Ask the Expert

Active Directory update: User self-service security concerns

Our company allows us to update our own Active Directory user data via an intranet preferences page. Are there identity management issues with allowing users to update AD themselves? What should the best practice be for updating AD data?


While I'm all about self-service, when it comes to an Active Directory update, user changes should be carefully planned and monitored. After all, AD isn't just the Global Address List (GAL) for Exchange: Active Directory is an enterprise access repository. This means that while it holds public information, it also grants or denies access to a multitude of applications. In addition, a directory is only as good as the data it stores, so you should have controls over what users enter. Telephone numbers should follow a set format (usually including the area code), titles should be HR-style titles (I remember one engineer who made his title "Emperor of the Universe" from a self-service interface), and other user data should follow similar controls.

From an identity management perspective, if Active Directory is being used for access and as the repository-of-record for user data for applications, the inconsistencies mentioned above can greatly affect how applications function. Incomplete, unacceptable and just plain wrong information may cause an application using that data to malfunction, or worse, grant invalid access rights (whether denying authorized users or allowing unauthorized users).

The best practices are simple: Treat Active Directory as an enterprise repository. That means architecting and planning which fields will be managed by end users, and putting in place the controls needed for consistent, valid data (whether the control is an Active Directory control, a process or even training for the end users).

Having users maintain their own information can be great for administrative cost savings, but, if left uncontrolled, it can cost more than it saves.
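The controls described above (an allow list of self-service fields, a format rule per field, and an outright refusal to touch anything access-relevant) are easiest to see as the validation layer an intranet preferences page would run before writing to AD. The following is an added example written for this column, not code from the column or from any product; the attribute names are the real AD/LDAP names, but the phone format, the HR title list and the department list are constructed policy, and the audit-line format is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Format rules for the attributes the directory owner has decided end users
# may edit. The rules themselves are constructed policy for this example.
PHONE_RE = re.compile(r"^\+1 \d{3}-\d{3}-\d{4}$")   # area code is mandatory

HR_TITLES = frozenset({
    "Software Engineer", "Senior Software Engineer", "Security Analyst",
    "Systems Administrator", "Manager",
})
DEPARTMENTS = frozenset({"Engineering", "Security", "Finance", "Operations"})


def _phone(value: str) -> bool:
    return PHONE_RE.fullmatch(value) is not None


def _title(value: str) -> bool:
    # "Emperor of the Universe" fails here: only HR-approved titles pass.
    return value in HR_TITLES


def _department(value: str) -> bool:
    return value in DEPARTMENTS


def _office(value: str) -> bool:
    # Free text is tolerated for the office location, but bounded and printable.
    return 0 < len(value) <= 64 and value.isprintable()


# Allow list: attribute name (real AD/LDAP name) -> validator.
SELF_SERVICE_RULES = {
    "telephoneNumber": _phone,
    "mobile": _phone,
    "title": _title,
    "department": _department,
    "physicalDeliveryOfficeName": _office,
}

# Attributes that feed access decisions. A self-service page must refuse these
# no matter what the client submits; they are managed by IAM processes only.
ACCESS_CONTROL_ATTRIBUTES = frozenset({
    "memberOf", "userAccountControl", "sAMAccountName",
    "userPrincipalName", "manager", "primaryGroupID",
})


def validate_self_service_update(requested: Dict[str, object]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a submitted change set into values safe to write and values to reject.

    Returns (accepted, rejected); `rejected` maps attribute -> reason.
    """
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for attr, value in requested.items():
        if attr in ACCESS_CONTROL_ATTRIBUTES:
            rejected[attr] = "access-relevant attribute is not self-service editable"
        elif attr not in SELF_SERVICE_RULES:
            rejected[attr] = "attribute is not on the self-service allow list"
        elif not isinstance(value, str) or not SELF_SERVICE_RULES[attr](value.strip()):
            rejected[attr] = "value does not meet the directory's format rule"
        else:
            accepted[attr] = value.strip()
    return accepted, rejected


def audit_lines(user: str, accepted: Dict[str, str], rejected: Dict[str, str]) -> List[str]:
    """Build one audit record per attribute so self-service changes can be monitored."""
    lines = [f"user={user} attr={a} result=accepted value={v!r}" for a, v in accepted.items()]
    lines += [f"user={user} attr={a} result=rejected reason={r!r}" for a, r in rejected.items()]
    return lines


if __name__ == "__main__":
    # Constructed submission from a preferences page, including an attempt to
    # edit group membership that the page should never forward to AD.
    submission = {
        "telephoneNumber": " +1 555-123-4567 ",
        "title": "Emperor of the Universe",
        "department": "Security",
        "memberOf": "CN=Domain Admins,CN=Users,DC=example,DC=local",
    }
    ok, bad = validate_self_service_update(submission)
    for line in audit_lines("jdoe", ok, bad):
        print(line)
```

Only the `accepted` dictionary should ever reach the directory write (whatever LDAP or PowerShell call the page uses); the `rejected` dictionary goes back to the user as form errors and into the audit log, which is what gives you the monitoring the column asks for.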

This was first published in May 2010
