Paul R. Perkes : Projects : Windows 2000 Active Directory


Windows 2000 Active Directory

THE PROBLEM

Almost everyone in the Center for Solid State Science (CSSS) has a computer on their desk that is necessary to perform their job function, we have several labs with general-use workstations, and most of our research instrumentation is controlled by at least one computer. Running around among all of these systems managing accounts, keeping them up to date with patches and providing the necessary Internet security has rapidly become unmanageable. Users also spend a lot of time trying to remember several different usernames and passwords and managing and transferring files that are strewn across several different systems.

THE SOLUTION

Windows 2000 Active Directory (AD) solves most of these problems or at least makes them more manageable.

  1. One Account one Password
    Using AD, users need only one account and one password to access any system they are authorized to use.

  2. Centralized and Remote Account Management
    Using AD, computer accounts can be centralized and managed remotely.

  3. Computer Security
    Using AD, Group Policy Objects (GPOs) can be applied to specific groups of users and/or computers to control access to computing resources and to apply Local Security Policies.

  4. File Access and File Management
    Using AD Group Policy Objects, users can have their "My Documents" folder redirected to a server share regardless of which computer they log on to, so they always have access to their files and backups of user data become more manageable. Likewise, other server shares can be mounted automatically using GPO logon scripts.

ASURITE IDs

In order to integrate a unit's computing resources with ASU's Windows 2000 Active Directory, all users in the unit need an ASURITE ID. Surprisingly enough, many users do not have ASURITE IDs, don't know whether they do, or don't know what their ASURITE ID is. I have prepared the following document to inform the users in the Center for Solid State Science of the need for obtaining one, how to find out if they have one, what it is and how to obtain one.

Obtaining an ASURITE ID

CAVEATS

What happens if the network or Active Directory is down?

In the event that the campus network or the Active Directory system is down, users would not be able to log on to any system. Although this situation should be rare, it could pose a serious problem. To minimize the impact of such outages, the following configurations will need to be made:

  1. Unprivileged, protected local guest accounts that are generally known to internal users and support staff will need to be created on each general-use system, and likewise individual local accounts will need to be created on personal desktop systems. These accounts would be used temporarily in the event that either the campus network or AD is down.

  2. Baseline Local Security Policies will need to be implemented on all systems. These policies are always applied first and then superseded by Group Policy Objects; in the event that either the campus network or AD is down, the Local Security Policies would still be in force. It should be possible to audit the Local Security Policies on these systems remotely using HFNetChk.exe and to update them remotely using Secedit.exe.
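The two outage-mitigation steps above (a local fallback account plus a baseline Local Security Policy applied with Secedit.exe) can be scripted on a Windows 2000 workstation as follows. This is an added example, not a script from this project; the account name, password, template path, policy values and the registry value it sets are assumptions chosen for illustration and should be adjusted to local policy before use.

```batch
@echo off
rem Added example: outage fallback baseline for a Windows 2000 workstation.
rem Not part of the original page. Account name, password, paths and
rem policy values are assumptions; change them before running.

rem ---- 1. Local fallback account, used only while the network or AD is down.
set FALLBACK_USER=labfallback
set FALLBACK_PASS=Change-Me-Before-Use

rem A new local account lands in the local Users group only (unprivileged).
net user %FALLBACK_USER% %FALLBACK_PASS% /add /comment:"Local logon for network/AD outages" /passwordchg:no /expires:never
rem Keep the built-in Guest account disabled; the fallback account replaces it.
net user Guest /active:no

rem ---- 2. Baseline Local Security Policy as a secedit security template (.inf).
set TEMPLATE=%SystemRoot%\security\templates\csss-baseline.inf
set DB=%SystemRoot%\security\database\csss-baseline.sdb
set LOG=%SystemRoot%\security\logs\csss-baseline.log

rem Redirection is placed first on each line so that a trailing digit such
rem as "5" is never parsed by cmd.exe as a file-handle redirect ("5>>").
>"%TEMPLATE%"  echo [Version]
>>"%TEMPLATE%" echo signature="$CHICAGO$"
>>"%TEMPLATE%" echo Revision=1
>>"%TEMPLATE%" echo [System Access]
>>"%TEMPLATE%" echo MinimumPasswordLength = 8
>>"%TEMPLATE%" echo PasswordComplexity = 1
>>"%TEMPLATE%" echo MaximumPasswordAge = 90
>>"%TEMPLATE%" echo LockoutBadCount = 5
>>"%TEMPLATE%" echo LockoutDuration = 30
>>"%TEMPLATE%" echo ResetLockoutCount = 30
>>"%TEMPLATE%" echo [Event Audit]
rem Audit values: 1 = success, 2 = failure, 3 = both.
>>"%TEMPLATE%" echo AuditLogonEvents = 3
>>"%TEMPLATE%" echo AuditAccountLogon = 3
>>"%TEMPLATE%" echo AuditAccountManage = 3
>>"%TEMPLATE%" echo AuditPolicyChange = 3
>>"%TEMPLATE%" echo [Registry Values]
rem Assumed setting: number of domain logons cached locally (REG_SZ, type 1),
rem which lets users who have logged on before keep working during an AD outage.
>>"%TEMPLATE%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"

rem Apply the template to the local policy and record what was changed.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /verbose

rem Audit: compare the machine's current settings against the same template.
rem Mismatches are written to the database and the log for later review.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"
```

The same template file can be kept on a server share and pushed to each system so that every workstation is configured and audited against one baseline; when AD is reachable, Group Policy continues to override whatever the local template sets.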

IMPLEMENTATION

Implementing all this is NOT trivial! Those of you interested in reproducing the limited progress I have made on this project will be interested in the following page of resources:

How To Implement Windows 2000 Active Directory at ASU

Paul R. Perkes                                  (480) 965-5218 Phone
Principal Technical Support Analyst             (480) 965-9004 FAX
Center for Solid State Science                  (602) 999-4781 Wireless
Arizona State University                        paul.perkes@asu.edu
Box 871704
Tempe, AZ 85287-1704

Last Updated: Wednesday June 11, 2003