Treat Active Directory Like a Database
by Indy Chakrabarti
November 17, 2004
People who manage users typically don't talk to the people who manage databases. The advent of Active Directory, however, creates an unanticipated alignment of these two seemingly disparate functions. Although Active Directory manages user login and other information, it is also a database and needs to be treated as such. Here are five database management procedures that help make user administration with Active Directory less challenging.
Test Changes First
The tried and true principle of database administration is to not fool around with settings in a production environment. It can be difficult to adhere to this principle with Active Directory because of the ongoing changes that occur, including adding new users and groups. However, there are many critical tasks you should avoid in a live environment. For example, you should make changes to the Active Directory security model in a test lab before deploying them.
Similarly, changes to Group Policy settings, which control much of Active Directory security, can be disastrous if introduced into production by mistake. There is no Apply button for Group Policy: every edit to a Group Policy Object setting, down to a single keystroke, is saved the moment it is made and starts replicating to the other domain controllers, and there is no way to call it back. Because Group Policy is part of every Active Directory domain, every organization running Active Directory is exposed to this risk.
Use Comprehensive Change Control
Some organizations understand the value of creating a test environment, but many have not formalized the process to validate when a change can be taken from test to production. To ensure that a change is appropriate, organizations should require approval before introducing changes into the live environment. In addition, mandate strict rules for limiting who has privileges to perform different tasks in Active Directory as well as the scope of those privileges.
The best form of change control is to remove the ability to make changes in the first place. Enterprise Resource Planning systems such as SAP don't allow users to edit the database table data directly. Instead, they deliver a filtered interface that not only controls who can change specific data, but also sets guidelines on acceptable values for the data inputs.
Make Sure You Can Roll Back Critical Changes
An important, but often unplanned, Active Directory capability is being able to roll back changes in the enterprise database. For example, third-party software can let you quickly roll back to previous Group Policy settings if, as discussed earlier, someone mistakenly hits the space bar.
Third-party software can automate the process, but good internal procedures let you roll back, too. For example, you can implement a rollback for mistaken user account deletions. Instead of allowing help desk administrators to delete accounts, allow them only to disable accounts and then move them to a separate Delete Organizational Unit (OU). Access to this OU can be restricted to highly privileged administrators, who alone have delete permissions. This dual-key authorization process gives you a way to roll back without resorting to full Active Directory restores.
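As an added illustration (not part of the original article, and not a NetIQ product), the following PowerShell implements that dual-key process with the ActiveDirectory module: a help desk function that disables an account, records where it came from and parks it in a holding OU; a restore function that reverses that; and a one-time setup function that grants delete rights on the holding OU to a single privileged group while explicitly denying them to the help desk group. The OU, domain and group names are assumptions. One caveat a practitioner should know: Active Directory requires Delete permission on an object in order to move it, so any account help desk staff can move themselves they could also delete in its original OU; in practice the move should run under a delegated service account or administration tool (the filtered interface the previous section argues for), and the ACL below then guarantees that nothing leaves the holding OU except through the privileged group.

```powershell
# Added example, not from the original article or any NetIQ product.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
# The OU, domain and group names below are assumptions; adjust for your forest.
Import-Module ActiveDirectory

$HoldingOU     = 'OU=Pending Deletion,DC=corp,DC=example'   # assumed holding OU
$DeletionGroup = 'CORP\AD-Deletion-Admins'                   # assumed privileged group
$HelpDeskGroup = 'CORP\HelpDesk'                             # assumed help desk role group

# Help desk step: disable the account, record where it lived, park it in the holding OU.
function Disable-UserForDeletion {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId      # change-control reference
    )
    $user = Get-ADUser -Identity $SamAccountName
    # Parent container = the DN with its leading RDN removed (escaped commas respected).
    $parent = $user.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
    $note = "pending-deletion ticket=$TicketId by=$env:USERNAME on=$(Get-Date -Format yyyy-MM-dd) parent=$parent"
    Set-ADUser -Identity $user -Description $note
    Disable-ADAccount -Identity $user
    Move-ADObject -Identity $user -TargetPath $HoldingOU
}

# Rollback step: return a parked account to its original container and re-enable it.
function Restore-UserFromDeletion {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    if ($user.Description -match 'parent=(?<parent>.+)$') {
        Move-ADObject -Identity $user -TargetPath $Matches.parent
        Enable-ADAccount -Identity $SamAccountName
        Set-ADUser -Identity $SamAccountName -Clear Description
    } else {
        throw "No pending-deletion record on $SamAccountName; nothing to roll back."
    }
}

# One-time setup: only $DeletionGroup may delete inside the holding OU; the help
# desk group is explicitly denied, so parked accounts can be restored but not removed.
function Protect-HoldingOU {
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree'
    $inherit      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $acl = Get-Acl -Path "AD:\$HoldingOU"
    $allow = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        [System.Security.Principal.NTAccount]$DeletionGroup, $deleteRights,
        [System.Security.AccessControl.AccessControlType]::Allow, $inherit)
    $deny  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        [System.Security.Principal.NTAccount]$HelpDeskGroup, $deleteRights,
        [System.Security.AccessControl.AccessControlType]::Deny, $inherit)
    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path "AD:\$HoldingOU" -AclObject $acl
}

# Usage (help desk):   Disable-UserForDeletion -SamAccountName jdoe -TicketId CHG-1234
# Usage (rollback):    Restore-UserFromDeletion -SamAccountName jdoe
# Usage (setup once):  Protect-HoldingOU
```

The original container is written into the account's Description rather than kept in a side database so that the rollback information travels with the object and survives a move between administration tools; Restore-UserFromDeletion refuses to act on an account that carries no such record rather than guess at a destination.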
Get Immediate Notification of Production Changes
Changes to the live environment are inevitable despite the best efforts to control them. To recognize the need to roll back, organizations first need to ensure that they are alerted to critical changes. Most organizations today monitor their servers and databases, but few try to detect changes to their Active Directory environment.
For example, can the company detect when someone changes the Group Policy setting for minimum password length from 10 characters down to one? Are administrators alerted when someone is added to the Enterprise Admins group in Active Directory?
Audit Production Changes
Real-time monitoring is important, but in today's regulatory environment the ability to audit historical changes is critical too. This can be accomplished in one of two ways in Active Directory. The most common way is to install log consolidation software to archive domain controller logs. Another option is to implement user administration software that sits on top of Active Directory and centrally logs every action before committing it to Active Directory. These capabilities are difficult to achieve without additional software, yet without taking this extra step an administrator might not be able to answer the question, "Who reset the CEO's password last Monday at 1:00 a.m.?"
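To make the two questions in the previous section and the one that closes this section concrete, here is an added PowerShell example (not from the article or any NetIQ product) that reads the standard Windows Security events behind them, either from a domain controller's live log or from an archived .evtx file, and turns them into one-line alerts: 4739 (domain policy changed, which carries the new minimum password length and is written by the PDC emulator when the setting takes effect), 4728/4732/4756 (member added to a security-enabled global, local or universal group, filtered to the privileged groups), and 4724 (an account's password was reset), which answers the audit question. These events exist only if Account Management and Policy Change auditing is enabled on the domain controllers. The event IDs are the ones Windows Server 2008 and later write; the group names, domain and sample records are assumptions.

```powershell
# Added example, not from the original article or any NetIQ product.
# Assumes Windows Server 2008+ Security event IDs and that account-management
# and policy-change auditing is enabled on the domain controllers.

# Flatten an event's <EventData> into a Name -> value hashtable.
function ConvertFrom-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Turn one event (ID plus its fields) into an alert line, or $null if it is routine.
function Get-ADChangeAlert {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][hashtable]$Data,
        [string[]]$WatchedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins')  # assumed watch list
    )
    $who = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
    switch ($EventId) {
        4739 {
            # Domain Policy was changed; fields that did not change are logged as '-'.
            if ($Data.MinPasswordLength -and $Data.MinPasswordLength -ne '-') {
                return "POLICY  $who set MinPasswordLength to $($Data.MinPasswordLength)"
            }
        }
        { $_ -in 4728, 4732, 4756 } {
            # Member added to a security-enabled global / local / universal group.
            if ($WatchedGroups -contains $Data.TargetUserName) {
                return "PRIV    $who added $($Data.MemberName) to $($Data.TargetUserName)"
            }
        }
        4724 {
            # An attempt was made to reset an account's password.
            return "RESET   $who reset the password of $($Data.TargetDomainName)\$($Data.TargetUserName)"
        }
    }
    return $null
}

# Scan the live Security log (run on a DC) or an archived .evtx, newest first.
# -TargetUser narrows the output to one account, e.g. the CEO's sAMAccountName.
function Find-ADChange {
    param(
        [string]$EvtxPath,
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$TargetUser
    )
    $filter = @{ Id = 4724, 4728, 4732, 4739, 4756; StartTime = $Since }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }
    foreach ($rec in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = ConvertFrom-EventData -Record $rec
        if ($TargetUser -and $data.TargetUserName -ne $TargetUser) { continue }
        $alert = Get-ADChangeAlert -EventId $rec.Id -Data $data
        if ($alert) { '{0:u}  {1}  {2}' -f $rec.TimeCreated, $rec.MachineName, $alert }
    }
}

# Constructed sample records (not real log data) so the classifier can be tried offline.
$samples = @(
    @{ Id = 4739; Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'jsmith'; MinPasswordLength = '1' } }
    @{ Id = 4756; Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'jsmith'; TargetUserName = 'Enterprise Admins'; MemberName = 'CN=jsmith,OU=Users,DC=corp,DC=example' } }
    @{ Id = 4724; Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'helpdesk1'; TargetDomainName = 'CORP'; TargetUserName = 'ceo' } }
    @{ Id = 4756; Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'helpdesk1'; TargetUserName = 'Print Operators'; MemberName = 'CN=bob,OU=Users,DC=corp,DC=example' } }
)
foreach ($s in $samples) { Get-ADChangeAlert -EventId $s.Id -Data $s.Data }

# Live/archive usage:  Find-ADChange -TargetUser ceo -Since (Get-Date).AddDays(-1)
#                      Find-ADChange -EvtxPath D:\archive\dc01-security-2004-11.evtx
```

Run against the live log on each domain controller, the script is the immediate notification the previous section asks for; run against archived .evtx files with -TargetUser, it answers the historical question without any product on top of Active Directory. Note that the fourth sample, an addition to an unwatched group, produces no output by design, and that a -TargetUser filter only matches events whose TargetUserName is that account, so group and policy changes are excluded from a per-user audit query.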
Implementing these five steps won't eliminate all user administration headaches, but it will reduce the number of fires you have to fight.
About the Author
Indy Chakrabarti is a product marketing manager for security administration solutions at NetIQ Corp.