Slide 1: Automated Computer Account Management in Active Directory
June 2nd, 2009
Bill Claycomb, Systems Analyst
Sandia National Laboratories
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.
Slide 2: Agenda
• Background
• Motivation
• Design and Implementation
• Performance
• Discussion
• Future Directions
Slide 3: Active Directory
• Localized data store containing information about objects
  – Users
  – Computers
  – Contacts, etc.
• Provides information to applications
  – Authentication and access control
  – Contact information
  – Group membership
• Uses the LDAP communication protocol
  – Lightweight Directory Access Protocol
Slide 4: Active Directory at SNL
• User account objects:
  – 12651 user accounts
  – 2023 service accounts
• Group objects:
  – 14024 group objects
• Contact objects:
  – 21543 contact objects
• Computer objects:
  – 24989 computer objects
Slide 5: The Problem
• The authoritative data source for computer account information is not Active Directory (AD)
  – SQL database: Network Information System (NWIS)
• Policy requires any object in Active Directory to be in the authoritative data source
  – Policy was not enforced
• Administrative duplication of effort
  – Machine records manually entered into the database
  – Computer accounts manually entered in AD
  – Computer accounts manually managed in AD once populated
Slide 6: Solution
• Automate computer account population and management in Active Directory
Slide 7: Benefits
• Automated population and standardization of account data
  – Ownership
  – Support notes
• Reduced administrative overhead
  – Eliminates the need for manual account creation
• Enables registration policy enforcement
• Accurate reflection of actual computer usage
  – Large impact on billing calculations
  – Removal of inactive accounts from AD
Slide 8: Implementation - Platform
• Application developed using the .NET Framework
  – Allows easy interoperability with Active Directory
  – Simple interface with the SQL database as well
  – Service integrates easily with the existing Windows platform
Slide 9: Implementation - Provisioning Database
Diagram mapping provisioning database fields to Active Directory computer object attributes:
• Provisioning database: UniqueID, Name, Owner, Management Info, OS, Machine roles, etc.
• Active Directory: UniqueID, Name, Owner Info, OU Location, Provisioning Tags
Slide 10: Implementation - Management
Diagram: Authorized Accounts (from the authoritative database) are compared with Existing Accounts (in Active Directory) to produce three outputs:
• New Accounts
• Account Changes
• Expired Accounts
Slide 11: Implementation Concerns
• How to handle machines no longer authorized to be in Active Directory?
• Handle workstations differently than servers?
• How to handle machine renames?
• How to handle movement of computers between management unit OUs?
  – Machine owner changes locations, and thus changes management unit
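The comparison sketched on the management slide (authorized records versus existing AD objects, yielding new accounts, account changes and expired accounts) and the concerns listed above can be captured in one reconciliation routine. The example below is added here and is not the talk's or Sandia's code: it assumes records keyed by the database UniqueID, a constructed field set (name, owner, OU, role), and one possible policy for the open questions: match on UniqueID so renames and OU moves are detected as changes rather than as an expiry plus a new account, disable rather than delete expired workstations, and hold expired servers for administrator review.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# One computer record, keyed by the provisioning database's UniqueID (fields are assumed).
Record = namedtuple("Record", "unique_id name owner ou role")  # role: workstation | server

@dataclass
class Plan:  # actions the sync service would apply to Active Directory
    create: list = field(default_factory=list)   # new accounts (name)
    rename: list = field(default_factory=list)   # (old_name, new_name)
    move: list = field(default_factory=list)     # (name, old_ou, new_ou)
    update: list = field(default_factory=list)   # (name, attribute, new_value)
    disable: list = field(default_factory=list)  # expired workstations: disable, never delete
    review: list = field(default_factory=list)   # expired servers: hold for an administrator

def reconcile(authorized, existing):
    """Diff authoritative records against AD objects. Matching on UniqueID, not
    name, keeps a renamed or moved machine from looking like an expiry plus a new account."""
    auth = {r.unique_id: r for r in authorized}
    ad = {r.unique_id: r for r in existing}
    plan = Plan()
    for uid, want in auth.items():
        have = ad.get(uid)
        if have is None:
            plan.create.append(want.name)
            continue
        if have.name != want.name:
            plan.rename.append((have.name, want.name))
        if have.ou != want.ou:  # owner moved to another management unit
            plan.move.append((want.name, have.ou, want.ou))
        if have.owner != want.owner:
            plan.update.append((want.name, "owner", want.owner))
    for uid, have in ad.items():
        if uid not in auth:  # present in AD but no longer authorized in the database
            (plan.review if have.role == "server" else plan.disable).append(have.name)
    return plan

# Constructed sample data, not taken from the talk.
AUTHORIZED = [
    Record("1001", "WS-ALICE", "alice.new", "OU=Dept10", "workstation"),  # owner changed
    Record("1002", "WS-BOB2", "bob", "OU=Dept20", "workstation"),         # renamed and moved
    Record("1004", "WS-NEW", "dan", "OU=Dept10", "workstation"),          # not yet in AD
]
EXISTING = [
    Record("1001", "WS-ALICE", "alice", "OU=Dept10", "workstation"),
    Record("1002", "WS-BOB", "bob", "OU=Dept10", "workstation"),
    Record("1003", "SRV-OLD", "carol", "OU=Servers", "server"),           # no longer authorized
    Record("1005", "WS-GONE", "erin", "OU=Dept20", "workstation"),        # no longer authorized
]
```

Running `reconcile(AUTHORIZED, EXISTING)` yields one create, one rename, one move, one owner update, one workstation to disable and one server held for review; a real service would log each planned action before applying it so that an unexpected mass expiry can be caught.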
Slide 12: Future Directions
• Automated management of object location
  – Requires a consistent OU structure within management units
• Feed Active Directory information back to the authoritative data source
  – Usage information
  – Logging information
Slide 13: Design and Implementation Team
• Database
  – Miriam Maldonado
  – Stan Hall
  – Andrew Steele
  – Robbie Evanoff
  – Jim House
• Active Directory
  – Bob D'Spain
  – Jason Crenshaw
  – Bill Claycomb