Self-service portal and the comprehensive management of Active Directory in the City of Warsaw

COMPANY: Warsaw City Hall

INDUSTRY: Government

LOCATION: Warsaw, Poland

ABOUT THE COMPANY: Warsaw is the capital and largest city of Poland. Warsaw is an Alpha– global city, a major international tourist destination and an important economic hub in Central Europe. It is also known as the "phoenix city" because it has survived so many wars throughout its history. As of 2012, Warsaw was ranked the 6th largest city of the European Union, and belonged to a list of top 100 cities termed "best in terms of quality of living"

Warsaw City Hall encompasses 18 districts that are located in the area of 517 km, which supports 1.8 million residents. The office employs close to 7500 employees.

“ADManager Plus is easy-to-use, fully accessible from your browser and a cost-effective tool for managing AD. The application allowed us to effectively and quickly maintain the integrity of the AD. The reporting module provides us with valuable information concerning you in our organization.”

- Michael Kaźmierczyk, Senior Specialist, Ministry of Environment

Introduction:

Warsaw City Hall encompasses 18 districts that are located in the area of 517 km, which supports 1.8 million residents. The office employs close to 7500 employees.

  • The office has its own infrastructure, which consists of 270 servers including 20 domain controllers.
  • It consists of 18 organizational units (districts).
  • The infrastructure is managed by 5 server administrators, 4 network administrators, and 40 AD employee resource managers.
  • The domain has over 4,500 active user accounts.

Resource working on Active Directory accounts optimally utilized:

Environmental management of AD’s complex structure posed a huge challenge to the IT team. Tasks such as unlocking accounts, reset passwords of AD user accounts, took up a considerable part of their time. This situation prevented implementation of advanced administrative tasks and limited the growth of the organization.

To solve this problem, organizational changes were implemented, combined with implementation of tools supporting new division of tasks.

The new division of tasks included:

  • transfer of minor administrative tasks in AD to administrators of individual business areas of the city
  • transfer management of passwords and data in AD to helpdesk technicians or users themselves

The new division of tasks included (Contd):

  • notifying users about the impending expiry of the password in AD
  • the possibility of self-change passwords and unlock user accounts
  • the possibility of self-editing of user data in AD
  • the possibility of auditing changes in AD, including in groups and administrative units
  • the ability to quickly identify the source of attack if break in to the domain is detected
  • Polish user interface

Solution

To achieve the defined tasks, following solutions from ManageEngine were used:

The decision was arrived at based on the fact that

  • the products comply with all requirements
  • use simple and clear user interface
  • have low implementation and maintenance cost

Full implementation of the solution took around two months, most of the time in AD selfservicePlus and that’s mainly because, it had not been Polonized at the time of implementation. But we approached it as an advantage we did the translation on our own and customized it exactly to suit our office terminology. Translation and adaptation of applications took the administrators couple of days, allowing the solution to match user expectations.

We used the ADManager Plus tool to manage Active Directory domains. In a simple and convenient way we created five roles for delegating powers to 49 professionals overseeing 18 units, to make it easier and faster.

Achieved complete control over the powers and delegation of tasks at the employees bureau of information. Adminis- trators can delegate the power to create accounts for people outside the IT Department, including staff, and provide a single standard for all accounts created on the domain and to avoid confusion using defined templates. As a result of the new distribution of roles helpdesk specialists have obtained permission to change passwords and unlock user accounts.

These changes, designed for advanced administrative projects have allowed the organization to save 20% of the time.

We used ADAudit Plus to monitor changes in a domain environment. It helped set up notifications about changes in key safety groups and make control changes in administrative units.

"Now, as soon as you change the group the Domain Admins are notified. The tool also helped detect login attempts in the system. Very quickly, administrators noticed on the main view hundreds of attempts to login to the domain. After having verified the logs it turns out that at the office in one of the districts was trying to log on hundreds of times to one of the domain controllers. This made it possible to detect the virus logging into the account in the domain and isolate specific computers to remove the virus. "

ADSelfService Plus Rebranding   ADSelfService Plus Rebranding

Allowing users to independently change their information in AD, resulted in an increase in timeliness by 30% annually.

For password management we used ADSelfService Plus, thanks to the Polanized version, which is configured according to the requirements of the Authority, a self-service portal is now available to all domain users.

With automatic alert to users about password expiration date and the possibility of self-unlocking the accounts without contacting the specialists, involvement of employees in the IT support for password incidents could be reduced by 40%.

