Automation for Active Directory, Microsoft 365, and Google Workspace with ManageEngine ADManager Plus

• Author
• Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

• ManageEngine OpManager: Comprehensive monitoring for on-prem, cloud, and containers - Thu, Mar 23 2023
• Install K3s, a lightweight, production-grade Kubernetes distro - Mon, Mar 20 2023
• VMware NSX Advanced Load Balancer: Installation and configuration - Fri, Mar 10 2023

As businesses continue to support IT operations across both on-premises and cloud environments, the disparity and size of the toolset can grow. Traditionally, it may require various tools and processes to provision users across multiple environments. In addition, the procedures for managing users across these environments can differ, causing unnecessary management burdens. ManageEngine ADManager Plus is a solution that streamlines user creation, management, automation, and delegation across both on-premises and cloud environments.

What is ManageEngine ADManager Plus?

ADManager Plus is a web-based management tool that provides unified management and reporting for Active Directory, Exchange, Google Workspace, and Microsoft 365. It takes routine, complex, combined, and customized tasks performed across on-premises Active Directory environments and cloud SaaS environments, and streamlines them so that they are simple to perform.

ManageEngine ADManager Plus provides robust Active Directory and cloud SaaS user management and automation

It provides a web-based graphical UI that is intuitive and easy to use. It includes management, reporting, workflow, automation, auditing, and other features that allow IT admins to carry out their tasks effectively and efficiently.

It also includes prepackaged reports, making finding and querying information from Active Directory much easier. Using these built-in reports, administrators can fetch vital information from AD and use it to demonstrate compliance with IT regulations such as GDPR, HIPAA, FISMA. The reports can also be exported and scheduled to be delivered at specific times.

Why not Active Directory Users and Computers or PowerShell?

Active Directory Users and Computers is the basic tool most admins use to manage Active Directory objects in their environments. It can perform rudimentary tasks. However, it is lacking in many ways. For example, while you can manage most of the properties of users, groups, and computers, the tool does not scale well when you need to update or work with many objects simultaneously.

Also, if you have tried to use Active Directory Users and Computers to delegate permissions to other users to perform operations, you most likely found the tool clunky. The delegation process can be challenging and nonintuitive. In addition, it has no automation features natively built in, and it is a "fat installation" that must be installed locally on the workstation with "line of sight" access to a domain controller.

PowerShell is a robust scripting and automation tool that can perform just about any operation needed in Active Directory. However, it requires expertise and technical skills to ensure scripts are written to target the correct objects and have the necessary safeguards to ensure that automation and bulk operations do not cause unintended results.

PowerShell is also not very user friendly for a nontechnical person. It would lead to challenges to hand over a PowerShell script to nontechnical staff and expect them to know how to use it effectively to perform Active Directory tasks that can be delegated.

ManageEngine ADManager Plus features

ManageEngine ADManager Plus has many capabilities and features that help businesses solve the challenges of managing, automating, and delegating access to Active Directory environments. What features are included with ManageEngine ADManager Plus? It provides many built-in capabilities and features that allow admins to carry out user lifecycle management operations more effectively and efficiently. Note the following features, including but not limited to the following:

• Active Directory Management—Simplified Active Directory management, allowing bulk creation and modification of users, computers, contacts, groups, OUs, GPOs, and more.
• AD Bulk User Management—By importing CSV files or integrating with HCM solutions and HR databases (such as Oracle and MS SQL), you can create, modify or delete users in bulk and reset their passwords.
• Active Directory password management—With the ManageEngine ADManager Plus solution, you can reset multiple user account passwords, configure the password settings in Active Directory, and perform account enable and disable operations for accounts whose passwords expire.
• Microsoft Office 365 management and reporting—You can generate reports on users and groups in your Microsoft Office 365 environment. This can be done in the same console in which you manage your on-premises Active Directory environment.
• Inactive/disabled user account management—One of the features of ADManager Plus is the ability to clean up your Active Directory environment by generating a list of inactive or disabled accounts. From this report, you can then easily delete, enable, or move them.
• Mobile Active Directory management—This enables admins to perform password reset operations, account enables/disable, unlock, and account deletion from a mobile device, including iOS and Android.
• Group management—You can perform bulk group management operations. The tool can create, move, delete, and modify groups and group members. You can also modify distribution lists and configure/change Exchange attributes.
• Terminal services management—You can modify the terminal services home folder, profile path, session duration, start programs, and change remote settings for multiple user accounts.
• Google Workspace provisioning—You can provision individual user accounts or accounts in bulk in Google Workspace using a single console.
• AD reporting—Choose from over 200 included reports. The reports query data from Active Directory and allows you to perform management actions directly from the reports. For example, admins can query information such as last logon times, inactive users, group members (including nested group members), NTFS permissions, recently created, modified, or deleted users, etc.
• AD user photo management—With ManageEngine ADManager Plus, admins can also manage AD user photos. This includes uploads, crops, edits, replacing and removing profile pictures, and performing operations in bulk, such as multiple users in an OU or all AD users at once.
• Active Directory backup and recovery—This provides backup and recovery capabilities for Active Directory, allowing admins to identify and easily reverse unexpected deletions or other unwanted actions in Active Directory.
• Automation—With ManageEngine ADManager Plus, you can perform many automated tasks and operations across the environment, including bulk changes, using a CSV, HRMS Integration, Data Sources Oracle, and SQL.
• Granular delegation—With the granular delegation feature, you can delegate permissions in Active Directory to junior administrators or anyone who needs to carry out certain tasks in Active Directory.

