After many hours, I have finally completed the migration of all CVUSD login scripts to RBAC! This is a big milestone, as we no longer have to worry about individual people's login scripts.
At this point, every person who logs in to the CVUSD domain gets the login script login.bat. (The exception is Cortez, which I will complete next week, as the server is currently turned off due to the power outage.)
All access is controlled solely by Active Directory security groups.
A couple of quick items to note (mostly for those of you who deal with logins and security groups):
- You will notice that \\chino.k12.ca.us\netlogon is now much cleaner and only has a handful of scripts. All the batch files have been removed. (You can see what has been removed in this document.)
- All security groups in Active Directory have now been fully organized under Security Groups. Only a small handful of groups still need to be dealt with; the rest are in their corresponding OUs.
- For assigning access to users, 90% of the security groups you need are in the "Role Groups" section. Everything else is mostly back-end.
- In 90% of situations, a group with the word "Default" in its description should not be assigned directly to a user. These groups receive their members from other groups by nesting.
- For school staff and teachers, group membership is simple; most school people belong to two groups on average:
  - their school, e.g. Woodcrest Junior High
  - their role, e.g. 205-Office, 205-Teacher, or 205-Library
- A combination of the above works, except for Office AND Teacher together: these two roles look in different locations for the user's I: drive and may not find the user's home folder.
- Each user can belong to one and only one Department or School.
- If a user works at Ayala and Litel but needs both office drives, add them to the one school where their I: drive resides (e.g. Ayala High School), and then to both 103-Office and 311-Office. This maps all the necessary drives for them.
- Every user NEEDS to belong to at least one group aside from "Domain Users".
- Similarly, "Domain Users" has to be the user's primary group, or some mappings will not work, or worse, KiXtart will crash. (This is an issue with KiX and the way it parses groups.)
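The membership rules in the list above can be checked mechanically. The following PowerShell is an added example for this page, not the district's login script or any of its tools: it audits one user against those rules. The rule checks take plain objects, so the constructed sample users at the bottom run without a domain; Get-RbacUser builds the same object from Active Directory (requires the ActiveDirectory module). Assumed, since the page does not say: role groups are named "<site number>-<role>" (as in 205-Office), "Default" groups carry that word in their description, the caller supplies the list of school/department group names, and the sample account and group names (including the Litel group name) are made up.

```powershell
# Added example, not the district's own script. Audits a user's group
# memberships against the RBAC rules listed on this page.
# Assumptions (not stated on the page): role groups are named "<site>-<role>",
# "Default" groups carry that word in their description, and the caller
# passes the list of school/department group names.

$DomainUsersRid = 513    # well-known RID of "Domain Users"

function New-RbacGroup {
    param([string] $Name, [string] $Description = '')
    [pscustomobject]@{ Name = $Name; Description = $Description }
}

function Test-RbacMembership {
    param(
        [Parameter(Mandatory)] $User,                  # SamAccountName, PrimaryGroupId, Groups
        [Parameter(Mandatory)] [string[]] $SiteGroups  # every school and department group name
    )
    $findings = @()
    $names = @($User.Groups | ForEach-Object { $_.Name })

    # "Domain Users" must be the primary group, or KiXtart's group parsing breaks
    if ($User.PrimaryGroupId -ne $DomainUsersRid) {
        $findings += 'primary group is not Domain Users'
    }
    # At least one group besides Domain Users
    if (-not @($names | Where-Object { $_ -ne 'Domain Users' })) {
        $findings += 'no group membership besides Domain Users'
    }
    # One and only one school or department
    $sites = @($names | Where-Object { $SiteGroups -contains $_ })
    if ($sites.Count -ne 1) {
        $findings += "belongs to $($sites.Count) school/department groups (expected 1): $($sites -join ', ')"
    }
    # "Default" groups receive their members from other groups, never directly
    foreach ($g in $User.Groups) {
        if ($g.Description -match 'Default') {
            $findings += "directly assigned to inherited group '$($g.Name)'"
        }
    }
    # Office and Teacher at the same site look for I: in different places
    $rolesBySite = @{}
    foreach ($n in $names) {
        if ($n -match '^(\d{3})-(\w+)$') {
            $site, $role = $Matches[1], $Matches[2]
            if (-not $rolesBySite.ContainsKey($site)) { $rolesBySite[$site] = @() }
            $rolesBySite[$site] += $role
        }
    }
    foreach ($site in $rolesBySite.Keys) {
        $roles = $rolesBySite[$site]
        if ($roles -contains 'Office' -and $roles -contains 'Teacher') {
            $findings += "has both $($site)-Office and $($site)-Teacher; the I: drive location is ambiguous"
        }
    }
    [pscustomobject]@{ User = $User.SamAccountName; Findings = $findings }
}

function Get-RbacUser {
    # Builds the same object from the live domain (needs the ActiveDirectory module).
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $groups = Get-ADPrincipalGroupMembership -Identity $u |
        Get-ADGroup -Properties Description |
        ForEach-Object { New-RbacGroup $_.Name $_.Description }
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; PrimaryGroupId = $u.primaryGroupID; Groups = @($groups) }
}

# Constructed sample data (account names and the Litel group name are made up):
# a correctly set up Woodcrest teacher, and an Ayala/Litel office user who was
# put in two school groups and directly into a "Default" group by mistake.
$siteGroups = 'Woodcrest Junior High', 'Ayala High School', 'Litel Elementary'
$teacher = [pscustomobject]@{ SamAccountName = 'jteacher'; PrimaryGroupId = 513
    Groups = @((New-RbacGroup 'Domain Users'), (New-RbacGroup 'Woodcrest Junior High'), (New-RbacGroup '205-Teacher')) }
$office = [pscustomobject]@{ SamAccountName = 'aoffice'; PrimaryGroupId = 513
    Groups = @((New-RbacGroup 'Domain Users'), (New-RbacGroup 'Ayala High School'), (New-RbacGroup 'Litel Elementary'),
               (New-RbacGroup '103-Office'), (New-RbacGroup '311-Office'),
               (New-RbacGroup '311-Office-Default' 'Default group: receives 311-Office, do not assign')) }

foreach ($u in $teacher, $office) {
    $r = Test-RbacMembership -User $u -SiteGroups $siteGroups
    '{0}: {1}' -f $r.User, $(if ($r.Findings) { $r.Findings -join '; ' } else { 'OK' })
}
```

Against the live domain, call `Test-RbacMembership -User (Get-RbacUser 'someuser') -SiteGroups $siteGroups`, where $siteGroups is the real list of school and department group names (for instance the Name property of the groups under whichever OU holds them; the page does not give that OU path). Looping it over all enabled users gives the membership report the page says was missing before.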
There is also a cheat sheet for the District Office departments, as well as additional documentation on the RBAC system. I recommend that you take a look at those.
It may be beneficial to have a meeting at some point to talk about this new system and answer any questions you may have. This is all brand new and may be confusing to some.
You may be asking why I have done all this work, and the simple answer is reporting and compliance. Previously, we had no idea what access a given user had, or who had access to a given folder, application, or GPO. This is potentially a huge liability, as we were blind to access privileges we may have set up inadvertently. The new system is tightly integrated: the login script is tied directly to the ACLs, and in most cases two levels of ACLs have to be passed before access is granted to a folder.
To see this in action, there are reporting tools I have already created that report on a person's access, or on folder / application access. I have placed those tools here:
http://do-web.chino.k12.ca.us/ittools
If you want to use them, remember to add http://do-web to your Trusted Sites zone and set that zone's security level to "Low", as these components use some system calls that require privileges. If you don't, you will get all sorts of warnings and will not get the desired results. Keep in mind that the Low level also lets every other site in the Trusted Sites zone run script and ActiveX controls without prompting, so put only that host in the zone.
Also, as a side note, for some reason these tools open behind all other windows (I'll look into that; for now, click the tool's icon in the task bar to bring it to the front).
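For the folder-access question above (who has access to a given folder), here is an added example in PowerShell; it is not one of the reporting tools linked above. It takes each ACE on a folder and expands the group it names down to user accounts, following nested groups (the "Default" groups that receive other groups) and stopping on cycles. The member lookup is a script block, so the constructed directory below runs without a domain; $adLookup shows the equivalent against Active Directory. Assumed: the NetBIOS domain name CHINO, the sample group and account names, and that an identity which resolves to no members is a user, a built-in, or an empty group.

```powershell
# Added example, not one of the district's reporting tools. Lists, per ACE on a
# folder, the user accounts that can reach it through (nested) group membership.
# Assumptions: NetBIOS domain name CHINO and the constructed sample names below.

function Expand-GroupMembers {
    # Yields user account names reachable from $Group. $Lookup returns the direct
    # members of a group as objects with Name and IsGroup; $Seen stops cycles.
    param([string] $Group, [scriptblock] $Lookup, [hashtable] $Seen = @{})
    if ($Seen.ContainsKey($Group)) { return }          # already expanded (nested loop)
    $Seen[$Group] = $true
    foreach ($m in (& $Lookup $Group | Where-Object { $_ })) {
        if ($m.IsGroup) { Expand-GroupMembers -Group $m.Name -Lookup $Lookup -Seen $Seen }
        else { $m.Name }
    }
}

function Get-FolderAccessReport {
    # $Access is the .Access collection from Get-Acl (or constructed rules).
    param([Parameter(Mandatory)] $Access, [Parameter(Mandatory)] [scriptblock] $Lookup)
    foreach ($ace in $Access) {
        $id = $ace.IdentityReference.Value             # e.g. CHINO\311-Office-Default
        $name = ($id -split '\\')[-1]                  # group name without the domain prefix
        $users = @(Expand-GroupMembers -Group $name -Lookup $Lookup | Sort-Object -Unique)
        [pscustomobject]@{
            Principal = $id
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Users     = $(if ($users) { $users -join ', ' } else { '(no members resolved: user, built-in, or empty group)' })
        }
    }
}

# Constructed sample directory: a "Default" group that receives two role groups,
# one of which nests back into the other (a cycle the expander must survive).
function New-Member { param($Name, [switch] $Group) [pscustomobject]@{ Name = $Name; IsGroup = [bool] $Group } }
$directory = @{
    '311-Office-Default' = @((New-Member '311-Office' -Group), (New-Member '311-Library' -Group))
    '311-Office'         = @((New-Member 'asmith'), (New-Member 'bjones'))
    '311-Library'        = @((New-Member 'clee'), (New-Member '311-Office' -Group))
}
$lookup = { param($g) if ($directory.ContainsKey($g)) { $directory[$g] } }

# Same lookup against the live domain (ActiveDirectory module; non-groups yield nothing)
$adLookup = {
    param($g)
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Name = $_.SamAccountName; IsGroup = ($_.objectClass -eq 'group') } }
}

# Constructed ACEs standing in for the .Access collection of a real office share folder
$rules = @(
    (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CHINO\311-Office-Default', 'Modify', 'Allow'),
    (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow')
)
Get-FolderAccessReport -Access $rules -Lookup $lookup | Format-Table -AutoSize
```

On a real folder, run `Get-FolderAccessReport -Access (Get-Acl '\\server\share\folder').Access -Lookup $adLookup` with your own path. The sample resolves CHINO\311-Office-Default to asmith, bjones and clee exactly once despite the 311-Library/311-Office loop, which is the case a naive recursive expansion gets wrong.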
As I mentioned in the previous articles, these changes are quite significant in Active Directory, and though I have tested every single configuration, I couldn't have tested every single scenario. So if you hear of any issues with drive mapping or access, please let me know, and I will take care of them.
Sorry for the long post, but I wanted to include as much information as possible to get you started with RBAC.
This change was made during the Easter Break week of 2011 (04/25 - 04/28).