Active Directory is a great centralized authentication service for security and compliance, but Macs, mobile devices, and remote access cause headaches.
When I arrived at my current employer about seven years ago, I was surprised to find no Active Directory. There was an attempt at an LDAP infrastructure, but the only thing authenticating to it was a single Samba server.
The replication to a secondary LDAP server was broken, email was off on its own, wireless was a collection of consumer-grade access points using static WAP keys, and every application -- whether commercial or internally developed -- had its own authentication scheme. I don't want to say it was a mess, but there was little evidence of a consistent authentication strategy or direction.
One of my first projects was to migrate from a legacy email system to Exchange. Since Exchange requires Active Directory, I saw an opportunity to begin to centralize authentication. Over time, new Windows servers were all put into Active Directory, a new multi-site distributed file server system was installed, and I talked with our developers about pointing applications requiring authentication to Active Directory. Next came a new wireless system and updated VPN endpoints; these, too, via Microsoft's version of a Radius server, tied into Active Directory.
My goal wasn't to have absolutely everything authenticate to Active Directory, but in my view, more is better. In theory, it should be easier for end users, because they have to remember only one set of credentials, and changing a password once takes care of many services. From an administrative perspective, Active Directory gives you one place to deactivate an account that covers multiple points of entry; I even configured our entire router, switch, and firewall infrastructure to authenticate administrative access against Active Directory.
As our IT operations evolved and security policies and compliance needs grew, we began to implement password change and account lockout policies. These policies help us protect critical infrastructure and information.
Mac, mobile, remote access headaches

All in all, I consider this implementation a success. However, it doesn't mean there aren't difficulties. First on the list is Macintosh users, who make up about a third of our computing population. Macs can be joined to Active Directory, but they aren't fully fledged members, so you can forget about simple group policies such as locking screen savers.
In addition, Macs on their own don't have a mechanism to inform users about expiring passwords, and changing an Active Directory password from within the Mac OS isn't a reliable solution. I haven't been able to get it to work at all, even with add-on products such as Centrify. Also, logins from Macs to wireless networks and file servers are not unified like they are in Windows.
Macs are a hassle, but the majority of problems came from mobile devices. As more people configured phones and tablets to access their email and connect to our wireless network, account lockouts increased exponentially. Why? When people change their password, they forget about all of the places
Dan Tesch is an IT Director at a Chicago-area marketing firm. He's also a member of the Interop Advisory Board. Dan's technology experience began in the late 1980s in the publishing industry, and now includes networking, virtualization, storage and security.