White Paper
Copyright 2004 Quest Software, Inc. and Quest are registered trademarks of Quest Software. The information in this publication is furnished for information use only, does not constitute a commitment from Quest Software Inc. of any features or functions discussed and is subject to change without notice. Quest Software, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication. Last revised March, 2004
QUEST SOFTWARE, INC. 8001 Irvine Center Drive Irvine, CA 92618
Inside U.S.: 1.800.306.9329
Outside U.S.: 1.949.754.8000
Email: info@quest.com
URL: www.quest.com
CONTENTS
INTRODUCTION
UNDERSTANDING EXCHANGE ADMINISTRATION EFFORT
QUANTIFYING EXCHANGE ADMINISTRATION COSTS
IDENTIFYING THE CHALLENGES FOR IT
IDENTIFYING THE RISKS FOR THE BUSINESS
SOLUTION FOR IT ADMINISTRATORS
SOLUTION FOR BUSINESS ADMINISTRATORS
ACCESS CONTROL AND AUDITING
QUEST MANAGEMENT SUITE FOR EXCHANGE
ABOUT THE AUTHOR
ABOUT QUEST SOFTWARE
INTRODUCTION
Administering group membership presents significant challenges for IT managers and inherent risk to the business. Every employee in a company has group membership for accessing resources or email distributions. Creating groups and assigning rights to those groups is widely acknowledged as a best practice for enabling consistent, efficient administration and access. However, the challenge of accurately maintaining membership in a dynamic environment can introduce so much additional effort that any productivity gains are erased. This paper will discuss ways to proactively manage this issue to reduce administrative effort while increasing security and user responsiveness.
To better understand the factors driving the volume of change, consider the following. In a typical organization, each employee has group membership based on:
- Department, for managers to communicate with their staff
- Location, for branch or regional managers to relay relevant information
- Mail Server, for administrators to notify employees of planned outages
- Title, pay class, benefits class, program enrollment, employment status, et cetera, for HR to communicate policy and deadlines
Whether the end-user requests come in through a help desk or directly to the Exchange administrators, the volume, knowledge, and administrative access required to respond creates significant load on IT operational staff. Assuming that companies dedicate administrative staff to this function in order to reduce the impact on maintenance, they will have introduced additional overhead and expense.
The act of making changes to distribution groups is not particularly complex in its own right, but the risk of making a mistake or improperly using the elevated security privileges is significant. The result is that highly skilled, highly paid administrators are allocated to menial labor which they are likely to abandon in favor of more challenging opportunities. Even if it is possible to justify the economics and motivate the staff, the likelihood of error is quite high since it is a largely repetitive task that requires manually transferring data from one application (or human) to another. Again, the larger the company, the more likely the opportunity for mistakes.
The presence of redundant and unused lists creates unnecessary load on production servers. Distribution groups account for a large percentage of the total number of items in the Exchange GAL (Global Address List). In some companies there are literally more distribution groups than there are individual employees. Because of the burden required to replicate this useless information, not enough bandwidth is available to efficiently deliver messages.
IT departments are no different from other groups in their need to have accurate distribution group membership, particularly when they need to communicate quickly to large groups of employees about system outages or planned maintenance.
Whether the task is maintenance to be performed on the messaging system or any other heavily used application, IT relies on accurate distribution group membership to communicate effectively with employees to give them specific and timely instructions. It's hard enough to get end-users to follow directions when you are communicating directly over the phone. If the instructions never reach them, it is impossible and the consequences for inaction may jeopardize the maintenance activity.
With so much cost, effort, and risk to manage, companies must explore alternatives to manual administration of group membership. Automation comes in different forms to fully meet the needs of both the IT administrator and the business user. Next, we'll discuss the different solutions necessary to address this problem, which has reached epidemic proportions in Exchange networks.
Once the location of the attributes is known it is necessary to define a schedule of the updates. Each distribution group must have a definition of the attributes that define it, their location, any explicit exceptions, the frequency of updates and the scope of the group (which we'll discuss later). The Exchange administrator needs this level of flexibility to securely and accurately automate this process.
In addition to flexible definitions of how to construct a single list, the system must also comply with any system or corporate policies with respect to large distributions of mail. While end-users desire a single, comprehensive list, it may be necessary to create multiple, smaller groups for more efficient expansion and delivery of messages. The system must respect the needs of both and represent a single group entry in the directory that intelligently breaks apart the distribution for optimal performance. Access to groups that contain large numbers of users must also be considered in order to avoid Corporate SPAM.
Additional complexity must be considered when aggregating groups or combining groups. For instance, a Division distribution group should simply be an aggregate of the Department distribution groups that make up its component parts. The system must allow for the definition of these relationships and any exceptions as well.
To further simplify administration, an automated system should allow for the creation of new distribution groups based on a new value encountered in an attribute. For instance, in order to manage geography-based distributions, the system should create and maintain groups for every value listed in the City attribute. If a new value were entered in one or more employees' attributes (as a result of a move or new office) then a new distribution group would be automatically created for those employees. In this way, moves, adds and changes are dictated by the facilities group, and updates to Exchange occur automatically that evening (or on a scheduled basis) so that employees are up and running the moment they occupy the new location. Of course this new group should also be automatically included in the aggregated group for State or Region.
The real value is not just in reduced administrative effort; rather, employee satisfaction is key. The business is able to continue communicating efficiently during times of change (which is when communication is most critical).
In order to further enhance the business's satisfaction, there should also be a system in place to allow for delegating the administration of distribution groups that are not able to be automated through defined policies and attribute values. There will still be the need for ad hoc groups and groups which employees choose to subscribe to individually.
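The attribute-driven scheme described above (one group per attribute value, explicit exceptions, aggregated parent groups, splitting of large lists) can be modelled in a few functions. This is an added sketch, not Quest's product code; the directory records, attribute keys and group naming are constructed assumptions, and it only computes a change plan rather than touching Exchange.

```python
from collections import defaultdict

# Constructed sample directory records; names and attribute keys are illustrative.
DIRECTORY = [
    {"user": "alice", "city": "Irvine", "state": "CA"},
    {"user": "bob",   "city": "Irvine", "state": "CA"},
    {"user": "carol", "city": "Fresno", "state": "CA"},
    {"user": "dave",  "city": "Austin", "state": "TX"},
]

def groups_for_attribute(directory, attr, include=None, exclude=None):
    """One group per distinct attribute value, so a new value creates a new group.
    include/exclude map group name -> users listed as explicit exceptions."""
    groups = defaultdict(set)
    for rec in directory:
        groups[f"{attr}-{rec[attr]}"].add(rec["user"])
    for name, users in (include or {}).items():
        groups[name] |= set(users)
    for name, users in (exclude or {}).items():
        groups[name] -= set(users)
    return dict(groups)

def aggregate(directory, child_attr, parent_attr):
    """Parent groups (e.g. state) hold child group names (e.g. city), not users."""
    parents = defaultdict(set)
    for rec in directory:
        parents[f"{parent_attr}-{rec[parent_attr]}"].add(f"{child_attr}-{rec[child_attr]}")
    return dict(parents)

def expand(name, parents, leaves):
    """Resolve a parent group to users through its child groups."""
    return set().union(*(leaves[c] for c in parents[name]))

def split(name, members, max_size):
    """Break one large list into numbered sub-groups behind a single entry."""
    ordered = sorted(members)
    return {f"{name}-part{i // max_size + 1}": ordered[i:i + max_size]
            for i in range(0, len(ordered), max_size)}

def plan_changes(current, desired):
    """Adds and removes per group; review this before applying it anywhere."""
    plan = {}
    for name in sorted(set(current) | set(desired)):
        cur, want = current.get(name, set()), desired.get(name, set())
        if cur != want:
            plan[name] = {"add": sorted(want - cur), "remove": sorted(cur - want)}
    return plan
```

The "remove" side of the plan is the part that matters for access control: a member who no longer matches the attribute is dropped on the next scheduled run instead of lingering in the group.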
Automating Group Membership Administration
Please refer to our Web site for regional and international office information. For more information on the Quest Management Suite for Exchange or other Quest Software solutions, visit www.quest.com. Quest Software, Inc 8001 Irvine Center Drive Irvine CA 92618