Review: Softerra Adaxes - Automating Active Directory management
Sander Berkouwer - Thu, Jun 4 2015
Adaxes to the rescue
Luckily, Softerra comes to your rescue. With its Active Directory Management and Automated Provisioning capabilities in Softerra Adaxes 2014.1 (version 3.7.11709.0), it delivers a flexible new way to manage Active Directory—not just Domain Controllers, but also every aspect of the objects within it.
Through an intermediate service, new functionality is offered to Active Directory admins, help desk personnel, and even ordinary colleagues in a way that most suits their needs. Admins and help desk personnel can use the special Active Directory Management Console, the web interface, or the Adaxes PowerShell Module. Colleagues can use the self-service website for their needs.
All the components of Adaxes (the Adaxes service, Administration Console, Web Interface, PowerShell Module, etc.) are included in a single installer that only weighs 47 MB.
Active Directory Management
The Adaxes service acts as the management gateway to Active Directory Domain Services on your Domain Controllers. This service, which you can install on Windows and Windows Server installations, requires Active Directory Lightweight Directory Services (ADLDS).
The Adaxes service runs under a service account. You will have to grant this account the "Create all child objects" and "Delete all child objects" rights within the scope of Adaxes management. Although members of the built-in Administrators security group in the Active Directory domain have these permissions by default, it is advised not to use an account that is a member of this group. The account must also be granted the "Log on as a service" user right on the Windows installation you are installing the service on. Unfortunately, Softerra doesn't support group Managed Service Accounts (gMSAs) for the Adaxes service.
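The following check, added here as an example and not part of the article or of Softerra's product, verifies the three points above for a candidate service account: no membership of the built-in Administrators group, "Create/Delete all child objects" at the root of the managed scope, and the "Log on as a service" right on the host. The account name and scope DN are placeholders; it assumes the Microsoft RSAT ActiveDirectory module is present on the Adaxes host.

```powershell
# Added example (not Softerra's code). Placeholders: the service account and the scope DN.
Import-Module ActiveDirectory

function Test-AdaxesServiceAccount {
    param([string]$SamAccountName, [string]$ScopeDN)

    $sid = (Get-ADUser -Identity $SamAccountName).SID

    # 1. Least privilege: the account must not be a (nested) member of built-in Administrators.
    $adminSids = Get-ADGroupMember -Identity 'Administrators' -Recursive |
                 Select-Object -ExpandProperty SID
    $isAdmin = $adminSids -contains $sid

    # 2. Delegated rights at the scope root. An ACE whose ObjectType is the empty GUID applies
    #    to all object classes, which is what "Create/Delete all child objects" means.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $aces = (Get-Acl -Path "AD:\$ScopeDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq [guid]::Empty -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    $canCreate = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::CreateChild) -ne 0 })
    $canDelete = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::DeleteChild) -ne 0 })

    # 3. "Log on as a service" (SeServiceLogonRight) from the effective local security policy.
    #    secedit lists the holders as comma-separated SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP 'adaxes-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    $holders = if ($line) { ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } } else { @() }
    $hasLogonRight = $holders -contains "*$sid"
    Remove-Item $inf -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Account             = $SamAccountName
        NotInAdministrators = -not $isAdmin
        CreateAllChild      = $canCreate
        DeleteAllChild      = $canDelete
        LogOnAsService      = $hasLogonRight
    }
}

# Placeholder values; all five properties should come back $true for a correctly prepared account.
Test-AdaxesServiceAccount -SamAccountName 'svc-adaxes' -ScopeDN 'OU=Managed,DC=corp,DC=example'
```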
You can install and host the Adaxes service on multiple hosts, which allows for easy high availability and load balancing. TCP port 54782 is the single network port that all the other components use to communicate with the Adaxes service. With this approach, it's not hard to place certain Adaxes components (such as the Self-Service Web Interface) in a perimeter network.
The Adaxes Administration Console (admc.exe) offers flexible functionality for admins to manage their Active Directory. It has some tricks up its sleeve to transform Active Directory management nightmares into beautiful management dreams.
Business Units to ease OU inflexibility
One of the big headaches Active Directory admins face is the inflexibility of Organizational Units (OUs) in Active Directory: a user object can reside in only one OU at a time, OUs can't span domains or group memberships, and OU memberships often collide.
Adaxes introduces the concept of Business Units. A Business Unit may contain specific objects, group members, container children, and query results, and you can combine these membership types in one Business Unit. Even better, you can also exclude specific memberships:
Granular Business Unit memberships
Because Adaxes supports Business Unit memberships across domain boundaries and across forest boundaries, admins in environments with multiple domains and/or forests will be pleased with the Adaxes Management Console because it makes their work much more practical. Adaxes automatically adds the domain in which the Adaxes service is installed to the managed domain list, but admins can add any domain using custom connection credentials for each. This way, a single management console can be created for the entire environment.
In our current world with cloud services, it’s important to strive for Active Directory attribute integrity. Remember that Dynamic Access Control (DAC) adds a lot of flexibility with its claims-based access to files and folders? Remember that Active Directory Federation Services (AD FS) can make web-based authentication and authorization decisions on any attribute of either the user object or the computer object? When their claims are based on attributes with incorrect or absent values, functionality for the end user breaks.
The way to combat this specific kind of Active Directory rot is robust provisioning.
Although many organizations still struggle to handle new hires and layoffs manually in Active Directory, Adaxes can help. It offers:
- Property patterns
For instance, Adaxes helps fill in attributes such as the user logon name quickly, based upon the first name and/or last name, when you create a user object:
Property patterns to get usernames and such right the first time
Of course, you can specify your own property patterns with ease.
- Business rules
With these built-in rules, you can automatically create home shares, create Exchange mailboxes, enable users for Lync, and even activate Office 365 accounts for users. Enable them, tweak them, enjoy them.
- Security roles
Adaxes comes with built-in security roles. You can make colleagues members of these roles, or they become members automatically when you specify their account in the Manager field of a group or OU.
You can specify operations that require approval by a so-called approver. Among others, approvers can be specific users or groups, a manager of the target object, or the owner of the target object.
- Scheduled tasks
Scheduled tasks notify colleagues of upcoming account expiration and password expiration, and can automatically delete inactive user and computer objects.
- Custom commands
These commands can help with quick and rule-based deprovisioning.
The interface is well thought through. For instance, the ability to generate a password for a user object you are about to create is fabulous! (It exists in the web interface too.)
Generating a password when creating a user object
In addition to these management capabilities, Adaxes offers colleagues who have forgotten their password a way to reset it themselves through the Adaxes Web Interface. Colleagues get invitation emails asking them to enroll. After successful enrollment, they can use the functionality.
Of course, you can assign and configure password self-service reset using the same granular methods used to specify Business Units:
Using granular scoping for self-service too
Every action through the Adaxes service is logged, cross-domain and cross-forest. Adaxes also includes an option to use a syslog server for logging, so your Security Administrator has no problem delivering information to external accountants:
Logging properties for the Adaxes service
Even though the Adaxes Active Directory Management tool is super awesome, the Adaxes Active Directory Web Interface might prove to be even more useful to your organization for day-to-day tasks. Just like its full-blown sibling, the Web Interface allows for the same methods of Active Directory management, even from Macs and iPads, if your fellow admins prefer them.
Adaxes’ Web Interface capabilities might prove to be the key to put Active Directory management where organizations really need it: in the hands of help desk personnel and business managers. That sounds scary, right? Don’t worry, Softerra has your basic needs covered by offering default web interfaces:
- Web Interface for Administrators
This web interface allows admins to perform practically all operations in Active Directory.
- Web Interface for Help Desk
This web interface allows help desk personnel to handle tasks related to user account management, such as resetting passwords, unlocking accounts, enabling and disabling accounts, and modifying general user account attributes.
- Web Interface for Self-Service
This web interface allows colleagues to accomplish self-service tasks. They can update their information, change their password, and perform basic searches in Active Directory.
You can customize these three built-in web interfaces to offer the flexibility you need to get work done safe and sound.
There’s even a separate web service for SPML 2.0-based provisioning solutions.
Although all security-sensitive information exchanged between your browser and the Adaxes Web Interface(s) is encrypted by default, make sure you configure these websites to use a certificate, because the default installer creates the websites for plain http:// use.
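One way to do that on the IIS host, added here as an example rather than taken from the article or from Softerra, is to bind a certificate from the machine store to the site that hosts the Adaxes web interfaces, require TLS, and drop the installer's http:// binding. The site name and certificate thumbprint are placeholders; check them with Get-Website and Get-ChildItem Cert:\LocalMachine\My first.

```powershell
# Added example (not Softerra's code). Placeholders: the IIS site name and the certificate thumbprint.
Import-Module WebAdministration

function Enable-AdaxesHttps {
    param([string]$Site, [string]$Thumbprint)

    # The certificate must already be in the machine store together with its private key.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # Add an HTTPS binding on port 443 if the site does not have one yet, then attach the certificate.
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 443
    if (-not $binding) {
        New-WebBinding -Name $Site -Protocol https -Port 443 | Out-Null
        $binding = Get-WebBinding -Name $Site -Protocol https -Port 443
    }
    $binding.AddSslCertificate($Thumbprint, 'My')

    # Require TLS for the whole site so credentials and tokens never cross the wire in the clear.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

    # Remove the plain http:// binding the installer created.
    Get-WebBinding -Name $Site -Protocol http | Remove-WebBinding

    # Return the remaining bindings so the result can be reviewed; only https should be left.
    Get-WebBinding -Name $Site
}

# Placeholder values: the site hosting the Adaxes web interfaces and a thumbprint from Cert:\LocalMachine\My.
Enable-AdaxesHttps -Site 'Default Web Site' -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```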
Another neat feature, included with Adaxes, is the Adaxes PowerShell Module for Active Directory:
Cmdlets in the Adaxes PowerShell Module for Active Directory
Microsoft has included PowerShell support for Active Directory in the most recent versions of Windows Server. However, Windows Server 2008 and earlier lack this functionality, and the PowerShell module for Windows Server 2008 R2 doesn't yet offer much functionality. Especially for admins running these versions of Windows Server as Domain Controllers, or Windows Vista and Windows 7 as Active Directory management workstations, the Adaxes PowerShell module might be really attractive.
Adaxes Active Directory Management offers many advantages over the plain Active Directory management features found in Windows Server, especially in environments with multiple domains and/or forests.
Every Active Directory admin will appreciate the web interface for help desk personnel and the web interface for self-service, with its granular self-service password reset capabilities.
In environments running Windows Server 2003 (R2) and Windows Server 2008 (R2)-based Domain Controllers, the PowerShell module and the many tips and tricks offered by the Adaxes Administration Console (admc.exe) will make it easier to automate tasks.
In environments running Microsoft's latest and greatest, some of the features will be redundant with features from Microsoft itself: there is an Active Directory PowerShell module in Windows Server 2008 R2 and up, Windows Server 2012 adds Dynamic Access Control (DAC), and the Active Directory Administrative Center (dsac.exe) offers many management capabilities.
Of course, Adaxes comes at a price. I feel the information above provides more than enough information to build the business case for Adaxes. If not, Softerra offers a free trial of their Adaxes Active Directory Management solution.