Austin Active Directory
Austin Active Directory Remediation and Refresh Project
10/1/2014 - The Austin AD Remediation project has successfully completed the disabling phase, disabling 728,282 AD EID accounts. The Austin AD now complies with the requirements set by Internal Audits. Verification of eligibility for Exchange mailboxes and Austin Disk shares began on May 19, 2014. To remain eligible, an EID holder must have either an appropriate affiliation or the AAD Entitlement.
One final date of importance remains. ITS granted temporary Austin Active Directory (AAD) entitlements to Unaffiliated (Guest) EIDs used for Austin Exchange and Austin Disk services. These temporary entitlements expire on Wednesday, May 20, 2015.
If these accounts need to remain active beyond that date, each EID will need its AAD Entitlement updated by someone from your organization, or its affiliation changed through Human Resources or student records.
More information can be found on the project wiki. Please contact your Technical Support Coordinator (TSC) or local help desk technician for information and assistance with setting the AAD Entitlement. Additionally, you may contact the ITS Help desk at firstname.lastname@example.org.
Changes and updates to the Austin Active Directory (AD) and to enterprise services such as the Austin Exchange Messaging Service (AEMS), Office 365 and Austin Disk are required this fiscal year to remediate operational issues identified by the Office of Internal Audits (IA) and to reduce the risk of inappropriate use of university resources or the disclosure, modification or deletion of confidential data. A refresh of the aging AD hardware is also required to ensure continued high availability of the service.
Project Wiki (EID login required)
Business Need and Background
IA performed an audit of the Austin AD and AEMS as they relate to EIDs and user accounts in April 2013, citing guidelines in Section 5 of the university’s Information Resource Use and Security Policy. The findings of the audit resulted in a high-level recommendation: access to AD and to the critical enterprise services that leverage AD, such as AEMS, Office 365, and Austin Disk, should be disabled or de-provisioned when (1) accounts are no longer in use or (2) accounts no longer have a valid affiliation or entitlement with the university.
The hardware for the AD environment requires a refresh to maintain warranty and support status. Additionally, new domain controllers will be added to enable efficient authentication of UT services in the cloud.
Information Technology Services (ITS) will establish an automated process to enable and disable accounts in AD based upon EID affiliations and entitlements as established in UT’s Identity and Access Management (IAM) framework. This process will ensure that AD and the other enterprise services leveraging AD, such as AEMS, Office 365, and Austin Disk, are accessible only to EIDs with an active affiliation or a necessary entitlement. The project will be broken into four steps:
- AD Entitlement: This step creates the ability for AD Organizational Unit (OU) owners to grant an entitlement to an EID. The entitlement applies to AD EID accounts.
- AD Sweep: This step will check all existing AD accounts for a valid affiliation and disable those without one. This includes disabling AEMS and Office 365 email accounts that do not have valid affiliations. All services relying upon Austin Active Directory for authentication, such as Austin Disk, will also be affected.
- AD Provisioning Update: Update provisioning tools to ensure accounts are enabled or disabled based on affiliation and entitlement changes.
- AD Refresh and Cloud Bridge: This step will include upgrading the four (4) domain controllers to new hardware and Windows Server 2012 R2. This step also includes adding two (2) new domain controllers with public IP addresses for the cloud bridge.
- Prevent misuse of university resources including critical applications, home directories, and email accounts.
- Prevent the disclosure, modification, or deletion of confidential university data by removing former employees’ access.
- Have all Common Goods Services follow the guidelines set forth in Section 5 of UT Austin’s Resource Use and Security Policy.
- Improve AD’s efficiency, security, and features by upgrading to new domain controllers.
- AD accounts will be enabled and disabled based upon EID affiliations and entitlements.
- Efficient authentication will be enabled for UT services in the cloud.
- Effectively communicate timing and impact of changes to campus Technical Support Coordinators (TSCs).
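The AD Sweep and AD Provisioning Update steps above amount to one eligibility rule: an AD EID account stays enabled only if the EID has a valid affiliation or the AAD Entitlement, and it is still in use. The script below is an added example, not ITS's own tooling; it assumes EIDs map to sAMAccountName, that affiliation and entitlement come from a constructed IAM export (a real run would read the IAM source), and it runs with -WhatIf so nothing is changed until the dry run has been reviewed.

```powershell
# Added example: apply the affiliation/entitlement rule to AD accounts (dry run).
# Requires the RSAT ActiveDirectory module and rights to read/disable the accounts.
Import-Module ActiveDirectory

# Constructed IAM export standing in for the real affiliation/entitlement feed.
$iamExport = @"
EID,Affiliation,AADEntitlement
jdoe01,Employee,False
guest42,Unaffiliated,True
alum77,Unaffiliated,False
"@ | ConvertFrom-Csv

# Assumptions: which affiliations count as valid, and how long an account may sit
# unused before rule (1) "no longer in use" applies.
$validAffiliations = @('Employee', 'Student', 'Faculty')
$inactiveAfter     = (Get-Date).AddDays(-365)

function Test-AadEligible {
    param([string]$Affiliation, [bool]$HasEntitlement)
    # Rule (2): a valid affiliation OR the AAD Entitlement keeps the EID eligible.
    return ($validAffiliations -contains $Affiliation) -or $HasEntitlement
}

foreach ($row in $iamExport) {
    $user = Get-ADUser -Filter "sAMAccountName -eq '$($row.EID)'" `
                       -Properties Enabled, LastLogonDate
    if (-not $user) {
        Write-Warning "EID $($row.EID) has no AD account; skipping"
        continue
    }

    $eligible = Test-AadEligible -Affiliation $row.Affiliation `
                                 -HasEntitlement ([bool]::Parse($row.AADEntitlement))
    # Rule (1): treat an account with no logon in the window as no longer in use.
    $inUse = $user.LastLogonDate -and ($user.LastLogonDate -gt $inactiveAfter)

    if ($eligible -and $inUse) {
        if (-not $user.Enabled) { Enable-ADAccount -Identity $user -WhatIf }
    }
    elseif ($user.Enabled) {
        # Record the reason so the TSC can explain the change to the EID holder.
        $reason = if (-not $eligible) { 'no valid affiliation or AAD Entitlement' }
                  else { "no logon since $($user.LastLogonDate)" }
        Write-Output "Disable $($row.EID): $reason"
        Disable-ADAccount -Identity $user -WhatIf
    }
}
```

Remove -WhatIf only after the logged decisions have been checked against the IAM data; disabling (rather than deleting) keeps the account recoverable if an entitlement is granted later.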