
Best practice Active Directory OU structure

By Centrify Advisor IV on ‎09-24-2015 01:34 AM

Why have an Active Directory OU structure for Centrify?

 

Centrify delivers Role Based Access Control and Privilege Management to both Unix/Linux and Windows environments, using Active Directory as the central directory.

 

Because Active Directory will store not only Unix identities and the AD computer accounts of non-Windows servers joined to the domain, but also the Roles and Rights used to apply fine-grained access control and privilege management, it is recommended to create several OUs in the existing Active Directory environment to hold these objects and make them easier to manage and delegate.

 

Drawing on numerous successful deployments, Centrify Professional Services provides a recommended OU structure for storing Centrify-related data, together with an Active Directory delegation model for managing that data.

 

[Figure: CSS 2015 - OU Structure Standard]

 

This best practice OU structure should be adapted to the organizational design already in place in your Active Directory domain; Centrify Professional Services can help you arrive at the right implementation.

 

Recommended delegation model

 

In addition to the simple OU structure, Centrify Professional Services recommends having dedicated AD groups to administer the Centrify data stored under this structure. The OU structure comes with four AD groups that hold delegations in Active Directory and can be reused to apply fine-grained delegation on Centrify Zones.

 

Centrify Administrators (e.g. Unix Team, Security Team)

This role grants rights to manage all Centrify-related data stored in Active Directory by setting the following permissions:

  • Manage Centrify Licenses
  • Manage Centrify Zones
  • Manage Centrify User Roles
  • Manage Centrify Computer Roles
  • Manage Centrify Provisioning Groups
  • Manage UNIX Groups
  • Manage UNIX Computer Accounts
  • Manage UNIX Service Accounts

 

Computer Managers (e.g. Unix Team)

This role grants rights to manage UNIX computers by setting the following permissions in Active Directory and in the DirectManage Access Manager console:

  • AD Delegations
  • Manage UNIX Computer Accounts
  • Zone Delegation (must be granted by the Centrify Administrator)
  • Join machine to the Zone
  • Remove machine from the Zone

 

UNIX Data Managers (e.g. Unix Team)

This role grants rights to manage UNIX users and groups by setting the following permissions in Active Directory and in the DirectManage Access Manager console:

  • AD Delegations
  • Manage UNIX Groups
  • Manage UNIX Service Accounts
  • Zone Delegation (must be granted by the Centrify Administrator)
  • Add, remove, modify User to the Zone
  • Add, remove, modify Group to the Zone

 

Authorization Managers (e.g. Security Team)

This role grants rights to manage Roles, Computer Roles, Privileges and Role Assignments by setting the following permissions in Active Directory and in the DirectManage Access Manager console:

  • AD Delegations
  • Manage Centrify User Roles
  • Manage Centrify Computer Roles
  • Zone Delegation (must be granted by the Centrify Administrator)
  • Add, remove, modify Roles to the Zone
  • Add, remove, modify Computer Roles to the Zone
  • Add, remove, modify Rights to the Zone
  • Manage Role Assignments into the Zone

 

By default, Centrify Administrators have delegations applied on both the OUs and the Zones, whereas the other roles only have delegations applied to the OUs. To delegate tasks at Zone level to roles such as Computer Managers, UNIX Data Managers and Authorization Managers, use the Zone delegation wizard in the Centrify Access Manager console.

 

How to deploy the OU structure easily?

 

To help deploy this best practice Active Directory structure and delegation model, Centrify Professional Services has developed a PowerShell script named CreateOU.ps1 that automatically creates the structure and applies the delegations in a target Active Directory domain. This script is widely used during Professional Services engagements, either as-is or customized to reflect the implementation chosen during a Design workshop.
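CreateOU.ps1 itself is not published on this page. The following PowerShell script is an added illustration, not Centrify's script, of what the OU structure and the AD side of the delegation model described above look like when automated. The parent OU (OU=Centrify,DC=example,DC=com), the child OU names (Admin Groups, Zones, UNIX Computers, UNIX Groups, UNIX Service Accounts) and the object-class mapping per role are assumptions; the four group names are the ones given on this page. It only covers the "AD Delegations" bullets; the Zone-level rights still have to be granted through the Access Manager delegation wizard.

```powershell
# Added example, not Centrify's CreateOU.ps1: a minimal PowerShell version of the
# OU structure and delegation model described above. The parent OU, the child OU
# names and the role-to-object-class mapping are assumptions; adapt them to your design.
#Requires -Modules ActiveDirectory
param(
    [string]$ParentOU = "OU=Centrify,DC=example,DC=com"   # assumed; adapt to your domain
)
Import-Module ActiveDirectory

function New-OUIfMissing([string]$Name, [string]$Path) {
    # Idempotent: returns the DN whether the OU already existed or was created now.
    $dn = "OU=$Name,$Path"
    try { Get-ADOrganizationalUnit -Identity $dn | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null }
    return $dn
}

function New-GroupIfMissing([string]$Name, [string]$Path) {
    if (-not (Get-ADGroup -LDAPFilter "(cn=$Name)" -SearchBase $Path)) {
        New-ADGroup -Name $Name -Path $Path -GroupScope Global -GroupCategory Security | Out-Null
    }
}

function Get-SchemaClassGuid([string]$LdapDisplayName) {
    # Resolve the schemaIDGUID of an object class (computer, group, user) from this forest's schema,
    # so the ACEs below are scoped to one class instead of hard-coding well-known GUIDs.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

function Grant-OUDelegation {
    # Grants $GroupName create/delete rights for one object class under $OUDn plus full control of
    # existing objects of that class beneath it. An empty $ClassName means full control of everything.
    param([string]$OUDn, [string]$GroupName, [string]$ClassName)
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $acl   = Get-Acl -Path "AD:\$OUDn"
    if ($ClassName) {
        $guid = Get-SchemaClassGuid $ClassName
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild", $allow,
            $guid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $guid)))
    } else {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    }
    Set-Acl -Path "AD:\$OUDn" -AclObject $acl
}

function Show-OUDelegation([string]$OUDn) {
    # Check: list only the explicit (non-inherited) ACEs so the delegation just applied is visible.
    (Get-Acl -Path "AD:\$OUDn").Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
        Format-Table -AutoSize
}

# Assumed child OUs (the standard layout is in the diagram above, not reproduced here).
$adminOU     = New-OUIfMissing "Admin Groups"          $ParentOU
$zonesOU     = New-OUIfMissing "Zones"                 $ParentOU
$computersOU = New-OUIfMissing "UNIX Computers"        $ParentOU
$groupsOU    = New-OUIfMissing "UNIX Groups"           $ParentOU
$svcOU       = New-OUIfMissing "UNIX Service Accounts" $ParentOU

# The four delegation groups named on this page, kept in an OU that only Centrify Administrators control.
"Centrify Administrators", "Computer Managers", "UNIX Data Managers", "Authorization Managers" |
    ForEach-Object { New-GroupIfMissing $_ $adminOU }

# AD delegations per role. Zone-level rights (Authorization Managers' roles, rights and role
# assignments; joining/removing machines; adding users and groups to the Zone) are granted
# separately in the Access Manager delegation wizard, not here.
Grant-OUDelegation -OUDn $ParentOU    -GroupName "Centrify Administrators" -ClassName ""
Grant-OUDelegation -OUDn $computersOU -GroupName "Computer Managers"       -ClassName "computer"
Grant-OUDelegation -OUDn $groupsOU    -GroupName "UNIX Data Managers"      -ClassName "group"
Grant-OUDelegation -OUDn $svcOU       -GroupName "UNIX Data Managers"      -ClassName "user"

Show-OUDelegation $computersOU
```

Run it once as an account that can modify the ACL of the parent OU (Domain Admins or an equivalent), then rerun Show-OUDelegation on each OU to confirm that each group has only the explicit ACEs intended for it. Two points worth checking in any real deployment: the delegation groups must live in an OU that the less privileged roles cannot write to (otherwise a Computer Manager with rights over the OU holding the groups could add themselves to Centrify Administrators), and the ACEs should be scoped to the object class each role actually manages rather than granting full control over the whole OU.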

 

The best way to obtain this script is to contact your Centrify Sales representative, who will put you in contact with a Systems Engineer or Professional Services consultant able to provide the latest version of the script along with instructions for using it.

 
