Monday, September 05, 2005

Assessing an AD Implementation

A co-worker recently contacted me asking if I have any documentation he can use to assess a client’s Active Directory implementation. I do, but because I’d not used the template myself in several months I thought I should review it before sending it out. I’m so glad that I did!

Although I’d used this particular format many times in the past, I found that upon reviewing it, I was not at all happy with the assessment criteria. In the past I had tended to look at an AD assessment in terms of People, Processes, and Tools. Now, however, I find those categories inadequate.

With only a bit of reflection, here are my initial thoughts on changing these high-level assessment categories that I use when evaluating the maturity and effectiveness of an AD implementation:

  • Further define the People category to look for efficient and cost-effective staffing models, alongside my previous evaluation criteria that included experience levels, skills, people care, salary bands, and so on.
  • Abandon the Processes category altogether, in favor of two new categories: Standards and Workflows.
  • Also—and perhaps it’s a nit—replace Tools with Automation. In my mind, “tools” are products and by themselves hold little value. It’s the use of the tools to efficiently and cost-effectively enable automated administration or automated workflows that provides the real value.

Why do I see the need to change the way I view an Active Directory implementation? Primarily because the demands on AD have evolved. In the past, we mostly tended to view AD as a more scalable OS directory, a single sign-on mechanism, or maybe just as a prerequisite for implementing Exchange. (Go back and read your early business cases for implementing AD. I bet those are among the primary reasons cited for adopting Active Directory.) Now I tend to view AD in terms of: 1) identity and access management, and 2) policy-based management of object classes.

Should I be putting Active Directory in the identity management category? I have to, because that is what the market demands of it. Is AD up to the job? Perhaps not, if I consider AD only as an “out-of-the-box” product. But when combined with RC2, Vintela, and MIIS, I believe identity management using AD can be accomplished quite nicely. These are my early musings; I still have to refine the new assessment criteria.

Now what really intrigues me is an implementation that fully automates identity and device provisioning via SMS and BizTalk. But that is an entirely different topic and best saved for another day.