Information Systems:Microsoft Active Directory At uniPHARM

From uniWIKI
Revision as of 15:21, 26 April 2019 by Darrenf (talk | contribs)

Active Directory is present and functioning normally at uniPHARM, housed on a pair of virtualized domain controllers running Server 2012 R2. There is a single forest and a single domain, unipharm.local. The functional level is 2012 R2, there are no special external trusts, and there are no unusual schema edits. The two domain controllers replicate with each other and all of the FSMO roles are on UWDDC1.

The AD layout is not complicated because there is only one site and the organizational units roughly mimic the business departments. In a company the size of uniPHARM it is not entirely bad to have "special" people in their own OU, which is how the payroll administrator is set up in AD, for example. Having individual users in their own OU is only sustainable while headcount is low; it does not scale up.

Group policy objects are labeled well in AD and applied at the OU level. The "Standard Desktop Settings For Windows" GPO carries the majority of the settings applied to the computers and users in an OU, but certain other options such as printers, mapped drives and web filter settings are split off into separate GPOs for flexibility. There are no logon/logoff scripts linked through GPOs and there are no non-Microsoft software installation packages linked through GPOs. WSUS settings are configured in the Standard Desktop Settings GPO, but computers that register in WSUS initially land in the Unassigned Computers group so that they can be manually moved to the existing WSUS groups. Again, this was done for flexibility in a small environment and it does not scale up.

There is no BitLocker in use at uniPHARM and DirectAccess is also not used, so those special parts of Active Directory are not in play. User passwords in Active Directory do not expire, so this is either a good thing or a very bad thing depending on who is reading this. The passwords given to staff are complex but have not changed in 15 years. There are applications that use AD authentication for single sign-on, but because the Power8 does not gracefully use AD, changing a staff password means the password has to be changed in multiple places to stay consistent. Users think all the applications get the same password from some magical source, but in reality the same password is simply configured for the user in each application that doesn't do AD SSO.

  • Moodle uses AD authentication
  • Gauss does understand AD users but authentication using the AD user is not consistent
  • The Sophos firewall web filter uses AD auth AND a certificate
  • The Sophos firewall uses AD auth for webadmin logins for IT staff
  • This wiki uses AD auth
  • vSphere uses AD auth but just for IT staff
  • Lenovo XClarity uses AD auth just for IT staff

And here's the list of stuff that does NOT use AD:

  • Green screen
  • ASW and DC1 and the RFGuns
  • Domino (it actually has its own independent LDAP directory that does not talk to AD)
  • Anything from Ceridian, HealthSourcePlus, Barracuda, SRfax, Esker, Trello, Exware
  • None of the Xerox copiers and none of the Lexmark printers use AD auth
  • The SSL VPN service from the Sophos firewall uses certificates that it generates so AD auth is not used for VPNs connecting from manager laptops
  • Nothing related to the Toshiba phone system uses AD auth
  • None of the IMMs on the physical servers use AD
  • None of the security camera DVRs use AD and none of the temperature monitoring stuff uses AD
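As an added example (not part of this wiki page or of uniPHARM's own tooling), here is a read-only PowerShell audit of the points described above: forest/domain shape and trusts, FSMO placement on UWDDC1, replication between the two DCs, password age given that passwords never expire, and GPOs that are not linked anywhere. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, the session has read rights on unipharm.local, and the one-year password-age threshold is an assumed value.

```powershell
# Added example, not from the uniWIKI page. Read-only audit; assumes RSAT
# ActiveDirectory + GroupPolicy modules and read access to unipharm.local.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest/domain shape: the page says one forest, one domain, no trusts,
# and a domain policy that never expires passwords (MaxPasswordAge of 0).
[pscustomobject]@{
    Domains        = ($forest.Domains -join ', ')
    ForestMode     = $forest.ForestMode
    DomainMode     = $domain.DomainMode
    Trusts         = @(Get-ADTrust -Filter *).Count
    MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
} | Format-List

# FSMO roles: all five should sit on UWDDC1; warn about any that do not.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() |
    Where-Object { $_.Value -notlike 'UWDDC1*' } |
    ForEach-Object { Write-Warning "FSMO role $($_.Key) is on $($_.Value), not UWDDC1" }

# Replication between the DCs: a non-zero consecutive failure count needs a look.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-ADReplicationPartnerMetadata -Target $dcs |
    Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Password hygiene: enabled users with PasswordNeverExpires set, or whose
# password is older than the (assumed) one-year threshold, oldest first.
$threshold = (Get-Date).AddYears(-1)
Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $threshold } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# GPO hygiene: the page says GPOs are linked at OU level, so a GPO with no
# LinksTo entry in its report is unlinked clutter worth reviewing.
Get-GPO -All | Where-Object {
    -not ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)).GPO.LinksTo
} | Select-Object DisplayName, ModificationTime | Format-Table -AutoSize
```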