Directory Outgroup

User and device management with Active Directory (AD) is probably one of the primary tasks of IT in most companies. From time to time, IT people try to involve other departments in AD management, but this typically fails because of the complexity of the task and the technical nature of the data. ADManager Plus offers another way.

Interactions between IT and other departments could be better organized in many companies. Even in large enterprises, a user account often will not be set up in time when a new employee is hired. The use of existing data sources often means double entry of user data: The Human Resources (HR) department likely has an employee management system, the telephone control software has its own data source, and a time recording system, if in place, also has its own databases.

After creating user accounts and assigning them to organizational units or group memberships, how can an administrator make the input options of the Microsoft Management Console (MMC) Active Directory Users and Computers available to the HR department, for example, without HR changing other parameters in AD? Microsoft does not envisage a granular structure for access authorizations. Although the Windows Server 2016 Essentials Dashboard simplifies the procedure, these features are not available in larger organizations.

How ADManager Plus Works

ADManager Plus 6.6, from ManageEngine (Zoho Corporation's IT management division), lets administrators manage and maintain the company's own AD (Figure 1). Instead of the typical MMC consoles, the software offers a web-based interface that supports highly granular role-based assignment of permissions. Resetting passwords, unlocking users, user creation, and group assignments are typical tasks that ADManager offers in the browser.

In addition to precisely controlling authorizations, the solution supports bulk operations that would otherwise only be possible with scripted jobs (e.g., importing user data from CSV files with automatic creation and configuration of group memberships). Integrated reporting provides IT managers the basis for compliance checks in their own environments and for monitoring the most important settings and attribute definitions in AD. The most exciting function, however, is the ability to delegate routine administrative tasks, such as creating new user accounts, to technical or administrative staff.

Recent Enhancements

Customers and users of ADManager will be familiar with frequent functional enhancements, some of which the manufacturer launches in monthly cycles. In late summer 2017, the developers extended the software in version 6.583 to include the REST API, which allows third-party vendors to access ADManager Plus functions (e.g., for help desk tools). You can use the API calls to create users, release a lock, activate or deactivate accounts, delete commands, and reset.

In the same month, version 6.590 was released with the technology to create, modify, and delete Group Policy objects without the user having to use Microsoft's MMC or PowerShell on-board resources. Less than eight weeks later, version 6.6 added the ability to control Office 365 users and support screen dialogs in the Turkish language.

Ready for Use

The developers have made installing the software quite easy: On any Windows computer, the installer, which comes in at just under 70MB, is started by the user with admin rights. If the current computer is in a domain and the logged in user has domain admin rights, all you have to do is answer a question about the installation location and the port address for the web service.

The almost minimalistic system requirements (1GHz CPU, 1GB of RAM, and 2GB of HDD memory) could almost make you suspicious. (See the "ADManager Plus 6.6" box.) A small module for the integrated PostgreSQL database is installed with the program; in terms of software resources, IT staff only have to take care of Java.

The use of the software does not create any explicit dependencies for AD. If ADManager is not available, the administrator can use the typical MMC snap-ins for administration at any time. Only the settings required for configuration and user management are stored in the database by ADManager.

For our test, we downloaded the software from a third-party website. Unfortunately, the installation package was not completely up to date, so we had to install some updates after the basic installation. To do so, the admin stops all the services and the database from a script job. Thanks to good product documentation, all of these steps are very simple.

For the test, we installed the package on a virtualized Windows 10 in a Windows 2016 domain. In previous tests, we set up trial versions on Windows Server 2008 R2 and Server 2012 R2 – without any problems in all cases. After installation, all employees can work with ADManager in the browser. Here, too, we did not encounter any problems in the course of our tests, regardless of which browser used and on which platform.

The installation as a domain administrator means that the program can immediately access AD. In addition to AD user management, the software works with its own accounts from the database. The first user thus starts off with a predefined administrative account and a standard password. It would make more sense if the solution insisted that you immediately change the password, but this is not the case. In the basic configuration, ADManager initially uses HTTP; we converted to a more secure HTTPS connection in our lab with just a few mouse clicks. The software warns you that an unencrypted HTTP connection allows the password to be read out.

The administrative account allows the use of many, but not all, functions. Some tasks result in an authentication error, because a user with a password for further actions in the domain must first be defined in the Admin tab. Although caught by the error messages, we missed having a typical initial configuration wizard that guides newcomers through the software.

Always Welcome to the Dashboard

The Home view in the dashboard welcomes users every time they log on to ADManager (Figure 1) with a summary of the most important key domain data. At this point, IT managers can see the number of users in their own AD or the number of workstations in use and might believe that these are the latest figures. However, the numbers are not always up to date.

When we deleted objects such as user accounts during our test, it took a few minutes for ADManager to display the updated figures. The small update buttons you will find almost everywhere trigger the update. The information content is very high, as it is in other places in the solution. Of course, software appearance is always a matter of taste, but the moving Buy Now button at the top of the menus simply reminded us too much of the early days of the Internet.

