Using active directory as a master staff database and allowing specific users edit capability

We have a challenge in our enterprise, where we have at least a few different storage locations for employee information. We are trying to get this all consolidated as much as possible so there is one place to go and look up / edit employee information such as name, address and phone number.

Since 90+% of employees have active directory accounts, we are thinking AD is a good place to make the master source of information - to pull from there / make edits there.

The rest will be updated / pulled from a second HR system (the HR system is limited however, and not user friendly for MIS or other non HR staff to go in and out of and make edits on a regular basis). These are employees that are short term and most likely not worth the effort of constantly editing by MIS.

So, I am looking for suggestions on how to allow certain key users (specific managers or HR staff for example) to be given access to some sort of utility or interface to edit active directory users (or possibly even add them if possible).

However, I of course do not want to allow any non MIS staff to be able to edit the access information such as group memberships. They should only be able to edit personal information such as name, address, phones and similar.

One possibility I am looking at is SpiceWorks - I already use it, and synchronize with AD. I know it has an ability to write changes back to AD, so maybe that will work. Anyone else use SpiceWorks, or any other utility to do this (or have other suggestions)?

Answer 1

If you want to delegate Modify or Write to specific attributes, you can do this through the Active Directory Delegation Wizard. You would make a group for HR and delegate the appropriate permissions to them. They would then be able to edit the info using ADUC, or you could write a custom web interface, which isn't all that difficult to do if you don't want them to use ADUC for some reason.
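
The per-attribute delegation described in this answer can also be scripted with `dsacls`. This is an added example, not part of the original answer; the OU `OU=Staff,DC=example,DC=com`, the group `EXAMPLE\HR-Directory-Editors` and the attribute list are assumptions to replace with your own.

```powershell
# Added example: grant an HR group write access to personal-information
# attributes only, on user objects under a single OU.
# Assumed names (not from the original post): adjust to your domain.
$TargetOU = 'OU=Staff,DC=example,DC=com'
$Delegate = 'EXAMPLE\HR-Directory-Editors'

# LDAP display names of the attributes HR may edit:
# name, phone and address fields, nothing related to access.
$Attributes = @(
    'givenName', 'sn', 'displayName',
    'telephoneNumber', 'mobile',
    'streetAddress', 'l', 'st', 'postalCode'
)

foreach ($attr in $Attributes) {
    # /I:S  -> the ACE is inherited by child objects, not set on the OU itself
    # RPWP  -> read property + write property, scoped to the one attribute
    # ;user -> the ACE applies to user objects only
    dsacls $TargetOU /I:S /G "${Delegate}:RPWP;$attr;user" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while delegating attribute '$attr'"
    }
}

# Group membership lives in the 'member' attribute of group objects.
# Nothing above touches group objects, so the delegate gains no ability
# to change memberships.

# Review what the OU's ACL now grants to the delegate group.
dsacls $TargetOU | Select-String -SimpleMatch $Delegate
```

Run it from an elevated session with rights to modify the OU's ACL, and keep the attribute list under change control so later additions are reviewed the same way.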

Answer 2

Well, seriously - whoever thinks AD is a good source database to run your central HR information is someone you should get a recommendation... one to work for your competitor (a.k.a. fire him).

It is way too low level and technical to be a logical business side master system.

I think the approach is broken - you will end up doing tons of setup for little gain. AD is very technical, you need a higher level logical application.
