reactionary007 Posted February 18, 2015

I would appreciate your thoughts on using an employee number as the user name standard. We are likely going to implement this soon and there has been a lot of push back. We have between 8 and 10 thousand users across several different divisions. Recently consolidated all of our disparate Active Directories, but have several standards in the directory. Once you go out across other systems, it is a real jumbled mess. Using employee number as a user name will resolve a lot of issues. However, it raises some. It would be great to hear from those who work in an environment like this or have been through a conversion to a similar standard. All input is welcome. Thanks!

Some thoughts...

Benefits:
- Cleaner and easier rules and workflow in Identity Management system
- Never have to change user name for nicknames, marriage and divorce, or any other name changes
- Guaranteed unique - no duplicates - like having 10 Anne Smiths, etc.
- You always know you have the right account when performing administrative tasks

Downfalls:
- In systems that do not show a display name (Unix, etc.) admins always have to correlate back to a name in a separate system
- Less personalized to the user
- Might make manual human processes a bit more prone to error as it would be easier to mistake one account for another on sight, transpose numbers and still get a valid account, etc.

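An added example, not part of the original post: a Python check of the "transpose numbers and still get a valid account" concern. It lists every pair of numeric user names that a single keying slip (adjacent transposition or one wrong digit) turns into another existing account; the IDs and names below are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample directory: numeric user name -> display name.
ACCOUNTS = {
    "10482": "Anne Smith (Payroll)",
    "10428": "Anne Smith (IT Operations)",
    "10483": "Raj Patel",
    "20917": "Maria Lopez",
    "29017": "Tom Becker",
    "31555": "Lee Chan",
}


def neighbours(user_id):
    """Yield (kind, typo) for every ID one keying mistake away from user_id."""
    # Adjacent transposition: two neighbouring digits swapped.
    for i in range(len(user_id) - 1):
        if user_id[i] != user_id[i + 1]:
            swapped = user_id[:i] + user_id[i + 1] + user_id[i] + user_id[i + 2:]
            yield "transposition", swapped
    # Substitution: exactly one digit mistyped.
    for i, ch in enumerate(user_id):
        for digit in "0123456789":
            if digit != ch:
                yield "substitution", user_id[:i] + digit + user_id[i + 1:]


def confusable_pairs(accounts):
    """Return sorted (id_a, id_b, kind) where one slip maps id_a to id_b."""
    found = set()
    for uid in accounts:
        for kind, typo in neighbours(uid):
            if typo in accounts:  # the typo is itself a valid account
                a, b = sorted((uid, typo))
                found.add((a, b, kind))
    return sorted(found)


def at_risk(accounts):
    """IDs that have at least one other valid account a single slip away."""
    return {uid for a, b, _ in confusable_pairs(accounts) for uid in (a, b)}


if __name__ == "__main__":
    for a, b, kind in confusable_pairs(ACCOUNTS):
        print(f"{a} ({ACCOUNTS[a]}) <-> {b} ({ACCOUNTS[b]}): {kind}")
    print(f"{len(at_risk(ACCOUNTS))} of {len(ACCOUNTS)} accounts are one slip from another")
```

Run against a real export of user names, the share of at-risk accounts shows how often a mistyped ID in a group-membership or mailbox change would land on a different valid user instead of failing.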
reactionary007 (Author) Posted February 18, 2015

Also - when I say pushback - it is from others in I.T. - not so much the business

sc302 (Veteran) Posted February 19, 2015

User defaults are either firstinitiallastname or firstname.lastname. You could even do something like firstname.middleinitial.lastname. This usually falls in line with their email address as it is usually easier for users to remember. This isn't about you or your thoughts, it is about users and their ability to cope/understand/use the systems.

Employee number is not something that should ever be used, imo. If you ask me it is an administrative headache especially when trying to get to user profiles on the system. You can easily tell what user profile is what by looking at it without going to a database and figuring it out. Keep administration simple, don't over complicate it (using a numerical id will over complicate things tremendously.)

BajiRav Posted February 19, 2015

> User defaults are either firstinitiallastname or firstname.lastname. You could even do something like firstname.middleinitial.lastname. This usually falls in line with their email address as it is usually easier for users to remember. This isn't about you or your thoughts, it is about users and their ability to cope/understand/use the systems. Employee number is not something that should ever be used, imo. If you ask me it is an administrative headache especially when trying to get to user profiles on the system. You can easily tell what user profile is what by looking at it without going to a database and figuring it out. Keep administration simple, don't over complicate it (using a numerical id will over complicate things tremendously.)

ditto.

astropheed (Veteran) Posted February 19, 2015

> User defaults are either firstinitiallastname or firstname.lastname. You could even do something like firstname.middleinitial.lastname. This usually falls in line with their email address as it is usually easier for users to remember. This isn't about you or your thoughts, it is about users and their ability to cope/understand/use the systems. Employee number is not something that should ever be used, imo. If you ask me it is an administrative headache especially when trying to get to user profiles on the system. You can easily tell what user profile is what by looking at it without going to a database and figuring it out. Keep administration simple, don't over complicate it (using a numerical id will over complicate things tremendously.)

goretsky (Supervisor) Posted February 19, 2015

Hello,

I think you should go ahead with it, as long as (1) it's not a problem that employees accidentally receive email not intended for them (HR, accounting, sales, executives, etc.); and (2) it's okay if lower-privileged users occasionally get added as a domain admin, superuser or whatever higher-privileged accounts are used. After all, what's possibly the worst that could happen?

Actually, I'm just being sarcastic. You're not only likely increasing the chance of data exfiltration, but malware infiltration as well. Not to mention the fact that if this company is in a regulated industry, it is likely going to get into some trouble during the next security audit. I am not a lawyer, of course, but it seems to me this roll-out could be useful in a shareholder lawsuit against the company as evidence of incompetence on the part of the executives or the board, gross neglect, malfeasance, etc.

Regards,
Aryeh Goretsky

reactionary007 (Author) Posted February 24, 2015

Thanks everyone. We took your thoughts to heart along with all of the other feedback received and went with something more traditional and personal. No employee #.

Dot Matrix Posted February 24, 2015

Where I work, employee IDs are a unique letter/number combo. AD is set up to associate this with a FirstName.LastName@company.com Exchange identity. Users use their unique letter/number combo for system sign-ons. It may not be "personalized" much, but it gets the job done.

reactionary007 (Author) Posted February 24, 2015

We will be populating the employeeID attribute and the employeeType attribute on all accounts with this new standard - we don't use Exchange.

Adam1V Posted March 16, 2015

Surely having an ID or number will make managing Exchange delivery difficult since you'll be mapping numbers to email addresses?

sc302 (Veteran) Posted March 16, 2015

Irrelevant with Exchange delivery. Exchange works via user account, not by logon. You assign Bob Smith an Exchange mailbox, the email will be bob.smith@company.com. The user id for Bob Smith is 12345678, Bob uses 12345678@company.local to log on. As an admin, we do not see Bob Smith logging on, we see 12345678. It is very hard to determine by looking at it who is 12345678 when looking at login logs, access logs, or any other logs that pertain to user authentication/access.

Gareth Chamberlain Posted April 8, 2015

If you are a large organization with a rather large OU then I think managing users in this manner will get messy quickly. If you are a small outfit with a small medium OU then I can't see a problem.

Administering a large OU with a high staff turnover will get messy this way with making sure you have the correct number and disabling the account when starting. Also you are relying on Human Resources to be correct in the employee number. Yes, you can add comments in to the AD field, but when users are joining and leaving the outfit then it could get messy.

We use the following standard over a 5,000 userbase AD: Country, Last name, First name, and if they are the first with that name and country 01, and duplicate 02, so on so forth, so it looks like this: "GBCG01"

binaryzero Posted April 9, 2015

<First letter of name><surname to 8 characters> is ours - jsmith. E-Mail is first.lastname@domain.

c.grz Posted June 1, 2015

For us John Smith's ID would be johsmi0601@company.com and email would be both john.smith@company.com and jsmith@company.com with john.smith@company.com being his default SMTP address.

Haggis (Veteran) Posted June 1, 2015

Ours is 6 of surname plus first initial and a number if duplicate names.

Works well.

Emails are firstname.surname@domain.com