GPO best practices : Security-Group Filtering Versus OU

This has been a fun topic of discussion on Server Fault. There appear to be varying "religious views" on the topic.

I agree with Microsoft's recommendation: Use a sub-domain of the company's already-registered Internet domain name.

So, if you own foo.com, use ad.foo.com or some such.

The most vile thing, as I see it, is using the registered Internet domain name, verbatim, for the Active Directory domain name. This causes you to be forced to manually copy records from the Internet DNS (like www) into the Active Directory DNS zone to allow "external" names to resolve. I've seen utterly silly things like IIS installed on every DC in an organization running a web site that does a redirect such that someone entering foo.com into their browser would be redirected to www.foo.com by these IIS installations. Utter silliness!

Using the Internet domain name gains you no advantages, but creates "make work" every time you change the IP addresses that external host names refer to. (Try using geographically load-balanced DNS for the external hosts and integrating that with such a "split DNS" situation, too! Gee-- that would be fun...)

Using such a subdomain has no effect on things like Exchange email delivery or User Principal Name (UPN) suffixes, BTW. (I often see those both cited as excuses for using the Internet domain name as the AD domain name.)

I also see the excuse "lots of big companies do it". Large companies can make boneheaded decisions as easily (if not moreso) than small companies. I don't buy that just because a large company makes a bad decision that somehow causes it to be a good decision.

This is a chronic problem with large Identity Management systems attempting to glue together heterogeneous systems. Invariably, you'll be limited to the lowest common denominator, which all too often is an 8-character ASCII-alpha-numeric limit thanks to some (probably legacy) Unix-like system somewhere in the bowels of the datacenter. Those fancy modern systems can take arbitrary length UTF8 usernames are unlikely to get used.

I spent 7 years at an institution of higher education where we had to figure out 8-character usernames for 5000 new students every year. We had managed to come up with unique names for 15 years of students by the time I left. This can be done, Mr. smitj510

Things that will make your life immeasurably easier:

• Figure out what your lowest-common-denominator is, which requires analyzing every part of your identity-management system to discover what the limits are.
  • That old Solaris 7 system is forcing the 8-character limit.
  • Critical applications that use identity data have their own limits you will have to consider.
    • Perhaps they expect user data from LDAP to conform to a unique-to-them 'standard'.
    • Perhaps the authentication database they use can only handle certain formatted data.
    • Perhaps that Windows-compatible system still uses SAMAccountName two decades after that stopped being a good idea.
• Have a database table with a list of the One True Identifier (that 8-character account-name), with links/fields listing alternate ID's like firstname.lastname or anything else that might come up.
  • Off-the-shelf software can do some really weird and IDM-unfriendly things like use a numerical ID for account name, or auto-generate account IDs based on profile data. All that goes into the database table too.
  • This also helps people with non-[a-z|0-9] characters in their names like Harry O'Neil, or non-ASCII ones like Alžbêta.
• When you build your account synchronization processes, leverage that database table to ensure that the right accounts are getting the right updates. When names change (marriage, divorce, others) you want those changes to propagate to the right places.
  • Configure the actual identity databases themselves to prevent local-changes where possible, and business process to strongly discourage that when it isn't possible. Rely on the central account-sync process for everything you can.
• Leverage alias systems wherever you can, such as in email.
• Consider the 8-char ID immutable, since changing that field can trigger a LOT of heart-ache among IT staff as accounts have to be recreated.
  • This suggests an account-ID not derived from name data, since marriage/divorce/court-order can change the name-data over time.
• Have a system in place for exceptions, since there will always be some.
  • Horrible divorce and that name-data generated 8-char UID brings wrenching memories every time you have to enter it? Be nice to your users and allow a mechanism for these changes, but keep it quiet.
• Do what you can to allow multiple username logins in the systems where that's an option
  • Some people like their 8-character uid, others like firstname.lastname@example.com. Be flexible, make friends.
  • Sometimes this requires fronting your web-based systems with a single-sign-on framework like CAS or leverage saml. You will be surprised at how many off the shelf systems can support SSO frameworks like this, so don't be discouraged.

Which is to say, treat it like a databasing problem because that's what it is. Pick a primary key for maximum compatibility with your systems (likely 8 characters), build a lookup-table to allow systems to translate local ID's to the primary key, and engineer your data synchronization systems to handle various IDs.