I apologize in advance as my question is in some ways more about AD design and process, but please bear with me as Hyena does play a role.
In trying to clean up a rather crusty domain and finding numerous old groups with unknown rights, I started looking for best practices for group management. What was suggested was for every group to assign a manager (in the "managedby" attribute) who could, in theory, confirm a group's purpose and/or necessity at a later date. The "managedBy" attribute is paired with a "managedObjects" user attribute, so the suggestion was to not disable/remove any user until their managedObjects attribute was cleared (with still relevant groups reassigned to an appropriate user).
I like this suggestion, but the managedObjects attribute is not so easy to work with. It's not visible in any form in the Users and Computers MMC. Hyena can display it in the List Window if I manually specify the attribute and add it to a user query, but the field gives the full AD path (i.e. cn=oldgroup,OU=HR,OU=...) and that makes it a real PITA to see if a user has more than one group that they manage without exporting.
So I guess I have two questions...
1) Does anyone here have any alternative suggestions for managing groups?
2) Is there any way to get Hyena to display just the group names (CN=) that a user manages? Having a "managedObjects" tab in the user properties window with a display much like that for the "Groups" tab would be enormously helpful. (Feature Request, anyone?)
Thanks,
casper
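The check described in the post above (list what a user manages by name, and hold off disabling the account until that list is empty), as an added PowerShell example that is not part of the original thread and is not a Hyena feature. It assumes the ActiveDirectory module from RSAT; the function names and the account name `jdoe` are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ManagedObjectSummary {
    param(
        [Parameter(Mandatory)]
        [string]$Identity   # sAMAccountName, DN, GUID or SID of the user
    )
    # managedObjects is the back-link of managedBy: AD builds it from every
    # object whose managedBy points at this user, so it is read-only here.
    $user = Get-ADUser -Identity $Identity -Properties managedObjects
    foreach ($dn in $user.managedObjects) {
        # Resolve each DN so the short name and object type are shown
        # instead of the full cn=...,OU=... path.
        $obj = Get-ADObject -Identity $dn
        [pscustomobject]@{
            Manager           = $user.SamAccountName
            Name              = $obj.Name         # e.g. "oldgroup"
            ObjectClass       = $obj.ObjectClass  # group, computer, ...
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

function Test-ReadyToDisable {
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )
    # @() forces an array so .Count works for zero or one result.
    $managed = @(Get-ManagedObjectSummary -Identity $Identity)
    if ($managed.Count -eq 0) {
        return $true
    }
    Write-Warning "$Identity still manages $($managed.Count) object(s); reassign managedBy on each before disabling."
    $managed | Sort-Object ObjectClass, Name |
        Format-Table Name, ObjectClass -AutoSize | Out-String | Write-Host
    return $false
}

# Usage with a hypothetical account name:
# Test-ReadyToDisable -Identity 'jdoe'
```

Because managedObjects cannot be edited on the user, clearing it means changing managedBy on each listed object, for example with `Set-ADGroup -ManagedBy` for groups.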