Create Managed Units and link Access Templates to Managed Unit by script or PowerShell

Hello,

I have a very large client with a very flat AD structure, would it be possible to script the creation of Managed Units and link Access templates to the Managed Units?

Also is there any recommendations about the number of managed units to have?

Due to the flat AD structure and 200,000+ users and groups we need a method to create around 5000+ managed units, one for each site.

  • 200K+ users in flat AD OU tree. Makes sense and today is a valid scenario.

    #1. ARS is designed to *virtualize* AD Management Workflow:

    • segregate ad objects/users in virtual OUs ‘MU’ based on any LDAP query
    • apply management workflow (virtual granular permissions (Roles) and Policies/scripts)
    • Virtual Attribute (VA) feature helps to *virtualize* AD schema extension to mark and segregate AD users (say VA_LineOfBusiness) and create MU=LDAP query(VA_LineOfBusiness = “Finance”) without direct impact/update native AD attributes.

    Change Control. That makes major reason for ARS to exist: to be able to land *virtually* on any “rocky” ground and “flatten” it up for AD management workflow to “skate” on it without changing OU structure, ACL OUs and other Change Controls against AD. Instead, all Change Controls are evoked on *virtual* AD management layer which helps to leverage risks both ‘technical’ and ‘political’ nature in timely manner and provides room to “breath” for “smooth transition” to a better, healthy and transparent AD state.

    #2. To create 5K+ MUs, group 200K+ users in MUs, assign workflow to MUs (permissions and policies) – for such a large project you will probably need to involve PSO to discuss the smooth transition ‘strategy’ and script it ‘technically’.

    Risk. If the input AD data is ‘garbage’: you will get ‘garbage’ MUs and workflow ‘out’. That is the major reason for PSO to discuss and design in “ARS language” the transition to ‘straighten and transparent’ up your big AD via “ARS path”.

    Here HR comes into play: most probably, you will need to have HR data to be synced to AD via ARS/AD Management Workflow. ARS Sync Service allows to sync \\SHARE\HR.CSV dump into AD users.

  • Hi,

    We found out that there might be some performance issues with a large amount of MUs in ARS 7.1 and 7.2.

    To automate the creation of MUs, look here:

    https://www.quest.com/community/one-identity/active-roles/product-knowledge/w/wiki/111/building-a-managed-unit-dynamically

    New-QARSAccessTemplateLink will create the link with Trustee and Access Template on the MUs.

    BEN
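    As an added example (not from the thread or from Quest), the per-site loop the original question asks for, using the ActiveRoles Management Shell: it creates one Managed Unit per site and links one Access Template to it with a per-site trustee group, re-runnable without stacking duplicate links. The container, template and group DNs are assumed placeholders, and the membership rule (one LDAP query per site) is added separately as the linked wiki article shows.

    ```powershell
    # Added example, not code from the thread. Assumes the ActiveRoles Management Shell
    # module is loaded and the caller may create objects under the Managed Units container.
    # edsManagedUnit is the MU object class as listed in the ARS SDK; verify it against
    # your Configuration container before running this at scale.
    Connect-QADService -Proxy | Out-Null   # bind to the ARS Administration Service

    $muContainer    = 'CN=Managed Units,CN=Configuration'                       # assumed
    $accessTemplate = 'CN=Site Helpdesk,CN=Access Templates,CN=Configuration'   # assumed AT

    # Constructed sample input: one row per site; trustee = that site's helpdesk group,
    # so each group only ever receives rights over its own MU (least privilege).
    $sites = @(
        [pscustomobject]@{ Site = 'LON01'; Trustee = 'CN=HD-LON01,OU=Groups,DC=corp,DC=example' }
        [pscustomobject]@{ Site = 'NYC02'; Trustee = 'CN=HD-NYC02,OU=Groups,DC=corp,DC=example' }
    )

    function Ensure-SiteManagedUnit {
        param([string]$Site, [string]$Trustee, [switch]$DryRun)

        $name = "MU-$Site"
        $muDn = "CN=$name,$muContainer"

        # Idempotent: reuse an existing MU instead of creating a duplicate.
        $mu = Get-QADObject -Identity $muDn -Proxy -ErrorAction SilentlyContinue
        if (-not $mu) {
            if ($DryRun) { Write-Host "[dry-run] would create $muDn"; return }
            $mu = New-QADObject -ParentContainer $muContainer -Type 'edsManagedUnit' -Name $name -Proxy
        }

        # Membership rule for the site (LDAP query on the site attribute) is applied in a
        # separate step, as in the wiki article linked above.

        # Skip the link if this trustee/template pair is already applied to the MU
        # (filter parameters on Get-QARSAccessTemplateLink are assumed to behave this way).
        $existing = Get-QARSAccessTemplateLink -DirectoryObject $muDn -Trustee $Trustee `
                        -AccessTemplate $accessTemplate -Proxy -ErrorAction SilentlyContinue
        if ($existing) { Write-Host "link already present on $name"; return }

        if ($DryRun) { Write-Host "[dry-run] would link $Trustee -> $name"; return }
        New-QARSAccessTemplateLink -DirectoryObject $muDn -AccessTemplate $accessTemplate `
                                   -Trustee $Trustee -Proxy | Out-Null
        Write-Host "linked $Trustee to $name"
    }

    # Dry-run first to review the plan, then run for real.
    foreach ($s in $sites) { Ensure-SiteManagedUnit -Site $s.Site -Trustee $s.Trustee -DryRun }
    foreach ($s in $sites) { Ensure-SiteManagedUnit -Site $s.Site -Trustee $s.Trustee }
    ```

    Replace the constructed `$sites` array with an import of the real site list (for example `Import-Csv`) and batch the run, since the reply above notes performance issues with very large MU counts on ARS 7.1 and 7.2.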