Self Service Group and Directory Management
Managing Active Directory group membership, users, contacts, and attributes is a tedious job for administrators. Giving a web-based identity and access management option allows administrators to delegate Active Directory administration to end users. But you need controls. GroupID enables end users to update their own directory information and manage groups based on controls the administrators set.
“Before Imanami, I had to staff several employees just to make changes. That is no longer the case. The products were easy to install, Imanami was great to work with and the systems virtually run themselves.”
“What more could you ask for?”
City of Atlanta’s CIO
GroupID Self Service increases productivity for both IT and the business. To take advantage of Active Directory, the information within it needs to be accurate. Users need to have a quick, easy and secure way to update their pertinent personal information. Some attributes should be editable by the user (mobile phone, home address), some should be editable by the user’s manager (title, location) and some should only be editable by IT (email address). GroupID Self Service gives all of these options with the additional ability to create workflows to give IT even more control, without more work.
According to a survey by Osterman Research, 81% of organizations manage their groups manually. This means that 4 out of 5 organizations have IT manually adding users to groups every time an employee is hired or changes positions. This takes up, on average, 6 hours per week per 1000 employees and, according to the same survey, 42% of users are still in the wrong distribution lists or security groups.
GroupID Self Service delegates that burden onto a resource that has a vested interest in managing these groups: the users. A group owner can create a group, manage the membership, and make sure that the group is always accurate. The group owner can also open their group to allow other users to opt in to the group. Managers should be able to attest to their staffing, and transfer or terminate those people no longer under their stewardship. IT can control the whole process with simple-to-set workflow.
One of the issues of opening groups up to users is the proliferation of groups, something we call group glut. If there are no controls in place, too many groups are created or, worse yet, once-useful groups are left “cobwebbed” in the Global Address List. The solution to this is group lifecycle. There are four steps to a group’s useful life:
- Give workflow to ensure that the group is approved and/or meets naming conventions
- During a group’s useful life, allow owners to manage groups and users to opt in and opt out of groups
- Define a lifecycle for group renewals and enforce that the owner has to actively renew a group to continue using it. Group owner(s) are notified before the expiration, giving them time to renew it or let it expire
- Once a group has expired and the owner has not renewed it, wait a set period of days to delete it, giving the owner a chance to “get it back”
Ensuring that a manager is correctly assigned and that direct reports are accurate is an important task if role-based access is to be automated. Frequently, company staff will work on multiple projects, and quite often on a temporary basis. In many cases this leads to a reporting responsibility to a secondary manager, a “dotted line” form of organizational relationship. Ensuring that those relationships are up to date requires that IT managers ensure that staff are able to self-declare their connections, with workflow oversight of any changes.
- Compel users in the directory to validate their profile and to attest to their manager and any direct reports that work for them.
- Specify which attributes need to be populated with free-form entry or from pre-determined values. Which attributes must be attested is defined by the role the user fulfills. For more sensitive attributes, attach workflow to the change request.
- Transfer and Terminate
  - When a direct report no longer works for someone, use Self Service to transfer them to a new manager. Attach workflow to these changes so that the correct authoritative person approves such changes.
- Expire and Delete
  - When a user fails to attest or when a manager terminates the user, expire (disable) the user object for later deletion consideration, or automate the deletion of the object after a set period of time.
GroupID Self Service gives IT a complete group and user lifecycle solution, allowing users to manage their own groups, their own profile, and their direct reports, while giving IT the control to keep it from getting out of hand. This group lifecycle solution allows you to control group glut on both security groups and distribution lists. When you expire a security group, GroupID will back up the membership and then remove all members, effectively disabling the group until the group owner(s) renew it. When you expire a distribution list, the group is un-mail-enabled so that messages will bounce. In both cases, the group name is given an exp- prefix and the group is hidden so that users cannot opt in or out. The user lifecycle solution allows you to control your own directory profile and those of the people who work for you. Ongoing profile validation ensures the accuracy of active user objects in your organization and can extend, based on role, to managers attesting to those who report to them.
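The four lifecycle steps and the security-group expiry behaviour described above can be modelled as a small state machine. This is an added example, not GroupID code: the `Group` class, `tick` and `renew` are hypothetical names, the 14-day notice, 30-day grace and 180-day renewal periods are assumed values, and restoring the backed-up members on renewal is an assumption about what "renew" does.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

EXPIRED_PREFIX = "exp-"  # prefix the page says is added on expiry
NOTIFY_DAYS = 14         # assumed notice window before expiration
GRACE_DAYS = 30          # assumed wait between expiry and deletion

@dataclass
class Group:
    name: str
    owners: set
    members: set
    expires_on: date
    backup: set = field(default_factory=set)  # membership saved at expiry
    expired_on: Optional[date] = None
    deleted: bool = False

def tick(g: Group, today: date) -> str:
    """Apply the lifecycle policy for `today`; return the action taken."""
    if g.deleted:
        return "none"
    if g.expired_on is not None:
        if today >= g.expired_on + timedelta(days=GRACE_DAYS):
            g.deleted, g.backup = True, set()
            return "delete"
        return "none"
    if today >= g.expires_on:
        # Back up, then empty, the membership so the group grants nothing.
        g.backup, g.members = set(g.members), set()
        g.name, g.expired_on = EXPIRED_PREFIX + g.name, today
        return "expire"
    if today >= g.expires_on - timedelta(days=NOTIFY_DAYS):
        return "notify-owners"
    return "none"

def renew(g: Group, actor: str, today: date, period_days: int = 180) -> None:
    """Owner-only renewal; an expired group gets its saved members back."""
    if g.deleted:
        raise ValueError("group was deleted after the grace period")
    if actor not in g.owners:
        raise PermissionError(f"{actor} is not an owner of {g.name}")
    if g.expired_on is not None:
        g.members, g.backup = g.backup, set()
        g.name, g.expired_on = g.name[len(EXPIRED_PREFIX):], None
    g.expires_on = today + timedelta(days=period_days)

if __name__ == "__main__":
    g = Group("sg-finance", {"alice"}, {"bob", "carol"}, date(2024, 6, 30))  # constructed sample
    for day in (date(2024, 6, 20), date(2024, 6, 30)):
        print(day, tick(g, day), g.name, sorted(g.members))
    renew(g, "alice", date(2024, 7, 5))
    print(g.name, sorted(g.members), g.expires_on)
```

The property worth checking in any real deployment is the one the model makes explicit: between expiry and renewal the security group has no members, so it confers no access, and only a listed owner can bring it back.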
GroupID Self Service is a web-based portal that gives an intuitive front-end to Active Directory. Users and Administrators can update user attributes and create distribution lists and security groups based on permissions and workflow designed by IT. GroupID Self Service improves on Active Directory in that it allows for multiple owners of groups, workflow on any attribute changes, security settings on view/edit with field-level security, customizable branding, and differing security settings on groups.
The simple-to-use MMC administrative interface allows IT to create multiple portals, manage workflow and group lifecycle, and easily brand the Self Service portal. Giving access and control of user data to the users helps the organization be more nimble and productive; having control of who can do what helps keep the organization more secure. GroupID Self Service gives you both.
GroupID is the industry’s most complete end-to-end group management solution. Manage a group from creation to its usage to expiration and on to deletion. Give your end users the ability to manage their groups with IT’s control.
Set an expiration policy on any and all groups. Group owners are notified before a group expires and are given the ability to renew it. Make sure a group is still useful for the business before allowing it to clutter up your GAL with an old unwanted group. Group lifecycle works on both AD security groups and Exchange distribution lists.
Manage your own groups
Group owners can manage the membership, lifecycle, and delivery restrictions on their groups. Add workflow to join groups, create restrictions on who can send to the group, and add/delete members.
Join & Leave groups
Users can opt in or opt out of groups depending on their security levels.
Any number of groups or users can manage a group. All owners receive the same rights. All owners receive workflow notifications. Have an assistant manage your group or delegate it to your favorite employee!
Workflow on group creation
Allow users to create groups but give IT or their manager a chance to approve what they’re doing. Enforce naming conventions or security levels.
Enforceable naming conventions
Force a prefix (or even create a drop down list) onto all group names to standardize your GAL or distinguish groups in different departments.
Group security settings
- Private: nobody can join
- Semi-private: the owner has to approve the new member
- Semi-public: the owner is notified that there is a new member
- Public: anybody can join
Delegated user attribute management
Allow end users to manage their own attributes, change passwords, and manage workflow requests through a customizable web interface into Active Directory.
Complete customization
GroupID Self Service allows you to set any fields to view, edit, or hide depending on a highly customizable set of roles. Allow only the users you want to manage attributes to manage them.
Notification & workflow
Create workflow on any attribute changes with approvals going to managers, HR, help desk or admins. Very customizable and powerful workflow gives IT confidence in delegating.
Bad Word Filter
Apply a customizable list of bad words onto any attribute on any object to keep users from polluting the GAL with objectionable wording.
Allow end users to reset their own password.
Use Active Directory Security Groups to control access to resources in SharePoint. In many cases, SharePoint groups are redundant to existing Active Directory Security Groups, so why duplicate the management of permissions? Most IT AD administrators, however, would rather not delegate control to SharePoint Administrators or give access to the directory using Microsoft Windows Server administrative tools such as ADUC (Active Directory Users and Computers) or ADAC (Active Directory Administrative Center). Instead, they can safely delegate access to security group management in Active Directory with GroupID Self Service’s friendly web-based portal. SharePoint administrators may also extend the portal with native integration by adding a button in the ribbon. Read more in the blog: A better way to manage AD or SharePoint group permissions.
A common use for GroupID Self Service is as a web-based directory based on the content of your Active Directory. Easily deployable as an intranet solution for your organization, the “Phonebook” role of Self Service allows users to search and list users and contacts in the directory but does not allow modifications.
Dynamic schema detection
Attributes in your Active Directory are exposed in the GroupID Self Service portal. Which attributes are displayed or can be modified is configurable. If you have extended the schema, whether through the extension Microsoft applies when Exchange is deployed or through a custom schema extension, these attributes can be exposed for use within the GroupID Self Service portal.
Cross forest support
GroupID Self Service is designed to work in many disparate environments and includes built-in support for organizations with a cross-forest configuration. Administrators can delegate control over groups and users in environments where there are forests with established trust relationships.
- Microsoft® Windows® Server 2003 family
- Microsoft® Windows® Server 2008 family (including 2008 R2)
- Microsoft® Windows® Server 2012 family (including 2012 R2)
- Microsoft® Windows® Server 2016 family
- Microsoft® Windows® 7
- Microsoft® Windows® 8
- Microsoft® Windows® 8.1
- Microsoft® Windows® 10
- Microsoft® Windows® 10 Anniversary Update
- Microsoft® Windows® 10 Creators Update
- Microsoft® Internet Information Server 6.0, 7.0
- Microsoft® .NET 4.6 required
Directory services supported
- Microsoft® Active Directory® with Exchange Server 2003
- Microsoft® Active Directory® with Exchange Server 2007
- Microsoft® Active Directory® with Exchange Server 2010
- Microsoft® Active Directory® with Exchange Server 2013
- Microsoft® Active Directory® with Exchange Server 2016
- Microsoft® Active Directory®
- Microsoft® Active Directory® with Office 365
- Microsoft® Active Directory® with Google Apps (G Suite)
- Microsoft Edge
- Microsoft IE 8.0 or higher (recommended but not required)
- 2GHz Pentium® IV or higher (or the minimum CPU required to run the operating system, whichever is higher)
- 8GB RAM or higher (or the minimum RAM required to run the operating system, whichever is higher)
- 200MB or more of hard drive space available for execution (in addition to the requirements of the Microsoft .NET Framework Redistributable)