
We do managed IT services for a number of small / medium businesses. I'm looking to find a solution to manage our access to our clients' AD forests in a scalable fashion.

Right now, we manually create our own login in AD, with sufficient rights. As you can imagine, this doesn't scale well as we gain employees and the need to be able to revoke passwords etc... It involves manually logging into each client to update AD.

For almost all of our clients, we manage their entire IT infrastructure, including AD, all servers, network etc... So if we can obtain a reliable solution, we should reasonably be able to modify the clients' AD configuration to achieve our goal.

We also do hosted services, so we have a reliable means of hosting our own infrastructure for clients to sync back to.

What I'd like

  • A way of being able to centrally manage AD accounts for multiple customers, across sites/forests etc...

  • Preferably, we'd switch to creating our own accounts, for each one of our techs in the customer's AD, so we have a degree of accountability, and access policies can be more granular.

  • Obviously the above point raises concerns of polluting the client's AD (though we don't have too many people right now), so we'd want to try and avoid having clients have to see our users constantly. This is a tricky one of course, but perhaps simply putting our users in a separate OU would partially solve this.

  • Our main goal is to simplify hiring/firing processes, and reducing the possibility of human error (e.g. missed disabling access on Customer X during decom of access). So things like password resets, disabled users, should sync to some degree. I imagine permissions are less of an issue as they could be on a per-customer basis anyway.

  • Multi-Platform is also a goal. We need to be able to manage routers and Linux machines too, RADIUS seems like it would be an obvious choice.

  • Servers are mostly Windows 2008 R2 with some Windows 2012, some Linux, Cisco and Juniper Equipment.

  • I should add that RADIUS etc... should not be the only source for AD. The goal would be to have the customer's existing AD accounts for their needs, then import our own, from RADIUS.

What I've Tried

So far I've been focusing on somehow integrating RADIUS accounts into AD - but everything I've found is more about using AD as a master-source for AD integration, whereas I'd want more of the opposite.

I think RADIUS makes sense for us as a lot of our hosting infrastructure is non-Windows, even though our clients are primarily Windows-based. And we are looking to provide RADIUS auth for our DSL tails as well anyway. It would make sense to have a single source of truth for all employee accounts.

Very interested in hearing how people in a similar situation have been able to solve this issue, as I haven't found much online.

Thanks.

Geekman
    Ever heard of trust relationships? Have the clients' domains trust your domain. – TomTom Dec 11 '13 at 12:17
  • @TomTom Yes. I'd thought about this, though I'm wary of how customers would feel about this level of trust. I suppose I'll have to research what granularity is available so I can find a safe situation for both parties. My understanding so far is that it's either one-way or two-way, and anything more granular can get quite complicated from a permissions standpoint. – Geekman Dec 11 '13 at 12:20
  • @TomTom Thinking about it some more, since we have full domain admin access to all our clients, it's probably not going to need a lot of granularity, and as mentioned, there's lots about integrating AD as a source for RADIUS, too. Still interested in seeing what others say, but this could work. Thanks. – Geekman Dec 11 '13 at 12:26
  • Trust per se does not give any rights. You still have to add the users to the respective groups - trust only allows that and "trusts" that User A from domain X IS user A from Domain X (and happens to have rights in my group). I would go this way. Adding it as answer... – TomTom Dec 11 '13 at 12:35

1 Answer


Ever heard of trust relationships? Have the clients' domains trust your domain. Or a specific service personnel domain.

Trust per se does not give any rights. You still have to add the users to the respective groups - trust only allows that and "trusts" that User A from domain X IS user A from Domain X (and happens to have rights in my group).

TomTom
  • The more I think about it, the more I think your answer makes sense. I almost feel for posting this question, since I did know of (but not much about) one-way trusts etc... Thanks for your answer. – Geekman Dec 11 '13 at 12:53
  • You are welcome. Even experienced people sometimes do stupid things. There is a saying in German "not seeing the wood due to all the trees" which means you do not see the bigger picture (and obvious thing) because focusing on all the details ;) Happens to the best of us. – TomTom Dec 11 '13 at 13:42
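The one-way trust TomTom describes, as an added PowerShell example (not code from the question, the answer, or any product documentation): run from the client forest, it creates only the client's inbound half of a forest trust, keeps SID filtering on and enables selective authentication, and then grants rights through a domain-local group rather than through the trust itself. The forest names, group names and credential prompts are assumptions; the MSP side still has to create its matching outbound half.

```powershell
# Added example, not from the original post. Run on a domain controller in the
# CLIENT forest as an Enterprise Admin there. Names and prompts are placeholders.
#Requires -Modules ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$MspForest  = 'msp.example'            # the MSP's own forest (placeholder)
$TechGroup  = 'MSP-Techs'              # global/universal group in the MSP forest (placeholder)
$LocalGroup = 'MSP-Delegated-Admins'   # domain-local group created in the client domain
$TrustPw    = Read-Host 'One-time trust password (entered identically on the MSP side)'
$TD         = [System.DirectoryServices.ActiveDirectory.TrustDirection]
$client     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Inbound only: the client forest trusts the MSP forest, never the reverse.
#    The MSP side creates its matching Outbound half with the same password.
$client.CreateLocalSideOfTrustRelationship($MspForest, $TD::Inbound, $TrustPw)

# 2. Harden the trust object. SID filtering (quarantine) is the default for forest
#    trusts; selective authentication makes MSP accounts usable only on computers
#    that explicitly grant them "Allowed to Authenticate".
$client.SetSidFilteringStatus($MspForest, $true)
$client.SetSelectiveAuthenticationStatus($MspForest, $true)

# 3. Rights come from group membership, not from the trust. A domain-local group
#    can hold a group from the trusted forest; the client then grants THIS group
#    access (server local Administrators, delegated OUs, etc.). Because the trust
#    is one-way, reading the MSP directory from here needs MSP credentials.
$mspCred  = Get-Credential -Message "Read-only account in $MspForest"
$mspGroup = Get-ADGroup -Identity $TechGroup -Server $MspForest -Credential $mspCred
if (-not (Get-ADGroup -Filter "Name -eq '$LocalGroup'")) {
    New-ADGroup -Name $LocalGroup -GroupScope DomainLocal -GroupCategory Security `
        -Description "Holds $MspForest\$TechGroup via forest trust; no local MSP accounts"
}
Add-ADGroupMember -Identity $LocalGroup -Members $mspGroup

# 4. Verify once the MSP half exists: direction must be Inbound and both
#    hardening flags must read back as enabled. VerifyTrustRelationship throws
#    if the secure channel to the partner cannot be established.
function Test-MspTrust {
    param([string]$TargetForest)
    $client.VerifyTrustRelationship($TargetForest, $TD::Inbound)
    $info = $client.GetTrustRelationship($TargetForest)
    [pscustomobject]@{
        Target       = $info.TargetName
        Direction    = $info.TrustDirection                                    # expect Inbound
        SidFiltering = $client.GetSidFilteringStatus($TargetForest)            # expect True
        Selective    = $client.GetSelectiveAuthenticationStatus($TargetForest) # expect True
    }
}
Test-MspTrust -TargetForest $MspForest
```

Revoking a departed tech's access is then a single change in the MSP forest (disable the account or remove it from the tech group), which is exactly the hiring/firing case the question raises; the client domain never holds a separate account to forget about.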