In the last post of this series I described Active Directory management features of AD Manager Plus. Note that you can win a license worth 2,695 US dollars (see info at end of the article). Today I will introduce the tool's delegation and reporting features.
- OpenVPN IPv6 and IPv4 configuration - Mon, Mar 1 2021
- 4sysops author and member competition 2020 - Fri, Jan 1 2021
- Assign an IPv6 address to an EC2 instance (dual stack) - Tue, Dec 15 2020
Active Directory Delegation ^
You probably know that the Active Directory User and Computer interface (ADUC) supports delegation. This allows you to assign specific AD management privileges to help desk personnel . The idea behind AD Manager Plus's delegation feature is the same; however, the tool's capabilities are more sophisticated.
The main difference to the delegation feature in ADUC is that ADManager Plus allows you to configure delegation roles. These roles are basically templates which you can reuse to assign a certain set of privileges to a user or a user group. Another advantage of ADManager Plus is that you cannot only apply delegation roles to a single container, but also to multiple containers in one step.
ADManager Plus distinguishes between the delegation of security roles and help desk roles. The help desk roles are for configuring privileges regarding user management, whereas the security roles are for delegating all kinds of Active Directory management tasks. That is, it is also possible to delegate user management tasks with security roles.
Another important difference is that you can assign security roles to AD users or groups whereas help desk roles are assigned to ADManager Plus help desk technicians. These users can also have a domain account, however, help desk rules can be configured without affecting Active Directory while assigning security roles always involves changes to Active Directory privileges just like with ADUC delegation. Help desk rules have the advantage that support personnel doesn't require explicit AD privileges which improves security. When a help technician modifies an AD object, AD Manager will sign-on to the domain with sufficient rights and will perform the modification on behalf of the technician.
The best part about the help desk rules is that you can keep track of all assigned privileges. This is somewhat difficult with delegation in ADUC because the privileges are deeply hidden in the Access Control Entries (ACE). But ADManager Plus can also help you get an overview over internal AD delegation rules. With its ACE search feature you can find all kinds of privileges that have been assigned to a user or a user group.
Active Directory Reports ^
Active Directory reports is the third major function of AD Manager Plus. There are 13 different report sections: User (27), Password (8), Group (11), Computer (12), Exchange (27), Contact (2), Terminal Services (2), GPO (14), OU (8), NTFS (4), Security (6), Other(3), and Compliance (16). The number in parentheses stands for the number of available reports in each section. As you can see ADManager Plus supports quite a few different reports.
In most cases, you just have to click on the report's link to run it. Sometimes, you can specify additional parameters like the containers you want to include or the time period. The result is always a list of AD objects with some of their important attributes. If you click on one of the objects, ADManager Plus will display all its attributes.
It is quite useful that you can then select objects in the list and modify their attributes. Sometimes, ADManager Plus offers special modification options that fit the corresponding report. For instance, if you generate a report of users whose passwords have expired you can disable them all with a mouse click.
Reports can be printed or exported in common formats (CSV, PDF, XLS, HTML, CSVDE). It is also possible to schedule each report separately and send it in the desired format to a configurable email address.
The only weakness I found in ADManager Plus is that the help file lacks a search function. However, I enjoyed playing with ADManager Plus because its interface is self-explanatory. Even inexperienced help desk technicians will be able to use the tool after a short instruction. Most important here is that ADManager Plus can be configured to only display those functions that the support personnel needs. Admins will like the powerful bulk modifications features and the comprehensive reporting capabilities. The tool can be recommended for organizations of all sizes because it supports multiple domains.
If you want to take part in this raffle, just send an email to:
with the subject line
AD Manager Plus.
Please, add your name and the name of your organization for which you want to use the license. The deadline of this contest is November 12, 2009.