Defending my thoughts on Active Directory

James McGovern was kind enough to take the time to respond to my post on “the evils of Active Directory”. I’ve managed to get this post in front of a few other people including members from the Active Directory team at Microsoft and I think that for the most part people have become quite defensive about it.

I think that perhaps I need to do a better job of explaining my perspective, and in doing so you’ll see that I’m not necessarily anti-AD, but more anti-“Corporation as Identity Silo”.

Active Directory and similar directories are an attempt to model how people and organisations represent their identities to each other. Given the dominance of computing in the enterprise space it is natural then for the various directories to represent “the company” as the central resource and “the employee/user” as leaf nodes hanging off it.

This made sense especially at a time when “the company” was the centre of everyone’s technological universe.

My argument is that over the past decade that center has started to move away from “the company” and towards “the individual”.

Interestingly I think that many in the IT profession will be the last to see this happening because as power users we have enjoyed quite a bit of freedom inside the enterprise to use technology how we see fit, and so the systems have “been made in our image” you could say.

So what does this have to do with identity management? Well – as an empowered user I am likely to start to rely on services outside the enterprise to do my job. This is not a trend we can stop, we just have to accept it and our definition of identity and who controls it will need to change.

This is where federated identity comes into the picture: it basically allows two or more identity stores to agree to exchange identity information in order to authenticate users. There are lots of different federated identity systems out there.

The theory is that in this brave new world federated identity will enable organisations to extend their control of their users’ identities into the cloud. However my theory is that users will reject this because it is less empowering and, quite frankly, the federated identity solutions won’t be able to keep up with the plethora of new online products and services which users will be working with.

Technologies like Live ID and Open ID have more chance of succeeding because they work outside the enterprise but we will end up with at least a partially fragmented identity system where users maintain their identities in two systems.

CardSpace and similar technologies are much more interesting because they offer the ability for users to manage their own identities and present them to the relying party. It is user controlled and empowering, even if from a geek’s perspective the identity stores are distributed and controlled by others outside “the company”.
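To make the two ideas above concrete (an identity store vouching for a user to an application outside the company, and the user choosing which claims to present to that relying party), here is an added Python model. It is not code from the original post nor from Active Directory, CardSpace, Live ID or OpenID; it assumes a federation agreement expressed as a shared HMAC key per trusted issuer, whereas real systems such as SAML or WS-Federation use public-key signatures and XML tokens. The issuer names, hostnames, key and directory record are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample directory standing in for the company's identity store.
# Every name, address and value here is an illustrative placeholder.
COMPANY_DIRECTORY = {
    "alice": {"name": "Alice Example", "email": "alice@example.test",
              "role": "Contributor", "employee_id": "E-0042"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """One identity store (here, the company directory) that vouches for claims."""

    def __init__(self, issuer: str, key: bytes, directory: dict):
        self.issuer = issuer
        self.key = key  # federation secret shared with the relying parties that trust us
        self.directory = directory

    def issue(self, subject: str, audience: str, release: list, ttl: int = 300) -> str:
        # The user chooses which attributes are released to this relying party;
        # the issuer only vouches for attributes it actually holds for them.
        record = self.directory[subject]
        claims = {name: record[name] for name in release if name in record}
        payload = {"iss": self.issuer, "sub": subject,
                   "aud": audience,                 # who the token is meant for
                   "exp": int(time.time()) + ttl,   # short lifetime limits replay
                   "claims": claims}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        signature = hmac.new(self.key, body, hashlib.sha256).digest()
        return f"{b64url_encode(body)}.{b64url_encode(signature)}"


class RelyingParty:
    """An application that accepts claims only from issuers it has a trust agreement with."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self.trusted_issuers = trusted_issuers  # issuer name -> shared key

    def verify(self, token: str, now=None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, signature = b64url_decode(body_b64), b64url_decode(sig_b64)
            payload = json.loads(body)
        except (ValueError, TypeError):
            raise ValueError("malformed token")
        if not isinstance(payload, dict):
            raise ValueError("malformed token")
        key = self.trusted_issuers.get(payload.get("iss"))
        if key is None:
            raise ValueError("issuer not trusted")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            raise ValueError("bad signature")
        if payload.get("aud") != self.audience:
            raise ValueError("token not intended for this relying party")
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            raise ValueError("token expired")
        return payload


def forge_claim(token: str, name: str, value) -> str:
    """Rewrite one claim in the body but keep the old signature, to show that the
    relying party's safety rests on the integrity check, not on who sent the token."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(body_b64))
    payload["claims"][name] = value
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return f"{b64url_encode(body)}.{sig_b64}"


def outcome(rp: RelyingParty, token: str, now=None) -> str:
    """Return 'accepted' or the rejection reason, i.e. what the relying party logs."""
    try:
        rp.verify(token, now)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"constructed-federation-secret"
    idp = IdentityProvider("https://idp.example.test", key, COMPANY_DIRECTORY)
    app = RelyingParty("https://saas.example.test", {"https://idp.example.test": key})
    token = idp.issue("alice", "https://saas.example.test", ["name", "role"])
    print(outcome(app, token), app.verify(token)["claims"])
    print(outcome(app, forge_claim(token, "role", "Owner")))
```

The relying party never reads the company directory; it only holds a trust entry per issuer and checks issuer, signature, audience and expiry in that order, so a token minted by an issuer with no agreement, a token meant for a different application, or a claim edited after signing is refused with a reason worth logging. The `release` list is the user-controlled part: attributes that were never released (here `email` and `employee_id`) do not travel outside the company at all.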

So – my closing argument is that “identity” will not be owned by “the company” in the long run. Control of a user’s identity will pass to the user, and the user will present that identity to applications that empower them.

This isn’t about defending an existing market player’s turf; this is about acknowledging a move in the centre of the identity universe.


6 thoughts on “Defending my thoughts on Active Directory”

  1. Angus McDonald


    You’ve made some good points. The pointy end is when the organisation wishes to control how people associate themselves with the company (e.g. I can’t just make myself Elcom’s CEO in AD, but in Live ID/Open ID I could claim that).

    What we need is a way where organisations (i.e. sys admins) control what relationships you can claim with them (including being able to repudiate such relationships) and people can exercise their identity as a member of that organisation beyond the corporate firewall …

    The problem in Microsoft of course is that it is not one body of people, but many large and small teams in a federation together … so a good idea in one area won’t necessarily get adopted elsewhere unless Pirate Captain Ballmer puts his foot down about it.

  2. Jonas Follesø


    Couldn’t agree more. At the moment I depend more on external systems like Twitter, Google Reader, LinkedIn, Facebook and my personal e-mail to do my job, than the internal systems provided by my employer.

    The internal systems are old (Outlook Web Access 2003), slow, rigid security (two phase authentication) and a general pain in the butt. I keep all my e-mail lists and software development related discussions on my own e-mail address, hosted by Google Apps, which gives me a GREAT online e-mail client accessible whenever I work out at a client.

    To do my job as a developer I depend on my network, either through Twitter, LinkedIn, Facebook or Messenger, and none of these identities are controlled or supported by the enterprise.

  3. Mitch Denny Post author

    Hi Angus,

    Yep. I guess this is where claims really come in – however, truth be told a claim of “I’m the CEO” isn’t that realistic in most scenarios. For example, a lot of Microsoft systems these days are getting by with the following resource access roles:


    Examples are SharePoint, TFS, Reporting Services – even the ACLs in Windows 2008 have been simplified to this level unless you really go digging. In a more user empowered world, how these rights are dished out will be more controlled by who created the resource in the first place.

    For example, if I create a SharePoint site, then me as a user (not an administrator) gets to control the access rights to that resource. In fact the access control mechanism is designed to e-mail me when someone wants access effectively distributing the system administration burden to someone better qualified (the user) to make an access control decision.

    So I think that whilst there will be resistance from internal IT organisations, reality will win and users will control their identity. It’s just that not everyone gets it just yet 🙂

  4. James

    Do you think OpenID will succeed if the ecosystem hasn’t figured out how to make money off it? Do you think that Microsoft and others aren’t also participating in OpenID and therefore will transform OpenID into something more palatable by those with money?

  5. Wile1one

    I guess Mitch you are hitting comments which tend to fit into a stereotyped political scale of left and right wing… you are never going to remove politics from organisations…

    My point is this… every organisation has operational policies within which individuals operate. AD does not discriminate between individuals… What I’m wondering is whether there are some applications within which AD is policy friendly, then others where it just gets in the way…

    The problem for organisations is they operate in changing environments, and rely on the ingenuity of individuals within them to adapt to the change to ensure survival… This is an ongoing debate, and rigid versus flexible policy determines what gets adopted… for these pundits, it’s not only a monetary decision. Nah I think you hit the tip of the iceberg, so why stop at AD?? What other branches of the tree need shaking?

    James… OpenID is pushed like alternative fuels… and has the same problems of adoption… Obviously corporations want a return on investment, but can not afford to ignore anything which shows potential, or threatens their market… So pick up the banner – let me encourage you and state your case… after all… it is your right. You might catch the attention of someone with some money to throw at it.
