I've blogged a couple of times about my customer visits in New York City. I want to recount the situation at an insurance company that I visited with. I've worked in IT at a couple of companies, including a fairly sizeable one, and I've seen an awful lot of bad practices, but what I saw there was, in my opinion, out of control.
The company is global. They have operations in many countries around the world. Their Active Directory is set up on a regional basis versus a functional basis. This has come about for a couple of reasons: each region had their own NT domain and each region wanted their own autonomy. OK, sounds somewhat typical of many companies. What's the problem?
Each NT domain is being migrated into a separate Active Directory forest.
Unfortunately, the regions do not trust headquarters, so they are completely against centralization of any control whatsoever. In addition, each region has a CIO who reports to the regional executives but is only dotted-line to the global CIO. The result is that each CIO does what they want, and what they want is control, and control translates to owning their own AD forest.
The folks I talked to were basically stating that they were not seeing any benefit from their migration to Active Directory, even with the security implications of not de-provisioning staff quickly, something that they had already been burnt by. At least they were in a position to understand that they weren't getting any benefit, but can they make the leap to understanding why?
- Educate senior management on the problem and costs of the current path the company is going down.
- Get a highly experienced Active Directory architect to build the global plan.
- Get a highly experienced project manager to execute the global plan.
- Educate the regions on Active Directory capabilities, engineering and benefits (i.e., delegation).
- Force regional IT to take their marching orders from the global CIO's office.
- Reward the regions that move to the global forest by enabling them to keep their budget dollars. Freeze the budgets of those that don't move within a set period of time.
- Start kicking butt and taking names.
Active Directory, Identity Management