Database – Synchronize Active Directory to Database

Tags: active-directory, database, synchronization

We are in a situation where we would like to offer our customers the ability to manage their users themselves. It is around 300 customers with up to a total of 10,000 users.

Besides creating, updating and removing users, they will very often read information about users for statistics and other useful information available. All this functionality should be available from an Intranet web page (.NET Framework 4) that the users will access through Citrix or similar.

Now the problem is that we would really like the users not to query AD directly for each request, but rather make them hit a database that is synchronized with AD.
It would be sufficient to run this synchronization a few times each day (maybe every 5th hour). When they create a user, it should not be available right away, but reviewed and then created within two days (the next step would be to remove this manual review, but that's out of scope for this question).

What do you think about this synchronization of AD? Does anyone have any experience with it, and is it something that is done in other organizations, where you have lots of requests which are better handled by a database than AD (I presume)?

Are there any techniques out there for writing such a script that synchronizes AD with database tables? My primary concern is the group/member relations, which can be rather complicated. Or is there software that synchronizes AD with a database?

Any comments will be much appreciated. Thank you.

Best Answer

You can set up Lightweight Directory Services (used to be ADAM) to replicate the AD schema and objects into an external LDAP DB that users can query and get the information you are talking about. This allows you to be specific about what you expose externally by only synchronizing those objects you want to publish and not exposing other AD objects.
