One to many accounts for Active Directory (Admin/Business users)

  • Hey all,

    I'm wondering how you handle this situation: in a lot of environments where I come, some people require multiple AD accounts. For instance, a lot of IT staff members have a regular account and an admin account.

    In the past I've done projects where HR is linked to AD over FIM and where the FIM Portal acts as a source for Admin accounts. In this approach each "warm body" is represented twice in the MetaVerse.

    Now I was wondering whether it would be a good idea to have two AD MAs (for one domain), where one MA manages the OUs with the Admin users and another MA manages the OU with the regular users.

    Is there any reason not to do this?

    Friday, July 19, 2013 12:43 PM

All replies

  • One reason not to do this is if you want the admin users to be in the same groups as business users, and are managing these groups using FIM.

    In order to be in a group the members must exist in the connector space of the same MA.

    Monday, July 22, 2013 9:09 AM
  • I believe there are problems with multiple AD MAs for the same forest if you are using PCNS.  FIM may not know which connector space to find the user whose password was changed and needs to be synchronized.

    If any of those admin accounts are specially privileged (Domain Admins, etc.), you may have to elevate the AD MA service account to a similar level to be able to manage those accounts.  Once upon a time my ILM service account was a domain admin, but we haven't used that level of access in the automation system for some time.

    An alternative would be to write some kind of custom MA (or maybe use the PowerShell MA) to handle the admin user OU.  Or if you like custom workflows you could make calls out to AD to create, enable, disable and delete the admin accounts as if they were just resources rather than fully managed objects of their own.  I'd think you'd still want to have an MA to confirm their existence and signal it with a flag attribute so you knew it needed to be deprovisioned later.  Whether workflow or MA based, an attribute of the main identity that can be updated in the Portal could trigger the creation of that second account.

    That said, at my "day job" they just handle the admin accounts manually.  The amount of work FIM would save probably wouldn't balance well against the possibility of the domain admins losing access in a crisis because of a configuration error or bad data.

    Tuesday, July 23, 2013 2:41 PM
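The "call out to AD from a workflow, keyed off an attribute of the main identity" approach in the reply above, as an added example that is not code from this thread or from FIM. It uses the ActiveDirectory PowerShell module and assumes a hypothetical layout: regular accounts under `OU=Users`, admin accounts under `OU=Admin Users`, `extensionAttribute10 = TRUE` on the regular account as the request flag, `extensionAttribute11` on the admin account as the link/"managed by this process" flag the reply mentions, and an `adm-` naming prefix. It also builds in the two cautions from the same reply: it refuses to touch AdminSDHolder-protected accounts (`adminCount=1`) and it disables rather than deletes, so a bad flag value cannot take a domain admin's account away for good.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the thread). Reconciles one person's admin account
  from a flag on their regular account. All names below are assumptions:
    - regular accounts live under $BusinessOU, admin accounts under $AdminOU
    - extensionAttribute10 = 'TRUE' on the regular account requests an admin account
    - extensionAttribute11 on the admin account holds the regular sAMAccountName;
      it is the "flag attribute" marking the account as created by this process
    - admin accounts are named adm-<sAMAccountName>
#>
function Sync-AdminAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Safe characters only, so the value cannot break out of the LDAP filter
        # below; 16 chars leaves room for the 4-char prefix inside the 20-char limit.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,16}$')]
        [string]$SamAccountName,
        [string]$BusinessOU = 'OU=Users,DC=corp,DC=example',
        [string]$AdminOU    = 'OU=Admin Users,DC=corp,DC=example',
        [string]$UpnSuffix  = 'corp.example'
    )

    $user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" `
                       -SearchBase $BusinessOU -Properties extensionAttribute10
    if (-not $user) { throw "No regular account '$SamAccountName' under $BusinessOU" }
    $wanted = ($user.extensionAttribute10 -eq 'TRUE')

    $adminSam = "adm-$SamAccountName"
    $admin = Get-ADUser -Filter "sAMAccountName -eq '$adminSam'" `
                        -SearchBase $AdminOU -Properties extensionAttribute11, adminCount

    # Never adopt an account this process did not create: a pre-existing adm-*
    # object without the link attribute may be hand-managed or privileged.
    if ($admin -and $admin.extensionAttribute11 -ne $SamAccountName) {
        throw "'$adminSam' exists but is not linked to '$SamAccountName'; refusing to manage it"
    }
    # adminCount=1 means AdminSDHolder protects the object (Domain Admins etc.).
    # Leave those to humans so bad data cannot lock out the domain admins.
    if ($admin -and $admin.adminCount -eq 1) {
        Write-Warning "'$adminSam' is a protected (adminCount=1) account; no change made"
        return [pscustomobject]@{ Admin = $adminSam; Action = 'SkippedProtected' }
    }

    if ($wanted -and -not $admin) {
        # Throwaway random initial password: the account starts disabled and is
        # enabled only after a real password is set out of band (e.g. helpdesk).
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        if ($PSCmdlet.ShouldProcess($adminSam, 'Create admin account')) {
            New-ADUser -Name $adminSam -SamAccountName $adminSam `
                       -UserPrincipalName "$adminSam@$UpnSuffix" `
                       -DisplayName "$($user.Name) (admin)" `
                       -Path $AdminOU -AccountPassword $initial -Enabled $false `
                       -OtherAttributes @{ extensionAttribute11 = $SamAccountName }
        }
        return [pscustomobject]@{ Admin = $adminSam; Action = 'Created' }
    }

    if (-not $wanted -and $admin -and $admin.Enabled) {
        # Disable rather than delete: SID, group memberships and audit trail
        # survive, and a wrong flag is reversible with Enable-ADAccount.
        if ($PSCmdlet.ShouldProcess($adminSam, 'Disable admin account')) {
            Disable-ADAccount -Identity $admin
        }
        return [pscustomobject]@{ Admin = $adminSam; Action = 'Disabled' }
    }

    return [pscustomobject]@{ Admin = $adminSam; Action = 'NoChange' }
}

# Usage: dry run first (prints what would happen), then for real.
# Sync-AdminAccount -SamAccountName jdoe -WhatIf
# Sync-AdminAccount -SamAccountName jdoe
```

Run it under a dedicated service account that has create/disable rights on the admin OU only; if the admin accounts it manages are themselves protected by AdminSDHolder the function deliberately stops, rather than requiring the service account to be elevated to that level.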