RSLogix and Active Directory

HoldenC

I started work at a new place doing electrical and PLC work.

They ordered me a new laptop, and I am still waiting on them to order a copy of RSLogix 5000 and some other PLC software.

However, in the meantime the IT department has taken the computer and joined it to their Active Directory domain. I've worked in IT before so I understand what AD is, and how it works. However, I've never seen a computer doing PLC programming that was joined to a domain.

Does anyone have any experience with this?
 
My desktop is on the admin AD. It lets me jump through the firewall to a terminal server .. which lets me jump through the firewall again to another terminal server ... using a different account name and password .. that is actually running the programming software.


It is slow as heck ... like running a 5 year old computer .. but I am told it is much more secure. IT tools are monitoring the traffic and throw warnings when I do anything out of the ordinary ... like run RSNetWorx. So the monitoring DOES work.


Let's hope your IT guys have something like this set up. Having PLCs on your AD would be a bit scary.
 
Many IT departments know diddly squat about PLCs and instead get in the way; hopefully yours is different.


If it doesn't work then lay down the law that it is their problem and requires their immediate attention; since you are new, you may need your boss to make that case. If they cannot make it work within a few hours, tell them to take it off so you can connect directly without their hindrance. They are welcome to get another laptop to figure out how to do it, and then try again when they know.


The bottom line is that the PLCs, and the people that manage them, make the money; IT does not, and must not get in the way of those that do.
 
I've been lucky enough through 3 jobs over a 20+ year period that I had complete control on the Controls Laptops. The IT department didn't even want to concern themselves with software updates. All the machines I've worked with were not connected in any way to the plant network so I was in my own world as far as they were concerned. :)

As DRBitBoy stated, stay on them when it's their problem. 🍻
 
Every place I've been has segmented networks, so one computer is on AD (IT network) for emails and other office work. Then I have a computer (or server) that I'm admin of for PLCs and other random tasks (OT or process network).
 
I'm hoping I can just get them to let me off of the AD network; it's really pointless. I may just ask for another laptop, one for PLCs and one for the AD network.

I'm afraid this place is just lost. They keep telling me that I need to do more PLC work. However, I have no programming software, no copy of the logic, no PDF copy of logic, no list of IO, and no copies of prints. They keep telling me that I should be able to program a PLC without software. Their other popular answer is to call someone and see if I can make a copy of someone else's software.
 
It may be possible for them to just add some additional routes / rules to the corporate firewall to let you through onto the process network. That's assuming they are actually connected.

One of our main clients has this arrangement - each plant has a Palo Alto firewall, with a port for corp network, legacy process network and modem (documented) network. These then connect to dedicated switches for each network.

You can connect into the corp one and get a corporate subnet address automatically with DHCP. Then, provided your laptop is on the whitelist, you are able to access the control network. Only a handful of ports are open between corporate and process and all traffic is logged. When I need a new port opened, I try to connect and note the time, then just contact the IT guy and say "I need this opened, I tried at this time"... takes him a few minutes to spot the deny entry in the log, and create the new rule. Each rule gets reviewed every 3 months.

But, if they haven't designed your network like that, or if being part of the AD also comes with all kinds of silly admin restrictions they won't budge on, then a non-managed laptop is the way to go. Just make sure you do your backups and keep antivirus up to date.

Sounds like the people calling the shots have no idea about what is required to do your job. And as someone on here's signature line says, "I don't know how to do your job, therefore it must be easy."
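Added example, not part of the original posts: a sketch of the workflow described in the post above (find the deny entry for a laptop near a reported time, and list rules past their quarterly review). The CSV layout, addresses, rule names and the 90-day reading of "every 3 months" are all assumptions made for illustration, not a vendor log format.

```python
import csv
from collections import Counter
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample in a generic CSV layout (not a vendor export format).
# 10.20.4.31 stands in for the whitelisted engineering laptop.
SAMPLE_LOG = """\
time,src,dst,dport,proto,action
2024-03-05T09:58:12,10.20.4.31,192.168.50.10,443,tcp,allow
2024-03-05T10:14:03,10.20.4.31,192.168.50.10,44818,tcp,deny
2024-03-05T10:14:05,10.20.4.31,192.168.50.10,44818,tcp,deny
2024-03-05T10:15:40,10.20.7.99,192.168.50.10,44818,tcp,deny
2024-03-05T11:30:00,10.20.4.31,192.168.50.12,2222,udp,deny
"""

def find_denies(log_text, src, reported_at, window_minutes=5):
    """Count denied flows from `src` within +/- the window of the reported time."""
    window = timedelta(minutes=window_minutes)
    hits = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        if (row["action"] == "deny" and row["src"] == src
                and abs(when - reported_at) <= window):
            # Key on the flow so retries collapse into one candidate rule.
            hits[(row["dst"], int(row["dport"]), row["proto"])] += 1
    return dict(hits)

# Constructed rule inventory; "every 3 months" is approximated as 90 days.
RULES = [
    {"name": "eng-laptop-to-plc-44818", "last_reviewed": date(2024, 3, 5)},
    {"name": "historian-to-scada-1433", "last_reviewed": date(2024, 5, 1)},
]

def rules_due_for_review(rules, today, max_age_days=90):
    """Return names of rules whose last review is older than the interval."""
    return [r["name"] for r in rules
            if (today - r["last_reviewed"]).days > max_age_days]

if __name__ == "__main__":
    print(find_denies(SAMPLE_LOG, "10.20.4.31", datetime(2024, 3, 5, 10, 15)))
    print(rules_due_for_review(RULES, date(2024, 6, 10)))
```

Grouping by destination, port and protocol turns repeated connection attempts into a single candidate rule for the firewall administrator to review.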
 
What? You sound like you are set up for failure.
 
So, what's the loss if you are connected to the AD?
I have actually set up Studio 5k to require log-on in order to do programming too, but that's something that is controlled by the administration console, the AD is only used for authentication.

Also, who is asking you to program the PLCs? If it's your manager, you need to explain to him how it works. If it's someone else, ask them to show it to you. If they do, please let this forum know too.
 
The point of putting the PC in the AD group is so you can store your work on the plant network as a backup in case your laptop crashes. Trust me on that point!
My PC hard drive crashed and the only thing that saved me and the company a lot of grief was the incremental backups and the weekly backup we did.
James
 
My programming laptops (and all of our HMI/SCADAs) are connected to the domain here. No issues.

We've worked w/ the corporate IT folks to set up the right policies, groups, etc. to make sure things work as needed while keeping the correct level of security enabled.
 
