Access control in a Microsoft-centric environment presents special challenges. While identity and authentication are highly centralized, authorization is widely distributed and implemented differently for each type of resource. For example, you may have very advanced identity management and centralized authentication through Active Directory (AD), and you can base an employee's access to a wide variety of resources across the network on a single user account in AD. However, the user's permissions to those resources are scattered throughout the network and are stored and managed locally with each resource.
Therefore, in a Microsoft-centric environment, it is very easy to locate users and update their identity information or account status, but assessing and controlling which resources a user is permitted to access is complex and error-prone.
This tech brief presents eight recommendations to help you proactively address the difficulties of access control in a Microsoft-centric environment and avoid the common pitfalls, risks and costs.