This article is more than 1 year old
There's more to life than Windows
But you still have to bring your other-OS kit into the fold
When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops. And that's fine: it probably serves 90 per cent of the kit you have and is a secure, easy-to-use way of authenticating user logins.
But it's very unusual to have a world that is entirely centred around Windows. That's not a bad thing – there's more than one operating system in the world because no single OS can do absolutely everything. The problem is, these non-Windows systems are often also-rans when it comes to proper integration with the core systems; and this brings a few problems.
The first of these is management of the user database. A single user database is a good thing, because it's trivial to manage new users and, more importantly, people who leave the company. Disable someone's Active Directory account and if everything authenticates against that account, you've instantly disabled their entire access to the company systems.
If you start putting other devices into the network which don't use AD, you have several user databases to manage – and before too long you end up with a sprawling process for leavers and user deletions start getting forgotten.
Over and above authentication
There's another problem: AD does more than just authenticate users. It defines what groups they're in (which, really, is just another aspect of authentication), but more importantly, it does all that good stuff like applying policies to the users and the devices that are connected to it.
You'll generally have policies applied to your Windows machines (even if it's only basic stuff like defining default printers, or disabling the "Shut Down" menu option on servers to stop numpties like me inadvertently hitting it when I really mean to log out).
Application level centralization
One of the refreshing aspects of heterogeneous setups is that even if your authentication system is a bit single-platform, a lot of your applications will be platform-agnostic.
The most important example that springs to mind is your corporate anti-malware system: regardless of the smattering of different platforms you have to hand, the decent ones let you manage Linux, Windows and MacOS machines through a single central orchestration server. So even if your user database isn't centralised, this doesn't prevent you from centrally managing some of your core functions.
Surprising enterprise functionality
Smartphones and tablets are cool toys and you can do funky things with them. What many people don't realise is that the operating systems of mobile devices are actually loaded with enterprise-grade functionality that makes them surprisingly easy to control and integrate with corporate systems. Although they feel like consumer devices, and after all, that's how they're marketed, the authors of iOS and Android realise that the corporate market is also vast and have built in concepts such as profiles, secure application distribution, remote wipe and the like as a standard part of the platform. (And of course, if anyone used Windows Phone they'd be able to integrate it natively with AD as it's just another Windows device.)
Supported at last
There was a time when I had considerably more hair, and some of it was a kind of non-grey colour. Back in those days I remember trying to integrate a fleet of Linux kit into an Active Directory setup – not to mention a very early G5-based Apple server that one of my clients had bought.
The word "difficult" didn't even come close (particularly with the Apple box – in those days OS X Server didn't even have a static MAC-to-IP option in the GUI, so the chances of using hard stuff like AD were limited). Happily those days are gone; not only is AD support inherently easy to use in both Linux and MacOS, but there are loads of white papers and walkthroughs available from the writers of both that guide you through the best-practice approaches of working with it.
Oh, and don't forget ...
... that there's more to life than computers. If you're more than a tiny company you probably have some network infrastructure to manage – firewalls, routers, LAN switches, wireless access points, and the like. Why would you have centralised authentication on your computers and mobile devices and then a load of distributed user databases on your LAN kit?
If you're running network kit that's more than just crappy cheap consumer stuff, the chances are it supports TACACS+ (the common mechanism for remote authentication of management interfaces on network devices) – and quelle surprise, now we're in 2016 it's pretty straightforward to interface TACACS+ into an AD world too.
So think about it
I'm not going to tell you how to do all of the above: what's important is that you consider it properly. Whatever you're going to connect to your network (and, for that matter, whatever you integrate with it, particularly cloud apps), consider how people authenticate to it and how it authenticates to your network. Minimise the number of user databases by exploiting the fact that we're now out of the technological dark ages and it's surprisingly easy to do secure, centralised security for the vast majority of devices from the network hardware right up to the mobile applications. ®