UW Windows Infrastructure: Delegated OUs Brian Arkills Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer Identity and Access Management, UW-IT

Agenda
– IAM background
– UWWI services and architecture
– Delegated OUs
– Open discussion, Q&A, UWWI backlog

Who IAM is & where UWWI fits in

UW NetID Background
– Funded by Technology Recharge Fee
– Available to anyone that needs one
– Multiple independent types: personal, shared, admin, application*, reserved
– Each type has different naming, policy, and password restrictions
– Test—any UW NetID type can be these
– Sponsored—personal only
– Only UW NetIDs w/ passwords are in UWWI

Groups Service
– Defines a structure: UW Group ID namespace
– Provides fine-grained access control
– Working on auto-provisioned groups
– REST API for programmatic CRUD operations
– Hourly sync to UWWI
Let’s see a demo:

UWWI Service Line
– Delegated OUs, including DDNS service
– Active Directory based LDAP services, including white pages info & LDAP authentication
– Domain Services via Trust, including UW NetID and Groups service integration
– Campus WINS service
– Campus KMS service, aka Microsoft product activation services
– UW Forest

Brief history
2000: UW Forest launched
2003: UW Forest stops accepting new domains
2006: UWWI Domain Services via Trust launched
 – LABS domain retired
 – WINS service launched
2007: UWWI supports LDAP authN
2008: KMS service launched, iSchool OU pilot
2009: P172 adoption
2010: Delegated OUs service launched
????: UW Forest end of life?

High level benefits
Authentication and Authorization
 – All UW NetIDs *with* the password, and other integration benefits (e.g. disable events)
 – Enables service access to more than just your org, w/o costly one-off account provisioning
 – Groups formed from institutional data
Directory Services
 – Person and group data together
 – Connectors from wide variety of applications
Delegated OUs
 – Reduce overhead of domain controllers
 – Less user administration, user simplification
 – Reduce friction to collaborate

Key Limitations
Limited user management via Support Tool
 – Writable: home directory, profile, logon script, unix shell, unix home directory
 – Readable: many key attributes, except memberOf
 – Non-UWWI features are also available
Some groups are private; memberOf on *all* users is restricted
Some attributes on users, groups, computers are not readable by domain users
DCs on P172
We can work around these limitations in some cases, and some may change over time.

UWWI Stats and Use
Trusts
 – 47 trusts today
OUs
 – 22 OUs today
Basic Stats
 – 25k UWWI logons/day during 2008
 – 137k UWWI logons/day during 2010
 – 485k UWWI users
 – 75k UWWI groups
 – 1.3k UWWI computers

UWWI Architecture Diagram

Delegated OUs

OUs: Basics
– Funded by Technology Recharge Fee
– UW-IT maintains AD, integrates with key infrastructure
– You get a delegated slice of a shared domain
 – Can’t directly create users, groups, or contacts; can indirectly create via other mechanisms
 – Users, groups and contacts do not live in your slice of the shared domain
– Computers and GPOs have naming guidelines
– Management tools: mostly MS default tools; only some custom tools required

OUs: Solutions (and demos?)
– UW NetID Support Tool for delegated user management
– Groups Service for delegated group management
– Cost-recovery domain migration assistance
– GroupSync tool for bulk group import
– Migration blueprint and VerifyUsernamesAreUwnetids tool for unassisted migrations
– DDNS service for workstations
– Automated delegated OU computer groups to replace domain computers

OUs: Weighing benefits/potential downsides
Benefits
 – Remove need to run your own DCs
 – Fewer accounts/passwords for clients to use
 – Remove silos, share our costs and successes
Potential downsides
 – Cost of migration of users, groups, and computers
 – Access to user object attributes is significant
 – Some external dependence
 – Some desired features are missing, e.g. SCCM, Likewise Enterprise, delegated bulk user writes
We are willing to partner with customers on any of these potential downsides

The End Brian Arkills Author of LDAP Directories Explained

UWWI Backlog
– Provide transparency; enable customer discussions and internal planning
– Identify customers who will partner in development of tricky features