Dec 08 2011

3 Solutions for Active Directory Management and Administration

Written by Misha Hanin   

By Denis Roman (http://ua.linkedin.com/in/denroman)

Comprehensive management of an Active Directory environment is crucial to keeping a network healthy. When the number of user accounts grows dramatically, it is often necessary to turn to third-party AD management solutions. In this article we analyze three such solutions:

· Softerra Adaxes

· Quest Active Roles Server

· ManageEngine ADManagerPlus

Softerra Adaxes – http://www.adaxes.com

Softerra Adaxes is a comprehensive and customizable product that, among other features, helps manage provisioning and automation, create a self-service web portal, and delegate Active Directory management permissions to users. A trial version of the software is easy to obtain. The Softerra Adaxes website offers plenty of documentation, demo videos, screenshots and license pricing, which greatly simplifies planning. Use cases, which are essential to IT managers, would be a helpful supplement to the software documentation.

Price: $1.600 for a license with up to 100 user accounts.

After installation, Softerra Adaxes provides an administration console and an AD web interface. The configuration can be backed up to a file and restored during installation. The basic features are listed in the Feature Summary; the most interesting capabilities are described below.

The main provisioning and management functions in Softerra Adaxes are implemented by means of Business Rules, Custom Commands and Property Patterns. Business Rules are a workflow for Active Directory that also includes an approval mechanism. The rules are triggered before or after particular actions on an object, for example adding a user to a group right after the account is created, or running a script after an object is deleted.

Custom Commands store the most frequently used sequences of actions to apply to objects. They can be run as a single command or as part of Business Rules.

Property Patterns help create compliance policies for AD object properties, e.g. constraints and default values.

As you can see, Business Rules, Property Patterns and Custom Commands allow administrators to implement a sophisticated auto-provisioning system for AD objects and ensure data consistency.

Another handy feature is Business Units, which allow you to create alternative logical groups of AD objects and perform operations on them.

It is worth mentioning that Softerra Adaxes includes a web-based component, the Active Directory web interface, where, apart from the main features, you will also find a vast set of Active Directory reports.

The Softerra Adaxes web interface can be given to users and help desk technicians for password resets, AD object management, property modifications, execution of Custom Commands, etc. Delegation of permissions is based on the RBAC model.

The web interface is highly customizable and allows custom tasks to be delegated to end users and help desk technicians, which is a very valuable feature.

Softerra Adaxes can also perform bulk operations on objects: select the objects you need in the Result Pane, Basket or search results and perform the necessary operation.

It is also possible to restore the built-in Security Roles to their default state. You can modify built-in Security Roles as you need or even delete them; to discard the changes you made, restore them to their initial state. It is worth mentioning that Adaxes supports PowerShell management through a plugin and is able to work with SPML.

Conclusion: Softerra Adaxes is useful for complex custom AD management scenarios, self-service app creation, and implementation of workflow and compliance solutions for AD.

Useful features: import-export, provisioning and automation capabilities, self-service web portal, SPML connector, RBAC-based delegation, changes log, email notifications, customizable web interface, performing of Exchange tasks on AD objects, and a variety of reports.

What could be adjusted there: small number of built-in provisioning patterns, poor integration with other MS apps.

Quest Active Roles Server - http://www.quest.com/activeroles-server/

The Quest website contains a great deal of documentation, use cases and tutorials, but it is rather difficult to find the license price and get a trial, which complicates the planning stage and the whole process of software selection. The AR Server feature set is listed here: http://www.quest.com/activeroles-server/#docs

To install the software you need IIS, SQL server and MSSQL reporting services.

Price: $25 per AD user; additional costs for external connections.

ARS consists of the main console and a web interface.

Main console:

image

The core of AR Server's functionality is delivered through policy objects, management units and workflow. Here is a quote from the docs:

You can create a Policy Object that includes any number of different policies, such as format validation, generation rules for the values of object attributes, scripts that supplement administrative operations, automatic creation of user mailboxes on prescribed Exchange servers, automatic creation of user home folders and home shares, and relocation of an object to a specified container when it meets certain criteria.

To set up provisioning you need to create and assign a policy object, in which you define the provisioning rules. You also need to add a workflow to establish a highly controlled provisioning process.

There are not many provisioning policies by default, but you can download more from the marketplace. Obviously you would want to implement provisioning logic in the workflow. This approach allows you to create very complex and customizable provisioning/deprovisioning policies.

Quest Active Roles Server has a very powerful reporting system based on MS SQL Server Reporting Services, so it is possible to get ample report information and use the standard features of Reporting Services.

Active Roles Server web part: a fully customizable web interface for managing AD and the software itself. There you can build your own forms and delegate control to users. Forms, tabs, etc. can be configured granularly.

All rights in AR Server are delegated through RBAC, which includes a number of preconfigured items.

Some other Active Roles Server features that should be mentioned:

Ability to run scheduled tasks,

Virtual attributes – allow adding attributes without AD schema extension,

Script modules that can be used in policies,

Change history,

Dynamic group membership – allows you to create rule based groups and use them as a policy,

Dynamic management units,

Support for the Exchange Resource Forest Mode.

Conclusion: Quest Active Roles Server is a complex and customizable app for big environments, with a customizable web GUI.

Good features: granular import and export of the configuration, changes history, scheduled tasks, GUI workflow constructor, Exchange resource forest mode support, customizable web GUI.

What could be adjusted there: the software does not include many predefined policies and workflows, may not be convenient for quick ad hoc bulk operations and small environments, and has a high product price.

ManageEngine ADManager Plus – http://www.manageengine.com/products/ad-manager/

The website contains technical documentation, but it is inferior in quality and quantity to the documentation of the previously analyzed software.

Price: 1 Domain (Unrestricted Objects) with 2 help desk Technicians Included - $495

Management is performed through a web interface. Main features can be found following the link below:

http://www.manageengine.com/products/ad-manager/features.html

Features that should be mentioned:

Users management,

Exchange properties management,

AD compliance reports,

Bulk User Modification including Exchange, TS, password reset.

The basic capabilities of this software are shown in this screenshot:

image

AD Manager Plus includes a rather primitive workflow module which can be used as a ticketing mechanism:

http://www.manageengine.com/products/ad-manager/active-directory-workflow-for-compliance.html

The software includes a vast list of standard reports:

image

The Exchange reports do not contain much useful information, such as “top users”, but there are some interesting reports, such as Recently Deleted Users and the GPO reports:

· All GPOs & Linked AD Objects

· Recently Created GPOs

· Recently Modified GPOs

· Disabled GPOs

· Unused GPOs

· Frequently Modified Computer Settings GPOs

· Frequently Modified User Settings GPOs

· Domain Linked GPO

· OU Linked GPO

· Site Linked GPO

· GPO Blocked Inheritance Containers

· Computer Settings disabled GPOs

· User Settings disabled GPOs

· Frequently Modified GPOs

All reports can be found here:

http://www.manageengine.com/products/ad-manager/windows-active-directory-reports.html
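
Several of the GPO reports listed above can be cross-checked with the native GroupPolicy PowerShell module. The script below is an added example, not ManageEngine code and not part of the original article; the function name `Get-GpoReport`, the 30-day window and the mapping of report names to the `GpoStatus`, `CreationTime` and `ModificationTime` properties are assumptions, and the sample objects are constructed so it runs without a domain.

```powershell
# Added example: sorts GPOs into some of the report categories named in the article.
# Live input (needs the GroupPolicy module from RSAT/GPMC):  $gpos = Get-GPO -All
# Constructed sample objects carrying the same property names as Get-GPO output:
$now  = Get-Date
$gpos = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy'; GpoStatus = 'AllSettingsEnabled';       CreationTime = $now.AddDays(-900); ModificationTime = $now.AddDays(-400) }
    [pscustomobject]@{ DisplayName = 'Kiosk Lockdown';        GpoStatus = 'UserSettingsDisabled';     CreationTime = $now.AddDays(-200); ModificationTime = $now.AddDays(-3) }
    [pscustomobject]@{ DisplayName = 'Old Proxy Settings';    GpoStatus = 'AllSettingsDisabled';      CreationTime = $now.AddDays(-700); ModificationTime = $now.AddDays(-650) }
    [pscustomobject]@{ DisplayName = 'Helpdesk Test';         GpoStatus = 'ComputerSettingsDisabled'; CreationTime = $now.AddDays(-5);   ModificationTime = $now.AddDays(-5) }
)

function Get-GpoReport {
    param(
        [Parameter(Mandatory)] [object[]] $Gpo,
        [int]      $RecentDays = 30,          # assumed definition of "recently"
        [datetime] $AsOf       = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$RecentDays)
    foreach ($g in $Gpo) {
        $status  = [string]$g.GpoStatus       # enum on live objects, string in the sample
        $reports = @()
        if ($g.CreationTime     -ge $cutoff) { $reports += 'Recently Created GPOs' }
        if ($g.ModificationTime -ge $cutoff) { $reports += 'Recently Modified GPOs' }
        switch ($status) {
            'AllSettingsDisabled'      { $reports += 'Disabled GPOs' }
            'ComputerSettingsDisabled' { $reports += 'Computer Settings disabled GPOs' }
            'UserSettingsDisabled'     { $reports += 'User Settings disabled GPOs' }
        }
        # One output row per (report, GPO) pair so results can be grouped or exported.
        foreach ($r in $reports) {
            [pscustomobject]@{
                Report   = $r
                GPO      = $g.DisplayName
                Status   = $status
                Modified = $g.ModificationTime
            }
        }
    }
}

Get-GpoReport -Gpo $gpos -RecentDays 30 -AsOf $now |
    Sort-Object Report, GPO | Format-Table -AutoSize
```

A recently modified or partially disabled GPO that nobody can account for is worth reviewing, since GPO changes apply to every object in the linked scope.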

AD Manager Plus uses the RBAC model to manage access and rights. The main capabilities are shown in the screenshot below:

image

As you can see, rights can be delegated granularly in this software.

It is worth pointing out the ability to bulk-modify users’ properties, including Exchange and terminal services properties.

Conclusion:

ManageEngine ADManager Plus is a simple and handy application with standard user management features, plenty of reports, an RBAC delegation model, a web-based GUI and self-service capabilities. Simple workflow provisioning is possible with this software.

Good features: bulk management, reports, possibility of integration with user self service product ADSelfService Plus, competitive price

What could be adjusted there: absence of API, absence of complex provisioning, no backup settings from the console, no extended export features, no standalone client.

Disclaimer:

This article is intended to serve general information purposes only. The information provided in the article is not intended as advice of any kind. The author cannot give any warranty as to the accuracy or completeness of the information in this article. All provided data is taken from open sources. To learn the full list of the mentioned software features and capabilities, it is recommended to contact the software manufacturer directly.

 