WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
Administering DirectControl Zones
As mentioned earlier, you can use DirectControl Zones to compartmentalize groups of
users or computers into logical units. For example:
• Group users based on a legacy directory service: for example, place all previous
  members of the NIS domain HRdomain into a Zone called HRzone.
• Group users based on roles: for example, place all finance users and computers
  into a Zone called finance.
• Group together a logically related set of users and computers: for example, place all
  UNIX users and computers in Europe into a Zone called Europe.
Zones can be a powerful new addition to your operational toolset. Eventually, however,
you might want to reduce the number of Zones into a system that is more aligned with
current day-to-day use rather than using an organizational method that is based on
accommodating legacy systems.
For example, you might initially want to set up Zones oriented around accommodating
numerous UNIX directory systems that were imported into Active Directory (for example,
one Zone for NIS directory A, one Zone for NIS directory B, and one Zone for OpenLDAP
directory C). However, after those directory systems are no longer relevant to your
organization, you might choose to transition to new Zones that are based on current
organizational characteristics, for example, by function or by region.
Because a user can be a member of multiple Zones, you can add users to a newly
defined Zone (even a Zone with no computer members) at any time. Gradually, you can
move the UNIX computers from membership in a legacy directory Zone into a Zone set
up around current organizational characteristics. However, in order to do this
successfully, you must carefully check the impact of each user's UNIX attributes in the new
Zone to make sure that settings such as UIDs do not conflict with what the operating
system and applications on that computer expect in the Zone.
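The UID check described above, written out as an added example (this is not Centrify code, and the per-Zone profile format and the sample entries are constructed assumptions): it compares a computer's users as defined in the legacy Zone and in the new Zone, plus the computer's local accounts, and reports any identity or ownership conflicts before the computer is moved.

```python
# Added example (not Centrify code): check whether a computer can move from a
# legacy Zone to a new Zone without UID/GID conflicts for its users.
# Input format is an assumption: per-Zone dictionaries of username -> (uid, gid),
# as you might export from each Zone's UNIX profiles. All sample data is constructed.
from collections import defaultdict

LEGACY_ZONE = {  # constructed: UNIX profiles in the legacy NIS-derived Zone
    "alice": (1001, 100),
    "bob": (1002, 100),
    "carol": (1003, 200),
}
NEW_ZONE = {  # constructed: UNIX profiles in the new region/function Zone
    "alice": (1001, 100),   # unchanged
    "bob": (2002, 100),     # UID differs: files owned by 1002 would be orphaned
    "dave": (1003, 200),    # UID 1003 was carol's in the legacy Zone
}
LOCAL_PASSWD = {"root": 0, "svcbackup": 1001}  # constructed /etc/passwd UIDs

def find_conflicts(legacy, new, local):
    """Return a list of conflict descriptions; an empty list means the move is safe."""
    problems = []
    # 1. A user present in both Zones must keep the same UID/GID, otherwise
    #    ownership of existing files on the migrated computer no longer maps to them.
    for user, (uid, gid) in legacy.items():
        if user in new and new[user] != (uid, gid):
            problems.append(f"{user}: uid/gid changes {uid}/{gid} -> {new[user][0]}/{new[user][1]}")
    # 2. A UID the legacy Zone gave to one user must not be reused for a different user.
    legacy_by_uid = {uid: user for user, (uid, _) in legacy.items()}
    for user, (uid, _) in new.items():
        owner = legacy_by_uid.get(uid)
        if owner is not None and owner != user:
            problems.append(f"{user}: uid {uid} already belonged to {owner} in the legacy Zone")
    # 3. Zone UIDs must not collide with local accounts on the computer.
    local_by_uid = {uid: name for name, uid in local.items()}
    for user, (uid, _) in new.items():
        if uid in local_by_uid and local_by_uid[uid] != user:
            problems.append(f"{user}: uid {uid} collides with local account {local_by_uid[uid]}")
    # 4. Duplicate UIDs within the new Zone itself.
    dup = defaultdict(list)
    for user, (uid, _) in new.items():
        dup[uid].append(user)
    for uid, users in dup.items():
        if len(users) > 1:
            problems.append(f"uid {uid} assigned to multiple users in the new Zone: {users}")
    return problems

if __name__ == "__main__":
    for p in find_conflicts(LEGACY_ZONE, NEW_ZONE, LOCAL_PASSWD):
        print("CONFLICT:", p)
```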
You can find additional information about managing Zones in the "Managing Zones"
section of the Centrify DirectControl Administrator's Guide. You can find additional
information about Zone migration strategies in the white paper "Centrify's Solution for
Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and
Zone Technology to Simplify Migration."
Because Zones are transparent to the UNIX user, it might make sense for you to use
Zones as a way of compartmentalizing administration as opposed to using Zones for
organizational groups. For example, you might want to put all Red Hat Linux computers
in one Zone and all Solaris computers in a different Zone because different operators
might be administering these two groups of computers. In addition, with the new
capability provided by DirectControl Group Policy, some policies might be applicable to
one Zone (for example, enforced SELinux settings in a Red Hat Enterprise Linux 4 Zone)
but not applicable to another Zone.
Security administration is crucial for any organization. Establish controls to ensure that
operators are granted rights for administering the computers and attributes that are
required as part of their job but are locked out from accessing or changing computer
settings outside their areas of responsibility. Active Directory fully supports delegated
administration and the compartmentalization of systems and users within an organization.
You can set up these divisions as separate OUs or as separate domains within the Active
Directory forest, and then specify permissions for different types of tasks within each
The DirectControl solution expands the delegation concept by letting you assign the
administration of each UNIX Zone to the appropriate operators and administrators on a