Subject: Grouper Developers Forum
- From: Tom Barton <>
- To: Grouper Dev <>
- Subject: [Fwd: Manage groups more efficiently]
- Date: Fri, 09 Jan 2009 08:00:50 -0600
Interesting point of comparison. -Tom
--- Begin Message ---
- From: Peter Jalaff <>
- To: "" <>
- Subject: Manage groups more efficiently
- Date: Thu, 8 Jan 2009 23:18:02 +0000 (GMT)
Get IT Administrators to do More with Less!
Manage your groups more efficiently.
In This Issue
Dynamic distribution groups for Exchange 2007
Give users the power to manage their own groups
Enforcing group membership in dynamic groups
Learn about Securitay
First of all Happy New Year! Here is a quick article that will introduce you to some no-nonsense technical ideas that may help you manage your Windows security groups and email distribution groups more effectively and efficiently.
There's also a new product on the scene to give end users control over their own groups. See Group Management Portal for more information.
Give Your IT Admins a Break!
With the economic downturn here now, companies are squeezing every penny in hopes of staying afloat. "Do more with less", weve all heard this before, except now it could be life or death for your organization. Everyone is getting a frustrated trying to figure out how best to keep the organization humming while not giving your administrators a migraine.
Key: Either delegate the duties or automate the tasks of managing groups.
Automating as many processes is the name of the game when it comes to reducing administrative burden. In most enterprises there are generally two different types of Windows groups: Security Groups and Email Distribution Groups (or DL). In an article below well touch more on dynamic security groups, but here well dive into dynamic DLs.
This functionality was originally introduced in Exchange 2003. It was a great idea how to keep group membership of a DL up to date and more importantly automatically. At the time the feature was called Query Based Distribution Groups. It allowed the admin to define a DL based on certain attributes of a user, such as City=Houston or State=Texas. As new users are created the system will automatically query AD and include those users that met the criteria.
With Exchange 2007, the name has been changed to Dynamic Distribution Groups and the administrative interface has changed also.
To learn how to create dynamic DLs in Exchange 2007 click here
This tip comes from SearchExchange.com
How To Get Your End Users To Manage Their Own Groups using Group Management Portal
Are you tired of hearing your IT departments complain they don't have time to do the real important stuff?
Are you sick of listening to end users scream about the time it takes to join a security group or email DL?
Do you want an easy way to let the business section handle their own groups?
Then read on...
As mentioned earlier some distribution groups can be created and maintained dynamically. Unfortunately many groups are not dynamic, but static and must be handled manually.
For IT administrators, adding and deleting users from security and email distribution group can be the most miserable task. Countless hours are wasted where they could be doing more strategic projects.
Securitay understands this pain and has created a tool to help. It called Group Management Portal (or GMP).
The Group Management Portal application grew from knowledge and long use of a similar application that has long been used internally at Microsoft. Built as an internal proof-of-concept application many years ago, it allows any employee to create and manage their own e-mail distribution lists and Active Directory security groups. Over time, it has also become a key enabling technology and business-critical application at Microsoft that allows instant collaboration and delegated management of security policies all the way down to the lowest levels of the business units. The application has saved Microsoft IT administrators countless hours of performing mundane management tasks.
This tool works for security groups as well as distribution groups.
GMP has the following features:
- Integrates seamlessly with Microsoft Active Directory and Microsoft Exchange
- Supports any size organization
- Simple to use and understand by even minimally trained employees
- Usage quotas preclude employee abuse
- Comprehensive workflow capabilities including approval and notification
- Application configuration through simple and intuitive web-based management interfaces
- Constrain object creation to pre-configured Organizational Units
Companies using GMP will see the following benefits:
- Improved business processes for ad-hoc collaboration
- Better security management of distributed information
- Reduced Administrative and Help Desk costs
- Empowered and more productive employees
- Improved auditability
For a white paper on Self Service Group Management click here
Enforcing Group Membership
Did you know?
Speaking of helping out administrators, heres another tip around groups: enforcing group membership. Many administrators have already discovered the benefits of using dynamic groups. It reduces the burden on administrators of having to manually keep group memberships up to date.
