Migrating to Active Directory remains an appealing idea for many companies. Ed Van Ness, a Windows NT administrator with Los Angeles-based Ticketmaster and an attendee at the event, said that his company is planning to implement Active Directory in 2003. Once the system is in place, he hopes that it will better allow the IT department to ensure that employees have the appropriate level of access to information. For example, Active Directory will make it easier for the IT department to make sure that people in finance can access only those budgets they are supposed to see. The system can be centrally managed, and help desk functions are likely to become more streamlined, Van Ness said.
While Active Directory can make management of the huge number of desktops in an enterprise much easier, it is not without its own headaches.
The most glaring problems with Active Directory are the kinds of sweeping changes that administrators can make to hundreds of computers with the stroke of a key, said seminar speaker Danny Kim, chief technology officer with FullArmor Corp., a Boston-based enterprise policy management company.
Kim detailed numerous problems that can crop up with group policy objects (GPOs). GPOs are essentially the rules that are associated with employees in an organizational unit. While the GPOs are at the core of Active Directory's management capability, there are surprisingly few safeguards in the product for GPOs, Kim said.
GPOs can have hundreds of different properties, and some companies have hundreds of GPOs associated with various organizational units. So this is an extremely flexible and complex system. Third-party tools can make powerful and complex Active Directory functions much more usable, said Ed Galvin, a systems engineer with NetIQ, a San Jose, Calif.-based systems management company, who presented along with Kim.
Though each GPO can have hundreds of properties, Active Directory does not provide documentation of changes made to each GPO. As a result, it is never clear who made which changes and when. Administrators can make changes that block anyone (including administrators) from reversing those changes, which can be disastrous. GPOs can block all access to an employees' hard drive and make the desktop non-functional, all with the click of a key.
All these important changes go live when they are made, Kim said. If more than one person makes changes to GPOs at a time, there is no way to prioritize the changes or to know how the final mix of changes will look until they go live as part of a 90-minute refresh cycle.
FullArmor provides a tool that helps manage GPOs and alleviates many of the problems that Kim detailed. NetIQ also has a suite of products that helps companies migrate to Active Directory and manage the system once migration is complete.
These tools sounded like good idea to Don Hayes, a network administrator with the State Street School in Los Angeles and an attendee at the event. He is hoping to simplify his school's access systems and provide better management by using Active Directory. In a school, he said there are many new people coming through the IT department all the time. A system lacking safeguards that does not document changes can be a nightmare. But with these third-party tools, he said, he can gain the benefits of Active Directory while better managing the risks.
For more information: