The many reasons for joining the UIUC AD fall into four basic categories:
1) Simplifying IT Management,
2) Improving User Access to Computing Resources,
3) Strengthening Computer Security, and
4) Lowering Computing Costs.
1. Simplify IT management
Minimize system administration tasks:
A centralized structure run by experienced Windows Server administrators will reduce the routine administrative tasks required of an NT administrator.
Simple resource sharing:
Participants in the UIUC AD have a single, consistent point of management for user accounts, applications, and devices, simplifying access control for all users and machines in your department. Sharing a resource becomes as simple as setting an Access Control List (ACL).
Automated account management:
University faculty, staff, and students automatically have AD accounts, so there's no need to create new accounts and passwords. The AD user name is identical to each individual's UIUC NetID. Users logging on from Windows XP Professional computers can use their AD user name and password, or the UIUC NetID and password they have been using to log in to services such as NESSIE.
User password control:
If an AD account password is forgotten or the account becomes locked, users need to know only their NetID and NetID password.
2. Improve user access to computing resources
Extended interoperability of the Windows Network Operating System:
Users can find computers, file servers, applications, and printers in their buildings and across campus simply by searching the AD.
Location-independent access to desktop files:
Users can access their own or their group's files from any machine on the AD network.
Single sign-on:
CITES handles synchronization between Kerberos V5 account information and UIUC Active Directory accounts. This will potentially allow single sign-on: users log on only once to access resources in both the UIUCnet environment and in UIUC Active Directory domains, so students, faculty, and staff will have fewer accounts and passwords. Achieving this same synchronization may not be possible with domains outside of the UIUC AD.
3. Strengthen security
Secure environment:
CITES provides a high-availability environment for its servers, with UPS, RAID storage, climate control, and multiple locations. This environment is monitored 24 hours a day, ensuring that domain controllers in the UIUC AD are always available. CITES also provides a physically secure environment for domain controllers, relieving administrators of the responsibility to conduct security audits in this area.
Departmental control:
Compared with Windows NT domains, Active Directory has a more hierarchical security model with delegation of authority, which eliminates the possibility of enterprise administrators violating the integrity of your systems. In other words, adding your computers to the UIUC AD will not give CITES administrators access to sensitive departmental information without permission.
OU-level policies:
With AD, a department can maintain complete control and security over its computing services using Group Policy Access Control Lists (ACLs). AD's flexible management features strengthen security by facilitating policy control throughout your security groups. Inheritance, for example, allows department admins to set OU-level policies and security, which are then inherited by sub-OUs and by objects within the sub-OUs.
Kerberos-based authentication:
Authentication in AD integrates with the Kerberos security model.
4. Lower computing costs
Efficient administration:
With AD, your department can reduce the time needed for routine account administration. AD also enables network and system administrators to distribute software to individual machines for installation and configuration.
Fewer network servers needed:
Since CITES gives departmental system administrators full control of all objects within their OU, it is no longer necessary for departments to maintain their own Windows NT Domain Controllers (the security safeguard that gives users certain rights and privileges on the network).
Easy migration:
With Microsoft's phase-out of Windows NT support imminent, departments need to move off Windows NT networks. Active Directory is the most direct way to move from a Windows NT network to Windows Server 2003, allowing you to eliminate your Windows NT domain and retire your Windows NT server machines.