The software more than compensates for its lack of style in terms of functionality. Logged in as an administrator, users can access the full set of commands directly from the web interface, from creating new users and computers, composing groups, and moving root to adjusting mail settings for Exchange servers. However, delegation of tasks is a core function of the software. In the simplest case, a user with administrative authorization selects an existing account in AD and assigns a help desk role to it in the AD Delegation tab.

This role contains several templates that the administrator uses to determine which attributes and commands HR employees, support employees, or technical staff can use. Fortunately, the ADManager developers adhere to the good style of delivering the software with ready-made roles and templates that serve as models for new projects.

Winner in Daily Business

Microsoft's built-in dialogs for AD have grown dear to IT staff over the years, but they are not particularly practical. Even people who want to be friendly about it are likely to consider the tabs for the user settings rather distinctive. In comparison, ADManager is far more convenient. For example, when it comes to defining login names, the software typically suggests a first name-last name model, which admins can customize according to their preferences. However, IT managers can easily map far stranger constructions with ADManager: Automatic replacement of non-standard characters, removal of unwanted spaces and dots, or incrementing an appended number, even with leading zeros to avoid duplicate logon names – all were easily accomplished in our lab with the software. In practice, you can also create users or lock computers from iPad or iPhone apps if the mobile devices can access the server directly on the WiFi network (Figure 2).

A very useful bulk management solution is also at hand: If you want to create several accounts at once or reset the passwords for a whole group of users at the same time, it is intuitively possible with the program. All the functions are largely self-explanatory, and even in single-step workflows, ADManager often offers the possibility of adding an intermediate step. For example, if the administrator notices that they need an organizational unit for new users when loading 20 user accounts from a CSV import, they can branch off to do so in the meantime.

In the Automation tab, administrators can create a User_Exit process with just a few mouse clicks. If someone has not logged in for 30 days, their user account is automatically set to Disabled or removed from a group. ADManager comes with this simple but useful workflow function for simple but regular processes. Once you have converted your processes into computer-readable processes in this way, it is easy for the service desk to carry out these steps securely and quickly. In the depths of the settings, you will find everything you need for your daily work, such as what the policy for deleting a user object should look like: Should the software permanently delete the mailbox in Exchange or should it run another user-defined script? This is determined by the task owner at the click of a mouse.

The software inspires admins with its smart strategies: Anyone who has worked in user management on a regular basis knows that subsequent changes can occur with some time lag. The overview of Recently password changed users report makes it very easy to find these accounts.

The integrated workflow function in ADManager Professional also supports basic mapping of change management steps. With a single mouse click, the administrator determines how the software interprets the deletion of a user. The administrator also uses ADManager to manage delivery options with ease for Microsoft Exchange.

Superior Reporting

As far as creating reports and overviews is concerned, ADManager provides everything that Microsoft's on-board resources tend to output in a tabular form. Even administrators who otherwise tend to limit themselves to the bare figures and technical details should be happy. The program evaluates all conceivable information in AD in such a way that it always answers the most unusual questions that your superiors might have.

The best examples of this are Recently deleted users, Users in more than one Group, Users without logon script, or Users never logged on. ADManager is not limited to the 32 reports for user objects; it continues with segments Password, Groups, Computer, Exchange, Contacts, GRO, OE, NTFS, Security, Office 365, and Conformance reports in similar detail.

By default, the software selects the usual default values, such as for one week. With a few mouse clicks, the IT professional or technical staff can limit the evaluation to specific organizational units. The software exports the results of the evaluations in CSV, Excel, HTML, and PDF formats, and the administrator can also have reports mailed regularly on request.

For the Cloud and Other Purposes

Although enthusiasm for user administration in Microsoft Office 365 is still quite muted in some countries, this technology is likely to see far greater spread, especially in the US. Cloud-based resource management is still a future topic in other countries. Separated from the traditional on-premises AD, administrators encounter unexpected difficulties in the cloud, because only PowerShell scripting and the native functions are available for automation. ADManager allows provisioning not only for Office 365 accounts, but for Google G Suite accounts, Skype, and Lync, as well.

When processing day-to-day tasks, the software frees the administrator from the need for extensive programming and scripting; however, some programming skills are required to trigger external systems. After processes have been completed, the software can trigger scripts with variables (e.g., to delegate user creation or standard software updates).

Conclusions

In large and distributed enterprises, this software solution impresses with its extended user management capabilities. All ADManager Plus dialogs are far easier to use and more user friendly than the standard windows the administrator usually has to deal with. Excellent adaptability to your own wishes makes the solution even more exciting. Thanks to quick installation and very simple commissioning, we recommend the program for your own testing (see Table 1), especially because no changes at all need to be made to AD. In conjunction with this program, the manufacturer offers additional software, such as an auditing solution, an Exchange reporter, a self-service portal, and a program for evaluating Windows event displays. ADManager Plus provides a complete product family for the administration and configuration of IT systems.