Allow Non-IT staff to edit AD data

Maintaining address data in Active Directory is not easy for non-IT employees, at least not with Active Directory Users and Computers.

As a result, IT professionals (still) have to maintain the address data themselves.

IT admins and master data maintenance

IT admins take care of master data maintenance in many systems and applications, and there are basically two reasons for this. On the one hand, the systems have to be handled with care because of security requirements. On the other hand, most of these applications and systems are simply not usable for non-IT personnel. Other staff would need training on how to use them and on the terminology these programs use (and in the worst case an idea of how to pass parameters or write scripts).

If you want non-IT staff to maintain data with a piece of software, the tool should

  • be clear and
  • easy to understand
  • not need any support from the IT staff (or as little as possible)
  • only expose, and allow editing of, what has been predefined (limited access)

Standard tools for Active Directory do not meet these requirements, or only in a very limited way.

It still makes sense to think about delegating AD administration, because

  • IT specialists should maintain the systems in the first place (not the data in the databases/directories)
  • the data to be changed is not owned by IT, but by other departments
  • time and money can be saved

In the next chapter I want to explain how to enable non-IT staff to edit AD data in Active Directory at no cost, using FirstWare.


Preparation and Configuration of FirstWare

First, clarify which tasks the non-IT employee is supposed to take care of. Which attributes may be edited? Is there anything that must not be done?

In the following example, we enable the human resources department to edit AD data, create user accounts and maintain group memberships.

FirstWare-FreeEdition includes an Admin Role for creating AD user accounts. ( more about roles in FirstWare-FreeEdition)
The scope of the Admin Role itself must be defined outside the software by an Active Directory admin.


Define the Admin-Role

Requirements for a well-planned use of FirstWare-FreeEdition are an Active Directory domain and a well-structured OU hierarchy.

Think about the following OU structure:

  • User accounts
  • Admin accounts
  • Service accounts

The advantage of such an OU structure is that individual branches can be kept out of the delegated tool. This gives a better overview and better security, because you can limit which parts of the AD are reachable for delegation purposes. If you need help with this, we are happy to get your message.

FirstWare-FreeEdition uses an admin or service account to write data to Active Directory.

If you provide FirstWare-FreeEdition as a web application (IIS installation), the person who uses the Admin Role of FirstWare can never do more than the permissions of the service account allow.

In short: an IT admin should create a service account with read and write permissions for exactly the objects and attributes that the non-IT coworker should be able to maintain at most, and nothing beyond that.

The privileges of this account are the absolute maximum permissions the software can work with.
Further limitations are imposed within the software by:

  • the account with which the user logs on
  • the role of the user in the software (Admin Role / User Role)
  • the number of editable attributes in the software
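The following script shows how an AD admin could create such a service account and delegate only the address attributes on the user OU and the member attribute on the group OU, then read the resulting ACEs back. It is an added example and not part of FirstWare or its documentation; the OU names (User accounts, Service accounts, Groups), the account name svc-firstware and the attribute list are assumptions for this example, and the schema GUIDs are looked up from the schema partition rather than hard-coded.

```powershell
# Added example, not FirstWare code. Assumes the OUs below exist and that you
# run this as an account allowed to modify their security descriptors.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$usersOU  = "OU=User accounts,$domainDN"     # assumption
$groupsOU = "OU=Groups,$domainDN"            # assumption
$svcOU    = "OU=Service accounts,$domainDN"  # assumption
$svcName  = 'svc-firstware'                  # assumption

# 1. A plain domain user. No membership in Domain Admins, Account Operators
#    or similar: the ACEs below are the only rights it gets.
$pw = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'FirstWare write account'
$svcSid = (Get-ADUser -Identity $svcName).SID

# 2. Resolve schemaIDGUIDs for classes and attributes from the schema NC.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)"
    [guid]$obj.schemaIDGUID
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 3. Address attributes on user objects below the user OU (assumed list).
$acl = Get-Acl -Path "AD:\$usersOU"
foreach ($attr in 'streetAddress','l','postalCode','st','co','telephoneNumber','department') {
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $svcSid, $rw, $allow, (Get-SchemaGuid $attr), $descend, $userClass)
    $acl.AddAccessRule($rule)
}
# Creating user objects in that OU. Setting an initial password is the
# separate "Reset Password" extended right and is deliberately not granted
# here; add it only if HR really has to set passwords.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow,
    $userClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# 4. Only the member attribute of groups below the group OU.
$acl = Get-Acl -Path "AD:\$groupsOU"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $svcSid, $rw, $allow, (Get-SchemaGuid 'member'), $descend, $groupClass))
Set-Acl -Path "AD:\$groupsOU" -AclObject $acl

# 5. Check: list what the service account now holds on each OU.
function Get-DelegatedRules([string]$dn, [System.Security.Principal.SecurityIdentifier]$sid) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}
Get-DelegatedRules $usersOU  $svcSid
Get-DelegatedRules $groupsOU $svcSid
```

Anything the account can reach through a group membership or an inherited ACE is part of its "absolute maximum" as well, so step 5 is worth repeating on any other OU the search root will later point at, and the account should stay out of every built-in administrative group.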


Web Server Installation of FirstWare

After you have created the service account and checked the OU structure for suitability, you can install FirstWare. ( Download)

[Screenshot: Web Server Installation, select "Web server installation"]

[Screenshot: FirstWare Web Server Installation, enter the service account defined above]

At the end of the installation you get a link to the application. Simply send this link to the non-IT colleagues so they can access the portal.
Each employee must log in with his or her own AD account.
If "Enable Integrated Windows Authentication" is enabled, non-IT staff are logged in automatically with their Windows account.


Log in and Search Root

After logging in with the Admin Role, the master data owner can start working.

Verify that he or she really uses the Admin Role. Otherwise the person can only edit his or her own data (User Role).

[Screenshots: left: User Role / right: Admin Role]

[Screenshot: non-IT staff member who is not holder of the Admin Role]

With a click on "Config" you can set the search root (the AD entry point); everything outside it stays invisible to the portal.

Staff using FirstWare with the Admin Role (non-IT staff) can now edit and maintain AD master data within that search root.


Non-IT staff and Active Directory

Editing address and user data in Active Directory is easy and intuitive with FirstWare. No training is necessary.

Once set up, non-IT staff can edit AD data.

Let Non-IT staff update AD master data

A non-IT staff member can easily update address data. Here is how:

Example:

  • User: Brian Wood
  • Street old: 85 Denham St.
  • Street new: 115 Green Ave

 

  1. Run FirstWare (type the URL or use a bookmark in your browser) and search for "Brian"

  2. Click "Manage" to edit Brian Wood
    [Screenshot: User Management, Manage User Accounts]

  3. Click in the field (attribute) you want to change, here: Street
    [Screenshot: User Management, change street]

  4. Enter the new street, click "Save", and it's done.
    [Screenshot: User Management, change street, result]

The new non-IT admin can of course edit any other AD address data as well.
If you want him or her to maintain additional attributes, for example from a schema extension, just contact us and we will adjust FirstWare for you.
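Because the web application writes with the service account, the same edit can be repeated from PowerShell under that account to confirm where the boundary really is. The script below is an added example, not FirstWare code: it performs Brian Wood's street change as the service account and then tries an attribute that was not delegated, which must be refused. The account name svc-firstware, the sAMAccountName bwood and the choice of title as the non-delegated attribute are assumptions.

```powershell
# Added example, not FirstWare code. Assumes a service account svc-firstware
# whose delegation covers streetAddress but not title, and a user bwood.
Import-Module ActiveDirectory

$cred = Get-Credential -UserName "$env:USERDOMAIN\svc-firstware" -Message 'FirstWare service account'

function Set-StreetAsServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][string]$Street,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # The same write FirstWare performs when the HR colleague clicks Save.
    Set-ADUser -Identity $Sam -StreetAddress $Street -Credential $Credential -ErrorAction Stop
    # Read back with the same account; it holds ReadProperty on this attribute.
    (Get-ADUser -Identity $Sam -Properties streetAddress -Credential $Credential).streetAddress
}

function Test-NotDelegated {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # An attribute outside the delegation. A success here means the service
    # account holds more than the intended maximum (for example through a
    # group membership or an inherited ACE) and the delegation must be fixed.
    try {
        Set-ADUser -Identity $Sam -Title 'should not be writable' -Credential $Credential -ErrorAction Stop
        Write-Warning "title on $Sam was writable: service account is over-privileged"
        return $false
    } catch {
        "Write to title refused as expected: $($_.Exception.Message)"
        return $true
    }
}

Set-StreetAsServiceAccount -Sam 'bwood' -Street '115 Green Ave' -Credential $cred
Test-NotDelegated -Sam 'bwood' -Credential $cred
```

Run the negative check against every object type the search root exposes, not only the example user; a delegation that looks narrow on the user OU can still be widened by an ACE set somewhere above it.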

 

Change the group membership of a user

It is just as easy to add a user to an Active Directory group. ( group management)

Possible uses of AD groups:

  • Membership of a department (more)
  • Folder permissions (more)
  • Mail distribution lists (more)
  • Software distribution
  • other authorizations…

 

Example: a user changes departments

  • User: Brian Wood
  • Old department: Logistics
  • New department: Planning
  • Avoid over-permissioning: remove the Logistics group membership

  1. Search for the user "Brian Wood" and click "Manage" to edit
    [Screenshot: add group membership]

  2. Click the "Group Membership" tab to see all groups the user is a member of
    [Screenshot: group membership tab]

  3. Search for the group of the new department, "Planning", and drag & drop it to the right side
    [Screenshot: add new department group]

    [Screenshot: new department added]

  4. To avoid over-permissioning, remove the user from the old department group "Logistics"
    [Screenshot: avoid over-permissioning, group membership]

  5. Finally click "Save", done
    [Screenshot: remove department group membership]
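The department change above is two operations, and the second one (removing the old group) is the one people forget. The script below is an added example, not FirstWare code: it performs the move as the service account in one function, adding the new group before removing the old one, and then audits the group OU for users who still sit in more than one department group. The naming convention Dept-<Name>, the OU=Groups location, the user bwood and the credential variable $cred are assumptions for this example.

```powershell
# Added example, not FirstWare code. Assumes department groups named
# "Dept-<Name>" in OU=Groups and a credential $cred for svc-firstware.
Import-Module ActiveDirectory

$groupsOU = "OU=Groups,$((Get-ADDomain).DistinguishedName)"   # assumption
$cred = Get-Credential -UserName "$env:USERDOMAIN\svc-firstware" -Message 'FirstWare service account'

function Move-DepartmentGroup {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][string]$OldDept,
        [Parameter(Mandatory)][string]$NewDept,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $old = "Dept-$OldDept"
    $new = "Dept-$NewDept"
    # Add first, then remove: the user is never left without a department
    # group, and a failed add does not strip the old permissions.
    Add-ADGroupMember -Identity $new -Members $Sam -Credential $Credential -ErrorAction Stop
    Remove-ADGroupMember -Identity $old -Members $Sam -Credential $Credential -Confirm:$false -ErrorAction Stop
    # Return the remaining Dept-* memberships so the caller can see the result.
    (Get-ADPrincipalGroupMembership -Identity $Sam).Name | Where-Object { $_ -like 'Dept-*' }
}

function Find-OverPermissionedUsers {
    param([Parameter(Mandatory)][string]$GroupsOU)
    # Users that are members of more than one department group, i.e. moves
    # where step 4 ("remove the old department") was skipped.
    $membership = @{}
    foreach ($g in Get-ADGroup -SearchBase $GroupsOU -Filter "Name -like 'Dept-*'") {
        foreach ($m in Get-ADGroupMember -Identity $g | Where-Object { $_.objectClass -eq 'user' }) {
            if (-not $membership.ContainsKey($m.SamAccountName)) { $membership[$m.SamAccountName] = @() }
            $membership[$m.SamAccountName] += $g.Name
        }
    }
    $membership.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ User = $_.Key; DepartmentGroups = ($_.Value -join ', ') } }
}

Move-DepartmentGroup -Sam 'bwood' -OldDept 'Logistics' -NewDept 'Planning' -Credential $cred
Find-OverPermissionedUsers -GroupsOU $groupsOU
```

Running the audit on a schedule turns the "avoid over-permissioning" reminder into a check that catches the cases where a colleague saved after step 3 and never came back for step 4.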

 

Enabling non-IT staff to edit AD data such as department group memberships or address data is only a small part of what Active Directory offers.
With groups and attributes you can control a lot of permissions and applications. If you want to know more about it, we are happy to get your message.
