Thursday, January 2, 2014

Managing SharePoint Security with Dynamic Active Directory Security Groups

Have you ever needed to create security groups based upon Department, Physical Location (1st floor, 2nd floor, east/west, etc) or any other criteria whose values exist as an AD profile attribute? For example, let's say we have user A who works in Accounting but is now transferring to Marketing. This change in responsibilities probably means user A no longer requires access to shares/data/sites/etc. accountants utilize, however, user A will now require access to Marketing Resources.

Active Directory Groups are as dynamic as their members: they need to change as users switch responsibilities, roles and locations. The problem is that distribution lists and security groups are often manually maintained by the Exchange or Active Directory administrator. This type of access update can be very tedious and time-consuming. Dynamic AD Groups to the rescue!

Dynamically maintain groups based on rules that are applied to your directory data. When user information changes, GroupID Automate automatically updates the appropriate distribution lists and security groups. Your groups will never be out of date again.

Groups are generally managed one of three ways: negligently, IT-centric, or user-centric. This means they either don’t manage groups, have a highly paid administrator manually manage groups, or have end users manage groups. All of these solutions have a cost that far outweighs creating dynamic groups through PowerShell.

By automating these Active Directory groups, you can ensure they will always be accurate. Increase productivity by giving employees access to the right systems and information immediately upon hiring or promotion. Increase security by granting access to only the systems you want and denying access immediately upon any change in status. Use Active Directory’s group structure to your benefit with GroupID Automate.

Luckily, there are a few people who have strung together the PS cmdlets needed to pull this off.
Take a look at Baldwin D's post here:  http://baldwin-ps.blogspot.com/2013/05/dynamic-ad-security-groups.html

No comments:

Post a Comment