Here are 3 solutions that can help you:
1- Windows 2003 (with Exchange 2003/2007). Out of the box, Microsoft offers dynamic group functionality for distribution groups (see above).
a. Pro. Comes out of the box in Windows 2003 Active Directory. Very simple tool.
b. Con. Because it is focused on AD, it cant do multiple directories, or for that matter multiple AD forests. Furthermore, this only works with email distribution groups and not security groups.
2- ILMv2. The soon to be released product of Microsoft will include dynamic functionality. Mark Gabarra talks in depth on this subject see his blog entry http://blogs.msdn.com/markgabarra/archive/2008/08/21/automating-group-management-a-dynamic-group-primer.aspx
a. Pro. ILMv2, like ILMv1 is a meta-directory engine. It is meant to bring together multiple directories by synchronizing attributes. This includes synchronizing multiple Active Directory forests.
b. Con. One issue using this approach is the synchronization latency that happens with all synchronization solutions. Depending on your environment this could take on average of an hour up to a day. Another piece to consider is the implementation time of ILM2. Typically ILM2 is part of an enterprise identity management project, not for the faint of heart. Much planning and consulting is needed to ensure a successful implementation. Another limitation is the fact that using an ILM product assumes you have more than one directory. So this wont work if you have a single forest.
3- Virtual Directory. Optimal IdM offers a nice Virtual Directory thats built on Microsoft .NET technology. It has many more benefits than just managing dynamic groups, but thatll be for another email. Find out more about this here http://www.optimalidm.com/products/VIS/Default.aspx
a. Pro. Being a Virtual Directory there is no synchronization latency, because they dont synchronize directories. All the information is served up in a Virtual directory that is updated immediately. Furthermore, it can be used in a single forest or multiple forests/directories. Finally the icing on the cake is the little amount of time to deploy the product. Typically it can be up and running within 8 hours! Dont believe me, then ask for your own POC and verify for yourself!
b. Con. Regarding managing group membership, I havent come across a con yet. Though in general it is not meant to replace solutions like ILMv2, as virtual directories do not provision / de-provision user accounts. Thats ILMs job!
c. Added bonus: Many people are frustrated that solutions around dynamic groups cant be audited easily. Well look no further than Optimal IdMs solution as it comes with an easy tool for reporting and auditing. http://www.optimalidm.com/products/VIS/VISReportsforAD.aspx
Who is Securitay?
Securitay was founded by two former Microsoft employees: David Mowers and Jeff Spelman.
David brings over twelve years of security expertise to Securitay with deep knowledge and experience in authentication protocol design and implementation, authorization, cryptography, PKI, and Active Directory. David is an expert on the implementation and use of Microsoft Windows Security Services. He holds multiple patents for technology invented and delivered in the Windows Client and Server Operating Systems. During the period 2003-2006 David led the efforts at Microsoft to create an end-to-end Identity and Access Management Solution culminating in the publication of the Identity and Access Management Solution Series of which he was the architect and lead writer.
Jeff is an accomplished security technologist and developer with over 16 years of experience in cryptography and authentication protocol design and implementation. Jeff's contribution to Windows Security includes significant parts of the Windows cryptographic libraries, including implementation of Elliptic Curve Cryptography algorithms, co-developer of the Windows Kerberos V5 authentication protocol implementation, technical lead for the Federal Information Processing Standard (FIPS) 140-1 validation effort, and architect/lead developer for the Active Directory Federation Services feature of Windows 2003 R2. Jeff holds multiple patents covering various aspects of security including cryptographic services and authentication.
To find out more please visit www.securitay.com
As a winter promotion, purchase Group Management Portal and receive 25% off current price till end of January 2009. Please contact Peter at or call 813-333-1735 and mention this email.
Note: if you wish to be removed from this list please reply with remove me in the body.
--- End Message ---
- [Fwd: Manage groups more efficiently], Tom Barton, 01/09/2009
Archive powered by MHonArc 2.6.16.