This post is sponsored by Softerra, Ltd.
Several months ago, we did a two-part series on Softerra’s Adaxes. If you have ever been frustrated by the antiquity of Active Directory Users and Computers (ADUC) or left perplexed by missing features in the Active Directory Administrative Center (ADAC), the Adaxes management console for Active Directory may be exactly what you need.
In this third part of the Adaxes series, we are going to look at three new features: Active Directory Change Control, Business Units, and Scheduled Tasks.
Active Directory Change Control
For all but the smallest environments, change control is a necessity. It is something of a wonder that this feature is not native to Active Directory management (or offered as a companion tool, the way Advanced Group Policy Management in MDOP is for Group Policy). The difference between change control and delegation is black and white.
With delegation, individual permissions are assigned to a subset of users or groups. These specific permissions include things like resetting a password (user or computer) or creating an OU. To paraphrase Yoda, an IT administrator can or cannot. There is no try.
Change control supplies the missing middle ground: the try. Junior administrators (or even non-technical employees) can be given permission to initiate actions but be denied the ability to complete them. For example, an administrator at a remote site can be delegated the permission to create a user, while change control intercepts any action that would delete a user. The intercepted action is recorded under the Approval Requests node of the Adaxes console and a notification is sent to a higher-level administrator. Change control through Approval Requests provides a safer way to distribute management permissions in Active Directory.
Business Units as a New Type of Organizational Unit
General best practices for organizing your Active Directory structure can be summarized as a dichotomy. Objects, such as computers or users, can be grouped by physical location or logical structure. When an Active Directory OU structure is logically aligned to your environment, you are easily able to manage departments but have to rely on Active Directory sites for location management. If your Active Directory OU structure is physically aligned, location based items are easier to manage but dispersed business segments become more tedious.
In native AD, objects can only be a member of a single OU. While this is still true with the additional Adaxes features, Business Units allow for virtual OUs that overlay on top of your actual structure. With Business Units, your environment can gain the advantages of a physical and logical AD structure.
By building dynamic queries, an administrator can build a Business Unit to correspond to nearly any management need. For example, you can have a Business Unit for managers and another Business Unit for executives without the need to physically move AD objects around. In fact, Business Units can change depending on the user looking at them. Think of this as Access Based Enumeration for Active Directory. An employee working in Human Resources can look at an All Users Business Unit and see every account except the IT accounts. When an IT employee looks at the All Users Business Unit, they can see every account.
The advantage of Business Units over groups is that you can directly modify the objects in a Business Unit. With a group, you have to pass the members to a script. One feature that I would love to see added to Business Units is the integration of Group Policy links. Being able to create a Business Unit and link a GPO to it would be wonderful!
This could work practically by:
- Looking at the physical location of each object in the Business Unit.
- Modifying the GPO’s security scope to apply to just these objects.
- Linking the GPO to the physical location of the objects.
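The three steps above, worked through as an added PowerShell example that is not part of the original post and is not Adaxes code: it stands in for a Business Unit with a plain LDAP filter, syncs the matching objects into a security group, narrows the GPO's security filtering to that group, and links the GPO at each OU that actually holds a member. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the GPO, group and filter names are placeholders.

```powershell
# Added example, not Adaxes code. Placeholders: GPO name, group name, LDAP filter.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and rights to edit/link the GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'BU-Managers-Settings'   # existing GPO to scope (placeholder)
$GroupName = 'BU-Managers'            # security group carrying the filtering (placeholder)
$BuFilter  = '(&(objectCategory=person)(objectClass=user)(title=*Manager*))'  # stands in for the BU query

# Step 1: resolve the Business Unit members and the container each one physically lives in.
$members = Get-ADUser -LDAPFilter $BuFilter -Properties DistinguishedName
if (-not $members) { throw "No objects matched the Business Unit filter." }

# Parent DN = everything after the first unescaped comma. GPOs can only be linked
# to OUs (and the domain/site), so default containers such as CN=Users are skipped.
$parentOUs = $members |
    ForEach-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
    Where-Object { $_ -like 'OU=*' } |
    Sort-Object -Unique

# Step 2: narrow the GPO's security filtering to just these objects via a group
# whose membership is kept equal to the filter result (add missing, remove stale).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
$current  = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)
$wanted   = @($members | Select-Object -ExpandProperty DistinguishedName)
$toAdd    = $wanted  | Where-Object { $_ -notin $current }
$toRemove = $current | Where-Object { $_ -notin $wanted }
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Authenticated Users keeps Read (computers must still read the GPO for user
# settings to apply) but loses Apply; only the BU group receives Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 3: link the GPO at each OU that contains a member, as close to the objects
# as possible, skipping OUs where the link already exists.
foreach ($ou in $parentOUs) {
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) {
        New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes | Out-Null
        Write-Verbose "Linked $GpoName to $ou" -Verbose
    }
}
```

Re-running the script later re-syncs the group and adds links for any new OU, which is the automatic upkeep the post describes; links left behind in OUs that no longer contain a member are not removed here.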
This would give administrators greater flexibility in Group Policy and would improve Group Policy processing times, since GPOs would be linked as close to the object as possible instead of higher up the Active Directory hierarchy. It should also be noted that once a Business Unit is created, unit membership is maintained automatically. This automatic maintenance brings us to our next topic, scheduled tasks.
Scheduled Tasks in Active Directory
Active Directory management would not be complete without some method of task creation and scheduling. Of course, the Adaxes management console includes this feature.
What really sets the scheduled tasks feature apart is the plethora of built-in management tasks. As soon as you fire up the Adaxes console, you can immediately schedule items like:
- cleanup stale users and computers
- notify users of password expirations
- populate security and distribution groups
With each task, you can clearly define what objects are (or are not) affected. The tasks can be triggered by actions or run at scheduled times. Each task is created in a workflow pattern: you define how conditions are met and exactly what happens.
The scheduled task that you create can get as intricate as needed with and/or and If statements. Scheduled Tasks also integrate with Change Control. For example, managers can be notified that a user will be suspended before it actually occurs.
The Adaxes console brings some much-needed attention to Active Directory management. In this guide, we covered three advanced features that make AD easier to use. Change Control provides you with a safer means of delegation. Business Units allow a greater amount of flexibility. Finally, scheduled tasks make Active Directory object upkeep simple. If you would like to learn more about these advancements, start by downloading the free trial.
I switched jobs in April 2015 and my new job had Adaxes. At first I was doubtful but when I started to learn and use the tool I was blown away! When I started HR could provision a new user, but we had nothing when a user is terminated. We now have enabled HR to schedule terminations where it calls scripts to push changes to Google Apps, LastPass, emails our phone vendor to deprovision the employee’s phone. The freedom of writing a PowerShell script and letting Adaxes control access to that script via a web interface is absolutely amazing when it comes to automation and security!
Thanks for writing these articles about Adaxes, it has definitely helped me trust it more than I would have otherwise!
Thank you for taking the time to comment, Jake! I am surprised that AD management hasn’t received the attention that Group Policy or other products have. I would love to see Microsoft purchase Adaxes and integrate it like the Group Policy Preferences purchase a few years ago.