January 25, 2010 12:00 AM

4 AD Management Tools

Windows Server's Active Directory has evolved into a complex system. These products can help you through the rough spots.
Windows IT Pro
InstantDoc ID #103318

It’s hard to believe that we've been living with Active Directory (AD) for 10 years. If you were in IT during the years preceding this huge paradigm shift, you've witnessed the evolution of how Windows domains are administered. Gone are the days of everyone in IT being a domain administrator. Now, domains can have structure and granular security permissions.

With all that capability, however, came the necessity of forethought and careful planning. If you've ever taken over a poorly planned AD implementation, you understand this necessity all too well. And every day, many administrators face the fact that AD is only one of many systems involved in provisioning a user. Many companies have Exchange, Research in Motion (RIM) BlackBerry devices, Enterprise Resource Planning (ERP) databases, Human Resources (HR) systems, and countless other systems that users need access to. Many of you might also be in the middle of security audits. Sarbanes-Oxley (SOX), Statement on Auditing Standards No. 70 (SAS 70), the Health Insurance Portability and Accountability Act (HIPAA), and other regulations have forced us to rethink how we accomplish daily tasks and how we account for who does them.

Each of the four products in this month’s comparative review—Ensim Unify Enterprise Edition, ManageEngine ADManager Plus, NetIQ Directory and Resource Administrator, and Quest Software ActiveRoles Server—attempts to take on one or more of these challenges: setting up granular security permissions, user provisioning on multiple systems, and AD auditing. Some try to do everything out of the box, and others use a modular approach.

Test Parameters
To test each product, I ran through five typical administration tasks that the built-in Microsoft tools either don't do or don't do very well: user provisioning (e.g., AD, Exchange, BlackBerry, ERP), Exchange provisioning (e.g., choosing the data store based on last name or department), delegation of duties, de-provisioning a user (e.g., scramble the username, reset the password, remove the user from external systems), and reporting for audits.

These four products have similar methods for helping you streamline the process of provisioning a new user. If every new user needs to be a member of the ERP Application global group, for example, this feature will be important to you. Another common example of user provisioning is integration with the HR database. Perhaps you'd like AD to be populated with the data from the HR database, or vice versa. Depending on the application, you might need to have a good scripting background to get the most out of this feature.

I installed each product in a typical Windows Server 2003 Active Directory domain with Exchange Server 2003. I used VMware so that I could host multiple servers on one physical machine.

Ensim Unify Enterprise
Unify Enterprise walks you through a helpful “prerequisite check” for your system, then proceeds through a very simple installation routine. The product runs on Windows Server 2008 or Windows Server 2003 and requires IIS, ASP.NET, .NET Framework 2.0, and the SMTP service. Once the installation is complete, a Quick Start guide launches, walking you through some basic steps, such as setting general preferences and notification parameters.

Unify Enterprise has the cleanest GUI of all the products in this review. Through the easy-to-navigate interface, I immediately attempted to create a new user. Doing so led me to want to create a Template User, and in just a few minutes I had nice SpokaneUser and SeattleUser templates. (You can also add users in bulk from a comma-separated value (CSV) file.) If your dedicated help desk staff spends most of its day administering users and computers, this is the interface they'll want to work in.

To help you delegate the correct permissions to staff, Unify Enterprise includes four built-in roles: System Administrator, Help Desk Administrator, HR Administrator, and Employee. Of course, you can create custom roles, but these four will get you started. For example, the Help Desk Administrator can change and reset passwords, edit user properties, add security groups, and so on.

Summary
Ensim Unify Enterprise Edition
PROS: Very simple and easy-to-navigate interface; built-in Roles help get you started
CONS: No ability to export the reports for easy access by an auditor
RATING: 3 diamonds
PRICE: $12 per user (plus $5 per user for Mobility Manager, Distribution Group Manager, and Google Apps Manager; $8 per user for Exchange Manager and OCS Manager)
RECOMMENDATION: If you need provisioning outside of Active Directory that includes BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS), look no further.
CONTACT: Ensim • 877-693-6746 • 408-496-3700 • www.ensim.com

When a user is deleted from AD, you can set the following events to occur: reset the password to a random string, scramble the logon name, disable the account, move the user object to a special container, and remove the user from all security and/or distribution groups (except for those on an exclusion list). Also, the user's home folder can be automatically archived to another location, with its security permissions altered to give the manager access. The user object can then be configured for automatic deletion after a set number of days.
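The two workflows the review describes, template-based provisioning (the SpokaneUser and SeattleUser templates and CSV input mentioned earlier) and the delete-time sequence in the preceding paragraph, written out as an added PowerShell example. This is not code from the article or from Ensim; it uses the Microsoft ActiveDirectory module, and the OU path, archive share, group exclusion list, template account names and the sample CSV rows are assumptions constructed for illustration.

```powershell
# Added example using the Microsoft ActiveDirectory module (RSAT), not code
# from the article or from Ensim Unify. OU paths, the archive share, the group
# exclusion list and the template accounts are assumptions for illustration.
Import-Module ActiveDirectory

# Cryptographically random password drawn from printable ASCII ('!'..'~').
function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]](33..126)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# --- Provisioning: create a user from one CSV row, copying a template's OU and groups ---
function New-TemplatedUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$TemplateSam   # e.g. SpokaneUser (assumed to exist)
    )
    $template = Get-ADUser -Identity $TemplateSam -Properties MemberOf
    $ou  = ($template.DistinguishedName -split ',', 2)[1]   # template's parent container
    $sam = ($FirstName.Substring(0, 1) + $LastName).ToLower()
    $initial = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    $user = New-ADUser -Name "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$((Get-ADDomain).DNSRoot)" `
        -Department $Department -Path $ou -AccountPassword $initial `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru

    # Inherit every group the template belongs to (e.g. the ERP Application global group).
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $user
    }
    return $user
}

# --- De-provisioning: the delete-time sequence described in the review ---
function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$HoldingOU    = 'OU=Disabled Users,DC=example,DC=com',  # assumed
        [string[]]$KeepGroups = @('All Staff Notices'),                # exclusion list, assumed
        [string]$ArchiveRoot  = '\\fileserver\archive'                 # assumed
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf, HomeDirectory, Manager
    $stamp  = Get-Date -Format 'yyyyMMdd'
    $domain = Get-ADDomain

    # 1. Reset the password to a random string that nobody knows.
    Set-ADAccountPassword -Identity $user -Reset `
        -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)

    # 2. Scramble the logon name so the old credentials cannot be reused.
    $scrambled = 'x' + [guid]::NewGuid().ToString('N').Substring(0, 12)
    Set-ADUser -Identity $user -SamAccountName $scrambled `
        -UserPrincipalName "$scrambled@$($domain.DNSRoot)" `
        -Description "Disabled $stamp; was $SamAccountName"

    # 3. Disable the account.
    Disable-ADAccount -Identity $user

    # 4. Move the object to the holding container (a scheduled job can purge it after N days).
    Move-ADObject -Identity $user -TargetPath $HoldingOU

    # 5. Remove every group membership except those on the exclusion list.
    foreach ($groupDn in $user.MemberOf) {
        $group = Get-ADGroup -Identity $groupDn
        if ($KeepGroups -notcontains $group.Name) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
    }

    # 6. Archive the home folder and give the manager read access to the copy.
    if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
        $dest = Join-Path $ArchiveRoot "$SamAccountName-$stamp"
        Copy-Item -Path $user.HomeDirectory -Destination $dest -Recurse
        if ($user.Manager) {
            $mgr  = "$($domain.NetBIOSName)\$((Get-ADUser -Identity $user.Manager).SamAccountName)"
            $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList @($mgr, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl  = Get-Acl -Path $dest
            $acl.AddAccessRule($rule)
            Set-Acl -Path $dest -AclObject $acl
        }
    }
}

# Constructed sample input standing in for an HR export; run only against a lab domain.
$newHires = @'
FirstName,LastName,Department,Template
Alice,Nguyen,Finance,SpokaneUser
Bob,Okafor,Sales,SeattleUser
'@ | ConvertFrom-Csv
foreach ($row in $newHires) {
    New-TemplatedUser -FirstName $row.FirstName -LastName $row.LastName `
        -Department $row.Department -TemplateSam $row.Template
}
Disable-DepartedUser -SamAccountName 'bokafor'
```

The de-provisioning function keeps the `ADUser` object it fetched at the start as its identity for every later cmdlet, so the rename and the move to the holding OU do not break the subsequent group removals; the object is resolved by GUID rather than by the logon name or DN that the earlier steps changed. The password reset happens before the rename so that there is no window in which the old logon name still pairs with a known password.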

As for reporting, one of the tabs across the top of the web console is the Reports menu. The following reports are available: Usage, Resource Status, Action Logs, and Deleted Items. Each report is quite detailed, but—from an auditing perspective—I found the most useful information in the Action Logs and Deleted Items. Unfortunately, I couldn't find a way to export the reports into a format that I could give to an auditor.

Unify Enterprise takes a modular approach, giving you the functionality to administer only AD out of the box. If you need to provision Exchange Server or another “external” system, you'll need to purchase additional components. Unify Enterprise can be extended to support BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS).

Comments
  • Lorenzo0o0, Mar 11, 2012

    Anyone evaluated or have any experience with Netwrix Active Directory Change Reporter? We're in the process of evaluating both the Netwrix tool and the ManageEngine tool, and we're actually leaning towards the Netwrix tool because it has better audit capabilities. Anyone have an opinion or experience with these companies?

  • Mark, Feb 25, 2012

    Great article, Eric, thanks.
    For sure it will be very helpful for people who are choosing a product for AD management.
    I think one more product is worth mentioning: Softerra Adaxes.

  • Tim, Jan 26, 2010

    AH!!! Eric, I was pleasantly reminded that Quest in fact owns ScriptLogic. I am a fan of Quest and their PoSH cmdlets, which in turn makes me want to check out their offering even more. Great article! Informative and concise as always. Keep up the great work.

  • CURT, Jan 26, 2010

    For sure this is a must-read for administrators that are still looking at their Active Directory DCs as NT 4.0 boxes. Your article reveals what admins should be looking at. Recently an IT manager installed MSCRM on one of his domain controllers because he thought it wasn't doing much.
    I will forward them a link to this article. Seems to me this is a good part of the AD educational process that must be ongoing. I really like the introduction of the article. Thanks again, Eric, for all the work involved in this piece.
    Curt Spanburgh, MVP.

  • Tim, Jan 26, 2010

    Excellent article, Eric. I was a bit surprised not to see something from ScriptLogic in the comparison. I would have liked to hear your thoughts on it when compared to Quest's offering.

    Tim
