- Active Directory Change Control and Other Advanced Adaxes Features
- Business Rules, Security Roles, and Logging – A Deeper Look at Adaxes for Active Directory
- Active Directory Users and Computers vs Adaxes
A couple of weeks ago, we explored Adaxes as a replacement for the Active Directory management tools. We covered some really cool topics like the web console and streamlined wizards. That was just the tip of the iceberg in terms of features. In the second part of our review, we will cover a few of the advanced features found in Adaxes.
Business Rules for Active Directory
Delegation in Active Directory is strictly a black and white kind of world. You are either allowed to do something or you get to see a nice Access Denied error. While other Microsoft products, such as Advance Group Policy Management, support change control – Active Directory does not. Let’s look into change control when Adaxes is brought into the picture.
Business Rules, found under the Configuration Node, are the triggers that monitor Active Directory. They can be enforced before or after an action occurs. For example, the builtin rule After User Creation creates a home directory, exchange mailbox, and activates an Office 365 account.
We can create a new business rule and target it to Organizational Units that are deleted. By setting the Apply Before option and adding the action Send this operation for approval, we can create a completely customized change control environment. Each rule that you create can have conditions applied to narrow the application scope. In the screenshot below, my rule applies to all OUs but is scoped to members of the Helpdesk security group.
Approvers can be specified by security groups or automated through the use of the Owner setting on the OU. These pending changes are sent to the Approval Requests node until action is taken on them. Adaxes will notify administrators by email any pending request. The Approval Requests node is used by administrators to access all of the requests that the Adaxes Service produces.
Security Roles – Preconfigured Delegation
In many organizations, every employee of the Tech Department is a member of the domain administrators group (or another super group). There is a saying that many cooks spoil the broth. With Domain Admin permissions, they also burn your house down…
Granular Security Roles make delegation incredibly simple by preconfiguring permissions. As you can see in the screenshot above, I’ve selected the Computer Manager role. This role has the ability to Create/Delete computer objects which provides the ability to join new machines to the domain. They can also set properties on the computer accounts.
Thinking about the permissions needed in your environment will allow you to map jobs to roles. For example, a computer technician might need to manage Computers and Users in AD. This means he will need permissions from the Computer manager role and the Help Desk role. The builtin Help Desk role allow administrators to reset passwords and change account/password options.
These role permissions can be merged through assignments. As you can see in the screenshot below, the Helpdesk group has been assigned the Computer Manager permissions to the Domain Sites OU. This gives you granular control without additional complexity.
In Depth Logging – Who did what in Active Directory
The Adaxes administrative console does two really cool subtle things:
- allows editing to occur before it is pushed a live environment
- logs this editing (and any other AD change) to a central location
When we configured change control and tested a security role above, those changes did not become live until we selected the save button. If we navigated away from the active window, we are prompted to save our changes. I think this small change is very cool as most items in Active Directory are immediately live after being edited.
Once a change has been saved in an Adaxes node (or an object has been edited in Active Directory), that information is recorded in the Logging node. This applies across the entire object life cycle: creation, modification, and deletion. Errors, such as the access denied (red exclamation point) are even recorded for review.
Wrapping it all up
In this review, we covered business rules, security roles, and logging. Each of these advanced features integrate together to extend your ability to manage Active Directory. Business Rules function much like rules in Outlook – they allow you to automate tasks based off of a trigger. These can proactively protect resources or complete a process. Security Roles make delegation simpler by allowing you to drop users into granular permission sets. Finally, logging gives you insight into Active Directory activity without combing through cumbersome logs.
Using Adaxes as your Active Directory management console can provide some huge benefits. If your environment needs a more robust tool for managing AD objects, download the free Adaxes trial at this link.