Active directory users finding their way

Bill Brenner, Senior News Writer

A vast majority of IT shops manage employee network access and security policies using Microsoft Active Directory. Many express satisfaction with the system, but some say it's complex and too difficult to use.

"One challenge is having the time and abilities to really lay out Active Directory so it's consistent and allows you to set up group policies that work for IT as well as the users," said Mark Cardono, an IT specialist for the Shore Educational Collaborative, a Chelsea, Mass.-based special needs school serving 10 districts in Massachusetts.

Of 358 IT professionals responding to an April SearchSecurity.com survey on identity and access management, 85% said they use Microsoft for directory services, group policy and provisioning. Nearly two-thirds said Microsoft is their primary vendor for this purpose. Asked which vendors they use for authentication and authorization, 72.6% said Microsoft.

Products from Sun Microsystems Inc., Symantec Corp., IBM, Novell Inc., Cisco Systems Inc. and RSA Security Inc. also ranked high, but nowhere near Microsoft's level.

One explanation for the figures may be the sheer number of enterprises that are Windows environments. Active Directory is Microsoft's trademarked directory service, and today is an integral part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories.

For IT departments managing environments that are predominantly Windows-based, it makes sense from a financial and logistical standpoint to use a directory service that's already built into the operating system.

As Cardono pointed out, "Microsoft Active Directory is part of the package with no extra cost." He said budgets are tight in the education sector and that institutions "can't go out and get the latest and greatest [product] all the time."

In search of Group Policy
The Group Policy feature in Active Directory is a critical piece of Cardono's patch management plans.

To use Windows Server Update Services (WSUS), one of Microsoft's patch delivery tools, Cardono must configure Group Policy to tell WSUS which computers need which security updates.

He watched a webcast on how to set up WSUS one night and found that he's not the only one struggling with Group Policy management.

"Information wasn't in a place that was intuitive and the narrator made a point of this," Cardono said, adding that he wants Active Directory to make it easier to find the right policy for specific groups.

Cardono is not alone in wanting a better handle on the program. More than 44% of respondents said a top priority this year is to better leverage Active Directory and other directory services.

Hard to use
Jessica Lynne Verzi, information security manager for Rochester, N.Y.-based ESL Federal Credit Union, likes that Active Directory has a feature to set domain and group policy. But that doesn't mean she finds the program any easier to use than Cardono does.

"I'm not happy with it," she said. "It's hard to fully grasp everything you can do with Active Directory." She specifically referenced her difficulty in keeping track of who has logged on, when they logged on and what they're doing.

"You have to hit the books and research too much just to figure out how to do certain things," she said. "You have to be very intimate with that product to get it to do what you need it to."

The survey results suggest IT shops are either working to make Microsoft Active Directory a better fit in their environments, or are looking to use the directory services of another vendor.

More than 85% said they're spending the same or more on directory services, while only about 14% said they're spending less or not at all. Though a vast majority said they use Microsoft Active Directory, 47% said they run multiple directories from separate vendors.

Others are satisfied
Microsoft's system may be a thorn in the side of some IT administrators, but the survey numbers seem to indicate that a majority of users are happy with it.

More than 68% of respondents said they are either satisfied or very satisfied with their directory services, compared to only 6.28% who are not very or not at all satisfied.

Much of that satisfaction is probably directed at Microsoft, given the number of respondents who identified the company as their primary directory services vendor. For those using more than one directory, it's possible their satisfaction was directed toward one of the other vendors they use.

Brian Clark, an IT professional based in Chicago, said he's gotten Active Directory to do his bidding for the most part. In particular, he likes that the program can be used to manage the host-based firewall in Windows XP.

"The Payment Card Industry (PCI) [standard] requires that laptops have a host-based firewall installed that can't be disabled by the user," he said. "You can accomplish that via Active Directory Group Policy."

Getting help
Clark's experience is with the Windows 2003 version of Active Directory. He said a lot of companies still use the Windows 2000 version, which some consider obsolete by today's standards. "I could see where they might have problems," he said.

Clark acknowledged there's a steep learning curve when it comes to figuring out Group Policy, and that can be a problem for organizations lacking the internal resources to study it. At the company he most recently worked for, specialists from outside the company were brought in to help.

"We used a consultancy specializing in all things Windows," he said. "We brought them in to help us build things the way we wanted to."

With the outside help, the company was able to broaden its use of Active Directory, and it cost less than $10,000. His advice to those having trouble with Active Directory: Get the outside help.

If a company has a few thousand dollars to spare, he said, "It's well worth it."