The depth and breadth of information that must be accurately published in Active Directory spans the organization from Human Resources to the Telecommunications department. On top of that, you have to manage access control based on decisions from data owners and managers.
Trying to coordinate updates from all of these individuals and departments is a nightmare. Moreover, skilled administrator time is wasted carrying out what basically amounts to clerical work.
The best solution is self-service administration and access control (more on that below), but AD can't quite pull that off. Thankfully, however, Active Directory does support delegation of control and provides an excellent audit log. With these two features you can spread out responsibility for updating various aspects of user and group information to the people and departments actually responsible for it, without losing control.
AD's delegation of control feature allows you to granularly delegate the ability to update specific fields on users and groups to any other user or group in AD. For instance, you can grant the Telecommunications department the authority to update office, mobile and pager telephone numbers while giving Human Resources access to update home phone and address. Delegation also provides ways to streamline access control management and group membership.
Lest you worry about losing control, the events generated by Active Directory are the best designed out of all the events in the Windows security log, so you always have a complete audit trail of who did what and when. In this real training for free webinar I will show you how to streamline maintenance of users, groups and access by using:
* AD advanced permissions
* The security log
* Custom MMCs
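The delegation and audit trail described above can be cross-checked against each other. The following is an added example, not material from the webinar or the original post: it compares directory-change events (Security log event ID 5136, "A directory service object was modified") with a delegation plan and reports attribute writes that fall outside it. The group names, accounts, membership table and event records are constructed, and the records are simplified to the few 5136 data fields the check needs.

```python
EVENT_ID_DS_OBJECT_MODIFIED = 5136  # Directory Service Changes audit event

# Hypothetical delegation plan mirroring the Telecom / HR split in the text.
# LDAP attribute names are case-insensitive, so they are stored lowercased.
DELEGATIONS = {
    "Telecom-Admins": {"telephonenumber", "mobile", "pager"},
    "HR-Admins": {"homephone", "streetaddress", "l", "st", "postalcode"},
}
# Constructed group membership; in practice this is resolved from AD.
MEMBERSHIP = {"tel.alice": {"Telecom-Admins"}, "hr.bob": {"HR-Admins"}}

USER_DN = "CN=Jane Doe,OU=Staff,DC=example,DC=com"      # constructed
GROUP_DN = "CN=Finance,OU=Groups,DC=example,DC=com"     # constructed
# Constructed, simplified event records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "tel.alice", "ObjectDN": USER_DN,
     "AttributeLDAPDisplayName": "mobile"},
    {"EventID": 5136, "SubjectUserName": "hr.bob", "ObjectDN": USER_DN,
     "AttributeLDAPDisplayName": "homePhone"},
    {"EventID": 5136, "SubjectUserName": "tel.alice", "ObjectDN": USER_DN,
     "AttributeLDAPDisplayName": "homePhone"},   # outside Telecom's scope
    {"EventID": 5136, "SubjectUserName": "hr.bob", "ObjectDN": GROUP_DN,
     "AttributeLDAPDisplayName": "member"},      # not delegated to anyone
    {"EventID": 4624, "SubjectUserName": "tel.alice"},  # unrelated logon event
    {"EventID": 5136, "SubjectUserName": "tel.alice", "ObjectDN": USER_DN,
     "AttributeLDAPDisplayName": "Pager"},       # case variant, still in scope
]

def allowed_attributes(user):
    """Union of the attributes delegated to every group the user belongs to."""
    allowed = set()
    for group in MEMBERSHIP.get(user, ()):
        allowed |= DELEGATIONS.get(group, set())
    return allowed

def out_of_scope_changes(events):
    """Return (user, object DN, attribute) for writes outside the plan.

    Accounts absent from MEMBERSHIP have no delegated attributes, so every
    change they make is reported for review.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_DS_OBJECT_MODIFIED:
            continue
        user, attr = ev["SubjectUserName"], ev["AttributeLDAPDisplayName"]
        if attr.lower() not in allowed_attributes(user):
            findings.append((user, ev["ObjectDN"], attr))
    return findings

if __name__ == "__main__":
    for user, dn, attr in out_of_scope_changes(SAMPLE_EVENTS):
        print(f"REVIEW: {user} changed '{attr}' on {dn}")
```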
Randy's webcasts are always packed with great information, so if you have any interest in this topic, please check it out!