I have a lot of admiration for software companies that develop point solutions. A point solution is a product that solves a single business problem. Sadly, I've seen businesses fail when they attempt to make software that tries to tackle too many use cases and dependencies.
Albus Bit produces point-solution software centered on Active Directory Domain Services (AD DS). In fact, I've reviewed a couple of their tools previously here at 4sysops:
- AD FastReporter – Fast and flexible AD reports
- NTFS Permissions Auditor: No-nonsense file system security auditing and reporting
Today we will examine AD Group Manager, which aims to make your security compliance easier through self-service AD group administration. Let's start with a fictional case study example that will quickly give you a feel for how this product fulfills a legitimate IT business need.
Case study ^
Let's imagine you are the lead systems administrator for your organization. Recent security audits have flagged sloppy Active Directory group management. Some security groups contain user accounts from employees who have long since left the company. Other security groups do not give required user access to resources.
Pat Finnegan, team lead of the Legal department, has been particularly vocal about this problem. "Can't I manage our groups myself? It would be a heck of a lot more efficient!"
"Great idea!" you reply. "I have just the tool for you, Pat." Take a look at the following screenshot, and I'll explain what the Legal team looks like:
- Pat Finnegan: An ordinary AD user delegated with the ability to manage Legal AD group membership
- Staff Attorneys: A domain global security group that contains full-time corporate attorney employees
- Nelson Angstrom: Currently an intern who will become a full-time member of the Legal team tomorrow
Our goal here is to give Pat self-service access to the non-administrative Active Directory security and distribution groups that fall within his department. This is where Albus Bit AD Group Manager comes in. Before we install the software, we first have a bit of Active Directory homework to do.
Prepare the environment ^
AD Group Manager relies upon built-in Active Directory schema properties to determine which groups to allow Pat to manage.
As a domain administrator, I need to associate Pat Finnegan as the manager of the Staff Attorneys group. From Active Directory Users and Computers, we open the Staff Attorneys Properties sheet, navigate to Managed By, and resolve Pat's user account name.
Be sure to select Manager can update membership list, or AD Group Manager won't work.
Next, we install AD Group Manager on Pat's desktop workstation. Pat will then start the application under his own credentials and get to work curating the Staff Attorneys group membership.
Use AD Group Manager ^
AD Group Manager assumes the current user's AD domain credentials; I will show you shortly how you can customize this. In the meantime, examine the following annotated user interface screenshot, and I'll explain it:
AD Group Manager interface
- A: The program populates this metadata based on the user's AD account properties.
- B: The program populates this list based on the previously mentioned Managed By AD schema attribute.
- C: Click this button to enumerate members of the selected group.
- D: You can customize the properties that display here.
- E: The delegated manager can adjust the group membership here.
In the next screenshot, we observe Pat adding Nelson Angstrom to the Staff Attorneys group.
Note that Pat can remove group members as well. Click Export group members (Excel) to create a report. Here's a screenshot showing the results:
Configuration and customization ^
Click Options to customize AD Group Manager behavior. The General tab lets you specify which AD property columns appear in the group and member views. You can specify alternate credentials on the Advanced tab; this is particularly useful in multi-domain and event multi-forest environments. The Auto updates tab is self-explanatory. Here is a composite screenshot of the Options pages for your reference:
The AD Group Manager says that you can use Group Policy to customize the tool centrally, but the implementation is a bit "hacky." Essentially you need to add registry keys and values to the key path HKEY_CURRENT_USER\Software\AlbusBit\ADGroupManager. The relevant Group Policy path is User Configuration\Preferences\Windows Settings\Registry. You can read more about this in the docs.
Because AD Group Manager is a point solution, you wouldn't expect a complicated, enterprise-scale licensing model. The good news here is that the Enterprise license costs $299 USD and allows you to deploy the tool on as many computers as you want, usable by as many users as you want. Albus Bit does make a free trial available as well.
Supposedly Steve Jobs once said, "Do not try to do everything. Do one thing well." In that regard, Albus Bit did an excellent job with AD Group Manager.