Is it a good or bad practice to manage Active Directory groups specific to an application from within the application?
My development team has written a SharePoint application that has groups and teams (these are terms unique to the application and are not related to AD groups or SharePoint groups). Once users are added to these groups and teams, they also have to be added to AD groups so that they can access the application itself. This second step is becoming more and more cumbersome as usage of the application grows, because the management of the AD groups is a manual process and thus prone to errors. For example, the users who set up the application groups and teams can forget to set up the AD groups, or forget how to set up the groups. Also, oftentimes the user setting up groups and teams is not a technical user.
We feel we can simplify the process by updating AD whenever a user is added to one of these groups or teams, i.e. by managing the AD groups from within the application itself. However, we are getting strong pushback from the admins, who say that AD groups should not be managed from within an application in this case, but rather manually. I'm looking for best practices for this issue.