Problem solve Get help with specific problems with your technologies, process and projects.

Active Directory update: User self-service security concerns

While allowing employees to update their Active Directory information themselves might sound like a great time-saver, it could cost more in the long run. Learn more about AD user self-service security concerns in this expert response from Randall Gamby.

Our company allows us to update our own Active Directory user data via an intranet preferences page. Are there identity management issues with allowing users to update AD themselves? What should the best practice be for updating AD data?
While I'm all about self-service, when it comes to an Active Directory update, user changes should be carefully planned and monitored. After all, AD isn't just the Global Access List (GAL) for exchange: Active Directory is an enterprise access repository. This means that while it has public information, it also grants/denies access to a multitude of applications. In addition, a directory is only as good as the data it stores, so you should have controls over what users input as information. Telephone numbers should have a set value (usually area code), titles should be HR-style titles (I remember one engineer who made his title, "Emperor of the Universe" from a self-service interface), and other user data should follow similar controls.

From an identity management perspective, if Active Directory is being used for access and as the repository-of-record for user data for applications, the inconsistencies mentioned above can greatly affect how applications function. Incomplete, unacceptable and just plain wrong information may cause an application using that data to malfunction, or worse, grant invalid access rights (whether denying authorized users or allowing unauthorized users).

The best practices are simple: Treat Active Directory as an enterprise repository. That means architect and plan what fields will be managed by end users, and put in place the controls needed for consistent/valid data (whether the control is an Active Directory control, a process or even training for the end users).

Having users maintain their own information can be great for administrative cost savings, but if left uncontrolled, can cause more expenditures than what it saves.

This was last published in May 2010

Dig Deeper on Active Directory security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.