Case Study: Rationalising Microsoft Active Directory
The Client

Details supplied on request. The client employs 140 members of staff, 60 of them remotely. Based in Cardiff, it is independent of the National Assembly for Wales but is funded by it.

The Challenge

To avoid disruption to day-to-day business, Westgate IT had to manage and implement the project over 2 weekends. Following cut-over to the new security group architecture, the network had to be fully operational on the final Monday morning at 8am. A back-out plan had to be in place as well.

Business Solution

Westgate have done projects like this one many times before, so designing the solution presented few risks or challenges for us. The client made and promulgated the necessary policy changes across the organisation, including informing all staff and users. Without those policy changes, Westgate could not have made the changes to the Active Directory User Security Groups that were needed long term. The main elements of the project were as follows:

• As part of its Transformation Programme, the client put in place a new Information Governance Framework policy stating that ALL operational information is shared unless a strong justification exists why it cannot be.

• A new set of network permissions, based on a limited number (around 6 to start with) of Active Directory user groups, was agreed. These groups were designed to open up all data on the network in order to remove problems experienced by Westgate IT when managing the network, enable backup of folders, facilitate collaboration and cross-team working, enable SharePoint to be implemented smoothly and minimise any potential security risks.

• The new user groups were also to be totally transparent to Westgate IT, as legacy network folders had previously existed that could not be accessed easily, creating the risk that content might not be compliant with current security & acceptable use policies.
• Westgate’s technical evaluation concluded that the only feasible approach was not to try to amend network folder permissions one by one, but to remove ALL current network folder access controls in one go (by replacing them with one new group policy for ALL content on the main shared drive) and then implement a revised, minimised set of access controls based on sharing almost all content on the network, controlling access only where really necessary for a very small number of folders. This major change meant that ALL shared drive folders and data were visible to the ALL Users group (which included every staff member) unless an additional User Group, e.g. Finance/HR Team/Corporate Services/ICT Team, had been applied to that folder to restrict access to the individual files.

• The project was scheduled to take two weeks, with the actual work taking place on two successive weekends. Westgate IT used the first weekend to test the technical solution on a backup set of data, thus creating no operational risk for users (that the network might be down on the following Monday). On the second weekend we progressively removed the old permissions from the old folder, then configured the new user groups and applied them to all the data on the network shared drive. It was tested, and users then started using the network from 8am on the Monday. No major issues were experienced and the migration project to the new security groups was voted a success by all users.

Outcome

The project was a success, and all staff were provided with access to the information and documents on the network they needed. Compliance with information security policies also improved. Since the changes, Westgate have been able to manage the network more efficiently. Without the project, migration to SharePoint would have been impossible, as getting the right Active Directory security model and architecture is key to optimising SharePoint.
Established in 1996, Westgate IT has a large and diverse client portfolio, ranging from small local businesses to large government agencies and blue chip companies.