
My company has numerous remote servers which we manage. These servers are all Windows Servers and are spread out across different hosting companies / data-centres. Their purpose is IIS Web hosting, SQL Server, Cache servers, File servers.

Currently we have a single user account per server that all staff use to log in when needing to perform management on that box. (Far from secure or ideal)

I would like each user to have his own credentials and possibly be able to centrally manage these user accounts.

Since these Servers are not on the same network - What is the best way to manage this?

a) Create a user account for each user separately on each box? This will mean duplicating user accounts onto each box and having to manually revoke access individually on each box when needed.

b) Use Active Directory - All servers connected remotely to a central Active Directory (Possibly installed on a server in a data-centre to ensure high availability)? What are the implications of this when all Servers are remote, in different data centres and not on the same network?

c) Came across Azure Active Directory - not sure if this will work?

2 Answers

0

You could manage several local user accounts at the same time through PowerShell, with a few useful scripts.

You can find inspiration in the two articles below.

https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx?m=1

https://mcpmag.com/articles/2015/05/07/local-user-accounts-with-powershell.aspx?m=1
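As an added example of what such a script could look like (this is not code from the answer above or from the linked mcpmag articles), the following provisions, audits and revokes a per-person local administrator account on a list of standalone servers from one management host. It assumes PowerShell Remoting (WinRM) is reachable on each server over HTTPS, that the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 / WMF 5.1 and later) is present on the targets, and the server names are placeholders.

```powershell
# Added example, not from the original answer. Assumptions: WinRM over HTTPS is
# reachable on every server, the LocalAccounts module exists on the targets, and
# the hostnames below are placeholders for the real fleet.
$Servers    = @('web01.example.com', 'sql01.example.com', 'cache01.example.com')
$Credential = Get-Credential -Message 'Existing admin credential on the remote servers'

function New-PerUserAdmin {
    # Creates (if missing) a named local account for one person on every server
    # and adds it to the local Administrators group.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    Invoke-Command -ComputerName $Servers -Credential $Credential -UseSSL -ScriptBlock {
        param($u, $p)
        if (-not (Get-LocalUser -Name $u -ErrorAction SilentlyContinue)) {
            New-LocalUser -Name $u -Password $p -AccountNeverExpires | Out-Null
        }
        Add-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction SilentlyContinue
        [pscustomobject]@{ Server = $env:COMPUTERNAME; User = $u; Status = 'present' }
    } -ArgumentList $UserName, $Password
}

function Revoke-PerUserAdmin {
    # Disables the account and removes it from Administrators on every server.
    # Disabling rather than deleting keeps the SID, so event logs stay attributable.
    param([Parameter(Mandatory)][string]$UserName)
    Invoke-Command -ComputerName $Servers -Credential $Credential -UseSSL -ScriptBlock {
        param($u)
        $acct = Get-LocalUser -Name $u -ErrorAction SilentlyContinue
        if ($acct) {
            Disable-LocalUser -Name $u
            Remove-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            User   = $u
            Status = $(if ($acct) { 'disabled' } else { 'absent' })
        }
    } -ArgumentList $UserName
}

function Get-AdminReport {
    # Lists every member of local Administrators on every server, so a stale or
    # unexpected account shows up in one table instead of needing a login per box.
    Invoke-Command -ComputerName $Servers -Credential $Credential -UseSSL -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}

# Usage:
# New-PerUserAdmin -UserName 'jsmith' -Password (Read-Host -AsSecureString 'Initial password')
# Get-AdminReport | Format-Table -AutoSize
# Revoke-PerUserAdmin -UserName 'jsmith'
```

Running the report regularly is the part that addresses the "manually revoke access on each box" concern in the question: it makes a forgotten account on one server visible, and the revoke function handles all servers in one pass.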

-1

As you may have figured out already, your solution passes ideally through Active Directory. Your servers should be included in domains managed by local Active Directory Domain Controllers. You may organize them in domains separated per site, if your sites are isolated or distant from each other.

Now, the topology risks being complicated. This is the reason I am thinking of an interesting solution for you: Azure Active Directory with password writeback. What does that mean?

  • Azure Active Directory, you already know it
  • AAD Connect with Password Writeback lets you synchronize identities from your local AD to AAD and at the same time lets you synchronize back the password once you have changed it in AAD
  • Finally, as topology, you will have different corresponding domains (with AD DCs installed on your different sites); no need to connect them with each other, they only need to connect to the cloud (AAD). Note that you may need to have more than one AAD tenant; but there will be no problem to create and manage as many tenants as you want. Just be sure the company doesn't have compliance restrictions regarding passwords in the cloud.

Hope it answers your problems.

  • Azure AD won't help in the way you describe, the remote windows servers are in workgroups, Azure AD Connect won't be able to sync accounts from these servers to Azure AD, even if it could it wouldn't help. A solution is needed that makes it easier to use a single account to authenticate against each server. – Michael Brown May 20 '16 at 19:48
  • OK I will explain a bit better what I meant. – LeCampusAzure May 22 '16 at 12:05
  • This will mean installing Active Directory on each Server. These Servers are stand alone located in different data centers and meant as Web/SQL Servers. It is also best practice not to install AD on a Web Server or SQL Server machine. – Mohamed Cassim May 23 '16 at 09:39
  • No, it just means to include these machines in domains (and have an AD domain controller on the site in that case). So apart from adding domain controllers to sites, the main impact is moving your servers from workgroups to domains. – LeCampusAzure May 23 '16 at 12:53