We do managed IT services for a number of small/medium businesses. I'm looking to find a solution to manage our access to our clients' AD forests in a scalable fashion.
Right now, we manually create our own login in AD, with sufficient rights. As you can imagine, this doesn't scale well as we gain employees and need to be able to revoke passwords etc. It involves manually logging into each client to update AD.
For almost all of our clients, we manage their entire IT infrastructure, including AD, all servers, network etc. So if we can obtain a reliable solution, we should reasonably be able to modify the clients' AD configuration to achieve our goal.
We also do hosted services, so we have a reliable means of hosting our own infrastructure for clients to sync back to.
What I'd like
A way of being able to centrally manage AD accounts for multiple customers, across sites/forests etc...
Preferably, we'd switch to creating our own accounts, for each one of our techs in the customer's AD, so we have a degree of accountability, and access policies can be more granular.
Obviously the above point raises concerns of polluting the client's AD (though we don't have too many people right now), so we'd want to try and avoid having clients have to see our users constantly. This is a tricky one of course, but perhaps simply putting our users in a separate OU would partially solve this.
Our main goal is to simplify hiring/firing processes and reduce the possibility of human error (e.g. missed disabling access on Customer X during decom of access). So things like password resets and disabled users should sync to some degree. I imagine permissions are less of an issue as they could be on a per-customer basis anyway.
Multi-platform is also a goal. We need to be able to manage routers and Linux machines too; RADIUS seems like it would be an obvious choice.
Servers are mostly Windows 2008 R2 with some Windows 2012, some Linux, Cisco and Juniper equipment.
I should add that RADIUS etc. should not be the only source for AD. The goal would be to have the customer's existing AD accounts for their needs, then import our own from RADIUS.
What I've Tried
So far I've been focusing on somehow integrating RADIUS accounts into AD, but everything I've found is more about using AD as a master source for RADIUS integration, whereas I'd want more of the opposite.
I think RADIUS makes sense for us as a lot of our hosting infrastructure is non-Windows, even though our clients are primarily Windows-based. And we are looking to provide RADIUS auth for our DSL tails as well anyway. It would make sense to have a single source of truth for all employee accounts.
Very interested in hearing how people in a similar situation have been able to solve this issue, as I haven't found much online.
Thanks.
Ever heard of trust relationships? Have the clients' domains trust your domain, or a specific service personnel domain.
Trust per se does not give any rights. You still have to add the users to the respective groups - trust only allows that and "trusts" that User A from domain X IS User A from domain X (and happens to have rights in my group).
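The following PowerShell is an added example, not code from either poster, showing what the answer's two points look like in practice: first confirm the trust from the client side, then grant rights the normal way, by nesting a group from the MSP's own domain into a domain-local group in the client domain that the client's resources are ACLed to. All names (msp.example.com, client.example.com, MSP-Technicians, MSP-ServerAdmins, the OU=MSP container) are placeholders, and the script assumes the trust has already been created and that it runs with the Windows Server 2012 or newer ActiveDirectory module (Get-ADTrust is not in the 2008 R2 module) under credentials that can manage groups in the client domain.

```powershell
# Added example (not from the thread). Assumed placeholder names:
#   msp.example.com     - the MSP's own (service personnel) domain
#   client.example.com  - one client domain that trusts msp.example.com
#   MSP-Technicians     - global group in the MSP domain holding the techs
#   MSP-ServerAdmins    - domain-local group in the client domain that resources grant rights to
Import-Module ActiveDirectory

$MspDomain    = 'msp.example.com'
$ClientDomain = 'client.example.com'
$MspGroup     = 'MSP-Technicians'
$ClientGroup  = 'MSP-ServerAdmins'
$ClientOu     = 'OU=MSP,DC=client,DC=example,DC=com'   # keeps MSP objects out of the client's own OUs

# 1. Verify the trust exists and record how it is configured. Direction is reported from the
#    queried domain's point of view: Inbound or BiDirectional means client.example.com
#    accepts principals from msp.example.com.
$trust = Get-ADTrust -Filter "Name -eq '$MspDomain'" -Server $ClientDomain
if (-not $trust) { throw "No trust with $MspDomain found in $ClientDomain" }
'Trust to {0}: Direction={1} ForestTransitive={2} SelectiveAuthentication={3}' -f `
    $trust.Name, $trust.Direction, $trust.ForestTransitive, $trust.SelectiveAuthentication

# 2. Make sure the domain-local group exists in the client domain (idempotent).
$group = Get-ADGroup -Filter "Name -eq '$ClientGroup'" -Server $ClientDomain
if (-not $group) {
    $group = New-ADGroup -Name $ClientGroup -GroupScope DomainLocal -GroupCategory Security `
                         -Path $ClientOu -Server $ClientDomain -PassThru
}

# 3. Nest the MSP global group into the client's domain-local group. Passing the object
#    returned by Get-ADGroup -Server (rather than a bare name) lets the cmdlet resolve a
#    principal from the trusted domain. A single membership change in msp.example.com then
#    applies to every client domain that nests this group, which is what simplifies
#    joiner/leaver handling: disabling the tech's one account removes access everywhere.
$mspGroupObj = Get-ADGroup -Identity $MspGroup -Server $MspDomain
Add-ADGroupMember -Identity $group -Members $mspGroupObj -Server $ClientDomain

# 4. Audit what the client group actually contains. Members from the trusted domain are
#    stored as foreign security principal objects named by SID; translate those back to
#    account names so a reviewer can see exactly which MSP principals hold rights here.
$members = (Get-ADGroup -Identity $group -Server $ClientDomain -Properties member).member
foreach ($dn in $members) {
    if ($dn -match '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals') {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        '{0}  (foreign principal {1})' -f $name, $Matches[1]
    } else {
        $dn
    }
}
```

Two points worth checking when you set this up for each client. The trust should be one-way (the client trusts the MSP domain, not the reverse) so that nothing in a client domain is a principal in yours. And because a default forest trust lets trusted users authenticate to any computer in the trusting forest as Authenticated Users, consider enabling selective authentication on the trust and granting the "Allowed to Authenticate" right only on the servers your techs actually manage; step 1 above prints the SelectiveAuthentication flag so you can confirm it per client.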