Since it hit the scene with the release of Microsoft Windows 2000, Active Directory has been a great way to handle everything from workstations to account logins. The tools that ship with Active Directory get better with each release as well, with the addition of Active Directory Administrative Center in Windows Server 2008 R2, the tools keep getting easier to use and leaving little room for improvement by third-party companies. I have been working with Active Directory for a while now and do occasionally try some of the third-party tools; this time around, I will be working with ADManager Plus from ManageEngine (Figure A, right), and maybe it will find itself in my permanent toolkit.
Managing your environmentWhen I completed setup for ADManager, which was very straight forward, I landed on a web-based dashboard (which looks quite good in Firefox 4 - see Figure B).
The dashboard (click to enlarge)
On this page, the number of Active Directory assets are displayed in sections of the dashboard and each of these groups can be drilled into for further detail allowing administrators to get a quick look at what their environment contains.
There are many common tasks within Active Directory: adding and managing users, creating groups, etc., that are likely done on a semi-regular basis, but some of these things are not bulk edit friendly using the built-in tools. ADManager Plus goes a step further and allows importing of CSV files to enable bulk editing through Microsoft Excel.Note: I know that csvde and ldifde can be used to manage objects using external files and they work great, but an easy-to-use interface wins me over all the time. Many times, the command-line tools require me to re-learn the syntax because my environment changes so infrequently, but a tool to import the csv files with a few clicks is a huge relief.
I also found that the bulk actions options within the web interface were very easy to use. This method allows you to build an object by entering the required items into a wizard style form — rinse and repeat for each object of that type that you are creating and commit the changes to Active Directory all at once when all the object entry is complete.
Since all Active Directory environments are completely the same — oh wait — the odds that there are Active Directory environments that are anywhere near identical is completely impossible to imagine. The only thing similar is the process of creating objects, or is it?
When I was tooling around the ADManager Plus web application, I almost missed a link called User Templates. At first, I was not sure what to expect; after all, the default layout and options for creating or modifying a user object are almost burned in my memory, so what could a template possibly do for me? Check out this scenario.
Suppose you have an IT department with one senior administrator who is in charge of pretty much everything and in discussions about modifying infrastructure for a software upgrade. Bringing in interns from the local community college (studying network design or some other IT-related major)to help is a possibility. Before the project begins, three interns are hired to help with general support (adds, moves, changes) and they will be starting a week before the project cutover. With the help of templates, they would have time to learn the nuances of your system and hit the ground running.
Sure, the simplest concepts of adding a user/group/mailbox can be spun through in short order with those who are willing to learn, but keeping the schemes the same and ensuring that all the questions by the interns get answered as they are creating users would take time.This is where creating a custom user template for Active Directory stood out as a great idea, and you may be able to think of other handy uses. The fields for the template I created are shown in Figure C.
Custom user template (click to enlarge)
This can help ensure that your users are mail-enabled with the correct default email address and the good old email@example.com email address is configured for them as soon as they are added. It just simplifies things a little.
Available for configuration
When configuring ADManager Plus, the application was very intuitive in finding services available for management. A feature that I have forgotten a time or two when creating groups and users is mail enablement. Out of the box, if you do not create the item on the Exchange server (using ADUC) the Exchange items of the profile are missing. This will then require that you edit the object on the Exchange server to configure these items.
Because the idea of user templates seemed like such a no brainer when looking at the features offered, I was more than pleased to find that Exchange was detected during the initialization of the software and could be configured immediately. When specifying that the custom template should enable mail for users it created and which format(s) their email addresses should take, the settings for Exchange just appeared and configuration happened without additional steps.
Since my environment doesn't have an Office Communications Server, the options on that tab in the template process were disabled.
Removing work but adding layers
Almost all organizations have some type of Human Resources department or an individual who provides the seemingly endless stream of paperwork required to bring a new employee on board. Why not allow HR to also begin the workflow to create the Active Directory account and associated Windows environment goodies that go with it? ADManager Plus has a feature for that.
On the top level of tabs, visible in the application, there is a tab labeled Workflow which allows the configuration of steps to create objects in Active Directory. The application also allows the admin to specify roles within ADManager Plus to delegate certain screens to other departments, making it simple to put the creation of users in the hands of HR.Figure D shows ADManager Plus when the hrassociate user is logged in.
HR logged into ADManager Plus (click to enlarge)
Using a workflow to add new employees might be even better than the interns scenario mentioned above. For example, the hiring manager might create the request for a new employee, and then the forward it to HR for review with other documentation. While the new employee is completing the HR documents, the HR staff can ensure the spelling and email addresses look correct and approve the object. Then the helpdesk staff or IT department gets the request and can create the object.
This creates a paper trail of sorts and reduces the amount of last minute-request for resources for new employees.
On the AD Reports tab, there are sections of reports for the different object types within Active Directory and even reports to help with NTFS permissions. Due to the number of reports available, I could go on forever to cover them all, but there are reports for just about anything you can think of.
Suppose you wanted to know how many disabled user accounts exist in your environment — there is a report for that which displays all of these items in a grid right in your browser.
Now that you have seen a report listing all of the user objects in the environment that are disabled, you should probably get to cleaning those up. I know I was a bit surprised when I ran the report to find approximately 42 user accounts disabled.
One last feature I found particularly cool is the RoboRequester used with a work flow. This is a scheduled process that takes a specified action against your Active Directory environment. For example, you could set up a scheduled report every three months that looked in Active Directory and removed any user objects that have been disabled for 120 days. This way, accounts that are disabled get cleaned out of Active Directory on a regular basis. It works for other object types as well.
In looking at some of the pricing options on the Internet, the product seems to be quite affordable for small and medium businesses. The cost can get large if there are a lot of help desk technicians in an organization as each needs a license, but the base price for the professional license (including unlimited Active Directory objects) is $795/yr.
I like this application for the ease of use that it brings to the table. In a heavy helpdesk environment, this tool could be worth the price of admission in the workflow and templating features alone because of the time it might save in training and explaining how an environment is configured.
I was a little disappointed that the Groups management features are only available in the Professional version, but they do work in the trial.
ADManager Plus has a 30 day free trial, available here; I encourage you to give it a look.
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.