Article

Economic downturns call for Active Directory proficiency

Margie Semilof
As corporations downsize employee rosters in a soft economy, IT managers must draw on their skills as administrators of directories and identity assets to maintain corporate data security.

Laid off employees, particularly disgruntled ones who may have had access to key corporate repositories, can threaten an organization. IT managers need global knowledge -- from knowing the enterprise directories and extranet directories and the location of repositories, to knowing the people in charge of directory access and which ones have super user privileges.

    Requires Free Membership to View

More on Active Directory management 
Expert eyes Active Directory changes in Windows Server 2008

Active Directory FAQs
Earl Perkins, a vice president at Gartner Inc., the Stamford, Conn.-based consulting firm, said that when faced with a large corporate layoff, it's smart to immediately create a skeleton team of administrators to focus on the transition and to shut off a terminated employee who may have had super access to corporate information.

Contingency planning

Perkins told managers to function as if they were managing through a disaster. Now is the time to choose new people to have administrator privileges, he said. "You have to know your stuff, know your people, know how to prioritize the use of directories and protect the key access points," he said. Perkins suggests taking the following steps:
  • Create a super user management process. Allocate new privileges and new rights to new people and shut down access to former employees.
  • Re-evaluate the role of the directory and the automated account workflow. Make sure you know where the directory is being used during new account creation or during the retirement of an account.
  • Know the location of your current organizational assets that are related to assets and maintenance. You may have a good idea of where things are in the data center but not when you fan out into the wider enterprise. Audit your identity assets.
  • Assess the relationship between the extranet directory and the enterprise directory so you can determine the level of synchronization. Hackers don't take a holiday. There could be a threat during the downturn, and the links between the inside and outside will be at risk. Make sure it's secure.
  • Know what brands and versions of administration tools are available and how they work.

Don't delete

During a corporate downsizing, don't delete accounts. Disable them instead, said Jeremy Moskowitz, principal at GPanswers.com, a Group Policy trainer based in Philadelphia.

"If you delete an account, it's a long road to getting access rights for the next person who may take over," Moskowitz said. "When you are downsizing, someone still has to do that job in the interim. By deleting an account you are losing the link to everything that person was doing."

Disable the account temporarily, he said, and find out who is taking over the job role and then give the account a new name and password. "It may not be a good long-term strategy, but it's a good interim strategy for business continuity," he said. "Life has to go on for those roles and responsibilities."

In some cases, a company has to lay off desktop support staff and then change the local administrator passwords on the machines. Moskowitz said IT managers should know there is a new, easy-to-automate method of resetting desktop administrator permissions in Group Policy.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: