Allow non-IT staff to edit AD data
Maintaining address data in Active Directory is not an easy task for non-IT employees. At least not with the Active Directory Users and Computers console.
As a result, IT professionals must (still) maintain the address data.
IT admins and master data maintenance
IT admins take care of the master data maintenance in many systems and applications. And this basically has 2 reasons. On the one hand, the systems need to be handled with care due to security standards. On the other hand, most of these applications and systems are just not user-friendly for non-IT personnel. Other staff would need training for the usage and knowledge of the wording used in these programs. (And in the worst case, an idea about how to use parameters or how to script…)
If you want non-IT staff to maintain data with a software solution, the tool should
- be clear and
- easy to understand
- not need any support of the IT staff (or as little as possible)
- only be accessible and editable, what has been previously specified (limited access)
Standard tools for Active Directory do not match these requirements or only in a very limited way.
But it still makes sense to think about the delegation of AD administration, because
- IT specialists should maintain systems in the first place (not the data in the databases/directories)
- data to be changed is not owned by the IT, but by other departments
- time and money can be saved
In the next chapter I want to explain how to enable non-IT staff to edit AD data in Active Directory without great financial expanse, using FirstWare IDM-Portal.
Preparation and configuration of FirstWare
First, you should clarify what tasks the non-IT employee shall take care of. What are the attributes to edit? Is there something you must not do?
In the following example, we enable the human resources department to edit AD data, create user accounts and to maintain group memberships.
Firstware-FreeEdition includes an Admin Role, to create AD user accounts. (→ more about roles in FirstWare-FreeEdition)
The Admin Role itself must be defined outside the software by an Active Directory admin.
Define the Admin-Role
Requirements for a well-planned use of FirstWare-FreeEdition are Active Directory and a clustered OU structure.
Think about the following OU structure:
- User accounts
- Admin accounts
- Service accounts
The Advantage of an OU structuring is that some branches can be hidden. This leads to a better overview and security, because you can limit what parts of the AD are accessible for delegation purposes. If you need help with this, we are happy to get your message.
FirstWare-F/en/company/contact/reeEdition uses an admin or service account to write data in Active Directory.
If you provide FirstWare-FreeEdition as a web application, the person who uses the Admin Role of FirstWare is limited by the permissions of the service account.
In short: An IT admin should create a service account with all read and write permissions that the non-IT coworker should maintain at maximum.
The privileges of this account are the absolute maximum permissions with which the software can work.
Other limitations in the software made by:
- the account with which the user logs on
- the role of the user in the software (Admin Role / User Role)
- the number of editable attributes in the software
Web Server Installation of FirstWare
After you created a service account and checked the OU structure for suitability, you can install FirstWare.
At the end of the installation you will get a link to access the application. You just need to send this link to the non-IT colleagues, to let the access the portal.
Each employee must log in with his own AD account.
If “Enable Integrated Windows Authentication” is enabled, the non-IT staff is automatically logged in with his/her Windows account.
Log in and Search Root
After logging in with the Admin Role the master data owner can start working.
Verify that he/she really uses the Admin Role. Otherwise, he/she can only edit his/her own data with the (User Role).
(left: User Role / right: Admin Role)
With a click on “Config” you can set the search root / AD entry point.
Staff using FirstWare with the Admin Role (Non-IT staff) can now edit and maintain AD master data.
Non-IT staff and Active Directory
Editing address and user data in Active Directory is easy and intuitiv with FirstWare. There is no training necessary.
Once set up, you enable Non-IT staff to edit AD data.
Let Non-IT staff update AD master data
A non-IT staff can easily update address data. And here is how:
- User: Brian Wood
- Street old: 85 Denham St.
- Street new: 115 Green Ave
- Run FirstWare (type the URL or use a bookmark in your browser)
Search for “Brian”
- Click Manage to edit Brian Wood
- Click in the field (attribute) you want to change, here: Street
- Enter the new street – click save and it’s done.
The new Non-IT admin can of course edit any other AD address data as well.
If you want him/her to maintain additional attributes, that may come from a schema extension, just contact us – we’ll adjust FirstWare for you.
Change the group membership of a user
It is as easy to add a user to an Active Directory group. (→ group management)
Possible applications of AD groups:
- Belonging to the department (more)
- Folder permissions (more)
- Mail distribution lists (more)
- Software distribution
- other authorizations…
Example – User changes departments:
- User Brian Wood
- Old Department: Logistics
- New Departmenet: Planning
- Avoid over permissioning! Remove Logistics group membership
- Search user “Brian Wood” and click “Manage” to edit
- Click the “Group Membership” tab, to see all groups, the user is member of
- Search the group of the new department “Planning” and Drag & Drop it to the right side
- To avoid over permissioning: Remove the user from the old department “Logistics”
- Finally click “Save” – done
Enabling Non-IT staff to edit AD data such as department group memberships or address data is a small part of the opportunities that Active Directory offers.
With groups and attributes you can control a lot of permissions and applications. If you want to know more about it, we are happy to get your message.
Get your test license now
You can test FirstWare IDM-Portal 2017 SmartEdition for 30 days and see if it fits your needs. We are happy to provide you with further information.