In the last post of this series I described Active Directory management features of AD Manager Plus. Note that you can win a license worth 2,695 US dollars (see info at end of the article). Today I will introduce the tool's delegation and reporting features.

Latest posts by Michael Pietroforte (see all)

Active Directory Delegation

[Image: AD Manager Plus Security Roles]

You probably know that the Active Directory Users and Computers interface (ADUC) supports delegation. This allows you to assign specific AD management privileges to help desk personnel. The idea behind AD Manager Plus's delegation feature is the same; however, the tool's capabilities are more sophisticated.

The main difference from the delegation feature in ADUC is that ADManager Plus allows you to configure delegation roles. These roles are basically templates that you can reuse to assign a certain set of privileges to a user or a user group. Another advantage of ADManager Plus is that you can apply delegation roles not only to a single container, but also to multiple containers in one step.

ADManager Plus distinguishes between the delegation of security roles and help desk roles. The help desk roles are for configuring privileges regarding user management, whereas the security roles are for delegating all kinds of Active Directory management tasks. That is, it is also possible to delegate user management tasks with security roles.

[Image: AD Manager Plus Help Desk Roles]

Another important difference is that you can assign security roles to AD users or groups, whereas help desk roles are assigned to ADManager Plus help desk technicians. These users can also have a domain account. However, help desk roles can be configured without affecting Active Directory, while assigning security roles always involves changes to Active Directory privileges, just like with ADUC delegation. Help desk roles have the advantage that support personnel don't require explicit AD privileges, which improves security. When a help desk technician modifies an AD object, AD Manager will sign on to the domain with sufficient rights and perform the modification on behalf of the technician.

The best part about the help desk roles is that you can keep track of all assigned privileges. This is somewhat difficult with delegation in ADUC because the privileges are deeply hidden in the Access Control Entries (ACEs). But ADManager Plus can also help you get an overview of internal AD delegation rules. With its ACE search feature you can find all kinds of privileges that have been assigned to a user or a user group.
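As an added example (not part of the original article and not ADManager Plus code), the following PowerShell script lists the explicit ACEs granted to one principal on every OU and container below a search base, which is the native delegation that is hard to see in ADUC. It assumes the RSAT ActiveDirectory module is installed; the search base and the group name are placeholders.

```powershell
# List explicit (non-inherited) ACEs granted to one principal below a search base.
# Requires the RSAT ActiveDirectory module (provides the AD: drive and Get-AD* cmdlets).
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own container and principal.
$SearchBase = 'OU=Staff,DC=example,DC=com'
$Principal  = 'EXAMPLE\HelpDesk'

# Build a GUID -> name map so the ObjectType GUIDs stored in ACEs become readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AceGuid([guid]$Guid) {
    # An all-zero GUID means the ACE is not limited to one attribute or class.
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Walk the search base and every OU or container beneath it.
$targets = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$report = foreach ($t in $targets) {
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object {
            [pscustomobject]@{
                Container  = $t.DistinguishedName
                Principal  = $_.IdentityReference.Value
                Type       = $_.AccessControlType
                Rights     = $_.ActiveDirectoryRights
                AppliesTo  = Resolve-AceGuid $_.InheritedObjectType
                ObjectType = Resolve-AceGuid $_.ObjectType
            }
        }
}
$report | Sort-Object Container | Format-Table -AutoSize -Wrap
```

Filtering on `IsInherited` reports each delegation once, at the container where it was actually set, instead of repeating it for every child object.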

Active Directory Reports

[Image: AD Manager Plus Reports]

Active Directory reporting is the third major function of AD Manager Plus. There are 13 different report sections: User (27), Password (8), Group (11), Computer (12), Exchange (27), Contact (2), Terminal Services (2), GPO (14), OU (8), NTFS (4), Security (6), Other (3), and Compliance (16). The number in parentheses stands for the number of available reports in each section. As you can see, ADManager Plus supports quite a few different reports.

In most cases, you just have to click on the report's link to run it. Sometimes, you can specify additional parameters like the containers you want to include or the time period. The result is always a list of AD objects with some of their important attributes. If you click on one of the objects, ADManager Plus will display all its attributes.

[Image: AD Manager Plus Password Expired Users]

It is quite useful that you can then select objects in the list and modify their attributes. Sometimes, ADManager Plus offers special modification options that fit the corresponding report. For instance, if you generate a report of users whose passwords have expired, you can disable them all with a mouse click.

Reports can be printed or exported in common formats (CSV, PDF, XLS, HTML, CSVDE). It is also possible to schedule each report separately and send it in the desired format to a configurable email address.

Conclusion

The only weakness I found in ADManager Plus is that the help file lacks a search function. However, I enjoyed playing with ADManager Plus because its interface is self-explanatory. Even inexperienced help desk technicians will be able to use the tool after a short instruction. Most important here is that ADManager Plus can be configured to display only those functions that the support personnel need. Admins will like the powerful bulk modification features and the comprehensive reporting capabilities. The tool can be recommended for organizations of all sizes because it supports multiple domains.

If you want to take part in this raffle, just send an email to:

contests-at-4sysops-com

with the subject line

AD Manager Plus.

Please add your name and the name of the organization for which you want to use the license. The deadline of this contest is November 12, 2009.

1 Comment
  1. John McIntyre 12 years ago

    Hi There,

    Thanks for sharing your thoughts - they're insightful and appreciated indeed.

    Hey, have you tried the Gold Finger yet? It's a new FREE, SUPPORTED and Microsoft endorsed tool for Active Directory, designed by Microsoft's own Program Manager for Active Directory Security. (We came across it on ActiveDirSec.com.)

    You can use it to instantly find out which Active Directory accounts are locked out, disabled, expired, have no passwords etc.

    Gold Finger can be instantly deployed on any domain-joined machine and offers over 200 security reports covering Account, Group, Computer, GPO, Container, OU, Exchange and AD ACL Management.

    We've been using it for the past three weeks now and it has been immensely useful. It also has an inbuilt search that outdoes most search tools out there. The best part is that it's 100% supported, so if we ever have a problem, we can get FREE support for it.

    DOWNLOAD LINK: I believe you can download your own free copy from http://www.paramountdefenses.com/goldfinger.php.

    If you're into AD reporting, this is a very useful tool to have in your toolset.

    Best wishes,
    John

© 4sysops 2006 - 2021