ADSelfService Plus Rebranding   ADSelfService Plus Rebranding

Managerial Benefits:

  • Cross-sectional reports
  • Tracking trends
  • Monitoring and planning change management
  • Automation of routine activities for AD Administrators
  • Optimization of working time of the administrators
ADSelfService Plus Rebranding   ADSelfService Plus Rebranding

Administrative Benefits:

ADManager Plus helped achieve the following results:

  • Main administrators do not have to spend time on routine tasks, because they have been delegated to business administrators (districts)
  • The introduction of full supervision in the management of AD objects - delegation of power and control
  • Increase in 20% of the time for general administrative duties
  • The possibility of posting rights to non-IT people to create user accounts (Department of Personal Data)
  • Helpdesk team having permission to unlock and reset user passwords
  • Prepared a convenient naming template of accounts based on the location
  • Automated process of creating user accounts by using appropriate pre-defined templates
  • Possibility of defining password policy in the templates that is made available to business administrators
  • Generate reports of expiring accounts of the staff, allowing you to react quickly and take the appropriate steps
  • Generate a report on the accounts that are inactive for an extended period and transfer these accounts into a special container
  • Rapid implementation of orders such as creation of 100 accounts for the EU project using a CSV file
  • Supports Export of reports in the following formats: PDF, HTML, XLS, CSV
  • Generate reports by schedule with the ability to send as an attachment via email
  • Managing the attributes of Exchange 2007 and 2010 (a common console for AD and EX)
  • Advanced reporting and a clear main view
  • Ability to modify the collective attributes, using a CSV file or filtering mechanisms

ADSelfService Plus helped achieve the following results:

  • Improve the quality of data collected in the AD - the annual 30% increase in correct and timely information
  • Updating the domain by using configurable data
  • A password change that can reflect on computers that are not part of the domain.
  • Reduced number of applications to the helpdesk in connection with changes of passwords, account data, or reset
  • Alerts the user about impending password expiry
  • Address Book for users in the domain
  • Ability to personalize the application
  • The possibility of having a Polish interface

ADAudit Plus helped achieve the following results:

  • Aggregation of all significant security events of all 20 domain controllers
  • Fast and accurate determination of cause and source locking the user account. The application lets you quickly detect virus attacks by blocking the source and scope of the attack of user accounts
  • Current auditing of user accounts: login errors, login time, the name and controller of the station where the login takes place, log in to multiple stations simultaneously
  • Current auditing process of managing user and computer account in AD
  • The current audit management process of groups in AD: who, what and when to change
  • The current audit process of Group Policy management: create, delete, change links
  • Current auditing process of managing organizational units in the AD
  • A full analysis of the error log
  • In the event of certain events the system can send a message to the administrator (for example, a change in the member of a Domain Admins group)
  • To send periodic reports of assumed accounts, incorrect logins, etc.
  • Improving the quality of service for event requests on the city’s AD objects - 99% of changes to different types of objects like users, groups, containers and GPOs are audited

Summary:

Implementation of this solution combined with organizational change definitely improved the quality and efficiency of the work of the Office of Information. The results achieved a level for 20 to 40 percent improvement gave grounds for further development of functional and quantification of the system.

Implementation of this solution, combined with an organization level change, definitely improved the quality and efficiency of work. The results achieved a level for 20 to 40 percent improvement, that gave grounds for further functional development of the system. Currently the installation of AD tools, is one of the largest in Europe.

About ADSelfService Plus

case_study_img2

ManageEngine ADSelfService Plus is a secure, web-based password reset program for domain users to perform self-password reset, self-account unlock and self-update of personal details in Active Directory. It helps on a large scale to eliminate the leading source of helpdesk calls and associated expenses by automating password resets and account unlocks thereby optimizing employee productivity. Learn more about ADSelfService Plus from our website.

About ManageEngine

case_study_img3

ManageEngine provides a suite of powerful Enterprise Management products, including network utilization, performance, security, helpdesk management, email archive management and real-time QoS management among others, aimed at making your business more effective and efficient. With a wide array of products that can be easily integrated, enterprise wide optimization is easily possible. Complementary products provide users with the ability to choose and incorporate features that they need a la' carte!

About MWT Solutions:

MWT Solutions sp z o.o. is a supplier and distributor of IT service management, business continuity, risk management and security management. For over 10 years the company has expanded its practice skills in IT management, initially focusing on outsourcing and IT management would consequently become a supplier of solutions in this field.​

MWT Solutions customers include companies from many sectors of the economy - in particular the financial sector, energy production facilities and offices of central and local government.

我们的客户