The University of Texas at Austin

Austin Active Directory

Austin Active Directory Remediation and Refresh Project

4/9/2014 - TSCs are now able to set the AAD entitlement for guest EIDs using the UT EID Lookup. Users must ensure that the AAD entitlement has been set for any guest EID whose AEMS, Office 365 or Austin Disk account is created on or after May 16, 2014. Remediation of EIDs will begin on May 19, 2014.

Hardware for the "refresh" has been procured and provisioned. The project team is continuing to refresh the existing hardware for the domain controllers and name servers and expects to complete that work by the end of April.

A recording of a previous FYI session discussing this project is available for viewing on Mediasite. If you have any questions about this project, please review the FAQ or contact the Active Directory R&R project manager, Brian Hurdle, at bhurdle@utexas.edu or 512-232-0713.

Changes and updates are required this fiscal year to the Austin Active Directory (AD) and to enterprise services that depend on it, such as Austin Exchange Messaging Service (AEMS), Office 365 and Austin Disk. They remediate operational issues identified by the Office of Internal Audits (IA) and reduce the risk of inappropriate use of university resources or the disclosure, modification or deletion of confidential data. A refresh of the aging AD hardware is also required to ensure continued high availability of the service.

Project FAQ

Business Need and Background

IA performed an audit of the Austin AD and AEMS, specifically of their relationship to EIDs and user accounts, in April 2013, citing guidelines in Section 5 of the university's Information Resource Use and Security Policy. The findings of the audit resulted in a high-level recommendation: access to AD and to those critical enterprise services that leverage AD, such as AEMS, Office 365, and Austin Disk, should be disabled or de-provisioned when (1) accounts are no longer in use or (2) accounts no longer have a valid association or entitlement with the university.

The hardware for the AD environment requires a refresh to maintain warranty and support status. Additionally, new domain controllers will be added to enable efficient authentication of UT services in the cloud.

Project Description

Information Technology Services (ITS) will establish an automated process to enable and disable accounts in AD based upon EID affiliations and entitlements as established in UT’s Identity and Access Management (IAM) framework. This process will ensure AD and other enterprise services leveraging AD such as AEMS, Office 365, and Austin Disk will be accessible by EIDs with an active affiliation or a necessary entitlement. The project will be broken into 4 steps:

  1. AD Entitlement: This step creates the ability for AD Organizational Unit (OU) owners to grant an entitlement to an EID. The entitlement applies to EID-based AD accounts.
  2. AD Sweep: This step will include checking all existing AD accounts for a valid affiliation and disabling those without one. This includes disabling AEMS and Office 365 email accounts that do not have valid affiliations. All services relying upon Austin Active Directory for authentication, such as Austin Disk, will also be affected.
  3. AD Provisioning Update: Update provisioning tools to ensure accounts are enabled or disabled based on affiliation and entitlement changes.
  4. AD Refresh and Cloud Bridge: This step will include upgrading the four (4) domain controllers to new hardware and Windows Server 2012 R2. This step also includes adding two (2) new domain controllers with public IP addresses for the cloud bridge.

Project Goals

  • Prevent misuse of university resources including critical applications, home directories, and email accounts.
  • Prevent the disclosure, modification, or deletion of confidential university data by removing former employees’ access.
  • Have all Common Goods Services follow the guidelines set forth in Section 5 of UT Austin's Information Resource Use and Security Policy.
  • Improve AD’s efficiency, security, and features by upgrading to new domain controllers.
  • AD accounts will be enabled and disabled based upon EID affiliations and entitlements.
  • Efficient authentication will be enabled for UT services in the cloud.
  • Effectively communicate timing and impact of changes to campus Technical Support Coordinators (TSCs).

FAQ

What is the purpose of this project?
The Office of Internal Audits (IA) has found the Austin Active Directory (AD) to be out of compliance with Sections 5.3.4 and 5.3.5 of the Information Resource Use and Security Policy:

  • 5.3.4. Accounts of individuals on extended leave (more than 120 days) or accounts that have not been accessed in more than 120 days must be disabled.
  • 5.3.5. Accounts of individuals who have had their status, roles, or affiliations with the university change must be updated to reflect their current status.

To reconcile the identified compliance issues, Systems has implemented a Remediation and Reconciliation project for Austin Active Directory that disables EID accounts based on a two-prong check: first, eligibility through an appropriate affiliation; second, if that is lacking, the presence of the AAD entitlement. If an account fails both prongs of this test, it is disabled for Austin Active Directory authentication. Exchange email service and individually-owned Austin Disk Services subscriptions are likewise disconnected from the account and scheduled for deletion.

In addition, a refresh of the aging AD hardware is required to ensure continued high availability of the service.

What is the timeline of this project?

  • The Entitlement phase ran from Fall 2013 through Spring 2014.
  • The Reconciliation phase began in Summer 2013 and will continue through Summer 2014.
    • By May 16th, Stakeholders must have granted the AAD entitlement to guest EIDs that will be provisioned new mailboxes and file shares in AEMS, Office 365, and individually-owned Austin Disk Services.
    • Enforcement of the eligibility requirements will begin May 19th, 2014.
  • The Refresh phase will begin in Spring 2014 and complete in Summer 2014.

What is the difference between an affiliation and an entitlement?

An affiliation describes a user's relationship to the university, which is used to determine whether they are eligible for various services. An entitlement in some cases may be used to grant access to those services when a user lacks the appropriate affiliation. (In other cases, it exists alongside an eligible affiliation.) The AAD entitlement is used to ensure users who lack the appropriate affiliations (see below) are still enabled in Austin Active Directory and eligible for Exchange email and individually-owned Austin Disk accounts.

What are the affiliations a user must have to be eligible for an active status in Austin Active Directory?

Current Student, Future Student, Current Faculty, Future Faculty, Current Staff, Future Staff, University Affiliate (sometimes known as "Affiliated Worker" in HRMS).
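As an added illustration (not part of the project's own provisioning tooling), the two-prong check described in this FAQ, using the eligible-affiliation list above and an AAD entitlement that may carry an end date as set in ID Manager. The sample EIDs are constructed, and treating the end date as inclusive is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Affiliations that make an EID eligible for an active Austin AD account (from the FAQ).
ELIGIBLE_AFFILIATIONS = frozenset({
    "Current Student", "Future Student",
    "Current Faculty", "Future Faculty",
    "Current Staff", "Future Staff",
    "University Affiliate",
})

# Enforcement of the eligibility requirements begins on this date (from the FAQ).
ENFORCEMENT_DAY = date(2014, 5, 19)

@dataclass
class Entitlement:
    name: str
    end_date: Optional[date] = None  # None = blank end date in ID Manager, i.e. indefinite

    def active_on(self, day: date) -> bool:
        # Assumption: the end date is inclusive (still active on that day).
        return self.end_date is None or day <= self.end_date

@dataclass
class EidRecord:
    eid: str
    affiliations: set = field(default_factory=set)
    entitlements: list = field(default_factory=list)

def is_eligible(record: EidRecord, day: date) -> tuple:
    """Prong 1: an eligible affiliation. Prong 2: an active AAD entitlement."""
    if record.affiliations & ELIGIBLE_AFFILIATIONS:
        return True, "eligible affiliation"
    if any(e.name == "AAD" and e.active_on(day) for e in record.entitlements):
        return True, "AAD entitlement"
    return False, "no eligible affiliation and no active AAD entitlement"

def reconcile(records, day: date) -> dict:
    """Map each EID to the state the sweep would set on `day`."""
    return {r.eid: ("enabled" if is_eligible(r, day)[0] else "disabled") for r in records}

# Constructed sample EIDs; "Former Staff" stands in for any non-eligible affiliation.
SAMPLE = [
    EidRecord("staff01", {"Current Staff"}),
    EidRecord("guest01", set(), [Entitlement("AAD", date(2015, 5, 16))]),  # still valid
    EidRecord("guest02", set(), [Entitlement("AAD", date(2014, 4, 30))]),  # expired
    EidRecord("former01", {"Former Staff"}),
]

def sweep_on_enforcement_day() -> dict:
    return reconcile(SAMPLE, ENFORCEMENT_DAY)
```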

What happens to my ineligible EID accounts that contained services like AEMS, Office 365, or individually-owned Austin Disk accounts before the Reconciliation process occurred?

While these accounts would normally become ineligible if they lacked an eligible affiliation (and therefore be deactivated from AD, with their Exchange accounts and individually-owned Austin Disk Service subscriptions scheduled for deletion), ITS has proactively granted these accounts one year of the AAD entitlement to give TSCs more flexibility in bringing them into compliance.

How can I determine whether a user has the necessary affiliation or entitlement to be enabled in Austin Active Directory?

Use the UT EID Administrative Services tool (also known as ID Manager).

  1. Navigate to the ID Manager and authenticate as necessary. (If you cannot access this tool, please make a request with the ITS Help Desk for authority to grant the AAD entitlement.)
  2. In the top-right, enter the user’s EID in “Quick Jump to UT EID” and click “Go.”
  3. The user’s information will be displayed below. Affiliations will be listed first in the column on the right, and entitlements will be listed directly below that.

How do I add the AAD entitlement to an EID?

Use the UT EID Administrative Services tool (also known as ID Manager).

  1. Navigate to the ID Manager and authenticate as necessary. (If you cannot access this tool, please make a request with the ITS Help Desk for authority to grant the AAD entitlement.)
  2. In the top-right, enter the EID in “Quick Jump to UT EID” and click “Go.”
  3. The EID information will be displayed below. At the “You can manage this UT EID by:” drop-down list, select “Update entitlement” and click “Go”.
  4. Scroll down to the “Update entitlements” section. Select the AAD entitlement from the list, set the end date (it can be left blank to add the entitlement indefinitely), and click “Add”.
  5. The entitlement will then appear in the “Entitlements:” section on ID Manager’s profile page for that EID.

What if a user is supposed to have an eligible affiliation, but doesn’t?

Affiliations are based on the source systems that define users’ relationships to the university; they are not created by the EID Administrative Services tool (ID Manager) itself. For employees, contact the department’s hiring unit. Students should contact the Registrar themselves.

I support non-UT-affiliated users (e.g., Extension Studies Participants) who must make use of Active Directory authentication to use my department's IT resources (e.g., computer logins, SharePoint sites). This means they lack the appropriate affiliation to be enabled in the Austin Active Directory. How can I ensure these users have access to these IT resources?

The Active Directory Remediation procedures outlined above apply only to Active Directory authentication, Exchange email, and individually-owned Austin Disk Services accounts. These accounts will be enabled in Active Directory once they are granted the AAD entitlement. Once this occurs, these users can authenticate to Active Directory services for which they have been given permission. (Users will still need to be granted permission to the specific services to which they need access, like computers or SharePoint sites; the AAD entitlement merely enables these accounts for AD authentication in the first place.)

How long after eligibility is lost does the user become deactivated in AD? How long after adding the AAD entitlement in the EID Administrative Services tool will a user account be made active in Active Directory again?

Either process should occur immediately. This is because the synchronization time between Active Directory and TED is, in most cases, instant.

How are ITS services impacted by a user account being deactivated in Active Directory?

If a user account is disabled in Active Directory, TRAC automatically removes any Exchange email and individually-owned Austin Disk subscriptions connected to that account. Once this removal begins, the disconnected service persists for 30 days, plus two weeks thereafter, before it is purged.

Please note, however, that Austin Disk’s Departmental Storage service will not be affected by the remediation process, though Exchange accounts or individually-owned Austin Disk subscriptions may be.

Will my department be notified if an account loses eligibility?

If the account’s services are sponsored in TRAC, the TRAC sponsors for the sponsoring group will receive an email notifying them of the change in eligibility. The email will describe options for remediation, should it be needed.

What is the recommended best practice when a user becomes ineligible (due to affiliation change), but needs to retain their Exchange or individually-owned Austin Disk services? In other words, affiliation change and AAD instatement may not happen on the same timeline. What is the best practice in this scenario?

ITS recommends that TSCs plan for changes in Active Directory and ITS email and storage service eligibility by “front-loading” the AAD entitlement. Ensure the AAD entitlement is in place before the user loses eligibility.

How do I designate a department Stakeholder (someone who can grant the AAD entitlement via the EID Administrative Services tool)?

Department technical contacts who need the ability to grant the AAD entitlement to EIDs should submit a request through the ITS Help Desk.

I am a Department OU Owner, and I have created Service Accounts (not “Service EIDs”) using the Austin Active Directory Department Administration Tools. Will these accounts be subject to the same remediation as ineligible EIDs?

No. Service accounts created through the Department Administration Tools are not subject to the same remediation as Active Directory accounts tied to EIDs.

We Can Help

Get help from an expert at the ITS Help Desk!

* Call us at 512-475-9400

* Submit a help request online

We also have a walk-in service in the first floor lobby of the Flawn Academic Center (FAC). Stop by and let us help you!