When You're Dealing With Directories, They're All Special, but Some Are More "Special" Than Others

Let’s talk directories for a minute. In identity and access management (IAM) it all starts with the directory – after all, you need someplace to set up the account and hold authorizations and you need something to authenticate against. Everything that someone needs to log into requires a directory. Sometimes they are built in and included, sometimes they are more universal and shared across a number of systems, sometimes they are simple, sometimes they are standards-based, and sometimes they are just a mess.

When I started my career in IAM I joined a little startup, full of Linux guys who were trying to overcome the challenges presented by every Unix or Linux box requiring its own directory and the security shortcomings of the technologies available to unify those disparate directories. These really smart guys quickly realized that Microsoft had already beaten them to the punch with Active Directory (AD), overcoming the same challenge for Windows Server (remember Windows NT, anyone?). They changed course and switched from building a dedicated (and awesome) Unix/Linux directory service to creating technologies that would allow those systems to act as “full citizens” in the already awesome AD environment. And the rest, as they say, is history.

Fast forward 10 years: the concept of an AD bridge is commonplace, the little startup is now part of our thriving IAM business, Active Directory is a key component of almost every enterprise, and managing AD is critical in almost every enterprise IAM program. Of course, every directory is special and must be dealt with appropriately, but it seems that AD is more special: no matter how well you treat all the other directories in your enterprise, if AD is underserved, things can go wrong pretty quickly.

There are two main challenges facing an organization trying to integrate AD with an enterprise IAM program:

  1. Active Directory's native tools are woefully lacking in usability and automation, and efforts to custom-build the desired functionality into an IAM framework typically fall short while going way over budget and running way too long.
  2. The privileged account management implications of AD are scary, with a native lack of delegation, too much password sharing, and over-provisioned admin rights.

But there is hope. Tools exist (conveniently available as part of the One Identity family of IAM solutions) that overcome both of those challenges in a single, easy-to-implement, easy-to-use, and easy-to-integrate solution.

We’ve written a white paper that details the most common challenges facing Active Directory administrators and simple, actionable solutions. It’s called Active Directory Security Challenges … Solved! The paper details everything from the value of simple and efficient group management to the security gains available through delegating the AD admin account.


For a more detailed look at getting access control through AD right, download our white paper called Access Control is Easy, Use Active Directory Groups and Manage them Well.

Active Directory is special. Isn’t it about time you treated it that way?