IBM Verify


Provisioning multiple Windows Servers and user accounts through ISIM

  • 1.  Provisioning multiple Windows Servers and user accounts through ISIM

    Posted Mon November 29, 2021 08:10 PM

    Hi

    I was wondering if any of you have come across or handled provisioning Windows Server local accounts using the ISIM Windows Local Account connector. My question is how one would handle provisioning accounts on Windows Servers, which usually keep growing in number.

    Spinning up a Windows server by the IT team is quite fast; in a few minutes to hours they complete setting up the servers, and they expect IDM to support user provisioning immediately. How can we use ISIM and its Windows connector service to start provisioning accounts into newly added Windows servers without needing too much change or configuration?

    Have you ever come across such a requirement? I would appreciate any ideas or pointers.



    #Support
    #SupportMigration
    #Verify


  • 2.  RE: Provisioning multiple Windows Servers and user accounts through ISIM

    Posted Tue November 30, 2021 08:44 AM

    I have done this as part of a larger PAM-like implementation based on ISIM. The key here is actually not the adapter, which is quite simple to handle; the larger amount of work is to build a "service lifecycle manager". In my case the customer was primarily using VMware for Wintel servers, so we built a vCenter interface that could get all servers and deliver these in the customer's CMDB interface format (the reason for this was the ability to expand later to non-virtual machines that are only stored there). From there we built, based on the ISIM Java API, the code to create services and reconciliation schedules.

    You do not have to install the adapter on each server. You CAN do that (and in certain situations that may be required due to the security setup), but as long as your adapter is running on a workstation that can reach the actual server (service attribute "workstation"), that is the simplest way. You must have a credential that works on the server to be able to manage it, and do not use a domain admin (that would be very, very dangerous). My take is to have individual local accounts with very long random passwords (64 chars or so) that are not known to any humans and never need to be changed...

    HTH

    regards

    Franz Wolfhagen





  • 3.  RE: Provisioning multiple Windows Servers and user accounts through ISIM

    Posted Tue November 30, 2021 10:18 AM

    I should add that managing thousands of servers is not a simple job and requires some deep thinking about infrastructure, scalability, security and operations, so the purely technical part of it is probably the less complex part. Making it work in a stable way is pushing the boundaries of ISIM and your processes. One thing is to have these many, many services up and running with reconciliation spread over the 24 hours of a working day; another problem is how to manage users on the servers. There are built-in accounts, service accounts and real user accounts, and you may actually want to use (domain) groups to manage access on the servers, which adds another complexity on top of it.

    My advice, if you go down that route, is to get somebody who knows ISIM deeply and knows the ins and outs of Identity Management/IGA to help you out. There are a lot of non-technical things to consider in such a design....

    Regards

    Franz Wolfhagen



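The following is an added example and is not code from the thread, from Franz, or from IBM. It sketches the "service lifecycle manager" logic described in reply 2 together with the reconciliation spreading mentioned in reply 3: a CMDB-style inventory dump is diffed against the ISIM service names that already exist, each new server gets a plan with a dedicated local adapter account and a 64-character CSPRNG password that no human ever sees, and each server's daily reconciliation start time is derived from a hash of its hostname so thousands of services spread evenly over 24 hours without manual scheduling. The inventory records, the `WinLocal-` service prefix, the `svc-isim-adapter` account name and the `isim-adapter-01` workstation are all constructed assumptions for the example; the actual calls into the ISIM Java API to create the service and schedule are outside this script.

```python
"""Service lifecycle plan for ISIM Windows Local Account services.

Added example, not part of the original thread. Diffs a CMDB-style
inventory against existing ISIM services, generates a per-server
adapter credential, and assigns each server a reconciliation slot.
"""
import hashlib
import secrets
import string
from dataclasses import dataclass

# Hypothetical naming conventions chosen for this example; ISIM imposes none.
SERVICE_PREFIX = "WinLocal-"
ADMIN_ACCOUNT = "svc-isim-adapter"   # dedicated local account, never a domain admin
PASSWORD_LENGTH = 64
SLOT_MINUTES = 15                    # 96 possible daily reconciliation start times
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


@dataclass(frozen=True)
class ServicePlan:
    hostname: str
    service_name: str
    workstation: str     # host running the adapter that reaches this server
    admin_account: str   # local account the adapter authenticates as
    password: str        # generated here and handed straight to the service definition
    recon_start: str     # "HH:MM" daily reconciliation start


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """CSPRNG password containing every character class, so no local
    password policy on the target rejects it. Nobody needs to type it."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def recon_start(hostname: str, slot_minutes: int = SLOT_MINUTES) -> str:
    """Deterministic slot from a hash of the hostname: the same server always
    reconciles at the same time, and a large fleet spreads evenly over 24h."""
    slots = 24 * 60 // slot_minutes
    digest = hashlib.sha256(hostname.lower().encode()).digest()
    minutes = (int.from_bytes(digest[:4], "big") % slots) * slot_minutes
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def windows_hosts(inventory: list) -> set:
    """Keep only powered-on Windows guests from a CMDB-style inventory dump."""
    return {
        rec["name"].lower()
        for rec in inventory
        if rec.get("powerState") == "poweredOn"
        and "windows" in rec.get("guestOs", "").lower()
    }


def plan_changes(inventory: list, existing_services: set, workstation: str):
    """Return (services to create, service names to retire) by diffing the
    inventory against the ISIM services that already exist."""
    wanted = {SERVICE_PREFIX + h: h for h in windows_hosts(inventory)}
    to_create = [
        ServicePlan(hostname=h, service_name=name, workstation=workstation,
                    admin_account=ADMIN_ACCOUNT, password=generate_password(),
                    recon_start=recon_start(h))
        for name, h in sorted(wanted.items()) if name not in existing_services
    ]
    # Only retire services this manager owns (matching prefix), never others.
    to_retire = sorted(s for s in existing_services
                       if s.startswith(SERVICE_PREFIX) and s not in wanted)
    return to_create, to_retire


# Constructed sample data, not a real vCenter or ISIM export.
SAMPLE_INVENTORY = [
    {"name": "WIN-APP-01", "guestOs": "Microsoft Windows Server 2019", "powerState": "poweredOn"},
    {"name": "WIN-APP-02", "guestOs": "Microsoft Windows Server 2019", "powerState": "poweredOn"},
    {"name": "WIN-DB-07", "guestOs": "Microsoft Windows Server 2022", "powerState": "poweredOff"},
    {"name": "LNX-WEB-03", "guestOs": "Red Hat Enterprise Linux 8", "powerState": "poweredOn"},
]
EXISTING_SERVICES = {"WinLocal-win-app-01", "WinLocal-win-old-09", "AD-corp"}

if __name__ == "__main__":
    creates, retires = plan_changes(SAMPLE_INVENTORY, EXISTING_SERVICES, "isim-adapter-01")
    for p in creates:
        print(f"create {p.service_name}: workstation={p.workstation} "
              f"account={p.admin_account} recon={p.recon_start} pwlen={len(p.password)}")
    for s in retires:
        print(f"retire {s}")
```

On the sample data the plan creates one service for WIN-APP-02 (WIN-APP-01 already exists, WIN-DB-07 is powered off, LNX-WEB-03 is not Windows) and retires WinLocal-win-old-09; AD-corp is left alone because it does not carry the manager's prefix. The generated password is meant to be written once into the ISIM service definition and the corresponding local account on the server, and never displayed to a person.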