Simplify AD management

As you build your Active Directory (AD) topology, you'll want to create a robust directory structure that incorporates the appropriate security for rights and roles throughout your enterprise. This task isn't easy because Windows 2000 doesn't provide an interface from which you can control all AD permissions. To address this shortcoming, FastLane Technologies created an AD management tool that extends AD's standards-based delegation model. FastLane's DM/ActiveRoles 2.0 assists with AD deployment and management by letting you consolidate access control entries (ACEs) into logical roles that you can assign throughout the enterprise.

How It Works
DM/ActiveRoles lets you collect ACEs into one ActiveRole. You then assign the ActiveRole to an AD object and a user or group. To help me conceptualize the role-assignment process, I considered role assignments from the object perspective. For example, if I assign an ActiveRole called helpdesk to an organizational unit (OU) named BigCompany for the user account Fred, then Fred has the access specified in the helpdesk ActiveRole for the BigCompany OU. After you define an ActiveRole, you can reassign it wherever appropriate. Although you use the DM/ActiveRoles interface to create and assign ActiveRoles, the underlying ACEs are native to AD, which means you can use native Win2K tools to manage AD independently of DM/ActiveRoles.

Installing DM/ActiveRoles
I received DM/ActiveRoles as a Windows Installer file email attachment from FastLane; however, FastLane plans to distribute the product on CD-ROM. I double-clicked the DMActiveRoles.msi icon to install DM/ActiveRoles to my test server. My server was a dual-Pentium III processor system with 512MB of RAM that ran Win2K Advanced Server, and I configured the server as the only domain controller (DC) for the AD domain. After I selected the full installation option, the software installed within seconds and prompted me to enter a license key, which FastLane provided by email.

The online Quick Start Guide recommends that you set the software to Directory-Enabled Mode to leverage AD's performance and availability. To set this option, I selected FastLane DM/ActiveRoles from Win2K's Start menu, then selected Configure, Directory-Enabled Mode. The program also lets you store role information locally. Local Mode lets you evaluate DM/ActiveRoles without modifying the AD schema. If you wish, you can later make a one-time transition to the recommended Directory-Enabled Mode.

The User Interface
The DM/ActiveRoles interface, which Figure 1, page 122, shows, is a Microsoft Management Console (MMC) snap-in. The left pane displays, in treeview, the DM/ActiveRoles snap-in node, the ActiveRoles Container, the Reports node, and domain OUs. The right pane displays in list view the corresponding objects for the item you select in the treeview. When you select a directory object, the list view splits horizontally to show ActiveRoles in the lower-right pane. This pane shows both directly applied ActiveRoles and ActiveRoles inherited from parent objects in the directory.

Right-clicking in the lower-right pane lets you choose between displaying ActiveRoles or a native ACL for the object you select in the treeview. When you display ActiveRoles, a dark green key icon represents directly applied roles, and a faded green key icon represents inherited roles. When you view the native ACL, an ACE specified through an ActiveRole shows the letters AR added to its icon. In the treeview, a small green square in the lower-right corner of an icon designates objects that have ActiveRoles assigned to them.

Because the interface is an MMC snap-in, you can add other snap-ins to the console to customize your environment. I added the MMC Active Directory Users and Computers snap-in to my console to give me quick access to user management facilities. You can add additional domains to the treeview by right-clicking the DM/ActiveRoles snap-in node and choosing Connect to Domain from the resulting menu.

Defining ActiveRoles
By default, only members of the Domain Admins group can manage ActiveRoles, but you can add other users and groups to the list of those with access. To test this functionality, I right-clicked the ActiveRoles Container and selected Manage Permissions from the resulting menu. This selection launched Control Wizard, which I used to add a user account named RA to the list of accounts that had permissions to access objects. I selected Full Control from the Role drop-down menu for RA. I then logged off and logged on again as RA to verify that the account could manage ActiveRoles.

You can use predefined ActiveRoles or customized ActiveRoles. I used mostly predefined ActiveRoles that I modified. To modify them, I selected the ActiveRoles Container in the left pane of the MMC snap-in, right-clicked the role I wanted to copy, and selected Copy from the resulting menu. A Copy ActiveRole dialog box appeared that listed the predefined source ActiveRole and asked me to specify a name and description for the destination ActiveRole. To modify the destination ActiveRole, I right-clicked the copy of the ActiveRole and selected Edit from the resulting menu to bring up the Edit ActiveRole dialog box. This dialog box contains a drop-down menu for object selection and a list of corresponding permissions for which you can allow or deny access.

If you select the Filter unused objects/rights check box, the software lets you focus on only managed objects. The DM/ActiveRoles manual didn't document this feature well, but a conversation with a FastLane representative clarified the feature's use. Selecting this check box simplifies editing ActiveRoles because it limits the displayed objects and rights to only those that the ActiveRole definition references. For example, when I edited my Sr. Help Desk ActiveRole, I used the filter option to narrow the number of objects from 21 to the 3 that had specified permissions. The filter also narrowed the list of permissions for those objects to only those permissions that the selected role explicitly allowed or denied access to.

You can delete unused roles from the ActiveRole Container, and you can import and export individual or multiple ActiveRoles as necessary. I created several ActiveRoles by right-clicking the ActiveRoles Container and selecting New, ActiveRole. The Create ActiveRole Wizard prompted me for the role's name and description; the wizard then presented the same dialog box that I used for editing predefined ActiveRoles. Leveraging the AD functionality that the predefined roles contain is easier than creating roles, but through trial and error, I was able to establish the permissions I wanted for the role that I had created.

FastLane plans to create ActiveRole Packs of predefined ActiveRoles for specific AD-enabled applications (e.g., Microsoft Exchange 2000 Server). Registered users will be able to download these ActiveRole Packs from the FastLane Web site. FastLane also plans to designate an area of its Web site for users to trade custom ActiveRoles.

The ability to group ActiveRoles logically within the list view would benefit organizations that deploy many roles. However, version 2.0 doesn't offer such a feature.

Assigning ActiveRoles
After you define an ActiveRole, you assign it to the AD object to which you want to apply the role's specified permissions. At the same time, you designate who will have the selected object's role. To assign the Win2KLab Sr. Help Desk role to the entire AD domain, I right-clicked the top-level domain object and selected Manage Permissions, which launched the Control Wizard that Figure 2 shows. I clicked Add, selected SrHelpDesk in the resulting dialog box, then clicked OK to return to the Control Wizard. At this point, the Account column listed the SrHelpDesk group, and the Apply To column listed This object and all child objects (other Apply To options are This object only and Child objects only). Next, I clicked within the bounds of the Role column, and a drop-down box appeared. I selected Win2KLab Sr. Help Desk and clicked Finish. A green square appeared on the domain object's icon in the DM/ActiveRoles interface to show that the object is a controlled object, and the lower-right pane listed the newly applied ActiveRole information.

I used the same process to assign all ActiveRoles, and I accepted the default setting for inheriting permissions from parent objects in all cases. The same mechanism that lets you assign roles lets you change role assignments. To remove an object from DM/ActiveRoles' control, right-click the object and select Remove From Control from the resulting menu.

Because the product uses native ACEs that you can modify outside of DM/ActiveRoles, the software includes a utility—Check ActiveRoles—for verifying that object access permissions match the permissions that you specify in the applied role. As a test, I changed some ACEs on an object, then right-clicked the controlled object and selected Check ActiveRoles. I received a message that the native permissions were out of sync with the ActiveRoles-defined ACEs. The message asked whether I wanted to add the missing ACEs to the native permissions. I clicked Yes, and DM/ActiveRoles restored the ACEs to their ActiveRole-defined states.
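To make three points of the review concrete in one place (the role-to-ACE model in How It Works, the three Apply To scopes of the Control Wizard in Assigning ActiveRoles, and the Check ActiveRoles sync step just described), here is an added Python model. It is not FastLane's code and does not use the real AD security-descriptor format: an ACE is reduced to a (trustee, object class, right, allow) tuple, role names, trustees, DNs and rights are constructed sample values, and treating "Child objects only" as every descendant rather than only direct children is an assumption. The check step, like the message the review describes, reports role-defined ACEs that are missing from the native ACL and restores them; ACEs that exist natively but come from no role are left alone, which is something a defender auditing delegation would still want to review separately.

```python
"""Role-to-ACE delegation model (constructed example, not FastLane's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A simplified ACE: (trustee, object_class, right, allow).  Real AD ACEs also
# carry inheritance flags and object GUIDs; those are omitted here (assumption).
Ace = Tuple[str, str, str, bool]

# The three Apply To options the Control Wizard offers.
THIS_OBJECT_ONLY = "This object only"
CHILD_OBJECTS_ONLY = "Child objects only"
THIS_AND_CHILDREN = "This object and all child objects"


@dataclass
class Role:
    """An ActiveRole: a named bundle of (object_class, right, allow) entries."""
    name: str
    entries: List[Tuple[str, str, bool]]

    def expand(self, trustee: str) -> Set[Ace]:
        # Binding the role to a trustee produces the concrete ACEs.
        return {(trustee, cls, right, allow) for cls, right, allow in self.entries}


@dataclass
class DirObject:
    """A directory object with its native ACL and its direct role assignments."""
    dn: str
    children: List["DirObject"] = field(default_factory=list)
    native_acl: Set[Ace] = field(default_factory=set)
    assignments: List[Tuple[Role, str, str]] = field(default_factory=list)

    def assign(self, role: Role, trustee: str, scope: str = THIS_AND_CHILDREN) -> None:
        self.assignments.append((role, trustee, scope))


def expected_aces(obj: DirObject, inherited=()) -> Dict[str, Set[Ace]]:
    """Per DN, the ACEs the role assignments imply.  'Child objects' is treated
    as every descendant, not only direct children (assumption)."""
    own: Set[Ace] = set()
    passed_down = list(inherited)
    for role, trustee, scope in obj.assignments:
        if scope in (THIS_OBJECT_ONLY, THIS_AND_CHILDREN):
            own |= role.expand(trustee)
        if scope in (CHILD_OBJECTS_ONLY, THIS_AND_CHILDREN):
            passed_down.append((role, trustee))
    for role, trustee in inherited:
        own |= role.expand(trustee)
    result = {obj.dn: own}
    for child in obj.children:
        result.update(expected_aces(child, passed_down))
    return result


def _walk(obj: DirObject, expected: Dict[str, Set[Ace]]):
    yield obj, expected[obj.dn]
    for child in obj.children:
        yield from _walk(child, expected)


def apply_roles(root: DirObject) -> None:
    """Write the role-derived ACEs into each object's native ACL."""
    for obj, aces in _walk(root, expected_aces(root)):
        obj.native_acl |= aces


def check_roles(root: DirObject) -> Dict[str, Set[Ace]]:
    """Drift report: per DN, role-defined ACEs absent from the native ACL.
    An empty dict means native permissions and ActiveRoles are in sync."""
    drift: Dict[str, Set[Ace]] = {}
    for obj, aces in _walk(root, expected_aces(root)):
        missing = aces - obj.native_acl
        if missing:
            drift[obj.dn] = missing
    return drift


def repair_roles(root: DirObject) -> int:
    """Add the missing ACEs back (the 'Yes' answer); returns how many."""
    restored = 0
    for obj, aces in _walk(root, expected_aces(root)):
        missing = aces - obj.native_acl
        obj.native_acl |= missing
        restored += len(missing)
    return restored


def build_sample_domain():
    """Constructed topology: domain -> OU=BigCompany -> OU=Sales, two roles."""
    sales = DirObject("OU=Sales,OU=BigCompany,DC=win2klab,DC=local")
    bigco = DirObject("OU=BigCompany,DC=win2klab,DC=local", children=[sales])
    domain = DirObject("DC=win2klab,DC=local", children=[bigco])
    sr_helpdesk = Role("Sr. Help Desk", [("user", "ResetPassword", True),
                                        ("user", "WriteProperty:lockoutTime", True),
                                        ("group", "WriteProperty:member", True)])
    helpdesk = Role("helpdesk", [("user", "ResetPassword", True)])
    domain.assign(sr_helpdesk, "SrHelpDesk", THIS_AND_CHILDREN)
    bigco.assign(helpdesk, "Fred", CHILD_OBJECTS_ONLY)
    return domain, bigco, sales


if __name__ == "__main__":
    domain, bigco, sales = build_sample_domain()
    apply_roles(domain)
    print("in sync:", check_roles(domain) == {})
    # Simulate an administrator editing the ACL with a native tool.
    sales.native_acl.discard(("Fred", "user", "ResetPassword", True))
    print("drift:", check_roles(domain))
    print("restored:", repair_roles(domain))
```

Running the module applies both assignments, removes one of Fred's ACEs from the Sales OU as if it had been edited with a native tool, shows the drift report for that one DN, and restores the single missing ACE. Editing a role's entries and re-running `apply_roles` is the model's counterpart to the propagation of ActiveRole changes that the review praises.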

The Role Composition Console
The Role Composition Console (RCC) is integral to maintaining a simple approach to a complex task. You can use the RCC to choose the visible attributes for a given object. In its development of DM/ActiveRoles, FastLane selected appropriate attributes for standard AD objects, but for schema additions, you'll want to use the RCC.

The RCC is analogous to a restaurant menu. You don't want to order your meal ingredient by ingredient, but you might want to know what comes on a hamburger and be able to hold the onions. The RCC assures you that the application presents only pertinent attributes to the DM/ActiveRoles interface. To test the RCC, I installed a mock AD-integrated application (intended only to extend the schema) that I named ADAPP (as in AD application). I selected a small subset of the available attributes, saved the changes, and returned to the main interface to use the ADAPP object to create a role. When I set access rights for the ADAPP object, only the attributes I specified in the RCC were available.

Reporting
You can easily create detailed reports about controlled objects, accounts, ACEs, and ActiveRoles. I right-clicked the Reports node in the treeview and selected New, Report Template. In the resulting Report Template Wizard dialog box, I specified the type of information I wanted the report to include.

Overall, the wizard-driven reporting tool proved intuitive and easy to use. In minutes, I created several reports detailing my environment. After the wizard completed a report template, the name I gave the template appeared in the list view; double-clicking the listing launched the ReportViewer, which displayed report output that I could print or save as an HTML document. However, the product lacks the ability to schedule reports and automatically save the output for historical reference.

A Flexible and Powerful Tool
If you're serious about leveraging the power of AD in your environment, take a look at DM/ActiveRoles. The product's ability to simplify AD management saves hours of work and creates a more suitable environment for task delegation. You will find the ability to edit an ActiveRole and have those changes propagate to affected objects especially useful.

The software's documentation is thorough in most categories but shallow in its explanation of how to create ActiveRoles. However, FastLane provides knowledgeable and helpful support engineers who can answer any questions you might have about the product. Other minor usability shortfalls were the inability to logically group ActiveRoles in the list view—including this feature would enhance productivity in environments in which many roles are necessary—and the inability to schedule automated reporting, which would enhance the product's utility.

Judging solely on the likely productivity gains from using DM/ActiveRoles, the price of $7 per managed user is a good value. The efficiency and peace of mind that comes with knowing who has which permissions make DM/ActiveRoles a tool I strongly recommend for deploying and managing AD in a corporate environment.

DM/ActiveRoles 2.0
Contact: FastLane Technologies, 902-421-5353 or 800-947-6752
Web: http://www.fastlane.com
Price: $7 per managed user
Decision Summary:
Pros: Simplifies Active Directory rights management; provides native AD Access Control Entries to ensure compatibility with native tools; offers AD-enabled mode, which ensures robust scalability
Cons: Includes no mechanism for grouping ActiveRoles within list view; offers no function for automated reporting; documentation lacks some helpful detail even though it covers all functionality