Case Study: Cornell University achieves centralized, least-privilege Active Directory security with One Identity Active Roles

Cornell Makes the Active Directory Security Honor Role

Cornell University, a large higher-education institution, faced a highly distributed and loosely controlled Active Directory environment (more than 100 independent AD domains) that left student, faculty, and staff data vulnerable to AD-based attacks, human error, and shared all-or-nothing admin credentials. To address these risks, Cornell turned to One Identity and deployed the One Identity Active Roles solution.

One Identity implemented Active Roles to centralize and automate AD administration—providing delegation and sub-delegation, naming convention enforcement, audited change history, template workflows, and integration to Unix/Linux authentication—so admins receive least-privilege access and actions are tracked and reversible. The deployment enabled the desired complex delegation model for hundreds of administrators, streamlined Unix/Linux authentication and authorization based on AD, eliminated unfettered admin access across domains, reduced risk, and has been working effectively for nearly ten years.

Cornell University

Muhammad Arif

Identity Management, CIT