Windows Server's Active Directory has evolved into a complex system. These products can help you through the rough spots.
It’s hard to believe that we've been living with Active Directory (AD) for 10 years. If you were in IT during the years preceding this huge paradigm shift, you've witnessed the evolution of how Windows domains are administered. Gone are the days of everyone in IT being a domain administrator. Now, domains can have structure and granular security permissions.
With all that capability, however, came the necessity of forethought and careful planning. If you've ever taken over a poorly planned AD implementation, you understand this necessity all too well. And every day, many administrators face the fact that AD encompasses only one of many user-provisioning tasks. Many companies have Exchange, Research in Motion (RIM) BlackBerry devices, Enterprise Resource Planning (ERP) databases, Human Resources (HR) systems, and countless other systems that users need to have access to. Many of you might also be in the middle of security audits. Sarbanes-Oxley (SOX), Statement on Auditing Standard 70 (SAS70), the Health Insurance Portability and Accountability Act (HIPPA), and other regulatory laws have forced us to rethink how we accomplish daily tasks and how we account for who does them.
Each of the four products in this month’s comparative review—Ensim Unify Enterprise Edition, ManageEngine ADManager Plus, NetIQ Directory and Resource Administrator, and Quest Software ActiveRoles Server—attempts to take on one or more of these challenges: setting up granular security permissions, user provisioning on multiple systems, and AD auditing. Some try to do everything out of the box, and others use a modular approach.
To test each product, I ran through five typical administration tasks that the build-in Microsoft tools either don’t do or don’t do very well. Those tasks are user provisioning (e.g., AD, Exchange, BlackBerry, ERP), Exchange provisioning (e.g., data store based on last name/department), delegation of duties, user de-provisioning a user (e.g., scramble username, reset password, remove from external system), and reporting for audits.
These four products have similar methods for helping you streamline the process of provisioning a new user. If every new user needs to be a member of the ERP Application global group, for example, this feature will be important to you. Another common example of user provisioning is integration with the HR database. Perhaps you'd like AD to be populated with the data from the HR database, or vice versa. Depending on the application, you might need to have a good scripting background to get the most out of this feature.
I installed each product in a typical Windows 2003 Active Directory Doman with Exchange 2003. I used VMware so that I could host multiple servers on one physical machine.
Ensim Unify Enterprise
Unify Enterprise walks you through a helpful “prerequisite check” for your system, then proceeds through a very simple installation routine. The product runs on Windows Server 2008 or Windows Server 2003 and requires IIS, ASP.NET, .NET Framework 2.0, and the SMTP service. Once the installation is complete, a Quick Start guide launches, walking you through some basic steps, such as setting general preferences and notification parameters.
Unify Enterprise has the cleanest GUI of all the products in this review. Through the easy-to-navigate interface, I immediately attempted to create a new user. Doing so led me to want to create a Template User, and in just a few minutes I had nice SpokaneUser and SeattleUser templates. (You can also add users by using a comma separated value—CSV—file.) If your dedicated Help desk staff spends most of its day administering users and computers, this is the interface they'll want to work in.
To help you delegate correct permissions for users, Unify Enterprise includes four built-in roles: System Administrator, Help Desk Administrator, HR Administrator, and Employee. Of course, you can create custom roles, but these four will get you started. For example, the Help Desk Administrator can perform the following tasks: Change and reset passwords, edit user properties, add security groups, and so on.
As for reporting, one of the tabs across the top of the web console is the Reports menu. The following reports are available: Usage, Resource Status, Action Logs, and Deleted Items. Each report is quite detailed, but—from an auditing perspective—I found the most useful information in the Action Logs and Deleted Items. Unfortunately, I couldn't find a way to export the reports into a format that I could give to an auditor.
Unify Enterprise takes a modular approach, giving you the functionality to administer only AD out of the box. If you need to provision Exchange Server or another “external” system, you'll need to purchase additional components. Unify Enterprise can be extended to support BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS). ManageEngine ADManager Plus
The Manage Engine website immediately draws your attention to the company's 90:10 Promise: "90 percent of the features of the Big 4 at 10 percent of the price.” I wondered whether the product could really deliver on that promise. After reviewing the product, I’m not convinced that it does.
I downloaded the 30MB installation file and started the setup process. This was by far the easiest and fastest installation of all of the four products. I needed only to specify the port that I wanted the web server to run on (the default is port 8080).
As with the other products, the main GUI is web-based. However, ADManager can be authenticated with either domain or ADManager Plus authentication. Once you're logged on, a dashboard of canned reports shows you the number of active users, inactive users, disables users, locked out user, and so on. The tabs available across the top are AD Mgmt, AD Reports, AD Delegation, Admin, and Support.
ADManager Plus has a clean layout for adding or modifying user and computer accounts. You can move users one at a time or in bulk through a CSV import. A feature that sets this product apart from the competition is its Bulk User Modification. For example, you can move the Home Folders, disable/enable accounts, or change the dial-in/VPN properties for a group of users. You can also alter Exchange and Terminal Services attributes.
ADManager Plus has limited capability for provisioning Exchange above and beyond what you get with the standard Microsoft tools. Whereas some of the other applications can automate the Exchange portion, ADManager can't. Because ADManager Plus can't provision outside AD or Exchange, I focused my testing on the disabling or deleting of user accounts. A Delete policy lets you specify whether a user's Home Folder, Roaming Profile, Terminal Server Home Folder, or Terminal Server Profile should be deleted along with the user account. One important note: I couldn't find a “recycle bin” feature. When an AD object is deleted, it's deleted just as if you removed the object through the built-in Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
ADManager Plus includes 13 types of reports, including password, Exchange, GPO, OU, and many others. There are even compliance-specific reports, including SOX-, HIPPA-, and PCI-compliance reports. Of all the products in this comparative review, ADManager Plus has the most comprehensive list of available reports. NetIQ Directory and Resource Administrator
NetIQ Directory and Resource Administrator has both a web interface for day-to-day administrative tasks, and separate applications for Account and Resource Management and Delegation and Configuration. Like the other products in this review, NetIQ Directory and Resource Administrator is considered a 100 percent proxy model. In other words, “real” AD permissions aren't actually granted to your junior administrators. This is a real advantage if the OU structure of your AD implementation wasn't set up correctly correctly—particularly if the objects you want to grant access to aren't grouped in your OU structure.