Let's consider two areas where ManageEngine ADManager Plus can help streamline tedious and often cumbersome processes and tasks that administrators may try to carry out using Active Directory Users and Computers (ADUC) or PowerShell. These are automation and delegation.

Effective Active Directory automation

One of the great features of the ManageEngine ADManager Plus solution is its ability to easily configure automation. In ManageEngine ADManager Plus, configuring automated tasks is a point-and-click process. You do not need to have any PowerShell scripting experience or other programming experience to stitch together automated processes and tasks.

ManageEngine ADManager Plus makes this easy with web-driven workflows and built-in preinstalled tasks out-of-the-box. Most will find these preinstalled workflows will likely do 99% of what they want to do with their Active Directory automation.

Click the Automation tab and then click Automation on the left-hand menu. Click the dashboard to display scheduled automation tasks. Click the Create New Automation button in the upper right-hand corner to create a new automated process.

ManageEngine ADManager Plus automation

Click the "+" next to Automation/Task Policy.

Adding an automation task or policy to scheduled automation

This launches the Select Task/Policy(User Automation) dialog box. Select the AD task you want to execute.

Select the task or policy you want to add for the scheduled automated task

Now that we have selected the task we want to execute, we can select the objects on which we want to execute the task. Click the "+" button next to the "Select objects" field. Here, you select the objects on which the task will be performed. These objects can be sourced from an existing report or from a CSV import.

Selecting objects on which the task will be performed

Additionally, you can select a notification template for the automated task to notify specific persons each time the task is executed.

Select a notification template to use with the new scheduled task

When you want to configure a sequence of tasks that should be executed at the specified interval, you can create an automation policy and implement it in automation. These policies will be available for implementation when you create an automation.

To create a new automation policy, click the Create New Automation Policy button in the upper right-hand corner.

Creating a new automation policy

Note that you can stitch together multiple instant tasks by clicking Add Successive Task. To add an instant task, just click the "+" button.

Configuring the automation policy to run other tasks following the scheduled task

Similar to the automated task action, select the task/policy you want to execute as part of the policy.

Select the task or policy you want to run

Easy delegation using ManageEngine ADManager Plus

If you have been tasked with delegating Active Directory tasks to end users, you know how cumbersome it can be to get the permissions configured correctly. You also have to install or grant access to Active Directory Users and Computers on a machine or terminal server, and the user must have "line of sight" access to a domain controller.

ManageEngine ADManager Plus enables the quick creation of delegated tasks in the web-driven console. Using the interface, you create technicians to which you want to delegate permissions. Then you assign the permissions you want to delegate in a role.

The delegation is even more powerful in ManageEngine ADManager Plus, since you can also delegate permissions for the following:

• AD Management
• AD Reports
• Administration
• Microsoft 365
• Backup

As you can see below, ManageEngine ADManager Plus gives nice visibility to the assigned roles, which technicians are assigned which roles, and other information. You can also view the list of all actions performed by help desk technicians and track the changes made to technicians or their role's configuration.

Click the Add New Technician button in the upper right to add a new technician.

Delegating tasks in Active Directory using ManageEngine ADManager Plus

When you click the Help Desk Roles menu option, you will see the current roles and the permissions assigned. Click the Create New Role to create new roles for specific permissions.

Create a new role to assign specific permissions to a user

Below is the screen you will see when you create a new role for delegating permissions using ManageEngine ADManager Plus. As you can see, you can delegate permissions to Active Directory, reporting, administration, Microsoft 365, and Active Directory Backup.

Creating delegated permissions in ManageEngine ADManager Plus

Wrapping up and impressions

We have only scratched the surface of what ManageEngine ADManager Plus can do. However, the features and capabilities of the solution are excellent. It takes the heavy lifting out of such tasks as Active Directory automation and delegating permissions to junior administrators or others who need to carry out tasks in Active Directory. The simple web-driven interface makes management and configuration tasks easy and is accessible using only a web browser, eliminating the need to use native AD tools or PowerShell scripts. If you are someone who is frequently on the road, you can use the ADManager Plus mobile app for Android and iOS to carry out Active Directory management. For organizations that want to have a more seamless management experience for user accounts across on-premises and cloud environments, ManageEngine ADManager Plus is a great solution that delivers.