Managing AD users getting easier -- once you figure out who they are

Managing user directories can be complicated, but certainly not impossible. Part one of this two-part series delves into some of the issues IT managers face and identifies some ways to get around them.

This is the first in a two-part series by Kevin Ferguson on the use of multi-platform management tools to unify heterogeneous environments under Active Directory.

When it comes to managing user directories, making things easier is never simple. This is particularly true when single directories include Unix, Linux, Macintosh and Windows users.

With the growing popularity of multiple-platform managers, such as Centrify Corp.'s DirectControl and Quest Software Inc.'s Vintela Authentication Services -- both used to unify heterogeneous environments under Microsoft Active Directory -- and IBM Corp.'s Tivoli Directory Server, the task has become far simpler.

But everything is relative, and enterprise users are finding that challenges -- some technical, some political -- remain, though they are hardly insurmountable.

Identifying multiple user identities is biggest challenge

The biggest challenge, according to Jeremy Moskowitz, author of the recently released Windows and Linux Integration and a Wilmington, Del.-based Windows consultant, is in first identifying the multiple identifications that users often have on a network.

"You could have multiple pockets of Unix authentication on, say, NIS [Network Information Services], NIS+, OpenLDAP, any number of Unix authentications. And then on the back end you have lots of NFS [Network File System], which is where stuff is stored. And that's where these products come in. They are able to help you, once you know what you have. They're able to then help you have a unified identity on Active Directory."

Habitat for Humanity brings Mac users under one roof

Dmitri Thorpe, network engineering manager for Habitat for Humanity International, Americus, Ga., understands all too well the initial difficulty in locating non-Windows users. "I started here Nov. 1, and it was a serious problem trying to locate the Unix and Mac users because no one really knew, and nothing was documented," said Thorpe. "I knew we had AppleTalk traffic so I knew it was out there. Being international made it a little difficult, as well. It took a lot of internal communication to get a grasp of who had what."

Habitat for Humanity, which chose Centrify DirectControl, expects to finish deploying in its Georgia offices by the end of May, and internationally by the end of August, according to Thorpe.

Meanwhile, Habitat for Humanity had other concerns, too: attitudes. The non-profit agency's 100 Mac users became quite piqued recently when told they would need to log on and be authenticated like the 900 or so Windows users. Because the Macs were beyond the central scope of network efforts, their users were all treated as network administrators with easy network access.

That is changing. "They had the ability to do as they please," said Jim Thie, who became Habitat for Humanity's first chief information officer in 2005. "I want everyone to understand that this is Security 101. For us it wasn't an option. It was something that needed to be done. We had no way of knowing who was logging in and logging out."

About 50 of the Macs in question are deployed internationally, including Bangkok, Thailand. "With Centrify, we'll know who logs in and be able to protect resources accordingly," said Thie. "Secondly, we wanted something that integrated easily into the Active Directory structure. And thirdly, we wanted something that was easy to deploy. I would say we're achieving all three of those with Centrify."

VISA: ISP's Linux users weren't everywhere they needed to be

Similar success was reported by Centrify user Atlantech Online Inc. The Silver Spring, Md.-based Internet service provider operates a heterogeneous network with nearly 50 servers, just over half of them running Red Hat or FreeBSD. Each time a need for a new application arose, the ISP would typically just add another server. "We have several different variants of Linux Red Hat and FreeBSD," said H.F. Chou, chief technology officer for Atlantech Online.

That became time-consuming and risky when an employee left the company. "Every server had its own user database," Chou said. "Making changes became very tedious. It took two or three people the entire day to do it. Pretty soon we weren't sure what [IDs were] on the servers." Whenever a new Linux system was introduced, Atlantech added each user manually to each system on an as-needed basis.

Atlantech had another reason as well: Visa International had formalized stiff requirements for businesses wanting to be authorized to process credit card transactions. In order to comply with its requirements Atlantech needed to ensure that the company implemented appropriate policies, and that its systems had sufficient security to protect cardholder information.

For both reasons, the answer for Atlantech was Centrify DirectControl. Using DirectControl, when new administrators need to log in to a system, their profiles in Active Directory are configured to let them connect to the Linux host without touching the Linux system. They use their Active Directory credentials to connect, and DirectControl automatically creates a home directory for them on the system, Chou said. Since he deployed DirectControl a year ago, Chou has been able to streamline and secure user authentication.

Chou, too, has encountered glitches, however. "One of the few challenges had to do with geographically diverse deployment," Chou said. "One of the behaviors we detected with Centrify is that if there are any connection issues with Active Directory, it ramps up authentication [requirements]." While Chou stressed that there are no security concerns, he said that sometimes he has difficulty making a connection with 10 remote Unix servers over the company's virtual private network.

The quest for simplicity

Southern Company, an Atlanta-based energy company, had concerns similar to those of Atlantech — but on a much larger scale. It has about 20,000 Windows desktops and 800 Windows servers companywide, as well as 350 Unix servers. With no centralized process or technology to manage access and identities on Unix systems, basic password management tasks were falling to tier-three support people rather than the help desk.

Southern Company found that password expirations weren't being enforced. Moreover, password change and maintenance was taking place manually at each server, resulting in a long delay between an employee's termination and complete Unix de-provisioning, according to Robert Morgan, information services lead at Southern Company.

Southern Company now uses Quest Vintela Authentication Services to bring Unix and Windows user authentication under one umbrella.

Kevin Ferguson is a freelance writer living in Arlington, Mass.
