From an identity management perspective, if Active Directory is being used for access and as the repository-of-record for user data for applications, the inconsistencies mentioned above can greatly affect how applications function. Incomplete, unacceptable and just plain wrong information may cause an application using that data to malfunction, or worse, grant invalid access rights (whether denying authorized users or allowing unauthorized users).
The best practices are simple: Treat Active Directory as an enterprise repository. That means architecting and planning which fields will be managed by end users, and putting in place the controls needed for consistent, valid data (whether the control is an Active Directory control, a process or even training for the end users).
Having users maintain their own information can be great for administrative cost savings, but if left uncontrolled, it can cost more than it saves.