WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
PAGE 53
To delegate which users and groups have control over the objects in a Zone
1. On the Windows computer, open the Centrify DirectControl Administrator Console.
2. In the console tree, select Zones, and then select the Zone you want. For example,
open the default Zone.
3. Right-click the default Zone that you selected, and then click Delegate Zone Control.
4. At the Welcome page, click Next.
5. Click Add, and then use Find, with search criteria if necessary, to locate the user or group to which you want to delegate control.
6. Click OK. After you finish adding users and groups, click Next.
7. From the list, select the tasks you want to delegate to the user or group. For
example, if you want members of the selected group to be able to modify Zone
information, select the Modify Zone Information task.
8. Review your selections, and then click Finish.
Mapping Privileged Local UNIX Accounts to Active Directory Accounts
As mentioned earlier in the section, "Optionally mapping root and privileged UNIX
accounts to Active Directory Accounts," DirectControl includes support for mapping any
local UNIX account to an Active Directory account. Before you deploy DirectControl,
establish a policy for how your organization wants to handle certain local UNIX accounts,
such as the root account. In some cases, consider the use of Group Policy as a method
for applying a consistent policy of local account mapping across a large number of
computers.
For more information about how to map user accounts either individually or by using
Group Policy, see the Centrify DirectControl Administrator's Guide.
Choosing a Phased Deployment Option
A good approach for reaching the fully deployed End State is to roll out the deployment
in phases. Performing a phased deployment is recommended in organizations with large
numbers of UNIX computers or many different legacy directory systems. The
DirectControl Zones feature is particularly useful in helping organizations to
compartmentalize the project into manageable phases.
If your organization has multiple legacy directory systems, either central directories such
as NIS or local directories that use /etc/passwd, you might choose to use one Zone for
each directory that you move into Active Directory, dividing the migration project into
sub-projects based on the number of Zones. A good tactic is to start with a small Zone.
For example, you can use the following high-level set of steps to perform a phased
deployment. For detailed steps, see "Deploying the Solution" and "Stabilizing the
Deployment" later in this guide.
To deploy in phases one Zone at a time (synopsis)
1. Use the Centrify Administrator Console on a Windows computer to import a single
/etc/passwd file into a single Zone that has a small number of UNIX computers as
members.
2. Join the UNIX computers in that Zone to Active Directory.
3. Carefully monitor and resolve any issues that users or support staff experience.
4. After the first Zone is fully deployed and stabilized, update your deployment
documentation with information learned from the first deployment, and then deploy
the next largest Zone.
5. Continue deploying Zones one at a time until all legacy directory systems are
successfully migrated to Active Directory.
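The two decisions this chapter asks you to make before importing, a mapping policy for privileged local accounts such as root and a per-Zone import of one /etc/passwd file at a time, both benefit from an audit of the passwd files first. The following script is an added example, not part of this guide or of Centrify's tools; the hostnames and account entries are constructed sample data. It lists the UID 0 accounts that need an explicit Active Directory mapping and reports user names or UIDs that would collide between hosts placed in the same Zone.

```python
# Added example (not Centrify code): audit /etc/passwd files before importing
# them into a DirectControl Zone. Lists UID-0 accounts that need an explicit
# Active Directory mapping policy and finds name/UID collisions across hosts.
from collections import defaultdict

def parse_passwd(text):
    """Parse passwd(5) text into dicts; blank, comment and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            users.append({"name": name, "uid": int(uid), "gid": int(gid),
                          "home": home, "shell": shell})
        except ValueError:  # non-numeric uid/gid: skip the entry rather than guess
            continue
    return users

def privileged_accounts(users):
    """UID 0 accounts (root and any root-equivalent aliases) that need a mapping policy."""
    return sorted(u["name"] for u in users if u["uid"] == 0)

def zone_collisions(files):
    """files maps hostname -> passwd text for hosts that will share one Zone.
    Returns (names bound to different UIDs, non-zero UIDs bound to different names)."""
    name_to_uids, uid_to_names = defaultdict(set), defaultdict(set)
    for text in files.values():
        for u in parse_passwd(text):
            name_to_uids[u["name"]].add(u["uid"])
            uid_to_names[u["uid"]].add(u["name"])
    name_conflicts = {n: sorted(s) for n, s in name_to_uids.items() if len(s) > 1}
    uid_conflicts = {i: sorted(s) for i, s in uid_to_names.items() if len(s) > 1 and i != 0}
    return name_conflicts, uid_conflicts

# Constructed sample passwd data for two hosts that will join the same Zone.
HOST_A = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:root alias:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""
HOST_B = """root:x:0:0:root:/root:/bin/bash
alice:x:1005:1005:Alice:/home/alice:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
```

On the sample data, `privileged_accounts` flags the `toor` alias on the first host alongside `root`, and `zone_collisions` reports that `alice` has two different UIDs and that UID 1002 belongs to different users on the two hosts, both of which should be resolved before the files are imported into the same Zone.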