I had a meeting here in Dresden with a CIO from a 500,000-employee German company. The basis for the meeting was to listen to the CIO's biggest pain points and determine how our company could help them.
The discussion was very interesting overall, but especially interesting for me when he started describing the problems he was having with Active Directory identity management. When I started to drill into the problem, he was completely unable to tell me who or what was changing Active Directory. In their environment it was simply impossible to know who (or what) was making changes.
The company is so political that he can't even get departments or divisions to answer the simple question of: "If you have a program or process that is creating, updating or deleting attributes or objects from Active Directory please describe."
Traditionally, our role as an ISV is to sell a product and start rationalizing the identity "crisis" for that customer. But what happens when you can't even identify who or what is making changes to an identity repository? Do you simply respond with a trainload of consultants to start doing interviews and mapping processes? I guess that's an answer, but how long will that take and will it be accurate and complete? (Even if it is accurate and complete, I can assure you it will probably be out of date the next day/week/month.)
So what do you do to help in this situation? Is there a role for an identity management "detective"?
Quest Software, identity management