Centrify DirectControl Best Practices - Cerberis


CENTRIFY WHITE PAPER: CENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL

linked to this level. Group policies can be logically linked to a given Zone by creating Organizational Units below OU=Computers and then moving UNIX computers into those OUs. For example, if there is a Zone named Zone14 (under cn=Zone14,ou=Zones,ou=Unix), then the computer object could be stored in ou=Zone14,ou=Computers,ou=Unix.

Diana grants the UNIX Operators Active Directory Group the following permissions on “OU=Computers,OU=UNIX” using the “Delegate Control” Wizard in Active Directory Users and Computers:

• Create Computer Objects
• Delete Computer Objects

OU=Groups: The best practice for storing UNIX-specific groups that do not correlate to existing Active Directory groups is to store them in “OU=Groups,OU=UNIX”. Traditionally, all UNIX users have been members of a common group (i.e. ‘staff’) and have had additional groups that were based on their responsibilities or current projects. For example, the ‘newcore’ UNIX group defined in Zone #1 in section Error! Reference source not found. does not correspond to any existing Active Directory Group at Illumi Clinics. Creating it under “OU=Groups,OU=UNIX” allows the UNIX team to manage that group’s membership.

Diana grants the UNIX Operators Active Directory Group the following permissions on “OU=Groups,OU=UNIX” using the “Delegate Control” Wizard:

• Create, Delete, and manage Groups
• Modify the Membership of a Group

OU=Users: The best practice for storing UNIX-specific accounts that do not correlate to existing Active Directory accounts is to store them in “OU=Users,OU=UNIX”. These would be machine service accounts, such as Oracle or MySQL. This keeps the service accounts clearly separate from interactive Active Directory User objects. User Objects for service accounts are typically not subject to the Default Domain Policy for password expiry, for example, as password expiry could render critical business services (such as a database) unusable. Migrating these accounts to Active Directory would allow centralized password management and auditing.

Illumi Clinics account creation policy requires that all accounts have a corresponding employee or contractor record in the Human Resources database. Additionally, only Human Resources personnel can create individual exceptions to this policy. None of the machine service accounts on UNIX are used for interactive logon. Diana and Cedar agree to keep this Organizational Unit for future expansion. In the future, Diana could grant the ability to create and delete User objects to appropriate personnel.

OU=Zones: The best practice for storing Zones is to store them in “OU=Zones,OU=UNIX”. These Zones store application-specific information for the

© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 17
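The OU layout and the two delegations described above, scripted so they can be reproduced and audited rather than clicked through the wizard. This is an added example, not code from the Centrify white paper or from Centrify; it assumes a domain named EXAMPLE (DC=example,DC=com), an existing "UNIX Operators" group, and the ActiveDirectory PowerShell module with dsacls.exe on the administering host. The dsacls rights used (CC/DC for create/delete child of a class, WP on the member attribute of group objects) correspond to the wizard tasks named in the text; the wizard's "manage groups" task may grant broader rights than shown here.

```powershell
# Added example (not from the white paper). Builds OU=UNIX and its child OUs,
# adds a per-zone computer OU, and delegates the rights the text lists to
# "UNIX Operators". Assumed: domain EXAMPLE / DC=example,DC=com, and the
# group "UNIX Operators" already exists.
Import-Module ActiveDirectory

$DomainDN  = 'DC=example,DC=com'        # assumed domain DN
$NetBIOS   = 'EXAMPLE'                  # assumed NetBIOS domain name
$UnixGroup = "$NetBIOS\UNIX Operators"  # group named in the text
$UnixOU    = "OU=UNIX,$DomainDN"

# 1. OU=UNIX and the four child OUs the paper describes. OU=Users is created
#    but left empty, matching the "keep it for future expansion" decision.
New-ADOrganizationalUnit -Name 'UNIX' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($child in 'Computers', 'Groups', 'Users', 'Zones') {
    New-ADOrganizationalUnit -Name $child -Path $UnixOU -ProtectedFromAccidentalDeletion $true
}

# 2. Per-zone computer OU so group policy can be linked per zone:
#    cn=Zone14,ou=Zones,ou=Unix  <->  ou=Zone14,ou=Computers,ou=Unix
New-ADOrganizationalUnit -Name 'Zone14' -Path "OU=Computers,$UnixOU"

# 3. Delegation. dsacls rights: CC = create child, DC = delete child,
#    WP = write property. The ";class" suffix restricts the ACE to one object
#    class; /I:T = this object and descendants, /I:S = descendants only.
#    ${UnixGroup} braces are required: "$UnixGroup:" would parse as a drive.

# OU=Computers: Create Computer Objects, Delete Computer Objects
dsacls "OU=Computers,$UnixOU" /I:T /G "${UnixGroup}:CCDC;computer"

# OU=Groups: create/delete group objects, and write the 'member' attribute
# of group objects beneath the OU (Modify the Membership of a Group).
dsacls "OU=Groups,$UnixOU" /I:T /G "${UnixGroup}:CCDC;group"
dsacls "OU=Groups,$UnixOU" /I:S /G "${UnixGroup}:WP;member;group"

# 4. Verification: show the ACEs on OU=Computers that name the delegated group,
#    which is what an auditor would compare against the intended delegation.
(Get-Acl "AD:\OU=Computers,$UnixOU").Access |
    Where-Object { $_.IdentityReference -like '*UNIX Operators' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Keeping the delegation as a script makes the least-privilege intent explicit: UNIX Operators can join and remove computers and manage UNIX-only groups, but receive no rights on OU=Users or OU=Zones, so service-account and Zone changes still go through the owners the text names. Re-running step 4 against each child OU is a quick check that nothing broader was granted by hand later.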
