
January 25, 2010 05:25 PM

4 AD Management Tools

Windows Server's Active Directory has evolved into a complex system. These products can help you through the rough spots.
Rating: (4)
Windows IT Pro
InstantDoc ID #103318

It’s hard to believe that we've been living with Active Directory (AD) for 10 years. If you were in IT during the years preceding this huge paradigm shift, you've witnessed the evolution of how Windows domains are administered. Gone are the days of everyone in IT being a domain administrator. Now, domains can have structure and granular security permissions.

With all that capability, however, came the necessity of forethought and careful planning. If you've ever taken over a poorly planned AD implementation, you understand this necessity all too well. And every day, many administrators face the fact that AD is only one of many systems involved in user provisioning. Many companies have Exchange, Research in Motion (RIM) BlackBerry devices, Enterprise Resource Planning (ERP) databases, Human Resources (HR) systems, and countless other systems that users need access to. Many of you might also be in the middle of security audits. Sarbanes-Oxley (SOX), Statement on Auditing Standards No. 70 (SAS 70), the Health Insurance Portability and Accountability Act (HIPAA), and other regulations have forced us to rethink how we accomplish daily tasks and how we account for who performs them.

Each of the four products in this month’s comparative review—Ensim Unify Enterprise Edition, ManageEngine ADManager Plus, NetIQ Directory and Resource Administrator, and Quest Software ActiveRoles Server—attempts to take on one or more of these challenges: setting up granular security permissions, user provisioning on multiple systems, and AD auditing. Some try to do everything out of the box, and others use a modular approach.

Test Parameters
To test each product, I ran through five typical administration tasks that the built-in Microsoft tools either don't do or don't do very well: user provisioning (e.g., AD, Exchange, BlackBerry, ERP), Exchange provisioning (e.g., choosing the data store based on last name or department), delegation of duties, de-provisioning a user (e.g., scramble the username, reset the password, remove the user from external systems), and reporting for audits.

These four products have similar methods for helping you streamline the process of provisioning a new user. If every new user needs to be a member of the ERP Application global group, for example, this feature will be important to you. Another common example of user provisioning is integration with the HR database. Perhaps you'd like AD to be populated with the data from the HR database, or vice versa. Depending on the application, you might need to have a good scripting background to get the most out of this feature.

I installed each product in a typical Windows 2003 Active Directory domain with Exchange 2003. I used VMware so that I could host multiple servers on one physical machine.

Ensim Unify Enterprise
Unify Enterprise walks you through a helpful “prerequisite check” for your system, then proceeds through a very simple installation routine. The product runs on Windows Server 2008 or Windows Server 2003 and requires IIS, ASP.NET, .NET Framework 2.0, and the SMTP service. Once the installation is complete, a Quick Start guide launches, walking you through some basic steps, such as setting general preferences and notification parameters.

Unify Enterprise has the cleanest GUI of all the products in this review. Through the easy-to-navigate interface, I immediately attempted to create a new user. Doing so prompted me to create a Template User first, and in just a few minutes I had nice SpokaneUser and SeattleUser templates. (You can also add users in bulk from a comma-separated value (CSV) file.) If your dedicated Help desk staff spends most of its day administering users and computers, this is the interface they'll want to work in.
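Template-based provisioning of the kind described above (every new hire landing in the groups the template already holds, such as an ERP Application group, fed from a CSV file) can also be scripted. The following is an added example, not code from the article or from any reviewed product; it assumes the Microsoft ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), and the domain name, template names and CSV contents are placeholders constructed for illustration.

```powershell
# Added example: provision users from a CSV by copying a template user's OU and
# group membership. Assumes the Microsoft ActiveDirectory module; the domain,
# template names and sample rows below are constructed placeholders.
Import-Module ActiveDirectory

# Constructed sample input; a real run would use: Import-Csv .\newhires.csv
$rows = @'
GivenName,Surname,SamAccountName,Template,Department
Ann,Lee,alee,SpokaneUser,Finance
Raj,Patel,rpatel,SeattleUser,Engineering
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $template = Get-ADUser $row.Template -Properties MemberOf

    # Place the new account in the same OU as its template (strip the leading RDN).
    $ou = ($template.DistinguishedName -split ',', 2)[1]

    # Random initial password; the user is forced to change it at first logon.
    $bytes = New-Object byte[] 12
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
        -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $row.SamAccountName `
        -UserPrincipalName "$($row.SamAccountName)@example.com" `
        -Path $ou -Department $row.Department `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

    # Copy every group the template belongs to (the primary group, normally
    # Domain Users, is not listed in MemberOf and is assigned automatically).
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $row.SamAccountName
    }
}
```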

To help you delegate the correct permissions to administrators, Unify Enterprise includes four built-in roles: System Administrator, Help Desk Administrator, HR Administrator, and Employee. Of course, you can create custom roles, but these four will get you started. For example, the Help Desk Administrator can perform the following tasks: change and reset passwords, edit user properties, add security groups, and so on.

Summary
Ensim Unify Enterprise Edition
PROS: Very simple and easy-to-navigate interface; built-in Roles help get you started
CONS: No ability to export the reports for easy access by an auditor
RATING: 3 diamonds
PRICE: $12 per user (plus $5 per user for Mobility Manager, Distribution Group Manager, and Google Apps Manager; $8 per user for Exchange Manager and OCS Manager)
RECOMMENDATION: If you need provisioning outside of Active Directory that includes BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS), look no further.
CONTACT: Ensim • 877-693-6746 • 408-496-3700 • www.ensim.com

When you de-provision a user in AD, you can set the following events to occur: reset the password to a random string, scramble the logon name, disable the account, move the user object to a special container, and remove the user from all security and/or distribution groups (except for those listed in an exclusion list). Also, the user's home folder can be automatically archived to another location with its permissions changed to grant the user's manager access. The user object can then be configured for automatic deletion after a set number of days.
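The same de-provisioning sequence, written as an added example rather than code from the article or from Unify Enterprise: it assumes the Microsoft ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), and the OU, archive share, manager group, exclusion list and domain name are placeholders.

```powershell
# Added example: de-provision a user along the lines the review describes.
# Assumes the Microsoft ActiveDirectory module; every path, group and domain
# name below is a placeholder to be replaced for a real environment.
Import-Module ActiveDirectory

function Invoke-UserDeprovisioning {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$DisabledOU   = 'OU=Disabled Users,DC=example,DC=com',  # placeholder
        [string]$ArchiveRoot  = '\\fileserver\HomeArchive',             # placeholder
        [string]$ManagerGroup = 'EXAMPLE\Managers',                     # placeholder
        [string[]]$KeepGroups = @('Legal Hold')                         # exclusion list
    )
    $user = Get-ADUser $SamAccountName -Properties MemberOf, HomeDirectory

    # 1. Reset the password to a random string so the old credential is dead.
    $bytes = New-Object byte[] 24
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $random

    # 2. Disable the account before the steps that touch other systems.
    Disable-ADAccount -Identity $user

    # 3. Strip security and distribution group membership, honouring the exclusion list.
    foreach ($groupDn in $user.MemberOf) {
        $group = Get-ADGroup $groupDn
        if ($KeepGroups -notcontains $group.Name) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
    }

    # 4. Scramble the logon name so the identity cannot be quietly re-enabled and reused.
    $scrambled = "zz_$($user.SamAccountName)_$(Get-Date -Format 'yyyyMMdd')"
    Set-ADUser -Identity $user -SamAccountName $scrambled `
        -UserPrincipalName "$scrambled@example.com"   # placeholder UPN suffix

    # 5. Archive the home folder and grant the manager group read access to the copy.
    if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
        $dest = Join-Path $ArchiveRoot $user.SamAccountName
        Move-Item -Path $user.HomeDirectory -Destination $dest
        icacls $dest /grant "${ManagerGroup}:(OI)(CI)R" /T | Out-Null
    }

    # 6. Park the object in the holding container; a scheduled job can delete
    #    objects there once they have aged past the retention period.
    Move-ADObject -Identity $user -TargetPath $DisabledOU
}
```

The ADUser object returned by Get-ADUser carries the object's GUID, so the later cmdlets still resolve it after the SamAccountName has been changed in step 4.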

As for reporting, one of the tabs across the top of the web console is the Reports menu. The following reports are available: Usage, Resource Status, Action Logs, and Deleted Items. Each report is quite detailed, but—from an auditing perspective—I found the most useful information in the Action Logs and Deleted Items. Unfortunately, I couldn't find a way to export the reports into a format that I could give to an auditor.

Unify Enterprise takes a modular approach, giving you the functionality to administer only AD out of the box. If you need to provision Exchange Server or another “external” system, you'll need to purchase additional components. Unify Enterprise can be extended to support BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS).


AH!!! Eric, I was pleasantly reminded that Quest in fact owns Script Logic. I am a fan of Quest and their PosH cmdlets, which in turn makes me want to check out their offering even more. Great article! Informative and concise as always. Keep up the great work.

Tim, 1/26/2010 9:04:21 PM


For sure this is a must-read for administrators that are still looking at their Active Directory DCs as NT 4.0 boxes. Your article reveals what admins should be looking at. Recently an IT manager installed MSCRM on one of his domain controllers because he thought it wasn't doing much.
I will forward them a link to this article. Seems to me this is a good part of the AD educational process that must be ongoing. I really like the introduction of the article. Thanks again, Eric, for all the work involved in this piece.
Curt Spanburgh, MVP.

CURT, 1/26/2010 4:04:25 PM


Excellent article, Eric. I was a bit surprised not to see something from Script Logic in the comparison. I would have liked to hear your thoughts on it when compared to Quest's offering.

Tim

Tim, 1/26/2010 12:56:59 PM

