Active Directory Structure

By Erick Engelke and Bruce Campbell

Starting Point

Top Level Structure

People Organization

People• Administered by WatIAM• Second account for elevated privileges• Elevated account is application-specific

– Eg. ability to change people’s pay in DB• Use of smartcards for some people• Like passport – userids cannot be shared• Use other mechanisms to share data• Userid/password equivalent to a signature• Offer optional lower security account for use on public

workstations

Groups Organization

Groups

• Very useful for managing access to data• WatIAM will manage some groups

– Faculty, staff, student lists– Course lists

• Delegated access to groups OU

Naming Conventions

• Groups, servers, print queues need names• ECE: Electrical & Computer Engineering

or Early Childhood Education• We need a shared naming convention

– One of the first duties of the new committee– Will look at existing ADS and Nexus naming

conventions

Workstations Organization

Workstations

• subtree follows organization of university workstation management

• IST manages many administration PCs• Library and residences have own IT shops• Much software purchased and policies set

at faculty level• Non-windows machines also in the tree

Unix

• Use AD for password authentication• Possible to use AD to store uids, gids,

home directories, shells, etc.• Problem: multiple jurisdictions with distinct

uid/gid and home directory systems• Various possible solutions

– Use NIS or password files (but not passwords)– Virtual directories with different values for each jurisdiction

Macintoshes

• Many Macs participate in Nexus already• Prefer using Apple OpenDirectory which is

a virtual directory that gets userids/passwords, groups, etc. from AD

• Called Magic Triangle• MacTUG group involvement on Mac

related issues

Software Delivery

• GPOs, Systems Center, etc.• Nexus has a wealth of software packages• Would like to move to self-serve for offices

– Web based, automated delivery in future

• Encourage transforms rather than new packaging

Common Applications

• Software commonly needed– FireFox, Acrobat reader, Flash, etc

• Set timetable for updates• Have early testers before general release

Security Considerations• Continue protective measures on DCs• Want VPN to limit access from Internet,

wireless, residences, etc.• ‘reverse turing test’ like CAPTCHAs,

audio, etc. - centralized people-tester – Google does this too

• Certificates for user signing• Two factor authentication for some

Summary• Domain should be as simple as possible

while reflecting the structure of UW• Future services like video conferencing

and digital signing will make use of AD• Economize effort, minimize duplication• Take the best of ADS and Nexus