Austin Active Directory
Austin Active Directory Remediation and Refresh Project
12/5/13 - ITS will establish an automated process to enable and disable accounts in Austin Active Directory based upon EID affiliations and entitlements. At the upcoming "FYI" session (10:00 AM, December 11 in POB 2.302) ITS will share more about the implementation timeline and how this process will impact Austin AD users across the UT community.
Changes and updates are required this fiscal year to the Austin Active Directory (AD) and to enterprise services such as Austin Exchange Messaging Service (AEMS), Office 365 and Austin Disk, to remediate operational issues identified by the Office of Internal Audits (IA) and to reduce the risk of inappropriate use of university resources or the disclosure, modification or deletion of confidential data. A refresh of the aging AD hardware is also required to ensure continued high availability of the service.
Business Need and Background
In April 2013, IA performed an audit of the Austin AD and AEMS with respect to EIDs and user accounts, citing guidelines in Section 5 of the university’s Information Resource Use and Security Policy. The findings of the audit resulted in a high-level recommendation: access to AD and to the critical enterprise services that leverage AD, such as AEMS, Office 365, and Austin Disk, should be disabled or de-provisioned when (1) accounts are no longer in use or (2) accounts no longer have a valid association or entitlement with the university.
The hardware for the AD environment requires a refresh to maintain warranty and support status. Additionally, new domain controllers will be added to enable efficient authentication of UT services in the cloud.
Information Technology Services (ITS) will establish an automated process to enable and disable accounts in AD based upon EID affiliations and entitlements as established in UT’s Identity and Access Management (IAM) framework. This process will ensure that AD and other enterprise services leveraging AD, such as AEMS, Office 365, and Austin Disk, are accessible only to EIDs with an active affiliation or a necessary entitlement. The project will be broken into four steps:
- AD Entitlement: This step creates the ability for AD Organizational Unit (OU) owners to grant an entitlement to an EID. An entitlement granted to an EID applies to that EID's AD account.
- AD Sweep: This step will include checking all existing AD accounts for a valid affiliation and disabling those without one. This includes disabling AEMS and Office 365 email accounts that do not have valid affiliations. All services relying upon Austin Active Directory for authentication, such as Austin Disk, will also be affected.
- AD Provisioning Update: Update provisioning tools to ensure accounts are enabled or disabled based on affiliation and entitlement changes.
- AD Refresh and Cloud Bridge: This step will include upgrading the four (4) domain controllers to new hardware and Windows Server 2012 R2. This step also includes adding two (2) new domain controllers with public IP addresses for the cloud bridge.
- Prevent misuse of university resources including critical applications, home directories, and email accounts.
- Prevent the disclosure, modification, or deletion of confidential university data by removing former employees’ access.
- Have all Common Goods Services follow the guidelines set forth in Section 5 of UT Austin’s Resource Use and Security Policy.
- Improve AD’s efficiency, security, and features by upgrading to new domain controllers.
- AD accounts will be enabled and disabled based upon EID affiliations and entitlements.
- Efficient authentication will be enabled for UT services in the cloud.
- Effectively communicate timing and impact of changes to campus Technical Support Coordinators (TSCs).
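The AD Sweep and AD Provisioning Update steps both reduce to one rule: an AD account should be enabled if, and only if, its EID has an active affiliation or an OU-owner entitlement. The PowerShell below is an added illustration of that rule, not ITS's own tooling. It assumes (hypothetically) that the EID is stored in the AD `employeeID` attribute, that the IAM feed of active affiliations and the OU-owner entitlements arrive as CSV files, and that the RSAT `ActiveDirectory` module is available when the sweep is run against a real domain. The decision logic is kept in a pure function so it can be exercised on the constructed sample data at the bottom without touching a domain; the sweep itself only reports unless `-Apply` is given, and accounts with no EID are flagged for review rather than disabled.

```powershell
# Added example (not ITS's tooling). Assumed: EID lives in the AD 'employeeID'
# attribute; affiliations CSV has columns EID,Affiliation (active only);
# entitlements CSV has columns EID,OU. All sample data below is constructed.

function Get-AccountAction {
    # Pure decision for one account: Enable / Disable / NoChange / Review.
    param(
        [string]$Eid,
        [bool]$Enabled,
        [hashtable]$ActiveAffiliations,   # EID -> affiliation
        [hashtable]$Entitlements          # EID -> granting OU
    )
    if ([string]::IsNullOrWhiteSpace($Eid)) { return 'Review' }   # no EID: a human decides
    $hasAccess = $ActiveAffiliations.ContainsKey($Eid) -or $Entitlements.ContainsKey($Eid)
    if ($hasAccess -and -not $Enabled) { return 'Enable' }
    if (-not $hasAccess -and $Enabled)  { return 'Disable' }
    return 'NoChange'
}

function ConvertTo-Lookup {
    # CSV rows -> hashtable keyed by EID, value taken from $ValueColumn.
    param([object[]]$Rows, [string]$ValueColumn)
    $map = @{}
    foreach ($r in $Rows) { $map[$r.EID] = $r.$ValueColumn }
    return $map
}

function Invoke-AdSweep {
    # Reads accounts under $SearchBase and applies the rule. Report-only unless
    # -Apply is given; every decision is written to a CSV audit log either way.
    param(
        [hashtable]$ActiveAffiliations,
        [hashtable]$Entitlements,
        [string]$SearchBase,                              # e.g. an OU distinguished name
        [string]$LogPath = ".\ad-sweep-$(Get-Date -Format yyyyMMdd-HHmm).csv",
        [switch]$Apply
    )
    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties employeeID, Enabled
    $log = foreach ($u in $users) {
        $action = Get-AccountAction -Eid $u.employeeID -Enabled $u.Enabled `
                    -ActiveAffiliations $ActiveAffiliations -Entitlements $Entitlements
        if ($Apply) {
            switch ($action) {
                'Disable' { Disable-ADAccount -Identity $u.DistinguishedName }
                'Enable'  { Enable-ADAccount  -Identity $u.DistinguishedName }
            }
        }
        [pscustomobject]@{
            Sam = $u.SamAccountName; EID = $u.employeeID
            WasEnabled = $u.Enabled; Action = $action; Applied = [bool]$Apply
        }
    }
    $log | Export-Csv -NoTypeInformation -Path $LogPath
    return $log
}

# --- Constructed demo data: runs without a domain ---------------------------
$affiliations = ConvertTo-Lookup -ValueColumn Affiliation -Rows (@"
EID,Affiliation
abc123,staff
def456,student
"@ | ConvertFrom-Csv)

$entitlements = ConvertTo-Lookup -ValueColumn OU -Rows (@"
EID,OU
ghi789,Austin/ITS/Contractors
"@ | ConvertFrom-Csv)

# Constructed stand-ins for what Get-ADUser would return.
$sampleAccounts = @(
    @{ Sam = 'abc123';     EID = 'abc123'; Enabled = $true  }   # active staff: NoChange
    @{ Sam = 'jkl012';     EID = 'jkl012'; Enabled = $true  }   # no affiliation, no entitlement: Disable
    @{ Sam = 'ghi789';     EID = 'ghi789'; Enabled = $false }   # OU-owner entitlement: Enable
    @{ Sam = 'svc-backup'; EID = '';       Enabled = $true  }   # no EID on the object: Review
)
$sampleAccounts | ForEach-Object {
    [pscustomobject]@{
        Sam    = $_.Sam
        Action = Get-AccountAction -Eid $_.EID -Enabled $_.Enabled `
                   -ActiveAffiliations $affiliations -Entitlements $entitlements
    }
} | Format-Table -AutoSize
```

Against a real OU the call would be `Invoke-AdSweep -ActiveAffiliations $affiliations -Entitlements $entitlements -SearchBase '<OU distinguished name>'`, reviewed from the CSV log first and re-run with `-Apply` only after the Review rows (service accounts and other objects without an EID) have been dealt with by hand. Because AEMS, Office 365 and Austin Disk all authenticate through AD, a Disable row in that log is also the list of mailboxes and home directories that will become inaccessible, which is what TSCs need to see before the change goes in.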