Programmatic Management of Active Directory Groups

Programmatic Management of Active Directory Groups (PDF, 2.57MB)
Published: 05 Nov, 2003
Created by: Don Quigley

Management of security group memberships in midsize and larger organizations has always been a problematic issue. If individuals are not in the correct groups, they usually need to call the company's security department, explain the issue, and get approval to gain access to the security group before they can perform job-related tasks. For large companies with high turnover, this can result in hundreds of security requests per week. The impact to the bottom line of a company due to lost productivity and salaries for the additional help desk personnel required to handle these requests can be significant. I currently work at a company with a base of 160,000+ active computer users. Using some homegrown Perl code that I have written along with our metadirectory solution, we have automated our group provisioning/deprovisioning process where possible. This paper goes into some detail to explain the solution that was developed and includes the Perl code in the appendices. Although the code is designed to work with Critical Path's MetaConnect product as a constructed attribute, I have also included a program that can be used to 'manually' call the subroutine, so the only real requirements to use the code are an LDAP [4] accessible data store and Perl.