Monday, June 1, 2009

Second of a series

A 6,500-employee company that provides professional services and technology solutions in energy and climate change to government and commercial clients had a problem. The scripts that they relied on to manage accounts in Active Directory, based on twice-daily PeopleSoft dumps, were becoming tedious to maintain, and with the imminent departure of the head programmer, an off-the-shelf solution became imperative.

The details of the requirements were quickly relayed and a proof of concept was established in the client’s environment. Basically, the information from PeopleSoft was utilized to implement account lifecycle management for employees, while web forms were created to manage contractors. Employees needed an Active Directory account, an Exchange 2007 mailbox, a base set of group memberships, and the proper OU container; these were to be based on location codes. Approximately 10 attributes, including office address and phone number, needed to be set as well.

As information in the file changed, such as location or specific attributes, the AD account needed to be updated and, if necessary, re-provisioned with new groups and moved to a different OU. If the terminate date field was set in PeopleSoft, the account needed to be disabled, hidden from the GAL and moved to a specific OU. Every time an account is created, modified or disabled, an export file is generated by User Management to feed back relevant data to PeopleSoft.

While the automated process easily handled the direct employees, the company also had a large population of contractors that were never entered into PeopleSoft. To address this, web forms were created and deployed to hiring managers. The form contained the fields necessary to create an AD account and, if required, an Exchange mailbox. All contractor accounts are set to expire after 90 days and the hiring manager is notified 2 weeks before account expiration. A second form is available to allow the manager to easily extend the timeframe. If no action is taken, the account is disabled automatically and the hiring manager is again notified.

All told, the implementation of both the automated process and the web forms required about 3-4 days of work by a Tools4ever consultant. After thorough testing, the product was rolled out company-wide. As an added benefit, the customer was able to implement Tools4ever’s Self Service Reset Password Manager to reduce the most common call to the help desk.

Friday, May 8, 2009

Group Management and Auditing

Welcome to my blog. As the managing director of Tools4ever Inc., I have involvement at some level with virtually every prospect and client that we have in the eastern half of the United States. Over time, I will endeavor to explain some of our clients’ unique situations and how we were able to assist. To protect our clients and confidential information, I will not disclose the companies’ names. Feel free to contact me via this blog to learn more.
The first situation I would like to discuss involves a medium-sized financial institution located in the northeast. When they approached us, they were in need of a web-based system for group management compliance auditing. Every 90 days, they required managers to sign off on a paper report indicating that the members of the distribution and security groups they managed were accurate. Obviously, the shortfalls were many. When the paper was returned, IT admins needed to go into Active Directory and make edits as required. Other times, managers simply ignored the paperwork, leaving potential security breaches.
After a thorough analysis of the requirements, we presented a solution that delivered what the client was looking for and also provided suggestions on how to expand the use of the product. A decision to move ahead was made by the client and we set about delivering a proof of concept, at no risk, to prove the capabilities.
In the end, the client was satisfied with the proof of concept and purchased the solution. Basically, the end result provided the following:
For Managers
  1. Automated email notification to managers that a review of their groups was pending.
  2. A website to allow managers to view all of their groups and the members thereof.
  3. The ability to add / remove individuals from each group as appropriate.
  4. The ability to electronically sign off on the accuracy.
For IT
  1. Consolidated reporting on who has / has not verified the groups.
  2. Automatic escalation procedure when a review has not occurred within a defined timeframe. (15, 30 and 60 days)
  3. A portal to provide easy modification of group ownership when a manager departed.
  4. Ability to maintain white lists of groups that should never need verification.
For all employees
  1. An easy method to view what groups they belong to.
  2. Ability to request membership in other groups (requires managerial / IT approval)
In the end, we were able to implement a web-based solution for this client in approximately 40 hours of remote consulting services. Thorough testing in their environment and modifications to the original scope resulted in another 10 hours of work. The client now has a fully automated solution to a time-consuming issue and can generate audit reports on demand. The project was delivered on time and under budget.