Welcome back to our year with Adaxes series! In this part, we are going to explore two key features that I personally love. First, we will look at the web consoles available in Adaxes and how you can customize them for your environment. These web-based tools have the ability to replace Active Directory Users and Computers (ADUC) as well as Active Directory Administrative Center (ADAC). We will then look at the self-service tools available for online and offline use. These tools automate away most of the routine object work that you are probably already doing in AD. Specifically, they can eliminate attribute changes, group membership changes, and password resets.
Using Web Consoles to Manage Active Directory
In the earlier articles of this series, we quickly mentioned the different management methods that Adaxes allows. Along with an expanded local administration console, three web interfaces are available after initial installation. To make access a bit easier, I actually took the shortcut files provided in the install and deployed those with Group Policy.
Of the two management web consoles, the Administrators version is most similar to ADAC/ADUC. The Help Desk version is a good starting point for HR (or in our case, media specialist use). In larger organizations, it would make a great tool for tier 1 helpdesk. Both can include the familiar and navigable AD tree of OUs. These consoles excel by bringing common tasks to the forefront. Think about how easy ADAC made resetting passwords by including that tool on the start page. Now think about how easy other tasks could be if you had a simple button available at the very beginning. In the screenshot below, you can see our administrators console with common tasks brought to the homepage.
The three consoles are really well thought out. If you need to change them, it is very simple to create a copy and to edit the new page. A few years ago, one of my favorite tools was a modified ADUC MMC with a bunch of scripts built into the side pane. The Administrators web console, which I spend most of my time in, is a more powerful version of that modified MMC. It is also a lot easier to manage and scale out. You can see some of these customizations in the console above. For example, we often prestage computer accounts in AD before imaging them and have added the Create Computer button directly to the homepage.
I will be the first to admit that my web design skills suck (see the template for this blog that hasn’t changed ever). The Web Interface Customization tool, which is installed on the Adaxes server, takes away most of the challenge of customization without locking you into default selections. Changes are divided up into logical tabs. You can customize how someone can interact with AD and exactly what they can interact with. For example, you can give an administrator at a school view over their OU and provide them with custom tools built right into the browser.
Of course, anything you create in the full Administration console still applies to the web consoles. Take our school administrator example from above. If they tried to create a computer account, the name and other attributes would still need to match computer property patterns. Placeholders, such as the default naming convention, would still auto-populate. Business rules, such as adding the computer to groups, would automatically apply.
Self-Service AD – Attribute and Password Changes
Let me start off by saying that I was pleasantly surprised to find out that all of the self-service tools were included in a single Adaxes purchase. Heck, even the client installer for offline resets wasn’t an extra charge! I am used to companies taking that one really special feature out of a product and then selling it as an add-on (certainly not talking about the company named something like sun breezes).
In Adaxes, the first part of self-service is the web console. When a user logs into the self-service console, they will see a window similar to the one below. Some of my information, such as in the top pane, has been removed. As you can see, I can update my general information, telephones, and address. Though newer versions of Exchange make this almost as easy, I can also easily update my AD photo in this view.
Look to the right in the picture above. Under the My Panel pane, you will see a button for My Team and My Department. These use the Managed By attribute to build a team map and the department attribute to build a department map. Both of these tools make an awesome way to build a self-updating staff directory. We currently have our staff directory on our website and I am hoping to replace it with these tools!
The second part of self-service can be found in the client and offline tools. After a few small configuration changes, users can use the web console and Windows client to reset their own passwords.
I highlighted the reset button in the picture above. The reset password feature is very configurable. Almost every option can be configured with a Group Policy setting. The default installation also adds a user hint to the logon screen: a "Forgot your password?" line. Because our backgrounds change every day and have writing on them, I went with the cleaner look that you see above. You can also set Reset Password up for offline use. By using an enrolled phone, a user can get a unique code to log onto the local machine with their account. This applies when the machine does not have a connection to your domain.
Hopefully, you all have enjoyed our look into web consoles and self-service. In the final post of this setup series, we will look at several smaller (but still very useful) features and some configuration practices. If you haven’t already tried it, a 30-day trial can be downloaded here.