Avoid Active Directory Pitfalls

Windows NT domains tied security and administration processes to the domain, and each domain administrator implemented ways to maximize security and efficiency at the local level. Active Directory (AD) replaces this structure with a central enterprise security model, allowing security authority and administration processes to become independent of prior domain boundaries. As a result, upgrade projects must include explicit decisions on how and why administration authority and process get assigned throughout the organization. Coming to agreement on these contentious issues will involve lots of people with lots of different objectives that are difficult to reconcile.

AD deployments are far-reaching and affect a number of people who are accountable for critical IT objectives, such as security, service levels and cost management. Projects that ignore these stakeholders will meet with significant organizational resistance. Plans that incorporate these objectives, solicit participation by stakeholders and propose technology solutions that limit the need for compromise will be more successful.

But be prepared for a tug of war. Security and visibility objectives tend to pull administration processes and authority to the center, while IT service-level and efficiency objectives tend to push and distribute administration outward. You need to focus on higher-level enterprise IT objectives and develop strategies on how the AD deployment can help achieve them.

Centralized Security Objectives. The obvious challenge facing the deployment team is to create a controlled and auditable enterprisewide security structure that protects corporate information from appropriation and misuse by unauthorized internal users. Ensuring tight security requires both a well-designed administration rights model and consistent administration processes.

Overly broad permissions or inconsistent execution of daily administration activities expose information assets and make identifying security gaps difficult. In isolation, this objective would drive IT to centralize administration and limit rights allocation, a strategy that is impractical for most large organizations with distributed admin groups.

The only other option is to design and assign permission sets across dozens or hundreds of administrators and then get those administrators, with different skills, in multiple locations, to do the same things in the same way, all of the time.

The objective should be to identify and implement a security solution that allows central IT to easily define and delegate administration permissions, standardize administration processes and constantly monitor the environment for breaches and potential security exposures.

Enhanced Local IT Effectiveness. The goal of IT organizations is to increase enterprise productivity by delivering the right information and resources to authorized employees quickly and accurately. This requires a fundamental understanding of who needs what and why, and a way to respond quickly and flexibly to new requirements as they arise. IT managers responsible for local business process support must remain empowered to create and deliver solutions within approved security guidelines.

Deployment objectives here should focus on providing local administrators with tools for delivering and administering IT resources and information more effectively.

Controlled Administration Costs. On the surface, enhanced security and service-level objectives appear to increase project costs. However, foundational technology upgrades like AD provide rare opportunities for enterprises to fundamentally enhance core security and administration processes. This is the time to simplify and streamline tedious, repetitive and often error-prone admin tasks such as creating user accounts, diagnosing user log-on issues, providing file access and removing user rights. By increasing standardization and efficiency, security and service levels are improved while costs are reduced. Administration processes represent a large portion of "keep the lights on" IT budgets, and process improvements create recurring structural cost savings.

The business justification for the AD implementation project can and should include hard operational return on investment in addition to tighter security controls.

Supplement Windows Technologies to Avoid Deployment Friction. Incorporating value-added Windows security and administration applications with an operating system upgrade provides a cost-effective way to optimize all stakeholder interests and eliminate the need to compromise between core enterprise IT objectives. Consider software from the following categories to ease organizational friction and gain project support from key stakeholders:

  • Role management software relaxes the tension between central process control and local administration flexibility. It allows central security groups to easily define a role-based administration permission structure for delegating admin activities across the entire enterprise, from help desk to organizational unit administrators. Security administrators establish policy and gain permission visibility while activities are performed more cost-effectively, closer to users and information.
  • Service provisioning reduces operating costs and improves delivery effectiveness by automating routine and error-prone admin activities, including user provisioning and the configuration of Exchange and other Windows resources. Security is enhanced by achieving process control and automating policy enforcement over access permissions to critical files, applications and resources.
  • Security auditing provides visibility into all administrator permissions, information access rights and administration transactions across the enterprise. These applications enhance the ability to detect and repair security gaps while dramatically reducing the time and cost of comprehensive audits.
  • Web-based administration tools provide an easy-to-use alternative interface that unifies administration across multiple Windows infrastructure technologies (AD, Exchange, NTFS). Web admin tools have the advantage of presenting only the tasks and scope available to that administrator and abstracting complex processes so that more tasks can be delegated to cost-effective resources with minimal training requirements.

Look for solutions that combine the capabilities necessary to satisfy stakeholder objectives and exceed your organization's deployment goals.

Mark Hynes is founder and chief operating officer of Xevo Corp., a maker of Windows administration and access management software.

Copyright © 2003 IDG Communications, Inc.
