During every implementation of Directory Manager an Identity Mapping exercise is completed, linking ESR records to Active Directory (AD) user accounts. When preparing data for this I ask “How many employee records do you have?” and then “And how many user accounts are there in AD?” The answers always raise an eyebrow, revealing a disparity that is often 1.5x or greater. Having hundreds, and often thousands, of active but redundant user accounts in AD causes many directory and infrastructure problems:
- Consider licensing – this is often based on a count of active users, so organisations with redundant accounts pay for more licences than they need.
- Consider storage – if 1,000 redundant accounts each have a 1GB mailbox and a 2GB personal folder, that is 1TB of Exchange data and 2TB of files that must be stored and backed up every day. What does it cost to purchase additional storage to provide that space unnecessarily?
- And above all else is the security aspect – any one of the still-active accounts can still be used to authenticate to the network, and because its owner has left, nobody is watching it or is likely to notice when it is misused.
In my experience the problem is caused by a lack of process around staff leavers. The starter process gets all the focus – ensuring the account is ready on time, that it has access to the right areas, that an email address is set up – but what about when they leave? There is often no process in place, and the organisation relies on ad-hoc methods: either the manager letting ICT know the person has left (and how often does this happen!) or leaver reports generated by HR. Neither is reliable, so leavers go unactioned and their accounts remain active in AD.
One of the greatest benefits of implementing Directory Manager (DM) is an automated process that continually manages leavers. Using the employee’s termination date, stored in ESR, DM highlights the user account as a leaver and processes it. This happens daily, requires no additional process from HR or ICT, and resolves the problems of redundant accounts at their source. That list of many thousands of redundant accounts that cannot be matched becomes a thing of the past.
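To make the two checks above concrete – the Identity Mapping exercise that links HR records to AD accounts, and the daily termination-date check that flags leavers – here is an added Python example written for this page. It is not Directory Manager’s own code. The employee numbers, names, account names and dates are constructed for illustration; in a real run the AD side would come from the employeeID, displayName and Enabled attributes returned by Get-ADUser, and the HR side from an ESR export.

```python
"""Reconcile an HR (ESR-style) employee export against an AD user export.

Added example for this page, not Directory Manager's code. All records
below are constructed; the names, numbers and dates are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_number: str
    full_name: str
    termination_date: Optional[date]   # None while still employed


@dataclass(frozen=True)
class AdAccount:
    sam: str             # sAMAccountName
    employee_id: str     # AD employeeID attribute; often blank on older accounts
    display_name: str
    enabled: bool


# Constructed sample data (hypothetical people and accounts).
HR_RECORDS = [
    HrRecord("1001", "Alice Smith", None),
    HrRecord("1002", "Bob Jones", date(2024, 3, 31)),   # has left; account should be gone
    HrRecord("1003", "Carol White", None),
    HrRecord("1004", "Dan Brown", date(2024, 6, 15)),   # leaving in the future
    HrRecord("1005", "Sam Taylor", None),               # two employees share one name
    HrRecord("1006", "Sam Taylor", None),
]

AD_ACCOUNTS = [
    AdAccount("asmith", "1001", "Alice Smith", True),
    AdAccount("bjones", "1002", "Bob Jones", True),
    AdAccount("cwhite", "", "Carol White", True),        # no employeeID: link by name
    AdAccount("dbrown", "1004", "Dan Brown", True),
    AdAccount("jdoe", "", "John Doe", True),             # no HR record at all
    AdAccount("svc-backup", "", "Backup Service", True), # service account, no HR record
    AdAccount("staylor", "", "Sam Taylor", True),        # ambiguous name: resolve by hand
    AdAccount("pgreen", "", "Pat Green", False),         # already disabled
]

TODAY = date(2024, 5, 1)   # fixed "today" so the example is reproducible


def normalise_name(name: str) -> str:
    return " ".join(name.lower().split())


def map_identities(hr_records, ad_accounts):
    """Identity Mapping: link each AD account to an HR record, by employeeID
    first and then by an *unambiguous* display-name match.
    Returns (mapping sam -> employee_number, list of sams that could not be linked)."""
    by_id = {r.employee_number: r for r in hr_records}
    by_name = {}
    for r in hr_records:
        by_name.setdefault(normalise_name(r.full_name), []).append(r)
    mapping, unmatched = {}, []
    for acct in ad_accounts:
        if acct.employee_id in by_id:
            mapping[acct.sam] = acct.employee_id
            continue
        candidates = by_name.get(normalise_name(acct.display_name), [])
        if len(candidates) == 1:
            mapping[acct.sam] = candidates[0].employee_number
        else:   # zero or several candidates: never guess on a name alone
            unmatched.append(acct.sam)
    return mapping, unmatched


def find_leavers(hr_records, ad_accounts, mapping, today):
    """The daily check: enabled accounts whose linked HR record carries a
    termination date on or before today. These are the accounts to disable."""
    by_id = {r.employee_number: r for r in hr_records}
    leavers = []
    for acct in ad_accounts:
        emp = by_id.get(mapping.get(acct.sam))
        if acct.enabled and emp and emp.termination_date and emp.termination_date <= today:
            leavers.append(acct.sam)
    return leavers


def find_active_orphans(ad_accounts, unmatched, exempt=frozenset()):
    """Enabled accounts with no HR record behind them, minus accounts on an
    explicit exemption list (service/shared accounts reviewed separately)."""
    unmatched = set(unmatched)
    return [a.sam for a in ad_accounts
            if a.enabled and a.sam in unmatched and a.sam not in exempt]


def account_ratio(hr_records, ad_accounts):
    """Enabled AD accounts per HR employee record: the eyebrow-raising figure."""
    enabled = sum(1 for a in ad_accounts if a.enabled)
    return enabled / len(hr_records)


if __name__ == "__main__":
    mapping, unmatched = map_identities(HR_RECORDS, AD_ACCOUNTS)
    print(f"enabled accounts per employee: {account_ratio(HR_RECORDS, AD_ACCOUNTS):.2f}")
    print("leavers to disable today:", find_leavers(HR_RECORDS, AD_ACCOUNTS, mapping, TODAY))
    print("active accounts with no HR record:",
          find_active_orphans(AD_ACCOUNTS, unmatched, exempt={"svc-backup"}))
    print("accounts needing manual review:", unmatched)
```

Two design points matter in practice. A name-only match is accepted only when exactly one HR record carries that name; the two “Sam Taylor” records leave staylor unlinked rather than disabling the wrong person. And accounts with no HR record are reported, not disabled automatically: service and shared accounts such as svc-backup must be placed on an explicit exemption list and reviewed separately, otherwise the clean-up breaks something that was never a person in the first place.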
As an example, during the recent implementation of DM at Kings College Hospital in London, the Identity Mapping exercise highlighted a number of accounts that could not be linked to an active HR record; these were estimated to account for about 20-25% of the Trust’s personal storage usage. After implementing DM, the previous method for identifying leavers was compared with the new automated leaver list: the first weekly list produced by DM contained an extra 16 employees, 300% more than would have been captured before.
Greg is the Product Manager at BDS Solutions and has worked on the implementation of Directory Manager at over 30 NHS organisations. Read more about Directory Manager here.