February 2001

DM/ActiveRoles 2.0



Simplify AD management

As you build your Active Directory (AD) topology, you'll want to create a robust directory structure that incorporates the appropriate security for rights and roles throughout your enterprise. This task isn't easy because Windows 2000 doesn't provide an interface from which you can control all AD permissions. To address this shortcoming, FastLane Technologies created an AD management tool that extends AD's standards-based delegation model. FastLane's DM/ActiveRoles 2.0 assists with AD deployment and management by letting you consolidate access control entries (ACEs) into logical roles that you can assign throughout the enterprise.

How It Works
DM/ActiveRoles lets you collect ACEs into one ActiveRole. You then assign the ActiveRole to an AD object and to a user or group (the trustee). To help me conceptualize the role-assignment process, I considered role assignments from the object perspective. For example, if I assign an ActiveRole called helpdesk to an organizational unit (OU) named BigCompany for the user account Fred, then Fred has the access specified in the helpdesk ActiveRole on the BigCompany OU. After you define an ActiveRole, you can reassign it wherever appropriate. Although you use the DM/ActiveRoles interface to create and assign ActiveRoles, the ACEs it writes are ordinary ACEs in the target object's AD security descriptor. That design has two practical consequences: you can inspect and manage the resulting permissions with native Win2K tools (e.g., the Security tab in Active Directory Users and Computers) independently of DM/ActiveRoles, and anything you change with those native tools takes effect whether or not DM/ActiveRoles is still installed.

Installing DM/ActiveRoles
I received DM/ActiveRoles as a Windows Installer file email attachment from FastLane; however, FastLane plans to distribute the product on CD-ROM. I double-clicked the DMActiveRoles.msi icon to install DM/ActiveRoles to my test server. My server was a dual-Pentium III processor system with 512MB of RAM that ran Win2K Advanced Server, and I configured the server as the only domain controller (DC) for the AD domain. After I selected the full installation option, the software installed within seconds and prompted me to enter a license key, which FastLane provided by email.

The online Quick Start Guide recommends that you set the software to Directory-Enabled Mode to leverage AD's performance and availability. To set this option, I selected FastLane DM/ActiveRoles from Win2K's Start menu, then selected Configure, Directory-Enabled Mode. The program also lets you store role information locally. Local Mode lets you evaluate DM/ActiveRoles without modifying the AD schema. If you wish, you can later make a one-time transition to the recommended Directory-Enabled Mode.

The User Interface
The DM/ActiveRoles interface, which Figure 1, page 122, shows, is a Microsoft Management Console (MMC) snap-in. The left pane displays the DM/ActiveRoles snap-in node in treeview, the ActiveRoles Container, the Reports node, and domain OUs. The right pane displays in list view the corresponding objects for the item you select in the treeview. When you select a directory object, the list view splits horizontally to show ActiveRoles in the lower-right pane. This pane shows both directly applied ActiveRoles and ActiveRoles inherited from parent objects in the directory.

Right-clicking in the lower-right pane lets you choose between displaying ActiveRoles or a native ACL for the object you select in the treeview. When you display ActiveRoles, a dark green key icon represents directly applied roles, and a faded green key icon represents inherited roles. When you view the native ACL, an ACE specified through an ActiveRole shows the letters AR added to its icon. In the treeview, a small green square in the lower-right corner of an icon designates objects that have ActiveRoles assigned to them.

Because the interface is an MMC snap-in, you can add other snap-ins to the console to customize your environment. I added the MMC Active Directory Users and Computers snap-in to my console to give me quick access to user management facilities. You can add additional domains to the treeview by right-clicking the DM/ActiveRoles snap-in node and choosing Connect to Domain from the resulting menu.

Defining ActiveRoles
By default, only members of the Domain Admins group can manage ActiveRoles, but you can add other users and groups to the list of those with access. To test this functionality, I right-clicked the ActiveRoles Container and selected Manage Permissions from the resulting menu. This selection launched Control Wizard, which I used to add a user account named RA to the list of accounts that had permissions to access objects. I selected Full Control from the Role drop-down menu for RA. I then logged off and logged on again as RA to verify that the account could manage ActiveRoles.

You can use predefined ActiveRoles or customized ActiveRoles. I used mostly predefined ActiveRoles that I modified. To modify them, I selected the ActiveRoles Container in the left pane of the MMC snap-in, right-clicked the role I wanted to copy, and selected Copy from the resulting menu. A Copy ActiveRole dialog box appeared that listed the predefined source ActiveRole and asked me to specify a name and description for the destination ActiveRole. To modify the destination ActiveRole, I right-clicked the copy of the ActiveRole and selected Edit from the resulting menu to bring up the Edit ActiveRole dialog box. This dialog box contains a drop-down menu for object selection and a list of corresponding permissions for which you can allow or deny access.

If you select the Filter unused objects/rights check box, the software lets you focus on only managed objects. The DM/ActiveRoles manual didn't document this feature well, but a conversation with a FastLane representative clarified the feature's use. Selecting this check box simplifies editing ActiveRoles because it limits the displayed objects and rights to only those that the ActiveRole definition references. For example, when I edited my Sr. Help Desk ActiveRole, I used the filter option to narrow the number of objects from 21 to the 3 that had specified permissions. The filter also narrowed the list of permissions for those objects to only those permissions that the selected role explicitly allowed or denied access to.

You can delete unused roles from the ActiveRoles Container, and you can import and export individual or multiple ActiveRoles as necessary. I created several ActiveRoles by right-clicking the ActiveRoles Container and selecting New, ActiveRole. The Create ActiveRole Wizard prompted me for the role's name and description; the wizard then presented the same dialog box that I used for editing predefined ActiveRoles. Starting from a predefined role, which already maps to the right AD object classes and rights, is easier than building a role from scratch, but through trial and error I was able to establish the permissions I wanted for the role that I had created.

FastLane plans to create ActiveRole Packs of predefined ActiveRoles for specific AD-enabled applications (e.g., Microsoft Exchange 2000 Server). Registered users will be able to download these ActiveRole Packs from the FastLane Web site. FastLane also plans to designate an area of its Web site for users to trade custom ActiveRoles.

The ability to group ActiveRoles logically within the list view would benefit organizations that deploy many roles. However, version 2.0 doesn't offer such a feature.

Assigning ActiveRoles
After you define an ActiveRole, you assign it to the AD object to which you want to apply the role's specified permissions. At the same time, you designate who will hold the role on the selected object. To assign the Win2KLab Sr. Help Desk role to the entire AD domain, I right-clicked the top-level domain object and selected Manage Permissions, which launched the Control Wizard that Figure 2 shows. I clicked Add, selected SrHelpDesk in the resulting dialog box, then clicked OK to return to the Control Wizard. At this point, the Account column listed the SrHelpDesk group, and the Apply To column listed This object and all child objects (the other Apply To options are This object only and Child objects only; these correspond to the inheritance scope of the ACEs the wizard writes). Next, I clicked within the bounds of the Role column, and a drop-down box appeared. I selected Win2KLab Sr. Help Desk and clicked Finish. A green square appeared on the domain object's icon in the DM/ActiveRoles interface to show that the object is a controlled object, and the lower-right pane listed the newly applied ActiveRole information.
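Because an ActiveRole ends up as plain ACEs in the target object's security descriptor (as described under How It Works), you can reproduce both the role definition and the assignment step above with native calls and then read the result back the way the snap-in's ActiveRoles pane does. The following PowerShell is an added example written for this review, not FastLane's code or part of the product; it uses .NET System.DirectoryServices, which ships with Windows, rather than any DM/ActiveRoles API. The domain corp.example, the OU BigCompany and the group CORP\HelpDesk are assumed names; the schema and control-access GUIDs are the fixed well-known values Active Directory uses in every forest. The role here is a minimal help-desk role (reset password, unlock, force password change) scoped to user objects only.

```powershell
# Added example (not DM/ActiveRoles code): a "role" as a list of native AD ACEs,
# assigned to an object for a trustee with one of the three Apply To scopes.
# Assumed names: domain corp.example, OU BigCompany, group CORP\HelpDesk.

# The Control Wizard's Apply To choices map onto ActiveDirectorySecurityInheritance.
$ApplyTo = @{
    'This object only'                  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    'This object and all child objects' = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    'Child objects only'                = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
}

# Well-known AD GUIDs (identical in every forest).
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"
$LockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # attribute lockoutTime (clear to unlock)
$PwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet (0 = must change at next logon)

# A role is a function that returns the ACEs for a given trustee and scope.
function New-HelpDeskRole {
    param(
        [System.Security.Principal.IdentityReference] $Trustee,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Scope
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # The last argument restricts each ACE to objects of class "user" when it is inherited,
    # so the role grants nothing on computers, groups or the container itself. (For the
    # "This object only" scope there is no inheritance and the class filter does not apply.)
    @(
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Trustee, $ext,   $allow, $ResetPassword, $Scope, $UserClass)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Trustee, $write, $allow, $LockoutTime,   $Scope, $UserClass)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Trustee, $write, $allow, $PwdLastSet,    $Scope, $UserClass)
    )
}

# Assignment: append the role's ACEs to the object's DACL. This only ever adds Allow ACEs;
# it never removes or replaces what is already there, so it cannot lock administrators out.
function Grant-Role {
    param(
        [string] $ObjectDn,
        [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Role
    )
    $entry = [ADSI]"LDAP://$ObjectDn"
    $acl   = $entry.ObjectSecurity            # the object's native security descriptor
    foreach ($ace in $Role) { $acl.AddAccessRule($ace) }
    $entry.CommitChanges()                    # writes the modified DACL back to AD
}

# Verification: list what a trustee holds on an object. IsInherited distinguishes a directly
# applied ACE (the snap-in's dark green key) from one inherited from a parent (faded key).
function Get-RoleAssignments {
    param(
        [string] $ObjectDn,
        [System.Security.Principal.IdentityReference] $Trustee
    )
    $acl = ([ADSI]"LDAP://$ObjectDn").ObjectSecurity
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Trustee.Value } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}

# Usage (run as an account that may modify the OU's DACL):
$trustee = New-Object System.Security.Principal.NTAccount('CORP', 'HelpDesk')   # assumed group
$role    = New-HelpDeskRole -Trustee $trustee -Scope $ApplyTo['This object and all child objects']
Grant-Role -ObjectDn 'OU=BigCompany,DC=corp,DC=example' -Role $role              # assumed OU
# On a child OU the same three ACEs show up with IsInherited = True:
Get-RoleAssignments -ObjectDn 'OU=Sales,OU=BigCompany,DC=corp,DC=example' -Trustee $trustee |
    Format-Table -AutoSize
```

Two points worth checking before running something like this against a production domain: confirm the trustee and scope on each ACE, because an ACE with scope All on the domain root reaches every user object in the domain, and prefer granting to a group over a user account so that role membership, not the DACL, is what you change when staff move. Reading the ACL back with `Get-RoleAssignments` is the native equivalent of switching the lower-right pane to the object's ACL view.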



Reader Comments
I agree that this tool is powerful and can help with the complex management issues involved with Active Directory and a large user base. WATCH OUT, the tool can also destroy your domain very easily. I went to a training class for the entire DM Suite of products, and when we got to DM Active Roles the instructor destroyed the test domain by removing all administrator rights from the Domain Administrators group. This meant that even the built-in Administrator account no longer had the rights necessary to administer the domain. Since this domain was created for testing, no emergency restore files were available. The result... well, I got home early that day.

Terminex April 26, 2001

