
Improved IT security through AD Design

One of the things I frequently notice is that many small and mid-sized organizations have not spent much time designing their Active Directory structure. The usual response is that they lack the time and resources to do it. My response is that they cannot afford not to. Why? With a poorly managed Active Directory and poorly managed ACLs, it is almost impossible to ensure that users have the access they need while denying them rights to areas they should not reach. As a result, in almost every instance I've seen, some user has rights to something he should not have rights to. The opposite is often true as well: a new employee joins the organization but is not in all the appropriate groups, and therefore misses vital information he or she should be getting.

The solution to this is quite simple:

First, analyze your organization and break it down into functional units such as finance, operations, marketing, etc. Once you have the functional units, take the list of users and assign each user to exactly one department. It is very important that each user belongs to only one unit, since we will use these groupings later. Don't worry too much if some employees share job roles and therefore really fall into two categories: pick the most applicable one. Each employee can only be in one functional unit.

To illustrate, let's take the Sales department as an example. Joe is the vice president of Sales, and three departments report to him: large business sales, small business sales, and government sales. Each department has a manager (we'll call them Jane, Harry and Frank), and each department is further divided into sales people and sales support. In this case we would add each sales person to the sales people group for his or her respective department. We would put Jane, Harry and Frank in a group by themselves, since they are the managers. Joe would go in the Sales functional unit by himself, since there is no one else at his level.

Now that you have this list, let's go into AD and create two root-level OUs: the first called _groups and the second called _users. These containers will become the skeleton of your new AD. Inside each OU (_groups and _users) create a sub-OU for each functional unit in the organization. Once you have finished, move your user accounts into their respective OUs under the _users section.

Now, in the _groups section, create a group for each container that contains everything in that container and its sub-containers (i.e. in the above example, we would create:

As you can see in the above example, this means that the Government group contains the manager and the groups reporting to him, while the Sales group contains the VP of Sales and his supporting groups (which in turn contain their own groups).

By doing this you can work all the way up the organization and truly organize your AD. What is that you say? I've forgotten something? What about the fact that Sue from Large Corporate Sales sometimes helps the Government group? She needs rights to a lot of the folders that the Government group uses!

Ah! No worries. The solution is simple: create a "Visitors" group for each department too, and add users who need multi-department access to those groups. So in this case, Sue's main group is Large Corporate, but she is also a member of the Government Visitors group, which gives her all the necessary rights to act in the Government folders and groups.
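The whole procedure above (root OUs, per-unit sub-OUs, nested container groups, a Visitors group per department, and moving each account into exactly one place), as an added PowerShell example that is not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that the account running it may create OUs and groups, and that the sAMAccountNames in $UserPlacement (joe, jane, harry, frank) are placeholders for accounts that already exist; the domain DN is read from Get-ADDomain.

```powershell
# Added example, not code from the original post. It builds the _groups/_users OU
# layout and the nested group tree for the post's Sales example, adds a Visitors
# group per department, moves the placeholder accounts into their _users OU and
# puts each one in exactly one department or unit group. Assumptions: the RSAT
# ActiveDirectory module is installed, the caller may create OUs and groups, and
# the sAMAccountNames below are placeholders for accounts that already exist.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example (assumed)
$GroupsRoot = "OU=_groups,$DomainDN"
$UsersRoot  = "OU=_users,$DomainDN"

# Functional unit -> departments that report into it (the post's example).
$Units = @{ 'Sales' = @('Large Business Sales', 'Small Business Sales', 'Government Sales') }

# Placeholder account -> the ONE department (or unit) it belongs to.
$UserPlacement = @{
    'joe'   = 'Sales'                  # VP: alone at unit level
    'jane'  = 'Large Business Sales'   # managers sit directly in their department group
    'harry' = 'Small Business Sales'
    'frank' = 'Government Sales'
}

function Ensure-OU {
    param([string]$Name, [string]$Parent)
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Parent -SearchScope OneLevel
    if (-not $ou) {
        New-ADOrganizationalUnit -Name $Name -Path $Parent -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Parent"
}

function Ensure-Group {
    param([string]$Name, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

function Ensure-Member {
    # Add-ADGroupMember errors on duplicates, so check membership first (idempotent re-runs).
    param($Group, $Member)
    $current = Get-ADGroupMember -Identity $Group | Where-Object { $_.DistinguishedName -eq $Member.DistinguishedName }
    if (-not $current) { Add-ADGroupMember -Identity $Group -Members $Member }
}

# 1. Root OUs, then one sub-OU per functional unit and per department under each root.
$null = Ensure-OU -Name '_groups' -Parent $DomainDN
$null = Ensure-OU -Name '_users'  -Parent $DomainDN

foreach ($unit in $Units.Keys) {
    $unitGroupOU = Ensure-OU -Name $unit -Parent $GroupsRoot
    $unitUserOU  = Ensure-OU -Name $unit -Parent $UsersRoot
    # 2. Container group for the unit: holds the VP directly and the department groups nested.
    $unitGroup = Ensure-Group -Name $unit -Path $unitGroupOU

    foreach ($dept in $Units[$unit]) {
        $deptGroupOU = Ensure-OU -Name $dept -Parent $unitGroupOU
        $null        = Ensure-OU -Name $dept -Parent $unitUserOU
        # Container group for the department: holds its manager directly and its leaf groups nested.
        $deptGroup = Ensure-Group -Name $dept -Path $deptGroupOU
        foreach ($leaf in @("$dept People", "$dept Support")) {
            Ensure-Member -Group $deptGroup -Member (Ensure-Group -Name $leaf -Path $deptGroupOU)
        }
        Ensure-Member -Group $unitGroup -Member $deptGroup
        # 3. Visitors group for cross-department helpers (Sue's case). It is deliberately NOT
        #    nested into the department group: it is granted rights on resources explicitly,
        #    so the container group keeps meaning "people who report into this department".
        $null = Ensure-Group -Name "$dept Visitors" -Path $deptGroupOU
    }
}

# 4. Place each account: group membership first (the DN changes on move), then the OU move.
foreach ($sam in $UserPlacement.Keys) {
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
    if (-not $user) { Write-Warning "Placeholder account '$sam' not found; skipping"; continue }
    $target = $UserPlacement[$sam]
    $unit   = @($Units.Keys | Where-Object { $_ -eq $target -or $Units[$_] -contains $target })[0]
    Ensure-Member -Group (Get-ADGroup -Filter "Name -eq '$target'") -Member $user
    $targetOU = if ($unit -eq $target) { "OU=$unit,$UsersRoot" } else { "OU=$target,OU=$unit,$UsersRoot" }
    if ($user.DistinguishedName -notlike "*,$targetOU") {
        Move-ADObject -Identity $user -TargetPath $targetOU
    }
}
```

Every Ensure-* helper checks before it creates, so the script can be re-run after adding a department to $Units or an account to $UserPlacement without producing duplicate-member errors. The Visitors group is kept outside the container group on purpose: if it were nested, a visitor would also become a member of every parent group up the tree, and the "container contains everything below it" rule would quietly stop describing who actually reports where.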

The final step of this process is to follow a few rules.

If you follow these simple steps you will find it is much easier to manage your users.

In addition to AD, you can also model your shared folders on this new structure for even tighter security.
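One way to carry the same structure onto the file server, as an added example that is not code from the original post: one folder per department, NTFS rights granted only to that department's group and its Visitors group, inheritance cut at each department folder, and an audit that flags any ACE granted to an individual user account instead of a group. The share path D:\Shares\Sales, the group names, and reading the NetBIOS domain name from Get-ADDomain are all assumptions.

```powershell
# Added example, not code from the original post. Lays out one shared folder per
# department and grants NTFS rights only to the matching department group and its
# Visitors group, then audits every folder for ACEs that name a user account rather
# than a group. Assumptions: the share lives at $ShareRoot, the domain NetBIOS name
# comes from Get-ADDomain, and the group names match the OU/group layout in the post.
Import-Module ActiveDirectory

$ShareRoot   = 'D:\Shares\Sales'                     # assumed local path of the share
$Domain      = (Get-ADDomain).NetBIOSName             # e.g. CORP (assumed)
$Departments = @('Large Business Sales', 'Small Business Sales', 'Government Sales')

function New-AccessRule {
    param([string]$Identity, [string]$Rights, [string]$Inherit)
    # $Inherit 'None' = this folder only; 'ContainerInherit, ObjectInherit' = folder, subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
}

function Set-FolderAcl {
    param([string]$Path, [object[]]$Rules)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Cut inheritance and discard inherited ACEs, so a parent-level grant cannot leak in;
    # also drop any explicit ACEs left over from earlier runs, then apply exactly $Rules.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { $acl.RemoveAccessRule($old) | Out-Null }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$AdminRules = @(
    (New-AccessRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit'),
    (New-AccessRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit')
)

# Root of the unit's share: the Sales container group (which nests every department) may
# only list this folder, so people can reach their own department folder and nothing else.
Set-FolderAcl -Path $ShareRoot -Rules ($AdminRules + (New-AccessRule "$Domain\Sales" 'ReadAndExecute' 'None'))

foreach ($dept in $Departments) {
    $rules = $AdminRules + @(
        (New-AccessRule "$Domain\$dept"          'Modify' 'ContainerInherit, ObjectInherit'),  # the department itself
        (New-AccessRule "$Domain\$dept Visitors" 'Modify' 'ContainerInherit, ObjectInherit')   # cross-department helpers
    )
    Set-FolderAcl -Path (Join-Path $ShareRoot $dept) -Rules $rules
}

function Find-UserAces {
    # Flags ACEs granted to individual user accounts: rights should flow through groups only.
    param([string]$Root)
    foreach ($folder in @(Get-Item $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse)) {
        foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
            if ($ace.IdentityReference.Value -notlike "$Domain\*") { continue }
            $sam = $ace.IdentityReference.Value.Split('\')[1]
            $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
            if ($obj -and $obj.ObjectClass -eq 'user') {
                [pscustomobject]@{ Folder = $folder.FullName; Account = $sam; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Find-UserAces -Root $ShareRoot | Format-Table -AutoSize
```

Because each department folder blocks inheritance, a grant made on the share root (for example to let the Sales group browse) cannot widen into a sibling department, and the only way for Sue to reach the Government folder is through the Government Sales Visitors group. Running Find-UserAces on a schedule is the cheap check that nobody has quietly added a single account to a folder ACL and bypassed the group structure.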

Enjoy your New AD!
