project database

C--Users-Killeee-Desktop-active directory web interfaceNo.  And yes.

Of course, those are both lame answers but there is no good answer to the broad question of having an Active Directory web interface.  Because you very rarely want to have full admin rights to Active Directory available to anyone other than, say, full admins.  And they are probably happy with ADUC.

What you do want is limited access to Active Directory (either reading or writing) for selected sets of users via the web.  We call this field level security around these parts.  Based on your relationship to the “object” you are viewing, you can have different levels of access to that “object”.  This makes more sense with examples:

  • You are viewing your own Active Directory profile: you should be able to edit things like your mobile number; you should be able to edit your office number with workflow approval from your direct manager; you should be able to view your title.
  • You are viewing your direct report’s profile: you should be able to change mobile number, office number, etc.  Maybe you can change their title or department with HR approval.
  • You are viewing somebody else’s profile: you can view everything but the car license attribute is hidden since HR keeps some confidential data in there.

These field level permissions can vary by your role also.  If you are a helpdesk user you might be able to edit/view more fields.  As an admin, you can do even more.

I am a firm believer that you should start with workflow on everything.  Make somebody approve every change at first and slowly release control as you see what works for your organization.  Very quickly, you’ll see that you don’t want to approve home phone changes since the approver really has no input into that.  But by defaulting to all changes need approval, you won’t be shocked to learn that an employee WILL try to change their title if given the chance!

Active Directory self service is an incredibly valuable tool if you have controls in place like this.  It frees up the help desk, makes group management infinitely easier, and makes your Active Directory a valuable identity store with accurate, timely information.  Often times, Active Directory becomes authoritative for certain attributes and is used to update HR.

If you do it right, you will want an Active Directory web interface.  Just a very controlled one.  Take a look at GroupID Self-Service, it might just make you want to do it now.

Active Directory web interface free trial