Thursday, March 17, 2011

Active Directory: Dealing with Reorganizations

The health care sector is undergoing various reorganizations. These require a change in the organizational hierarchy as well as the merging or separation of organizational units. A properly configured Active Directory structure is a precondition for dealing with organizational changes in a flexible way. If the organization has opted for a branched OU structure that is closely aligned with the organizational model, a major effort may be required to modify this structure in case of changes.

The structure depicted below provides an idea of how you can set up Active Directory in such a way that IT can conveniently implement organizational changes, while sufficient room is left for security mechanisms. This structure is based on the assumption that it is possible to retrieve cost centers, functional codes, departments and locations from the HR system (e.g. Meditech or Lawson).

- Administration
-|- Service accounts
-|- Administration accounts
- Organization
-|- Computers
-|- Users (1 OU for all user accounts)
-|- Groups
-|-|- Cost centers (HR interface)
-|-|- Functions (HR interface)
-|-|- Departments (HR interface)
-|-|- Locations (HR interface)
-|-|- Data (nested in the above groups)
-|-|- Mail (nested in the above groups)
-|-|- Applications (nested in the above groups)

In this way, user accounts can be made members of one or more functions, departments, cost centers and/or locations. Resources such as data, mail and applications are in turn linked to these user accounts. In case of organizational changes, it will suffice to create additional HR groups. It is up to IT to link the right resources to these groups. Using Tools4ever's UMRA solution to set up a link with the HR system allows you to link any user to the right HR group(s). In addition, IT remains in control of the assigned resources.
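The reconciliation this layout relies on can be modeled offline. The following is an added example, not code from the original post or from UMRA: it plans which HR-group memberships to add and remove after a reorganization, so that access tied to the old department is withdrawn. The group-name prefixes, account names, sample data and the nesting direction (HR groups as members of resource groups) are assumptions.

```python
# Added example: models the HR-driven group layout; all names and data are constructed.
HR_PREFIX = {"cost_center": "CC", "function": "FN",
             "department": "DEP", "location": "LOC"}
MANAGED = tuple(p + "-" for p in HR_PREFIX.values())

def hr_groups(record):
    """HR groups an employee record maps to, e.g. {'DEP-Cardiology', 'LOC-East'}."""
    return {f"{HR_PREFIX[k]}-{record[k]}" for k in HR_PREFIX if record.get(k)}

def plan_changes(hr_export, current):
    """Diff HR data against current memberships; return {user: {'add', 'remove'}}.

    Only HR-managed groups (known prefixes) are ever removed. Accounts that have
    HR groups but no HR record (leavers) lose all of them.
    """
    plan = {}
    for user in sorted(hr_export.keys() | current.keys()):
        wanted = hr_groups(hr_export.get(user, {}))
        have = {g for g in current.get(user, set()) if g.startswith(MANAGED)}
        add, remove = wanted - have, have - wanted
        if add or remove:
            plan[user] = {"add": sorted(add), "remove": sorted(remove)}
    return plan

def effective_resources(groups, nesting):
    """Resource groups reached via nesting (resource group -> member HR groups)."""
    return sorted(r for r, members in nesting.items() if members & set(groups))

# Constructed sample: Cardiology is merged into a new department "HeartVascular".
HR_EXPORT = {
    "jdoe": {"cost_center": "4100", "function": "Nurse",
             "department": "HeartVascular", "location": "East"},
}
CURRENT = {
    "jdoe": {"CC-4100", "FN-Nurse", "DEP-Cardiology", "LOC-East", "APP-Helpdesk"},
    "asmith": {"DEP-Cardiology", "FN-Nurse"},  # no HR record any more
}
# Assumption: IT nests each HR group as a member of the resource groups it needs.
NESTING = {
    "DATA-CardioShare": {"DEP-Cardiology", "DEP-HeartVascular"},
    "MAIL-Nursing": {"FN-Nurse"},
    "APP-CathLab": {"DEP-Cardiology"},
}

if __name__ == "__main__":
    for user, change in plan_changes(HR_EXPORT, CURRENT).items():
        print(user, change)
    print(effective_resources(hr_groups(HR_EXPORT["jdoe"]), NESTING))
```

The manually assigned `APP-Helpdesk` group is left alone because it has no HR prefix, and `jdoe` loses `APP-CathLab` access only because the old department group is removed rather than merely supplemented.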

If more GPO capabilities are required because all users are now accommodated in a single OU, it is possible to create each HR group in its own OU, for example by using UMRA. In that case it will be possible to roll out a GPO for each HR object. If you use, say, RES PowerFuse, comprehensive GPO settings are usually not required. You will then be able to accommodate all HR objects in a single OU and distinguish them, e.g. through their naming.

To learn more about this application of Identity Management and many others, please visit our website: Tools4ever, Inc.
