AD Group Manager - Self-service Active Directory group administration

Learn how AD Group Manager makes Active Directory administration easier by delegating group membership duties to those who understand their users' access needs the best.
Latest posts by Timothy Warner (see all)

I have a lot of admiration for software companies that develop point solutions. A point solution is a product that solves a single business problem. Sadly, I've seen businesses fail when they attempt to make software that tries to tackle too many use cases and dependencies.

Albus Bit produces point-solution software centered on Active Directory Domain Services (AD DS). In fact, I've reviewed a couple of their tools previously here at 4sysops:

Today we will examine AD Group Manager, which aims to make your security compliance easier through self-service AD group administration. Let's start with a fictional case study example that will quickly give you a feel for how this product fulfills a legitimate IT business need.

Case study

Let's imagine you are the lead systems administrator for your organization. Recent security audits have flagged sloppy Active Directory group management. Some security groups contain user accounts from employees who have long since left the company. Other security groups do not give required user access to resources.

Pat Finnegan, team lead of the Legal department, has been particularly vocal about this problem. "Can't I manage our groups myself? It would be a heck of a lot more efficient!"

"Great idea!" you reply. "I have just the tool for you, Pat." Take a look at the following screenshot, and I'll explain what the Legal team looks like:

Our case study environment


  • Pat Finnegan: An ordinary AD user delegated with the ability to manage Legal AD group membership
  • Staff Attorneys: A domain global security group that contains full-time corporate attorney employees
  • Nelson Angstrom: Currently an intern who will become a full-time member of the Legal team tomorrow

Our goal here is to give Pat self-service access to the non-administrative Active Directory security and distribution groups that fall within his department. This is where Albus Bit AD Group Manager comes in. Before we install the software, we first have a bit of Active Directory homework to do.

Prepare the environment

AD Group Manager relies upon built-in Active Directory schema properties to determine which groups to allow Pat to manage.

As a domain administrator, I need to associate Pat Finnegan as the manager of the Staff Attorneys group. From Active Directory Users and Computers, we open the Staff Attorneys Properties sheet, navigate to Managed By, and resolve Pat's user account name.

Be sure to select Manager can update membership list, or AD Group Manager won't work.

Enabling AD group management


Next, we install AD Group Manager on Pat's desktop workstation. Pat will then start the application under his own credentials and get to work curating the Staff Attorneys group membership.
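Before handing the tool to delegated managers, it helps to audit what the Managed By delegation actually grants. The following PowerShell is an added example, not code from the original article or from Albus Bit: it lists every group with a Managed By value, checks whether the manager holds the explicit write-members permission that the checkbox creates, and reports disabled accounts still in the group. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name `Get-ManagedGroupReport` is hypothetical.

```powershell
# Added example: audit groups delegated through Managed By.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute; the "Manager can update membership
# list" checkbox adds an Allow/WriteProperty ACE scoped to this attribute.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-ManagedGroupReport {   # hypothetical helper name
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($group in Get-ADGroup -LDAPFilter '(managedBy=*)' -Properties ManagedBy, adminCount) {
        # Resolve the manager; contacts have no SID and cannot hold an ACE.
        $manager = Get-ADObject -Identity $group.ManagedBy -Properties objectSid
        $sid = if ($manager.objectSid) { $manager.objectSid.Value } else { $null }

        # Explicit ACEs only: the checkbox writes directly on the group object.
        $acl  = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
        $aces = $acl.GetAccessRules($true, $false, $sidType)
        $canEdit = [bool]($aces | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeProp) -and
            $_.ObjectType -eq $MemberAttributeGuid
        })

        # Disabled accounts still in the group (the stale-member audit finding).
        $disabled = Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser | Where-Object { -not $_.Enabled }

        [pscustomobject]@{
            Group           = $group.Name
            Manager         = $manager.Name
            ManagerCanEdit  = $canEdit
            ProtectedGroup  = ($group.adminCount -eq 1)   # AdminSDHolder-protected
            DisabledMembers = ($disabled.SamAccountName -join ', ')
        }
    }
}

Get-ManagedGroupReport | Format-Table -AutoSize
```

Rows where ManagerCanEdit is False are groups whose checkbox was not selected; rows where ProtectedGroup is True are administrative groups that fall outside the non-administrative scope described in the case study.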

Use AD Group Manager

AD Group Manager assumes the current user's AD domain credentials; I will show you shortly how you can customize this. In the meantime, examine the following annotated user interface screenshot, and I'll explain it:

AD Group Manager interface

  • A: The program populates this metadata based on the user's AD account properties.
  • B: The program populates this list based on the previously mentioned Managed By AD schema attribute.
  • C: Click this button to enumerate members of the selected group.
  • D: You can customize the properties that display here.
  • E: The delegated manager can adjust the group membership here.

In the next screenshot, we observe Pat adding Nelson Angstrom to the Staff Attorneys group.

Adjusting AD group membership


Note that Pat can remove group members as well. Click Export group members (Excel) to create a report. Here's a screenshot showing the results:

Reporting group membership in Excel


Configuration and customization

Click Options to customize AD Group Manager behavior. The General tab lets you specify which AD property columns appear in the group and member views. You can specify alternate credentials on the Advanced tab; this is particularly useful in multi-domain and even multi-forest environments. The Auto updates tab is self-explanatory. Here is a composite screenshot of the Options pages for your reference:

AD Group Manager configuration options


The AD Group Manager documentation says that you can use Group Policy to customize the tool centrally, but the implementation is a bit "hacky." Essentially, you need to add registry keys and values under the key path HKEY_CURRENT_USER\Software\AlbusBit\ADGroupManager. The relevant Group Policy path is User Configuration\Preferences\Windows Settings\Registry. You can read more about this in the docs.

Wrap-up

Because AD Group Manager is a point solution, you wouldn't expect a complicated, enterprise-scale licensing model. The good news here is that the Enterprise license costs $299 USD and allows you to deploy the tool on as many computers as you want, usable by as many users as you want. Albus Bit does make a free trial available as well.

Supposedly Steve Jobs once said, "Do not try to do everything. Do one thing well." In that regard, Albus Bit did an excellent job with AD Group Manager.


© 4sysops 2006 - 2020
