By Arleen Thukral, MS, CCE
In this month’s installment of Networking, we explore Active Directory, a flexible, hierarchical organizational model developed by Microsoft that facilitates the delegation of administrative responsibilities. Although Active Directory relies on the Domain Name System (DNS) to function, existing DNS systems may need to be upgraded before they can support Active Directory.
Objects are grouped into domains, and the objects of a single domain are stored in a single database. A domain, identified by its DNS name, is a logical group of network objects (i.e., computers, users, and devices) that share the same Active Directory database.
A tree is a collection of one or more domains linked in a transitive trust hierarchy. At the top of the structure is the forest, a collection of trees that share a common global configuration.
Each domain controller contains a copy of Active Directory, not just the information of a single domain. Therefore, when a change is made to Active Directory, it is applied to whichever domain controller is closest and then replicated to the remaining domain controllers.
Understanding Organizational Units
The objects contained within a domain can be grouped into organizational units (OUs). The idea is that if you have a large domain, you can organize it into OUs and delegate to a designated administrator the right to reset passwords only for the accounts in that OU. This provides a mechanism for safeguarding directory objects from unauthorized access, because the delegate receives no rights beyond the OU and the task assigned.
The OU is the recommended level at which to apply group policies, the Active Directory-based mechanism for controlling user and computer desktop environments. Group Policy settings are stored in Active Directory objects on domain controllers, and a child OU inherits the Group Policies of its parent OUs.
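The delegation described above, as an added example that is not part of the original column: grant a helpdesk group only the Reset Password right on one OU, inherited by the user objects beneath it. It assumes the ActiveDirectory RSAT module; the OU and group names are placeholders.

```powershell
# Added example (not from the original column): delegate only the
# "Reset Password" right on one OU to a helpdesk group, so the delegate
# can reset passwords for accounts in that OU and nothing else.
# Assumes the ActiveDirectory RSAT module and a domain-admin session.
Import-Module ActiveDirectory

$ouDn      = 'OU=Medical Device Users,DC=example,DC=test'   # placeholder OU
$groupName = 'MedDevice-PasswordResetters'                  # placeholder group

# Well-known schema GUIDs: the Reset Password control access right and the
# user object class (these are fixed across Active Directory forests).
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$group = Get-ADGroup -Identity $groupName
$acl   = Get-Acl -Path "AD:\$ouDn"

# Allow the extended right on descendant user objects only; the OU
# object itself and non-user objects receive nothing.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list the ACEs on the OU that name this group, so the scope of
# the delegation can be checked against what was intended.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```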
Along the same lines, loopback Group Policy Object (GPO) processing allows a policy to be applied to users based upon which computer (or special-purpose medical device computer) they’re logged onto. (Case in point: All users logging onto a specific computer will receive the same policy settings.)
The two modes for loopback processing are:
- Replace mode: With this mode, only the group policies that apply to the computer object are processed; the GPOs that would normally apply to the user object are ignored.
- Merge mode: This mode first processes the group policies that apply to the user object, and then the GPOs that apply to the computer object. If settings conflict, the computer object settings override the user settings. Note: If medical device computers are slow to load, it might be worthwhile to investigate the group policies.
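One way to find out which GPOs in the domain turn on loopback processing, and in which mode, as an added example that is not part of the original column. It assumes the GroupPolicy RSAT module; loopback is stored in the GPO as the UserPolicyMode registry value (1 = Merge, 2 = Replace).

```powershell
# Added example (not from the original column): report every GPO that
# enables loopback processing, its mode, and where it is linked, so a
# slow-loading device can be traced to the policies it actually receives.
# Assumes the GroupPolicy RSAT module on a domain-joined admin session.
Import-Module GroupPolicy

# The loopback setting is written to this key in the GPO's computer
# configuration when "Configure user Group Policy loopback processing
# mode" is enabled.
$key  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$name = 'UserPolicyMode'

function Get-LoopbackGpoReport {
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue errors when the value is absent, which
        # simply means loopback is not configured in this GPO.
        $val = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $name `
                                   -ErrorAction SilentlyContinue
        if ($null -eq $val) { continue }

        $mode = switch ($val.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown($($val.Value))" }
        }

        # The XML report lists the sites, domains and OUs the GPO is linked
        # to; that tells you which computers (and their users) get it.
        $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)

        [pscustomobject]@{
            GpoName = $gpo.DisplayName
            Mode    = $mode
            Links   = (@($xml.GPO.LinksTo.SOMPath) -join '; ')
        }
    }
}

Get-LoopbackGpoReport | Format-Table -AutoSize
```

A GPO that appears here but is linked nowhere near the device OU is not the cause of slow logons on those devices; concentrate on the ones linked to the OU or its parents.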
A separate OU is especially advantageous for medical devices that require specialized group policy considerations, including screen-lock registry settings, antivirus, host-based intrusion prevention systems, and so on. Take an EEG monitoring device, for instance. For the device to continuously record patient data, the application must not screen-lock.
Group Policy Security Settings
Security settings allow administrators to consolidate many security-related items and apply them via Group Policy and Active Directory. Remember: Security settings are computer-, not user-, specific. They include:
- Account policies: Encompassing Password Policy and Account Lockout Policy, account policies are set in the default domain policy. If different account policies are required for different sets of users, a multiple-domain architecture may be in order. Account policies set at the OU level apply only when a user logs onto the local computer with a local account, not to domain log-ons. Still, setting account policies at the OU level is recommended in case a local log-on occurs.
- Local policies: This includes Audit policy, user rights assignment, and security options (i.e., registry-specific security settings).
- Event log: This policy includes settings for event logs.
- Restricted groups: This facilitates membership restrictions for sensitive groups.
- System services: This includes start-up options for services.
- Registry: Discretionary access control lists (DACLs) for specified registry keys.
- File system: DACLs for specified files and folders.
- Public key policies: This includes encrypted data recovery agents, Automatic Certificate Request Settings, Trusted Root Certification Authorities, and enterprise trust.
Disadvantages of Active Directory
Although Active Directory has numerous advantages, there are downsides to this model as well. For one thing, Active Directory offers no means to manage non-Windows clients, such as Mac or Unix. Further, Active Directory is designed to use a single forest for each organization; therefore, companies with multiple or global schemas must implement multiple forests, which increases administrative overhead. It’s an issue, indeed, since separate domains and forests don’t merge easily.
Other drawbacks? Active Directory is difficult to integrate into preexisting network systems, and there is little interoperability with Unix systems. That’s why it’s important to carefully weigh the pros and cons before implementing Active Directory.
Arleen Thukral, MS, CCE, is a VISN 20 biomedical engineer at VA NorthWest Healthcare Network in Seattle. Questions and comments can be directed to [email protected].