Austin Active Directory
Austin Active Directory Remediation and Refresh Project
5/29/2014 - On Monday, May 19, Austin AD Remediation project began, disabling approximately 241,000 Austin Active Directory (AD) EID accounts including those belonging to Former Students and Former Staff.
The next phase AD Remediation will continue on Monday, June 2 and Wednesday, June 4, disabling approximately 50,000 AD “guest” EID accounts on each day. A detailed version of this timeline can be found on the TSC Manual for this project (EID login required).
EIDs must have an approved affiliation or entitlement to meet eligibility and avoid becoming disabled or have the AAD Entitlement granted to the EID.
A recording of a previous presentation discussing this project is available for viewing at: http://mediasite.aces.utexas.edu/UTMediasite/Play/2282c9d314354c12b6fe2bcbc4060dbf1d. If you have any questions about this project, please review the FAQ or contact the Active Directory R&R project manager, Brian Hurdle at firstname.lastname@example.org, 512-232-0713.
Changes and updates are required to the Austin Active Directory (AD) and enterprise services such as Austin Exchange Messaging Service (AEMS), Office 365 and Austin Disk this fiscal year to remediate operational issues identified by the Office of Internal Audits (IA) to reduce the risk of inappropriate use of university resources or the disclosure, modification or deletion of confidential data. A refresh of the aging AD hardware is also required to ensure continued high availability of the service.
Project Wiki (EID login required)
Business Need and Background
IA performed an audit of the Austin AD and AEMS in direct relationship to EIDs and user accounts in April 2013, citing guidelines in Section 5 of the university’s Information Resource Use and Security Policy. The findings of the audit resulted in a high level recommendation: access to AD and those critical enterprise services that leverage AD such as AEMS, Office365, and Austin Disk should be disabled or de-provisioned when (1) accounts are no longer in use or (2) accounts no longer have a valid association or entitlement with the university.
The hardware for the AD environment requires a refresh to maintain warranty and support status. Additionally, new domain controllers will be added to enable efficient authentication of UT services in the cloud.
Information Technology Services (ITS) will establish an automated process to enable and disable accounts in AD based upon EID affiliations and entitlements as established in UT’s Identity and Access Management (IAM) framework. This process will ensure AD and other enterprise services leveraging AD such as AEMS, Office 365, and Austin Disk will be accessible by EIDs with an active affiliation or a necessary entitlement. The project will be broken into 4 steps:
- AD Entitlement: This step creates the ability for AD Organizational Unit (OU) owners to grant an entitlement to an EID. Accounts with the entitlement will apply to AD EID accounts.
- AD Sweep: This step will include the checking of all existing AD accounts for a valid affiliation and disabling those without valid affiliations. This includes disabling AEMS and Office 365 emails accounts that do not have valid affiliations. All services relying upon Austin Active Directory for authentication, such as Austin Disk, will also be affected.
- AD Provisioning Update: Update provisioning tools to ensure accounts are enabled or disabled based on affiliation and entitlement changes.
- AD Refresh and Cloud Bridge: This step will include upgrading the four (4) domain controllers to new hardware and Windows Server 2012 R2. This step also includes adding two (2) new domain controllers with public IP addresses for the cloud bridge.
- Prevent misuse of university resources including critical applications, home directories, and email accounts.
- Prevent the disclosure, modification, or deletion of confidential university data by removing former employees’ access.
- Have all Common Goods Services follow guidelines set forth in the Section 5 of UT Austin’s Resource Use and Security Policy.
- Improve AD’s efficiency, security, and features by upgrading to new domain controllers.
- AD accounts will be enabled and disabled based upon EID affiliations and entitlements.
- Efficient authentication will be enabled for UT services in the cloud.
- Effectively communicate timing and impact of changes to campus Technical Support Coordinators (TSCs).