This post is brought to you by ManageEngine. What’s this?
Active Directory Users and Computers (ADUC) is beginning to show some age. Why are custom reports so difficult to make? Generating a report just to see inactive accounts could take 10 minutes! Why can’t that search button remember that I also want to search for computer accounts? I can’t count the number of times that I’ve forgotten to check that box! Why do I have to go through so many menus to do simple things?
ManageEngine’s ADManager Plus addresses these shortcomings and extends Active Directory Users and Computers as a web-based application. In this guide, we will setup ADManager Plus and walk-through some major features such as easy reporting and the Active Directory Dashboard.
The 1 Step Install
To get started, download ADManager Plus and install it on your management machine for this walk-through. During the install, the only setting that you might have to change is the default port. You would only need to change this if you are running another web based tool.
The total install shouldn’t take more than 2-3 minutes. Once completed, the ADManager Web Console should automatically launch. It may take a minute or two for the console to fully load – it is doing some pretty cool counting in the background.
The ADManager Plus Dashboard
When fully loaded, you will be presented with the Dashboard view. This unique view summarizes your entire domain and graphically shows you: users, computers, groups, OUs, and GPOs. You read that right – Group Policy + Active Directory in a single console, more on that later.
In Dashboard snippet above, we can quickly see any users with expiring/expired passwords. If you had an account that was locked out, that information would also be immediately visible. Below that, each aspect of Active Directory is summarized and sorted. For example, users are divided into normal accounts, inactive accounts, locked accounts, expired accounts, and disabled accounts. It would take five separate reports in ADUC to get this information!
The Pieces of ADManager Plus
Just above the Dashboard is where the real fun starts! The screenshot below shows each core component of ADManager Plus.
In short, here is what to expect under each component:
- AD Mgmt: This is the workhorse of the product – provides AD management. We can also work with GPOs in this section!
- AD Reports: An extensive reporting module – currently has 150+ built-in reports for querying nearly anything needed.
- WorkFlow: A change control feature that allows you to monitor and approve certain AD activities.
- Automation: A Task Scheduler for AD!
- AD Delegation: Allows you to easily delegate roles and specifics actions to Groups.
- Admin: The Options and Configuration area for ADManager Plus
Let’s take a quick jaunt through the AD Mgmt module. Inside this section, objects are again grouped by type. Objects then contain actions such as “Create Bulk Users” or “Create Exchange Mailbox”.
One item that always frustrated me was bulk attribute editing in Active Directory Users and Computers. Some attributes were bulk editable, others weren’t. ADManager Plus eliminates this frustration!
ADManager Plus standardizes the provisioning and de-provisioning of objects. In a native environment, full account creation takes place across multiple management windows because most users will need a mailbox, permissions, Lync settings, etc. With ADManager Plus, all of these settings can be created within a single screen.
When using the ready-made reports, you might find that you can eliminate a few logon scripts. The most striking report for me was the real last logon time report. This report is built by querying each domain controller and presenting the latest logon time. This provides an accurate report for sites with multiple domain controllers.
GPO Management within AD?
In an ideal environment, a select few (or even just one) person would be in charge of GPO management. Limiting GPO creation and editing ensures a consistent and efficient environment. Knowing that, I also recognize the need for GPOs to be rescoped or relinked for software deployment, security settings, etc.
Like the Group Policy Management Console, you can view GPOs by Sites or through the normal Active Directory hierarchy. This web based view shows you any GPO linked and allows you to link/unlink additional GPOs. Building on that, OU specific actions can also be completed in the console. For example, you can enforce GPOs if needed.
If you have a first level responder (or you are wanting to keep techs out of the GPMC), this section makes a great alternative. However, I was left wanting a bit more out of this section. For example, being able to click on a GPO and have it launch the GPEdit MMC for that GPO would be awesome! Building on that, being able to have a combined view of AD Objects (like computers) and GPOs would be downright amazing! Hiding and showing classes of objects would keep the clutter at bay and make this possible.
Is ADManager Plus Worth It?
When playing with this tool, I could see scenario after scenario where I could use different features. Working in education, a lot of student interaction is handled by media specialists. Providing my media specialists with a web-based Active Directory (specifically tailored to them) would make them very happy! I can also see this being used by HR Personnel to manage the entire user account lifecycle. This includes creation, attribute updating (such as a last name change), and deletion.
From an IT perspective, I was very interested in the automation task scheduler and the change control features (Workflows). For a large organization, this could be a real life saver! Finally, I am very excited about future updates to the Group Policy section!
ADManager Plus integrates with a few other ManageEngine products. While I have not personally reviewed them, the extensions looked promising! If you are interested, you can read more about the ADAudit and ADSelfService tools here.