in each department to be their "IT Helper" (please choose a better name) to whom you can delegate this kind of access. This is especially easy to manage if you already have your AD structure broken out into departments, so that you can assign these individuals to their own OUs without being able to modify those outside of those departments.

These links should help:

gWaldo
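The four delegation steps in the first answer, scoped per department OU as the second answer suggests, can be scripted as follows. This is an added example, not code from either answer; the domain `EXAMPLE` / `example.com`, the OU paths and the member names are placeholder assumptions, and the group names follow the "User Management ..." pattern from the first answer.

```powershell
# Added example. Domain, OU paths and member names are assumed placeholders.
Import-Module ActiveDirectory

$Domain   = 'EXAMPLE'                          # assumed NetBIOS domain name
$GroupsOU = 'OU=Delegation,DC=example,DC=com'  # assumed OU that holds the management groups

# Step 1: map each management group to the single OU it is allowed to act on.
$Delegations = @(
    @{ Group = 'User Management Sales';   TargetOU = 'OU=Sales,DC=example,DC=com';   Members = @('sales.helper') }
    @{ Group = 'User Management Finance'; TargetOU = 'OU=Finance,DC=example,DC=com'; Members = @('finance.helper') }
)

foreach ($d in $Delegations) {
    # Step 2: create the AD group representing this delegation if it is missing.
    if (-not (Get-ADGroup -Filter "Name -eq '$($d.Group)'")) {
        New-ADGroup -Name $d.Group -GroupScope DomainLocal -GroupCategory Security -Path $GroupsOU
    }

    # Step 3: grant only password reset and unlock, on user objects below the target OU.
    $trustee = "$Domain\$($d.Group)"
    $grants = @(
        "${trustee}:CA;Reset Password;user"   # extended right: reset a user's password
        "${trustee}:RPWP;pwdLastSet;user"     # set "must change password at next logon"
        "${trustee}:RPWP;lockoutTime;user"    # clear the lockout (unlock the account)
    )
    foreach ($g in $grants) {
        # /I:S applies the entry to child objects only, not to the OU object itself.
        & dsacls.exe $d.TargetOU /I:S /G $g | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g' on $($d.TargetOU)" }
    }

    # Step 4: populate the management group with the approved accounts.
    Add-ADGroupMember -Identity $d.Group -Members $d.Members
}

# Review the result: list the ACL entries that name the management groups.
foreach ($d in $Delegations) {
    & dsacls.exe $d.TargetOU | Select-String -SimpleMatch $d.Group
}
```

Keep administrative and service accounts out of the delegated OUs: anyone who can reset an account's password can sign in as that account.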