Slide 1: Active Directory Structure
By Erick Engelke and Bruce Campbell

Slide 2: Starting Point

Slide 3: Top Level Structure

Slide 4: People Organization

Slide 5: People
Administered by WatIAM
Second account for elevated privileges
Elevated account is application-specific
E.g. ability to change people's pay in DB
Use of smartcards for some people
Like a passport: userids cannot be shared
Use other mechanisms to share data
Userid/password equivalent to a signature
Offer optional lower security account for use on public workstations
Slide 6: Groups Organization

Slide 7: Groups
Very useful for managing access to data
WatIAM will manage some groups
Faculty, staff, student lists
Course lists
Delegated access to groups OU

Slide 8: Naming Conventions
Groups, servers, print queues need names
ECE: Electrical & Computer Engineering or Early Childhood Education
We need a shared naming convention
One of the first duties of the new committee
Will look at existing ADS and Nexus naming conventions
Slide 9: Workstations Organization

Slide 10: Workstations
Workstations subtree follows organization of university workstation management
IST manages many administration PCs
Library and residences have own IT shops
Much software purchased and policies set at faculty level
Non-Windows machines also in the tree

Slide 11: Unix
Use AD for password authentication
Possible to use AD to store uids, gids, home directories, shells, etc.
Problem: multiple jurisdictions with distinct uid/gid and home directory systems
Various possible solutions
Use NIS or password files (but not passwords)
Virtual directories with different values for each jurisdiction
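As an added example (not from the slides), the "virtual directories with different values for each jurisdiction" option modelled in Python: AD stays the only password authority, each jurisdiction keeps its own uid/gid/home mapping, and two checks flag the problems that separate mappings invite. Jurisdiction names, users and uids are constructed.

```python
"""Per-jurisdiction POSIX attributes on top of one AD identity (constructed example)."""
from dataclasses import dataclass

# Constructed AD accounts: userid -> display name. Passwords stay in AD only.
AD_USERS = {"jdoe": "Jane Doe", "asmith": "Ann Smith", "bchen": "Bo Chen"}

# Constructed per-jurisdiction tables: the non-password part of what NIS or a
# passwd file would hold. Jurisdictions disagree on uids, gids and home layout.
# "old_tmp" exists only in the math table and has no AD account behind it.
POSIX = {
    "ece": {"jdoe": (1001, 100, "/home/ece/jdoe", "/bin/bash"),
            "bchen": (1002, 100, "/home/ece/bchen", "/bin/bash")},
    "math": {"jdoe": (5001, 500, "/u/jdoe", "/bin/tcsh"),
             "asmith": (1001, 500, "/u/asmith", "/bin/bash"),
             "old_tmp": (5002, 500, "/u/old_tmp", "/bin/bash")},
}

@dataclass(frozen=True)
class PosixEntry:
    userid: str
    uid: int
    gid: int
    home: str
    shell: str

def resolve(userid, jurisdiction):
    """POSIX view of an AD user as seen by hosts of one jurisdiction.
    Returns None if AD does not know the user (AD is the authentication
    authority) or the jurisdiction has no entry for them."""
    if userid not in AD_USERS:
        return None
    row = POSIX.get(jurisdiction, {}).get(userid)
    return PosixEntry(userid, *row) if row else None

def uid_collisions():
    """uids that name different users in different jurisdictions; on a
    shared NFS export such a collision makes file ownership ambiguous."""
    owners = {}
    for table in POSIX.values():
        for userid, (uid, _gid, _home, _shell) in table.items():
            owners.setdefault(uid, set()).add(userid)
    return {uid: sorted(u) for uid, u in owners.items() if len(u) > 1}

def orphans():
    """(jurisdiction, userid) pairs present locally but absent from AD.
    These are the accounts a passwd file with its own password field
    would still let in after AD deprovisioning."""
    return sorted((jur, name) for jur, table in POSIX.items()
                  for name in table if name not in AD_USERS)
```

Running `uid_collisions()` and `orphans()` against the constructed tables reports uid 1001 shared by two users and the AD-less "old_tmp" entry.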
Slide 12: Macintoshes
Many Macs participate in Nexus already
Prefer using Apple OpenDirectory, which is a virtual directory that gets userids/passwords, groups, etc. from AD
Called the "Magic Triangle"
MacTUG group involvement on Mac related issues

Slide 13: Software Delivery
GPOs, Systems Center, etc.
Nexus has a wealth of software packages
Would like to move to self-serve for offices
Web based, automated delivery in future
Encourage transforms rather than new packaging

Slide 14: Common Applications
Software commonly needed: FireFox, Acrobat Reader, Flash, etc.
Set timetable for updates
Have early testers before general release
Slide 15: Security Considerations
Continue protective measures on DCs
Want VPN to limit access from Internet, wireless, residences, etc.
'Reverse Turing test' like CAPTCHAs, audio, etc.: a centralized people-tester; Google does this too
Certificates for user signing
Two factor authentication for some

Slide 16: Summary
Domain should be as simple as possible while reflecting the structure of UW
Future services like video conferencing and digital signing will make use of AD
Economize effort, minimize duplication
Take the best of ADS and Nexus