Optimizing Infrastructure: The Relationship Between IT Labor Costs and Best Practices for Identity and Access Management with Active Directory
Here are some of the specific best practices cited in the paper:
- PCs managed by Group Policy Objects (GPOs) (labor savings of $120 per PC per year). Requires PCs to authenticate into Active Directory and individual PCs to receive configuration, software installation, and desktop configuration through GPOs.
- Comprehensive directory solution (labor savings of $120 per PC per year). Requires a single directory for authentication, single sign-on capability for all computing resources, and automated password reset.
- Reduction of third-party application directories (labor savings of $90 per PC per year). Requires the use of a single directory service both for operating system management and for application directory services. Very few companies in this study reached this goal, but those that did achieved significant IT labor savings.
- Automated user provisioning (labor savings of $50 per PC per year). Requires single directory or synchronized directories with a metadirectory service and IT processes for automated user provisioning. Users are provisioned (including adds, removes, and changes) once in a primary directory, and the changes are propagated to all related directories.
What are the interesting messages in the numbers above?
1. Group Policy is far more beneficial than automating user provisioning! You've read previous posts about Group Policy and how much I think companies should be using it. Here's yet another proof point. Plus, Quest Software has built some excellent software that can help you manage Group Policy.
2. Consolidating your directory infrastructure is far more beneficial than automating user provisioning! That's exactly what Vintela Authentication Services enables. Then throw on top Vintela Group Policy to extend your Group Policy benefits to Linux/Unix for added value.
3. Getting more applications to use Active Directory is far more beneficial than automating user provisioning! This follows the directory consolidation story.
4. User provisioning is a last step! I'm a big fan of fewer moving parts. If you follow #1-#3 above, you can reduce your need for a metadirectory, get significant savings and probably pay less for that metadirectory software you're looking at. Of course, Quest's ActiveRoles Server is available to help you here.
I won't bank on the numbers in the Microsoft/IDC paper, but I really do like the contrast in the value of the best practices: simplify and consolidate first, provision last.
P.S. With Microsoft's "ILM 2007" product, if you include provisioning a certificate for a user as part of your solution, then you'll be paying even more and saving even less, which makes #1-#3 above even more important.