Secure multi-client capability through Microsoft Active Directory

IT & Management Consulting, IT-Sourcing, Provider Management

Even in a jointly used infrastructure, the integrity of data and systems remains ensured, and service providers gain significant resource savings.

As is well known, in a Microsoft infrastructure access to resources, data and applications is controlled via Active Directory (AD). Depending on how complex the mapped business structures are, AD not only controls access on a one-to-one basis but also describes the different levels of trust relationships between individual domains. It is usually a complex system that mirrors the inner dynamics of a company.


Traditionally, when a company's IT is operated by an external provider, one of the unwritten rules is that each company is hosted on physically separate hardware. The concern is too great that, through shared server use, unauthorised parties might be able to look at a third party's data or structures. Many service providers therefore operate a separate Active Directory for each client. This, of course, costs processor power, electricity, administration effort and operating system licences.

Not only since the increasing prevalence of cloud computing and the growing acceptance of cloud infrastructures for providing IT as a service has there been a demand to put an end to these restrictions and to provide a more cost-effective method.


This is exactly where "List Object Mode" comes in: it removes the physical separation of individual clients while maintaining their logical separation. This is achieved with at least two domain controllers in "List Object Mode". Service providers are thus able to consolidate their server landscape while continuing to provide the same services for their clients.

However, this mode is not without cost. Once "List Object Mode" has been activated with Microsoft's "ADSI Edit" tool, the different clients must be consolidated, along with their users, groups, computers and other Active Directory objects. For "List Object Mode" to take effect, the individual rights on the objects must be adjusted. This adjustment, however, only needs to be performed once for the migrated objects and again for each newly added client, and it can be automated, e.g. through scripts and/or templates.


A test environment is indispensable for such a far-reaching server consolidation. It should contain all important applications and parameters that are to be maintained in future under the roof of a joint AD. When only a single active AD is operated for all clients, operation after a change must also be simulated and tested; such a change can, for example, be a Group Policy Object that affects all clients. It should also be checked in the test environment whether all rights have been set as intended. Of course, the principle that no client may see another client's content must not be violated. Due to its impact and its complexity, implementing "List Object Mode" in a global AD requires experience and overview. In close cooperation between customer, Microsoft and noventum, the IT service provider from the financial industry was able to relieve its infrastructure of several servers and to significantly increase its efficiency in the process.
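The activation step, the per-client rights adjustment and the rights check described in the two paragraphs above, written out as an added PowerShell example (this is not noventum's own script nor Microsoft tooling). It assumes the ActiveDirectory module and its AD: drive, a parent OU holding one sub-OU per client, and one security group per client that should see exactly that sub-OU; the OU and group names passed in are placeholders, and which default rights have to be stripped depends on the environment.

```powershell
Import-Module ActiveDirectory
$Rights    = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$AuthUsers = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
$ListBits  = $Rights::ListChildren -bor $Rights::ListObject   # List Contents + List Object

function New-Ace([object]$Who, $What, $Scope) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Who, $What, $Allow, $Scope)
}

function Enable-ListObjectMode {
    # dSHeuristics is a forest-wide string of one-character switches on the Directory
    # Service object; character 3 (fDoListObject) set to '1' enables List Object Mode.
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext
    $current = [string](Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
    $chars   = $current.PadRight(3, '0').ToCharArray()   # keep any other switches as they are
    $chars[2] = [char]'1'
    Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = (-join $chars) }
}

function Set-ClientVisibility {
    param([string]$ParentOu, [string]$ClientOu, [string]$ClientGroup)
    # Parent OU: without List Contents a bound user cannot enumerate the sibling client
    # OUs; in List Object Mode a child is shown only if the user holds List Object on it.
    $acl = Get-Acl -Path "AD:\$ParentOu"
    [void]$acl.RemoveAccessRule((New-Ace $AuthUsers ($Rights::ListChildren) ($Inherit::None)))
    Set-Acl -Path "AD:\$ParentOu" -AclObject $acl
    # Client OU: strip the default List Object / List Contents bits for everyone, then
    # grant both to this client's group only, inherited down the client's subtree.
    $acl = Get-Acl -Path "AD:\$ClientOu"
    [void]$acl.RemoveAccessRule((New-Ace $AuthUsers $ListBits ($Inherit::None)))
    $acl.AddAccessRule((New-Ace ([System.Security.Principal.NTAccount]$ClientGroup) $ListBits ($Inherit::All)))
    Set-Acl -Path "AD:\$ClientOu" -AclObject $acl
}

# Test-environment check: every client OU on which Authenticated Users can still list the
# object or its contents, i.e. where one client could see another client's container.
function Test-ClientIsolation {
    param([string]$ParentOu)
    Get-ADOrganizationalUnit -Filter * -SearchBase $ParentOu -SearchScope OneLevel |
      Where-Object {
        (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access | Where-Object {
          $_.IdentityReference -eq $AuthUsers -and $_.AccessControlType -eq $Allow -and
          (($_.ActiveDirectoryRights -band $ListBits) -ne 0) }
      } | Select-Object -ExpandProperty DistinguishedName
}
```

RemoveAccessRule only touches explicit ACEs, so any inherited grant to Authenticated Users still shows up in Test-ClientIsolation and has to be fixed where it is inherited from. Run the check once per client OU after each change, including new Group Policy links, before the same change is applied to the productive AD.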

Nowadays, this IT service provider supports more than 450 clients with a total of more than 160,000 user objects in a single Active Directory. It contains more than 4,500 Group Policy Objects (all of them explicitly authorised, of course).

Through this solution developed in-house, it was also possible to implement a uniform naming concept. Based on it, Group Policy Objects received unambiguous names and administration became considerably easier.

Michael Lamboury