Page 1: TechDays June 2014 Presented by Andrew Hamilton and Chuck Phillips

AUTOMATED GROUPS AND SERVICE ACCOUNTS IN ACTIVE DIRECTORY

TechDays June 2014

Presented by Andrew Hamilton and Chuck Phillips

Page 2:

BRIEF HISTORY OF IDM @ UNM

IBM Mainframe (1970s): the first system requiring "management" of accounts, via the User Number Clerk.

Growth of UNIX on campus (early 1990s): Network Information Service, or NIS (originally called Yellow Pages, or YP). Need for automated account management and synchronization.

CCAT, "Convenient Computer Access Today", was developed (1992-1993): automated management of MVS, CMS, VMS and UNIX accounts.

LDAP, "Lightweight Directory Access Protocol", installed (1996): simple scripts were put in place to sync LDAP and UNIX accounts.

LAMB, "LDAP Access Management Bundle", was born (2003): CCAT was retired. Real-time provisioning of accounts; real-time synchronization of passwords between LDAP, UNIX and Oracle.

PICES was spawned (2007): provided a structured way to provision directories across campus.

Enterprise Active Directory adopted (2008): a campus-wide committee redesigned the Active Directory structure and standards.

Page 3:

AGENDA (ask questions when they arise)

1. Auto-populated groups from Banner to Active Directory
• Provide secure central access to Banner-sourced data.
• Reduce complexity and red tape for consuming the data.

2. Active Directory service account management
• Process for obtaining privileged access.
• Planned changes to service accounts.

Page 4:

AUTO-POPULATED AD GROUPS

GROUPS BASED ON ROLE. Example roles:

• Student college
• Student major
• Student program of study
• Student level
• Student year
• Student registration status
• Student sections
• Student courses
• Staff org code
• Staff org level 3
• Staff org level 2
• Person's role at UNM
• Person's campus

Page 5:

GROUPS BASED ON ORGANIZATION

Org chart from the slide, top down:

Org Level 1: University President
  Org Level 2: EVP Administration
    Org Level 3: Human Resources (Dept #s)
    Org Level 3: Information Technologies (Dept #s)
    Org Level 3: PPD Administration (Dept #s)
  Org Level 2: VP Health Sciences Center
  Org Level 2: VP for Student Affairs
  Org Level 2: Provost
    Org Level 3: College of A&S (Dept #s)
    Org Level 3: College of Education (Dept #s)

Page 6:

GROUPS BASED ON ORGANIZATION

GROUPS: STAFF LEVEL 3 ORG
Name format: banner-orglevel3-AAB
Data source: Banner job record
Sample values:

AAA President Admin Indpnt Office
AAB Information Technology Services
AAC UNM West and Branch Initiatives
ABA Provost Administrative Units
ABB University College
ABC School of Public Administration
ABD VP for Equity & Inclusion
ABE VP Division of Enrollment Mgmt
ABF UNM West (use AAC)
ABG College of Fine Arts
ABH College of Arts Sciences
ABI Anderson Schools of Management
ABJ College of Education
ABK School of Engineering
ABL School of Law
ABO Continuing Education (Cont Ed)
ABP Extended University (Ext Univ)
ABQ VP Research & Econ Development
ABR Academic Affairs Monitoring
AFB HS Library and Informatics Center
AFC School of Medicine
AFD College of Nursing
AFE College of Pharmacy
AFH University Hospital
AFI HSC VP Research
AGA Gallup Branch
AGB Los Alamos Branch
AGC Taos Branch
AGD Valencia County Branch
BAA UNM Medical Group

Page 7:

GROUPS BASED ON ORGANIZATION

GROUPS: STAFF LEVEL 2 ORG
Name format: banner-orglevel2-AD
Data source: Banner job record
Current values:

AA President Executive
AB Provost Academic Affairs
AC VP for Student Affairs
AD Executive VP for Administration
AE VP Institutional Advancement
AF VP Health Sciences Center
AG Provost Branch Campuses
BA UNM Medical Group
X0306 *UH and Clinical Components
X0310 *Regents

Page 8:

GROUPS BASED ON DEPARTMENT NUMBER

GROUPS: STAFF ORG CODE
Name format: banner-org-324A
Data source: Banner job record
Sample values:

297A Community Learning and Public Servi
298A Bookstore/Athletics Partnership
299A RR Bookstore West
301A Aerospace Engineering
301B Aerospace Engineering Admin
302A Biomedical Engineering
302B Biomedical Engineering Admin
303A Institute for Professional Dev IPD
303B Inst Professional Devl Gen Admin
305A Scholarship Office Administration
306A Womens Center
306B Womens Center Administration
306C Womens Center Public Service
306C0 Womens Center Special Events
306C1 Womens Center Quinquennial Fund
307A UNM West Administrative Operations
308A UNM West Academic Operations
309A Branch Operations
310A Branch Initiatives
314A Parking Transportation Services
314B Parking Transportation Gen Admin
314C Business and Finance
314D Information Technology
314E Park and Trans Operations Support
314E0 Parking Operations
314E1 Transportation Support
315A IT CIO
316A IT Deputy CIO
317A IT Planning & PR/Marketing
318A IT Finance
319A IT Customer Service
320A IT Networks
321A IT Classroom Technologies
322A IT Computing Platforms
323A IT Security & Quality Assurance
324A IT Applications
325A IT Initiatives
329A Institutional Research
329B Institutional Research Gen Admin
329C Institutional Rsrch Conferences

Page 9:

GROUPS BASED ON COLLEGE

GROUPS: STUDENT COLLEGE
Name format: banner-stucollege-AD
Data source: Banner student record, current term
Current values:

AD Associate Degree
AP School of Arch. and Planning
AS College of Arts and Sciences
CE Continuing Education
CP Undergrad Certificate Program
ED College of Education
EN School of Engineering
FA College of Fine Arts
GP Graduate Programs
HS High School
LW School of Law
ME School of Medicine
MG Anderson Schools of Management
ND Non-Degree Status
NU College of Nursing
PA Provost Academic/Admin
PH College of Pharmacy
RC Main-Research Centers
UC University College
UL University Libraries
UN Unclassified
US University Studies

Page 10:

CLASS GROUP SECURITY

AUTO-POPULATED CLASS GROUPS

• The group name is obfuscated to honor FERPA: the name is unrelated to the section data, so the name alone reveals nothing about which course a member is enrolled in.
• The group name can be obtained by searching the description of the group.
• New groups for every semester, provisioned two weeks before the semester starts.
• Old groups are destroyed when finished, removed two weeks after the semester ends.
• Built from registration data.

Page 11:

GROUP CATEGORIZATION

Groups: access management, WES use only
SysAccounts: reserved for future use
SysBannerGroups: unrestricted employee roles
SysGroups: protected data

Slide categories: Structured, Automated.

Page 12:

REQUESTING ACCESS

"Securing Private Data": FastInfo 7064 defines how to request access to view the student data. Attach the certificate to the Service Request.

OU Admin training: use standard group management techniques. Create a group with permissions, then assign membership.

Service account: an extra layer of security (new/old).

fastinfo.unm.edu: search for 'Autopop group'.

- Sign up for training!
- Learning Central
- OU admin training from WES
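Putting the two previous slides together (find the FERPA-obfuscated class group by its description, then grant access through a group the OU admin owns rather than through the class group itself), here is an added PowerShell example. It is not code from the UNM deck. It assumes the ActiveDirectory module, a placeholder container DN for the Banner-fed groups, and that the term and section text appear in the group's Description attribute; the deck only says the name is unrelated to the section data, so that description layout is an assumption. Function names and the group names in the usage lines are made up for illustration.

```powershell
# Added example, not code from the UNM deck. Assumes the ActiveDirectory module,
# a placeholder container for the Banner-fed class groups, and that the term and
# section text are in the Description attribute (an assumption; the deck states
# only that the group NAME is unrelated to the section data).
Import-Module ActiveDirectory

$BannerGroupSearchBase = 'OU=SysBannerGroups,DC=example,DC=edu'   # placeholder DN

function Find-ClassGroup {
    param(
        # Only plain course text is accepted: the values are spliced into an AD
        # filter string, so quotes and wildcards are rejected rather than escaped.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9 .&/-]+$')] [string] $Term,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9 .&/-]+$')] [string] $Section
    )
    # The group name is obfuscated for FERPA, so match on Description only.
    $found = @(Get-ADGroup -Filter "Description -like '*$Term*$Section*'" `
                           -SearchBase $BannerGroupSearchBase `
                           -Properties Description)
    if ($found.Count -eq 0) { throw "No auto-populated group found for '$Term' / '$Section'." }
    if ($found.Count -gt 1) {
        # Refuse to guess between sections; the caller must narrow the search.
        throw "Ambiguous match: " + (($found | ForEach-Object { $_.Description }) -join '; ')
    }
    return $found[0]
}

function Set-ClassGroupAccess {
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADGroup] $ClassGroup,
        # The OU admin's own group: the file share or application ACL points at
        # this group, never at the class group itself.
        [Parameter(Mandatory)] [string] $DepartmentGroup
    )
    # Class groups are destroyed two weeks after the semester ends, so a
    # permission granted directly to one silently disappears and can leave an
    # ACE pointing at a deleted SID. Nesting keeps the ACL stable across terms:
    # drop any previously nested class group, then add the current one.
    Get-ADGroupMember -Identity $DepartmentGroup |
        Where-Object { $_.objectClass -eq 'group' -and
                       $_.distinguishedName -like "*,$BannerGroupSearchBase" } |
        ForEach-Object { Remove-ADGroupMember -Identity $DepartmentGroup -Members $_ -Confirm:$false }
    Add-ADGroupMember -Identity $DepartmentGroup -Members $ClassGroup
}

# Usage (term, section and department group names are constructed examples).
$class = Find-ClassGroup -Term 'Fall 2014' -Section 'CS 150 001'
Set-ClassGroupAccess -ClassGroup $class -DepartmentGroup 'CS150-ShareReaders'
```

The ValidatePattern on the search terms matters more than it looks: the filter is built by string interpolation, and an unvalidated value containing a quote could change the filter's meaning. Restricting input is simpler and safer than trying to escape it.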

Page 13:

ACCOUNT MANAGEMENT

Active Directory is becoming more integral and IDs are becoming centrally managed. Eventually there will no longer be a need to create or delete user accounts manually in AD.

Centralizing identity management around a consistent standard (central IdM):

• Transparency
• More resilient
• More adaptable
• More flexible

SERVICE ACCOUNTS

Page 14:

WHY SERVICE (SVC) ACCOUNTS?

Admin accounts
• A secondary account for system administrators, with elevated privileges.
• Access to services that manage sensitive data, enterprise appliances and applications; OU administration; workstation or server admin logins.

System accounts
• Software account: software is installed to run as this account to isolate it from the system and other users.
• Overhead accounts: used to run scripts.

Page 15:

ACTIVE DIRECTORY STRUCTURE

Retain control and flexibility; simplify account management.

• Separated into Organizational Units.
• Accounts (people) are populated automatically based on Banner.
• Groups, servers and workstations are managed by departmental "OU Administrators".
• Svc accounts:
  • Should end in 'svc'.
  • Reside in a sub-OU called SvcAcnts.

Page 16:

GOALS

WES creates the initial OU delegation; the OU Admin is responsible for maintaining service accounts and removes them when finished.

How can UNM's Accounts Management team help?

1. Elimination of abandoned privileged accounts.
2. Adapt to UNM's needs: LAMB will sync to the SvcAcnts sub-OU.
3. Each account belongs to an owner that can be tracked; privileged accounts terminate with their owner.
4. OU Admins can delegate sensitive administration.

Administrative accounts will be more structured. Active Directory will be cleaner and more secure.

Page 17:

DISTRIBUTION LISTS

Email notifications: file shares reaching the quota limit, service availability, server performance.

Reporting tools: OU audit and activity reporting, monthly reporting and real-time alerts.

New early-warning mechanisms.

Page 18:

SERVICE (SVC) ACCOUNTS

Management of service accounts is moving to HELP.unm.edu service requests. A FastInfo article will describe the method for creating service accounts.

A service account is requested through Help. It needs a department sponsor and a written justification. The service account will be tied to the requestor's account.

Once the account is created, OU Administrators authorize it to their services. Control and responsibility remain in the OU Admin's hands.

Delegation will be more transparent. Audits will be easier to perform.

Page 19:

SERVICE (SVC) ACCOUNTS

Serviced with the LAMB/netid process.

Password changes to service accounts can be made through netid.unm.edu just like other accounts; the previous password must be known.

Password policy in sync with LDAP: account passwords will expire in LDAP every 180 days. Password expiration notices will go to the identified owner of the service account.

Renewal of service accounts on a regular basis: accounts will be renewed yearly to ensure need and functionality. Service account owners will be put on a mailing list for notification of service changes.

Self-service password resets for non-OU admins.
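The structure rules (names ending in 'svc', a SvcAcnts sub-OU), the goals (no abandoned privileged accounts, every account tied to a trackable owner who takes it with them) and the password policy above (180-day expiry, yearly renewal) are all things an OU admin can check for themselves. The PowerShell below is an added example, not code from the UNM deck or from LAMB. It assumes the ActiveDirectory module, that the tracked owner is recorded in the account's ManagedBy attribute (the deck does not say where the owner is stored), and that the thresholds are the deck's 180 days and one year; the function name and the search base default are illustrative.

```powershell
# Added example, not code from the UNM deck. Assumes the ActiveDirectory module,
# service accounts in sub-OUs named SvcAcnts with names ending in 'svc', and an
# owner recorded in ManagedBy (an assumption). 180 days and one year are the
# deck's password-expiry and renewal figures.
Import-Module ActiveDirectory

function Get-ServiceAccountFindings {
    param(
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        [int] $MaxPasswordAgeDays = 180,   # LDAP password expiry interval
        [int] $StaleLogonDays = 365        # yearly renewal window
    )
    $now = Get-Date
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Every account inside a SvcAcnts sub-OU, checked against the rules.
    $svcOUs = Get-ADOrganizationalUnit -Filter "Name -eq 'SvcAcnts'" -SearchBase $SearchBase
    foreach ($ou in $svcOUs) {
        $accounts = Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel `
            -Properties ManagedBy, PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled
        foreach ($a in $accounts) {
            $why = @()
            if ($a.SamAccountName -notmatch 'svc$') { $why += 'name does not end in svc' }
            if (-not $a.ManagedBy) {
                $why += 'no tracked owner (ManagedBy empty)'
            } else {
                try {
                    $owner = Get-ADUser -Identity $a.ManagedBy -Properties Enabled
                    if (-not $owner.Enabled) {
                        $why += "owner $($owner.SamAccountName) is disabled; account should terminate with its owner"
                    }
                } catch {
                    # Deleted owner or a non-user object: the account is orphaned.
                    $why += 'owner object not found'
                }
            }
            if ($a.PasswordNeverExpires) { $why += 'PasswordNeverExpires set, bypasses the expiry policy' }
            if (-not $a.PasswordLastSet -or ($now - $a.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
                $why += "password older than $MaxPasswordAgeDays days"
            }
            if ($a.Enabled -and (-not $a.LastLogonDate -or ($now - $a.LastLogonDate).TotalDays -gt $StaleLogonDays)) {
                $why += "no logon in $StaleLogonDays days, candidate abandoned account"
            }
            if ($why.Count -gt 0) {
                $findings.Add([pscustomobject]@{
                    Account  = $a.SamAccountName
                    OU       = $ou.DistinguishedName
                    Findings = ($why -join '; ')
                })
            }
        }
    }

    # 2. Accounts named like service accounts that live outside any SvcAcnts
    #    sub-OU: these escape the OU admin delegation and the LAMB sync.
    Get-ADUser -Filter "SamAccountName -like '*svc'" -SearchBase $SearchBase |
        Where-Object { $_.DistinguishedName -notmatch ',OU=SvcAcnts,' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Account  = $_.SamAccountName
                OU       = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                Findings = 'svc-named account outside a SvcAcnts sub-OU'
            })
        }
    return $findings
}

# Usage: run as an OU admin or auditor with read access to the OUs in scope.
Get-ServiceAccountFindings | Sort-Object OU, Account | Format-Table -AutoSize
```

LastLogonDate is replicated only coarsely (it is derived from lastLogonTimestamp), so treat the stale-logon finding as a prompt for the yearly renewal conversation with the owner rather than as proof the account is unused.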

Page 20:

COMMUNICATION

Over 9,000 summer groups are ready to use right now. Close to 16,000 groups during the Fall and Spring semesters.

Service account management and automation: coming later this summer.

Keep an eye on the standard communication paths for further announcements, i.e. [email protected], IT Alerts, IT Agents, and others.

How does this affect you?