Scott R
We use Quest (QAS, Quest Authentication Service) on our unix servers and our linux laptops etc. It works fine, it's not the best thing in the world but it's functional. The real hangup we had was procedure. Each and every user and group in AD needs to be "unix enabled," so existing groups need to be enabled and new users and groups need to be built "enabled."

Something like this is a huge issue for us since we have so many employees and different help desks around the world. But, we got there. We are getting rave reviews from our AIX and SUN folks that now just have to add a single group to their users.allow file rather than an entire list of users like we did before.

We have only had a few issues to date. One was AD groups with "spaces" in them: this didn't work at all early on, then they patched it and it got "better," but we can still throw the odd group name with multiple "spaces" and kill the authentication on the server. Another patch is slated to come out soon to address some more of this.

Now, if you're still not bored reading, the AD policy objects and GPO must be tailored entirely to the unix machines; you won't be using your existing policies to push to unix systems. I suppose that's a given since the operating system objects are entirely different. But the good news is, it does work! You just need a working policy for the flavor of unix that you're securing.

My AD admins balked at first, of course they bleed Microsoft, but they are coming around.
08-12-2012, 09:55 AM