Keeping an organization safe from potential security breaches and costly downtime involves knowing who has access to what parts of the infrastructure and how changes were made to group policies or to user account information. Many IT organizations have already made the long journey from legacy systems to Active Directory (AD) or are well on their way. Having spent time preparing for the pitfalls and pains of migrations, corporations have often forgotten why they set forth on the journey in the first place. The promise of Active Directory has always been to lower the costs of user administration, but sometimes it is unclear how best to achieve these ends. For many organizations, the two most overlooked areas are group policies and the secure delegation of tasks.
Group Policies are the "Killer App" of Active Directory. They help dramatically lower the cost of administering users and computers by enabling the automated distribution of policies across the Active Directory forest. All Active Directory environments are preconfigured with two default Group Policies: the Default Domain Policy and the Default Domain Controllers Policy. These two policies configure the initial security settings for the Active Directory environment; however, there are more than 900 additional Group Policy Object settings in Windows 2003 and XP to maximize AD performance and availability, optimize IT resources and protect information assets. In spite of the many options available with Group Policies, many organizations have failed to leverage them widely in their IT environment.
The litany of Group Policies available may, in fact, be a deterrent to wider adoption, as corporations are overwhelmed by the number of policies and struggle to define which ones to implement. Some of the most powerful Group Policies include the ability to configure what is visible to end users in the Control Panel or Start menu, to enable folder redirection and disk quotas, and to define account settings such as lockout and password policies. Each of these policies helps to lower overall administrative costs.
Disabling access to specific items in the Control Panel and Start menu reduces the likelihood of downtime due to end user misconfigurations. Enabling folder redirection and disk quotas ensures that critical computer information can be routinely backed up (through folder redirection) and that non-critical data is kept to a minimum (through disk quotas). Finally, defining account settings such as minimum password length and password history helps to lower the odds of account hijacking through password cracking. While there are numerous additional capabilities that can be implemented with Group Policies, implementing these key policies would serve as a great starting point for companies looking to increase their return on Active Directory.
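The account settings named above (minimum password length, password history, lockout) are enforced by the Default Domain Policy, so a quick way to see whether they are actually set is to read the domain's effective password policy and compare it against a baseline. The script below is an added example, not code from the article or from NetIQ; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and read access to the domain, and the baseline numbers in the parameters are this example's own assumptions rather than a vendor standard.

```powershell
# Added example: compare the domain's effective password and lockout policy
# (the values enforced by the Default Domain Policy) with a chosen baseline.
# Assumes the ActiveDirectory module; baseline values are assumptions.
Import-Module ActiveDirectory

function Test-DomainPasswordBaseline {
    param(
        [int]$MinLength        = 14,   # assumed baseline values
        [int]$HistoryCount     = 24,
        [int]$LockoutThreshold = 10,   # max failed attempts before lockout; 0 means never lock
        [int]$LockoutMinutes   = 15
    )

    $p = Get-ADDefaultDomainPasswordPolicy

    $checks = @(
        @{ Setting = 'MinPasswordLength';    Current = $p.MinPasswordLength;    Required = ">= $MinLength";
           Ok = ($p.MinPasswordLength -ge $MinLength) }
        @{ Setting = 'PasswordHistoryCount'; Current = $p.PasswordHistoryCount; Required = ">= $HistoryCount";
           Ok = ($p.PasswordHistoryCount -ge $HistoryCount) }
        @{ Setting = 'ComplexityEnabled';    Current = $p.ComplexityEnabled;    Required = 'True';
           Ok = ($p.ComplexityEnabled -eq $true) }
        # A threshold of 0 disables lockout entirely, so 0 is a failure, not a pass
        @{ Setting = 'LockoutThreshold';     Current = $p.LockoutThreshold;     Required = "1..$LockoutThreshold";
           Ok = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $LockoutThreshold) }
        @{ Setting = 'LockoutDuration';      Current = $p.LockoutDuration;      Required = ">= $LockoutMinutes min";
           Ok = ($p.LockoutDuration.TotalMinutes -ge $LockoutMinutes) }
    )

    foreach ($c in $checks) { [pscustomobject]$c }
}

# One row per setting; anything with Ok = False is where the Default Domain Policy differs from the baseline
Test-DomainPasswordBaseline | Format-Table Setting, Current, Required, Ok -AutoSize
```

On domains at the 2008 functional level or later, fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override these values for specific groups or users, so a clean result here covers the domain default only.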
Of course, with all the benefits Group Policies offer come a few new perils. With native tools alone there is no way to test and approve changes to Group Policy settings before promoting them into a live environment. As a result, organizations risk locking all end users out of critical applications with a single inadvertent setting change by an administrator. To avoid such situations, some organizations attempt to replicate their Group Policy environment in a lab. Not only is this costly, it is also nearly impossible to model the ever-changing production environment accurately enough to validate the effect of new changes. This is where third-party tools can help. By providing a virtual offline environment for Group Policy change simulation and change approval, organizations can realize the value of Group Policies while avoiding both the risks of making changes in the live environment and the costs of trying to replicate it in a lab.
Along with the implementation of Group Policies, organizations interested in reducing administrative costs must also focus on securely delegating administrative tasks to non-IT personnel and end users. For example, many help desk functions such as password resets, group membership changes and new account creation can be delegated to the help desk or to OU-level administrators. Assigning these tasks to less privileged personnel serves two cost-saving functions: it frees higher-level administrators to focus on keeping Active Directory optimized, and it improves productivity while reducing the security threat inherent in granting too many end users high-level permissions.
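The "secure" part of secure delegation is granting the help desk exactly the right it needs on exactly the objects it should touch, and then being able to verify that grant. The script below is an added example and not code from the article or from NetIQ: it grants a help desk group only the "Reset Password" control access right on user objects beneath one OU, then reads the OU's ACL back so the delegation can be audited. It assumes the ActiveDirectory module (which provides the AD: drive) and rights to modify the OU's security descriptor; the OU and group names are placeholders.

```powershell
# Added example: least-privilege delegation of password resets on one OU.
# Assumes the ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDN  = 'OU=Staff,DC=example,DC=com'          # placeholder OU
$group = Get-ADGroup 'HelpDesk-PasswordReset'  # placeholder help desk group

# Well-known Active Directory schema GUIDs:
#   the "Reset Password" control access right (User-Force-Change-Password)
#   and the "user" object class, so the right applies to user objects only
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

# Allow the extended right on descendant user objects; the OU itself gets nothing
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the explicit (non-inherited) entries this group now holds on the OU.
# Anything broader than ExtendedRight / Reset Password / user here is over-delegation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification step is worth running periodically, not just once: the same query over every OU, filtered to ACEs that are not inherited, is a simple inventory of who has been delegated what, which is the "who has access to what" question the article opens with.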
Organizations can achieve even greater administrative cost savings by enabling end user self-service or by completely eliminating human intervention through the automation of repetitive tasks. These functions require the use of third-party tools working in conjunction with Active Directory. For example, while it is less expensive to task help desk personnel with resetting passwords instead of IT administrators, it is even less costly to allow end users to perform this function for themselves. Many vendors allow end users to unlock their accounts, reset their passwords and synchronize the new password to other accounts through web-based, challenge-response authentication. This practice has been proven to reduce help desk call volume by an average of 15 to 35 percent.*
Of course, removing human involvement altogether is the least costly way to complete an administrative task. New account creation is an opportunity for organizations to take advantage of user administration automation. For example, companies can ensure that an Active Directory account, Exchange mailbox, home directory and home quota are all created automatically for each new user added to the Human Resources system. While this level of automation could be achieved with native Active Directory scripting, third-party tools make it easier to implement, properly audited and less expensive to maintain.
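The "native scripting" route the paragraph mentions looks roughly like the script below, which is an added example and not code from the article or from NetIQ. It takes a row from an HR export, creates the AD account with a random initial password that must be changed at first logon, creates and secures the home directory, applies a home quota, and writes an audit record of what was created (never the password). It assumes the ActiveDirectory module, a file server share for home directories and, for the quota step, the FileServerResourceManager module on that server; the OU, share, domain, quota template, HR record and audit path are all constructed placeholders. The Exchange mailbox step is omitted because it requires the Exchange management tools.

```powershell
# Added example: hands-off new-hire provisioning from an HR feed, with an audit trail.
# Assumes the ActiveDirectory module and a home-directory file server; all names are placeholders.
Import-Module ActiveDirectory

$targetOU      = 'OU=Staff,DC=example,DC=com'   # placeholder
$upnSuffix     = 'example.com'                   # placeholder
$fileServer    = 'fileserver'                    # placeholder host name
$homeShare     = "\\$fileServer\home$"           # placeholder share
$homeLocalRoot = 'D:\Home'                       # placeholder local path of that share on the server
$quotaTemplate = 'Home Directory Quota'          # placeholder FSRM template name
$auditLog      = 'C:\ProvisioningAudit\new-accounts.csv'

# Constructed stand-in for the HR system's export (one row per new hire)
$hrFeed = @'
EmployeeId,GivenName,Surname,Department
10231,Ada,Lovelace,Engineering
'@ | ConvertFrom-Csv

function New-RandomInitialPassword {
    # 24 random bytes -> 32 base64 characters: long enough to satisfy any
    # domain complexity rule; it is only used until the first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($hire in $hrFeed) {
    $sam = ('{0}{1}' -f $hire.GivenName.Substring(0, 1), $hire.Surname).ToLower()

    # Idempotent: re-running the feed must not create duplicates or reset existing accounts
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping employee $($hire.EmployeeId)"
        continue
    }

    $homePath = Join-Path $homeShare $sam

    # 1. The directory account, disabled until the home directory exists
    $user = New-ADUser -Name "$($hire.GivenName) $($hire.Surname)" `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -GivenName $hire.GivenName -Surname $hire.Surname `
        -Department $hire.Department -EmployeeID $hire.EmployeeId `
        -Path $targetOU -AccountPassword (New-RandomInitialPassword) `
        -ChangePasswordAtLogon $true -HomeDirectory $homePath -HomeDrive 'H:' `
        -Enabled $false -PassThru

    # 2. Home directory, granting the user Modify by SID so the grant does not
    #    depend on the new account having replicated to the file server's DC yet
    New-Item -Path $homePath -ItemType Directory -Force | Out-Null
    $acl  = Get-Acl -Path $homePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $user.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $homePath -AclObject $acl

    # 3. Home quota via FSRM, which must run on the file server against its local path
    Invoke-Command -ComputerName $fileServer -ScriptBlock {
        param($path, $template)
        New-FsrmQuota -Path $path -Template $template | Out-Null
    } -ArgumentList (Join-Path $using:homeLocalRoot $sam), $quotaTemplate

    # 4. Everything is in place; enable the account
    Enable-ADAccount -Identity $user

    # 5. Audit record: what was created, by whom and when. The initial password is
    #    not logged; it is handed to the user out of band.
    [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('o')
        EmployeeId = $hire.EmployeeId
        SamAccount = $sam
        DN         = $user.DistinguishedName
        HomePath   = $homePath
        Operator   = "$env:USERDOMAIN\$env:USERNAME"
    } | Export-Csv -Path $auditLog -Append -NoTypeInformation
}
```

Two of the choices above are the ones that tend to be skipped in ad hoc scripts and then cause trouble: the existence check that makes the feed safe to re-run, and creating the account disabled until every dependent resource exists, so a half-provisioned account never becomes usable. The audit CSV is the minimum record a third-party tool would keep for you; whichever route is taken, the creation of every account should be attributable to a feed row and an operator.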
As these scenarios demonstrate, using Group Policies and delegating administrative tasks enable organizations to maximize their investment in Windows 2000/2003. Active Directory provides a powerful infrastructure for facilitating these actions and, in conjunction with third-party administrative tools, can ensure that administrative functions are performed with less risk and greater levels of automation and auditability.
*Gartner, Inc., "Justify Identity Management Investment with Metrics," February 23, 2004
Indy Chakrabarti is product marketing manager for security administration solutions at NetIQ.