This product promotes the notion of powers, which are similar to rights. There are 290 preconfigured powers, and you can also create your own. A simple wizard lets you create a new power over users, groups, computers, contacts, OUs, and published printers. For example, I created a power that allowed the user property EmailAddress to be updated. These powers are then combined to create roles (e.g., Help Desk Administrator). The product's administration website is great for non-technical users, such as managers who have the reset password power, or even for users who have permission to update their personal information (e.g., job title, phone numbers).
Another concept unique to NetIQ Directory and Resource Administrator is automation triggers. A new trigger is created and associated with a UserCreate operation. Once this has been set up in the product's Delegation and Configuration tool, an administrator or Help desk technician can use the web interface to create users, configure Exchange mailboxes, and so on. The interface is simple and well designed.
With the product's ActiveViews, you can implement delegated authority independent of your AD structure. This is useful if the current OU structure wasn't set up properly or if the areas you want to delegate control of fall outside the scope of your current OU structure. An ActiveView can be a group of just about anything, including users, groups, OUs, contacts, computers, and even resources such as printers, print jobs, shares, and services. Because ActiveViews are dynamic (much like an Exchange query-based distribution list), these views change and grow as your domain changes, with no administrative overhead on your part. I was able to easily create an ActiveView that included all the users from the Spokane, WA office. After you create an ActiveView, another wizard automatically starts, letting you delegate specific control of that view to a group.
To generate a report on any object in AD, you use the Directory and Resource Administrator (not the web interface). This tool lets you query for a specific user or group (or any object) and run a report of changes made to the object or by the object. For example, you might want to know who has altered the Help Desk Administrators group (has someone added a rogue entry?), or you might want to know what this particular group has been doing. I found the reporting to be very granular and detailed enough to make any auditor happy. Quest Software ActiveRoles Server
If you've ever used the built-in Delegate Control feature in the Active Directory Users and Computers snap-in, you'll feel right at home in ActiveRoles Server. The product has three default web components: Self Service, Help Desk, and Administrators.
Provisioning a new user in ActiveRoles Server was easily the most user-friendly process of all four products. The built-in policies do a great job of getting you most of the way there. And like the other products, this one requires that you go the rest of the way with scripting. If you're unsure where to begin, Quest has a handy Wiki document full of useful scripts that you can plug directly into ActiveRoles Server.
At one company I've worked with, Help desk technicians aren't allowed to create Exchange mailboxes because of the “risk that they might not create the mailbox in the correct store.” This scenario frustrates the junior technician and wastes the senior engineer’s time. ActiveRoles Server' provisioning and de-provisioning policies help in these kinds of situations.
This tool looks and feels the most like AD itself. When you're delegating permissions, you'll find that the ActiveRoles delegation wizard looks and feels almost identical to Active Directory Users and Computers. Also, whereas ActiveRoles is a “proxy” type tool by default (e.g., ActiveRoles Server controls the permissions, not AD), you can sync the permissions that you set up to AD if you want to. This functionality is useful if applications outside ActiveRoles Server—such as an HR database—need to access objects in AD.
Similar to NetIQ with its ActiveViews, ActiveRoles Server has a feature called Managed Units (MUs). An MU is a collection of objects that you want to group together for administration. As in the NetIQ example, this is useful if the domain wasn't designed properly or even if the administrative tasks you want to perform are outside the AD design. For example, your OU structure might be by city or department, with individual managers distributed throughout the structure. An MU could include all the managers in a particular city and then be granted the right to reset passwords.
ActiveRoles Server has robust Exchange provisioning capabilities, including user and group de-provisioning. When de-provisioning a user, you can disable the account, set the username and password to random values, remove the account from security or distribution groups, grant the manager permissions to the user’s home folder, delete the home folder, run a script (PowerShell, VBScript, JScript, or PerlScript) to disable the employee from an HR database, and schedule the account for permanent deletion.
Before the ActiveRoles Server system can be used for reporting, a Data Collector has to be installed on the server first. Another SQL Server database also has to be created to store the data. The process for getting reporting set up in this product was the most complex of all these products. In fact, throughout testing, I couldn't get the reporting to work correctly.
These products are heads and shoulders above the AD tools that Microsoft ships with Windows Server. However, don't consider them substitutes to proper planning and management! More than once, I found that if I was careless (or sneaky) enough, I could find a way for a Help Desk Technician to escalate his or her privileges and get added to the Domain Administrators group. This isn't a fault of the tools, but they can make it easier to become complacent.
Each of these products worked well and performed their tasks as advertised, but in my opinion, ActiveRoles Server edges out the competition. I appreciate that even though it has a “proxy” model like the other products, the permissions can also be synced to the native AD security structure. The built-in policies to provision and de-provision users immediately subtracts about 30 minutes of busy-work in the typical IT shop when a user is terminated. ActiveRoles Server also has a robust, built-in Workflow module. In the end, ActiveRoles Server simply impressed me the most, regardless of the trouble I experienced with the reporting feature. NetIQ Directory and Resource Administrator ranks a close second, only because ActiveRoles Server has a stronger interface.