Serving the Exchange & Active Directory market since 1997, Imanami's 500+ customers give a great view of who is using AD for what.  That's what we blog about.


Automated provisioning and deprovisioning

 

When Microsoft first released Forefront Identity Manager (FIM), they described an alarming statistic:

On average, every new user needs to be added to 16 directories upon hire; upon fire, the average user is only taken out of 9 directories.

Wow.  I don't know the source of that statistic, but if it's true then the average user is still floating around in 7 directories after leaving a company (I assume they mean directories and databases).  To be fair, these might be completely benign data repositories like Active Directory, the badge system, payroll, who knows what.  Or they could be important :) .

I just know that I want ex-users completely deprovisioned to the point they cannot do anything on my network.  I can't imagine that MSFT meant they were inactive users on those directories because our own Active Directory research shows something else alarming: it takes an average of 9 days for organizations to deprovision a user from Active Directory after termination.

9 days of access, what could a bad guy do with that?  Steal all your CRM data?  Book a flight to Paraguay?  Steal source code?  Plant a virus?  Prank call customers from within your phone system?  This is a big deal.

The obvious answer is to create an automated provisioning and deprovisioning process.  GroupID Synchronize allows you to create bi-directional provisioning and deprovisioning jobs with almost any database or directory as a source or destination.  GroupID does not use a meta-directory, instead writing directly to the source DB/directory. 

Find the authoritative source (usually HR) and go from there.  Once you identify all the systems where a user needs to have accounts, simply provision them using GroupID.  During their hopefully long and productive career, use GroupID to synchronize changes in their identity (department, shoe size, title, etc.).  Once they are terminated, use the reverse of the provisioning jobs and deprovision them from the destinations.  You can even daisy-chain these jobs to be sure that all data is passed along (for example, HR doesn't have an email address until provisioned in AD/Exchange).
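
A reconciliation check in the spirit of the steps above, as an added example (it is not Imanami's or GroupID's code): it treats an HR export as the authoritative source and lists every account still enabled in other systems after the recorded termination date. The CSV layouts, column names, system names and sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports; the column names are assumptions, not a real schema.
HR_CSV = """employee_id,status,termination_date
1001,active,
1002,terminated,2024-03-01
1003,terminated,2024-03-08
"""
SYSTEMS = {
    "active_directory": "employee_id,account,enabled\n1001,asmith,true\n1002,bjones,true\n1003,cwu,false\n",
    "crm": "employee_id,account,enabled\n1002,bjones@crm,true\n1003,cwu@crm,true\n",
    "badge": "employee_id,account,enabled\n1002,B-1002,false\n",
}

def load(text):
    """Parse one CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def lingering_accounts(hr_csv, systems, today):
    """Return (employee_id, system, account, days_since_termination) for each
    account that is still enabled after HR recorded the termination."""
    terminated = {
        row["employee_id"]: date.fromisoformat(row["termination_date"])
        for row in load(hr_csv)
        if row["status"] == "terminated" and row["termination_date"]
    }
    findings = []
    for system in sorted(systems):
        for row in load(systems[system]):
            term = terminated.get(row["employee_id"])
            enabled = row["enabled"].strip().lower() == "true"
            if term is not None and term <= today and enabled:
                findings.append((row["employee_id"], system, row["account"], (today - term).days))
    return findings

def systems_per_user(findings):
    """Count the systems in which each terminated user still has an enabled account."""
    counts = {}
    for employee_id, _system, _account, _days in findings:
        counts[employee_id] = counts.get(employee_id, 0) + 1
    return counts

if __name__ == "__main__":
    report = lingering_accounts(HR_CSV, SYSTEMS, date(2024, 3, 10))
    for employee_id, system, account, days in report:
        print(f"{employee_id} still enabled in {system} as {account}, {days} days after termination")
    print(systems_per_user(report))
```

Run on a schedule against real exports, the same comparison gives both numbers the post worries about: how many systems an ex-user remains in, and for how many days.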

If you fear that there might be ex-users sitting in 7 directories on your network, schedule a demo of GroupID or download a free 30-day trial.  And don't take 9 days to do it!
