Managing Group Policies for Non-Windows Computers through Microsoft Active Directory

Upload: likewise-software

Post on 30-May-2018


  • 8/14/2019 Managing Group Policies for Non Windows Computers through Microsoft Active Directory


    89 Fifth Avenue, 7th Floor

    New York, NY 10003

    www.TheEdison.com

    212.367.7400

    White Paper

    Managing Group Policies for Non-Windows Computers through Microsoft Active Directory


    Printed in the United States of America.

    Copyright 2009 Edison Group, Inc. New York. Edison Group offers no warranty either expressed or implied on the information contained herein and shall be held harmless for errors resulting from its use.

    All products are trademarks of their respective owners.

    First Publication: April 2009

    Produced by: Andrew Podosenin, Senior Analyst; Barry Cohen, Editor-in-Chief


    Table of Contents

    Executive Summary
    Introduction
    Managing Group Policies
        Predominance of Windows Platform
            Group Policy Management
            Schema Extension
            Ease of Use
            Uniformity of Management
            Policy Management Features Available through Active Directory
            Management Complexities in the Unix Environment
        Cross-platform Challenges
            Limitations of SUDO
            Limitations of NIS/NIS+
            Limitations of RBAC
            Kerberos Authentication
            Limitations of File Permissions in Unix
            Managing Policies Across Different Flavors of Unix/Linux
        Advantages of Managing Unix Policies with Likewise
            Complexities of Managing Policies in Mac OS X Environment
    Conclusion and Recommendations


    Executive Summary

    Currently, midsize and large enterprises have to manage identities and policies uniformly across a heterogeneous platform base. This need arises from increasing node management costs, the desire to improve security posture, and industry regulatory requirements.

    The most efficient way to manage policies and identities on non-Windows platforms in these environments is to choose Windows as a common ground for the storage, management, and enforcement of such policies. Windows is chosen as a common ground, because it is a scalable and reliable platform with excellent, intuitive management tools.

    Administrators can use Open Source tools or professional, scalable, and supported solutions like Likewise Enterprise when standardizing identity management on Windows. The present paper discusses the advantages and disadvantages of both approaches.


    Introduction

    This white paper discusses how Likewise Enterprise enables organizations to integrate and manage their Unix, Linux, and Mac computers using Microsoft Active Directory tools.

    The paper briefly describes the proliferation of Windows and then moves on to describe how Active Directory features, such as Group Policy and extensions to Active Directory schemas, enable the management of Unix-like systems.

    The paper then discusses why Windows' well-known ease-of-use advantages make management of non-Windows systems through Active Directory an attractive alternative.

    The remainder of the white paper provides a more technical discussion of Unix management complexity and why incorporating a Windows Policy-based management alternative provides organizations with a uniform use and management model for their computing environments.

    Finally, the paper describes how Likewise Enterprise works to bring together Active Directory and Unix management under Windows Group Policies.


    Managing Group Policies

    Predominance of Windows Platform

    Microsoft Windows Server and Active Directory have come to dominate business computing. This has resulted in the need for non-Windows devices and applications to interoperate with and even be managed within a Microsoft Windows Active Directory environment. Besides being one of (if not the) most widely deployed scalable directory solutions, Active Directory is also the widest deployed and most robust commercial implementation of Kerberos.

    Over the years, Microsoft has been successfully able to deliver a scalable computing solution from the server to the client, particularly because of the ease of use of its graphical user interface. Besides addressing the operating system, directory, and storage markets, Microsoft's enterprise-class applications such as Exchange and SQL Server depend upon directory-based authentication. In addition, many third-party applications such as PeopleSoft and SAP incorporate AD authentication. Given the roadmap offered by Microsoft, this interconnection of the directory side and the application side will only increase.

    The following sections describe the advantages of Microsoft Windows marketplace success from a heterogeneous environment perspective.

    Group Policy Management

    Unlike the other directory vendors, Microsoft has delivered profile and desktop management on a large scale. Unlike vendors such as Novell or Sun Microsystems who only have partial solutions, Microsoft is able to automatically push policies through the domain from the server to the client. The enhanced group policy implementation in Windows Vista and Windows Server 2008 has allowed administrators to centrally manage a greater number of features and component behaviors than were possible in the previous versions. With the continuing consolidation of IT vendors, the enterprise computing landscape will undoubtedly be geared more and more toward Windows platforms.

    Schema Extension

    Over the years Microsoft has lessened its aggressive stance toward Unix, starting with adding some interoperability in Microsoft Services for Unix 3.0 (SFU 3.0), and extending that in SFU 3.5. Most recently, in Windows 2003 Server R2, Microsoft has incorporated most of the features of SFU 3.5, adding the ability to extend AD schema with Unix-compliant attributes in accordance with RFC 2307¹. This simplified the integration of cross-platform identity management by eliminating the need to choose between the storing of Unix object credentials in the existing classes (so-called non-schema mode) and the non-supported extension of the AD schema. Now administrators can take advantage of RFC 2307 by using Unix- and Linux-specific attributes that are built into the AD schema.
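    An added example (not from the white paper or from Likewise): a Python audit of directory entries carrying the RFC 2307 attributes discussed above, flagging missing fields, UID 0 and shared UIDs before the accounts reach Unix hosts. The entries are constructed sample data, `MIN_UID` is an assumed site convention, and `unixHomeDirectory` is the name Active Directory uses for the RFC 2307 home directory attribute.

```python
from collections import defaultdict

# posixAccount attributes an entry needs before a Unix host can log the user in.
REQUIRED = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
MIN_UID = 1000  # assumption: IDs below this belong to local system accounts

# Constructed sample entries, shaped like the result of an LDAP search.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Unix,DC=example,DC=com", "uid": "alice",
     "uidNumber": "10001", "gidNumber": "10000",
     "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"dn": "CN=Bob,OU=Unix,DC=example,DC=com", "uid": "bob",
     "uidNumber": "10001", "gidNumber": "10000",        # same UID as alice
     "unixHomeDirectory": "/home/bob", "loginShell": "/bin/bash"},
    {"dn": "CN=Carol,OU=Unix,DC=example,DC=com", "uid": "carol",
     "uidNumber": "0", "gidNumber": "10000",            # would map to root
     "unixHomeDirectory": "/home/carol", "loginShell": "/bin/sh"},
    {"dn": "CN=Dave,OU=Unix,DC=example,DC=com", "uid": "dave",
     "uidNumber": "10004", "gidNumber": "10000",
     "loginShell": "/bin/bash"},                        # no home directory
]


def audit(entries):
    """Return a sorted list of (dn, finding) for entries unsafe to provision."""
    findings = []
    by_uid = defaultdict(list)
    for entry in entries:
        dn = entry["dn"]
        missing = [attr for attr in REQUIRED if not entry.get(attr)]
        if missing:
            findings.append((dn, "missing " + ",".join(missing)))
        num = entry.get("uidNumber", "")
        if not (num.isascii() and num.isdigit()):
            if num:
                findings.append((dn, "uidNumber is not numeric"))
            continue
        by_uid[int(num)].append(dn)
        if int(num) == 0:
            findings.append((dn, "uidNumber 0 maps to root"))
        elif int(num) < MIN_UID:
            findings.append((dn, "uidNumber in system range"))
    # Two accounts with one UID own each other's files on every Unix host.
    for num, dns in by_uid.items():
        if len(dns) > 1:
            for dn in dns:
                findings.append(
                    (dn, f"uidNumber {num} shared by {len(dns)} accounts"))
    return sorted(findings)


def to_passwd_line(entry):
    """Render one entry in passwd(5) format, rejecting field-breaking characters."""
    fields = [entry["uid"], "x", entry["uidNumber"], entry["gidNumber"],
              entry.get("gecos", ""), entry["unixHomeDirectory"],
              entry["loginShell"]]
    for field in fields:
        if ":" in field or "\n" in field:
            raise ValueError(f"illegal character in field {field!r}")
    return ":".join(fields)


if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_ENTRIES):
        print(f"{dn}: {finding}")
    print(to_passwd_line(SAMPLE_ENTRIES[0]))
```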

    Ease of Use

    It is generally accepted that Windows' management tools are easier to use than their Unix and Linux counterparts. This is one of the major reasons that Microsoft has won the desktop client and server enterprise management battle. Administrators today very infrequently must be involved with the error-prone manual editing of configuration files or rely on writing scripts and executing them from the command line. In fact, creating and pushing the enterprise policy across thousands of clients can be performed with fairly few mouse clicks from one of the policy management plug-ins for the Microsoft Management Console.

    Uniformity of Management

    The various vendors' Unix and Linux platforms are notoriously different from one another: they have different management tools and different desktop interfaces. Looking at a number of popular Linux distributions from Red Hat, SUSE, and Ubuntu, it becomes clear that Linux did not deliver the uniformity hoped for. Since it is clear that Unix and Linux must inevitably interoperate with Windows, there is a heightened need for standardized authentication and management tools. Fortunately, Microsoft now offers such common ground: the combination of an Active Directory framework and Group Policy management. This is where Unix administrators can take a lazy approach, since both the framework and the management tools have been already written, scaled, tested, and delivered to the enterprise. All it takes is to tap into this offered technology and use AD for uniform policy management.

    Policy Management Features Available through Active Directory

    Windows policy management allows administrators to automatically and intuitively enforce a large number of end-node parameters across the domain in a hierarchical fashion. These parameters include security settings, wired and wireless settings, startup and shutdown scripts, software restrictions, QoS, IPSec, remote software installation settings, access restrictions to local hardware, and many more. Increased group policy settings appearing in Microsoft Vista and the upcoming Windows 7 clearly indicate that this is the desktop management approach that Microsoft has chosen.

    1 RFC 2307 can be found at: http://www.rfcarchive.org/getrfc.php?rfc=2307


    All these policies are edited and enforced from the Microsoft Group Policy Management Console (GPMC), a comprehensive and intuitive suite of policy management tools available as a Microsoft Management Console (MMC) snap-in. GPMC allows administrators to launch the Active Directory Users and Computers (ADUC) console to apply policy objects to the desired OU (Organizational Unit) level and launch Group Policy Object Editor (GPOE) to modify group policy settings within group policy objects. Overall, the above-described suite of tools allows administrators to easily create multiple group policies and enforce them at different OU levels.

    Management Complexities in the Unix Environment

    Interoperability between Windows and Unix has always been a problem repeatedly addressed with limited success from both OSes. While porting applications across platforms is often impractical, cross-platform authentication allows administrators to deliver Unix applications (particularly Web-based applications) to the Windows realm, providing a faster and more convenient solution. By the same token, allowing Windows users to authenticate and manage Unix systems simplifies tracking identities, making the overall Unix user experience more pleasant.

    Some attempts to have Windows and Unix interoperate have met with moderate success. Microsoft Services for Unix (most features of SFU have been incorporated into Windows Server 2003 R2 and Windows Server 2008) offers limited interoperability between AD and NIS, plus a password synchronization utility. Specifically, SFU offered a service that would synchronize Unix UIDs/GIDs and Windows user and group identities (SID) bidirectionally in one-to-one and many-to-one mode. Additionally, SFU offered bidirectional Windows-to-Unix and Unix-to-Windows password synchronization that supports both local and domain account Windows password synchronization. However, these features did not support very many Unix flavors while requiring a fair amount of manual configuration work to be implemented.

    Documents for Unix and Linux platforms also offer limited interoperability at the cost of extensive manual labor associated with editing configuration files, sometimes on each participating host. This is a tedious and error-prone procedure. Several how-to documents of this kind have been maintained since the year 2000, particularly addressing authentication through pluggable authentication modules. Unfortunately, not all the Unix and Linux flavors are supported and the implementation requires laborious manual configuration and extensive testing. An incorrect configuration can not only result in failed user authentication but also make the Unix host less secure.

    There are similar documents for Samba, Apache, and SSH authentication. Additionally, the recommendations and implementations change from application to application, particularly in the versions of supported tools and the location and format of the configuration files. Frequently, the recommended modifications are not supported by either the Unix or Linux vendors or Microsoft, which makes it difficult to implement these changes in a production environment. Therefore, should the particular platforms need to be supported, administrators need to have extensive knowledge of both platforms and rely on often untimely free technical advice from Internet forums. Supporting cross-platform authentication in such a manner is stressful and counter-productive.

    Cross-platform Challenges

    The following sections describe the cross-platform challenges administrators must face.

    Limitations of SUDO

    SUDO is used as an alternative to the extensive use of the root account for management purposes. SUDO allows non-privileged accounts to execute privileged commands. While a great idea, as typically implemented SUDO has a number of drawbacks. Among these are the need to manually apply and maintain the sudoers file across all the managed systems, test each configuration change, and make modifications to each node when a new administrator joins or leaves the company.
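    An added example (not part of the original paper): the per-node sudoers maintenance problem described above, as a Python check that compares sudoers content collected from several hosts against the current administrator roster. Host names, file contents and the roster are constructed, and the parser is a simplification that handles only aliases and simple user specifications.

```python
import hashlib
from collections import Counter

# Constructed sample: sudoers text as collected from three managed hosts.
SUDOERS_BY_HOST = {
    "web01": "Defaults env_reset\nUser_Alias ADMINS = alice, bob\n"
             "ADMINS ALL=(ALL) ALL\n",
    "web02": "# managed copy\nDefaults env_reset\n"
             "User_Alias ADMINS = alice, bob\nADMINS ALL=(ALL) ALL\n",
    "db01": "Defaults env_reset\nUser_Alias ADMINS = alice, bob, mallory\n"
            "ADMINS ALL=(ALL) ALL\ncarol ALL=(ALL) NOPASSWD: ALL\n",
}
CURRENT_ADMINS = {"alice", "bob"}  # constructed roster: carol and mallory have left

SKIP = ("Defaults", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def rules(text):
    """Yield effective lines: continuations joined, comments and blanks dropped.

    Simplification: every '#' starts a comment, so #include and #uid are ignored.
    """
    for raw in text.replace("\\\n", " ").splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if line:
            yield line


def granted_users(text):
    """Return the user names that hold any rule, with User_Alias expanded."""
    lines = list(rules(text))
    aliases = {}
    for line in lines:
        if line.startswith("User_Alias "):
            name, members = line[len("User_Alias "):].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
    users = set()
    for line in lines:
        if line.startswith(SKIP) or line.startswith("User_Alias "):
            continue
        who = line.split(" ", 1)[0]  # first field of a user specification
        users |= aliases.get(who, {who})
    # %group entries are left out: their members live in the group database.
    return {u for u in users if not u.startswith("%")}


def stale_grants(sudoers_by_host, roster):
    """Map host -> sorted users that still hold sudo rights but are off the roster."""
    report = {}
    for host, text in sudoers_by_host.items():
        stale = sorted(granted_users(text) - roster)
        if stale:
            report[host] = stale
    return report


def drifted_hosts(sudoers_by_host):
    """Return hosts whose effective rules differ from the most common version."""
    digest = {host: hashlib.sha256("\n".join(rules(text)).encode()).hexdigest()
              for host, text in sudoers_by_host.items()}
    baseline = Counter(digest.values()).most_common(1)[0][0]
    return sorted(host for host, d in digest.items() if d != baseline)


if __name__ == "__main__":
    print(stale_grants(SUDOERS_BY_HOST, CURRENT_ADMINS))
    print(drifted_hosts(SUDOERS_BY_HOST))
```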

    Limitations of NIS/NIS+

    While NIS is still widely used for domain authentication, the technology has known security limitations (a client can retrieve the entire NIS password database for offline inspection), is not very scalable, and has inefficient replication processes. While NIS+ has fixed a number of NIS drawbacks, by being hierarchical, requiring server authentication, and allowing permissions on operations, NIS+ is difficult to administer, requires special backup procedures, and has limited scalability, particularly with multiple domains and over 1,000 clients. In this regard, the scalability and robustness of Active Directory offers a far better alternative.

    Limitations of RBAC

    Role-based access control (RBAC) is another approach to restricting system access to authorized users. RBAC is based on roles that are created for various job functions. The operations permissions are assigned to roles rather than users. Rights management is simplified by assigning a user to a particular role, simplifying operations. However, in large heterogeneous environments management of RBAC memberships becomes extremely complex as it lacks hierarchical creation of roles and privilege assignments. Additionally, not all the users have the same role on different systems, which further complicates the administration process.


    Kerberos Authentication

    Kerberos configuration requires running a daemon, synchronizing time between the server and the client via NTP, installation of the pam_krb5 module, and making applicable changes to the sample configuration files provided with the distribution. Administrators, therefore, have to rely on an extensive knowledge of both platforms and on the not-always-timely third-party help from the Internet forums to get Kerberos implemented within a Unix or Linux environment. Obviously, handling domain authentication in such a manner is time-consuming and prone to error.

    Limitations of File Permissions in Unix

    In Unix a file has three classes of permissions: the owner, the group, and everyone. Each class has three levels of access rights: read, write, and execute. This offers far less flexibility than a Windows environment, where multiple local and domain-based file permissions can be granted for users and groups. Linux Security Modules (LSM), which are included with the SELinux² security framework, offer more granular file access but at the cost of CPU overhead.

    Managing Policies Across Different Flavors of Unix/Linux

    In heterogeneous environments, administrators have to enforce standard policy settings across multiple flavors of Unix, each often using different desktop environments (GNOME, KDE, Sun Java Desktop System, etc). These desktop environments differ in the parameters that can be modified and in the format and location of the configuration files. Thus, when pushing policies, administrators have to manually filter the enforced settings on a per-target-platform basis requiring either polling the system OS or maintaining lists containing the systems and corresponding OSes. This is another time-consuming and error-prone process.

    Advantages of Managing Unix Policies with Likewise

    Likewise Enterprise is capable of solving all the above problems in a simple and intuitive fashion. The technology offers seamless integration of over a hundred different Unix/Linux operating systems with Active Directory for both authentication and policy management needs. Likewise Enterprise offers centralized management of identities, desktop environments (including 2500-plus Gnome policy parameters), credential caching for offline connection, OS-based client policy filtering, NIS and user migration tools, as well as auditing and reporting functionality. With Likewise Enterprise technology, administrators can easily deliver Kerberos-based single sign-on for such applications as telnet, FTP, SSH, rlogin, rsh, LDAP queries against AD, and Apache HTTP server.

    2 SELinux, or Secure Linux is further explained at: http://www.nsa.gov/research/selinux/


    Likewise simplifies account management by assigning each user a unique ID, which is provisioned and centrally managed through Active Directory. Likewise's unique cell technology can map users to different UIDs and GIDs for different computers, eliminating the need for multiple local user accounts. The Likewise extension to the Microsoft Active Directory User and Computers MMC snap-in allows administrators to create an associated cell for an OU and then use the cell to manage UID-GID numbers. This allows an AD user to access non-Windows nodes in selected Likewise cells:

    The above features let administrators integrate non-Windows nodes into a Windows AD authentication and management framework with adequate policy management, user provisioning, and reporting tools.

    Complexities of Managing Policies in Mac OS X Environment

    Over the years the Apple Macintosh computer has maintained a small but stable share of the computing environment. While being used primarily for audio, video, and graphics editing, the Macintosh offers extreme ease of use compared to Windows (not to mention Unix) coupled with a plethora of high-end graphics applications designed and compiled for the Macintosh platform. Apple's marketing effort is maintaining and somewhat expanding the OS X market share, which has now surpassed 8 percent. Part of this success can be attributed to the use of a stable Unix kernel in OS X and more standard PC components, such as Intel microprocessors, PCI-E slots, and DDR memory. This introduced Apple to a pool of hardware that is more reliable, less expensive, and comes in wider variety than the components in older RISC processor-based Macintoshes.

    Unfortunately, from an enterprise computing perspective, Apple does not have robust enterprise management tools. There are a number of reasons for this. First, the Macintosh has never been a widespread enterprise-class platform, so Apple never needed to address the issues of scalable directory service, terabytes of storage, or centralized computational facilities. Thus enterprise messaging and data management applications such as Microsoft Exchange, Lotus Notes, SQL Server, and so forth have never been ported to Apple's Macintosh servers. Even now few enterprise-class products are available for the OS X platform. Secondly, the primary use of Macintoshes is in the graphics departments, a technologically and organizationally secluded group that requires sharing among Macintosh users only and interoperating with the rest of the IT infrastructure via sharing printers, storage, and Internet access. This situation certainly did not call for provisioning and identity solutions to the depth and scalability of its Windows counterparts. On the bright side, since Apple did not excel in enterprise management tools, others such as Microsoft, Novell, and Sun have created the infrastructure allowing Macintosh users to tap into a reliable framework of user and desktop provisioning.

    The Macintosh platform uses a recently added Workgroup Manager (WGM) to manage users, groups, shares (with access permissions), and client preferences. The application allows administrators to modify accounts (including users, groups, and computer lists), assign privileges, manage share points, and modify desktop preferences that define the user experience for clients bound to Apple's Open Directory domain. WGM requires an OS X Server as a centralized repository of user information. While being a big step for Macintosh management, the product pales in comparison with widely recognized enterprise user provisioning solutions.

    Likewise Solution for Mac Desktop Policy Management

    The Likewise solution for managing Macintosh desktops allows administrators to store settings in Active Directory rather than on a Macintosh OS X Server. Besides decreasing the cost of the solution and offloading AD maintenance to Windows administrators, Macintosh user settings are now stored in a more robust and scalable directory. Since storing third-party data in Active Directory requires either irreversible schema changes (which may not be agreeable with Windows administrators) or using non-standard fields (which is cumbersome), initially non-Windows vendors were reluctant to store user credentials in AD. This is where Likewise comes to the rescue. By taking advantage of RFC 2307, Likewise Enterprise integrates user authentication with Active Directory (in the same way as Macintosh Active Directory Plug-In allows Macs to authenticate to Macintosh OS X Open Directory) offering a mechanism that allows Workgroup Manager settings to be stored in Active Directory Group Policy Objects. Likewise Enterprise contains a utility to join Macs to Active Directory, letting them participate in AD-based user authentication and in group policy processing. From that point on, administrators can connect to Active Directory from the Workgroup Manager interface and store settings in the GPO. From the Windows side, administrators can use GPMC to store and manage Mac policy settings.

    As a result, Likewise Enterprise brings together the advantages of the Macintosh Workgroup Manager with the robustness and uniform policy management tools of Active Directory in a seamless and intuitive fashion.
