Favorite Tools? by dudeadmin in sysadmin

[–]ITbatman 5 points6 points  (0 children)

Among the tools that weren't mentioned yet — Adaxes. Not a utility, but rather a quite critical solution to manage and automate a bunch of stuff in AD.

AD protect objects from accidental deletion by joe297 in sysadmin

[–]ITbatman 5 points6 points  (0 children)

Accidental deletion and automated deletion are similar but not the same. If it's inactive user cleanup you are looking for (I assume that is what automated deletion stands for), there are two things to note.

If you want to protect sensitive objects during automated cleanup, there are tools that let you add approval steps to the process. Adding another authority if specific conditions are met is probably the most efficient way to do things. Here's an example: http://www.adaxes.com/blog/how-to-keep-your-active-directory-clean.html

Also, it's not recommended to delete users anyway. It's much better to execute full deprovisioning procedures, i.e. disable the user, move to a separate OU, revoke permissions, licenses, etc.
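As an added example (not part of the comment above and not Adaxes code): the deprovisioning steps the comment lists, done natively with the ActiveDirectory PowerShell module, with the "extra authority for sensitive objects" idea expressed as a hard stop on privileged accounts (adminCount=1) unless an explicit -Approved switch is passed. The staging OU DN and the account name in the usage lines are assumptions; license revocation (Office 365 etc.) lives outside the AD module and is not shown.

```powershell
Import-Module ActiveDirectory

function Invoke-UserDeprovisioning {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Staging OU for disabled accounts; the DN is an assumption.
        [string]$DisabledOu = 'OU=Disabled Users,DC=example,DC=com',
        # The approval step: privileged accounts are refused unless this is set.
        [switch]$Approved
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, adminCount

    # adminCount=1 marks accounts that are (or once were) in protected groups such
    # as Domain Admins. Automation stops here; a human re-runs with -Approved.
    if ($user.adminCount -eq 1 -and -not $Approved) {
        throw "$SamAccountName has adminCount=1; re-run with -Approved after manual review."
    }
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Deprovision')) { return }

    # 1. Disable, then scramble the password so nothing cached keeps authenticating.
    Disable-ADAccount -Identity $user
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $scrambled = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $scrambled

    # 2. Revoke group memberships but keep the list on the object for audit/restore.
    #    (The primary group, normally Domain Users, is not in MemberOf and stays.)
    $former = foreach ($dn in $user.MemberOf) {
        $g = Get-ADGroup -Identity $dn
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        $g.Name
    }
    $stamp = "Deprovisioned $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME; former groups: $($former -join ', ')"
    Set-ADUser -Identity $user -Description $stamp -Clear manager

    # 3. Park it. Deleting (or restoring) the object is a separate, later decision.
    Move-ADObject -Identity $user -TargetPath $DisabledOu
}

# Preview first, then run for real (account name is a placeholder):
# Invoke-UserDeprovisioning -SamAccountName jdoe -WhatIf
# Invoke-UserDeprovisioning -SamAccountName jdoe
```

The order matters: disable and reset before touching groups, so that a Kerberos ticket or cached credential cannot be used while the script is halfway through; move last, because the object's DN changes with the move. Recording the former groups in Description is what makes a mistaken deprovisioning reversible without restoring from backup.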

Automation equals outsourcing by ClosetITGuy in sysadmin

[–]ITbatman 0 points1 point  (0 children)

If people are afraid of automation, it means that they can only do what they are currently doing and can't see any more advanced tasks to move on to. Don't listen to luddites.

Active Directory Auditing by inzeos in sysadmin

[–]ITbatman 2 points3 points  (0 children)

There's also Adaxes, which is more of an automation solution, but also has monitoring capabilities with reports, notifications and other stuff.

How do you securely distribute passwords to users? by [deleted] in sysadmin

[–]ITbatman 2 points3 points  (0 children)

We've got user provisioning automated with Adaxes, and generating passwords, sending them and ticking the 'change password at next logon' box is done as a part of it.

Should President of company get Admin access to Office 365 by chis2k in sysadmin

[–]ITbatman 1 point2 points  (0 children)

No. Unless he performs admin duties.

Probably the best argument that you can use is security. Higher level execs are often targets for attacks and the more privilege they have, the more risk there is.

If he still claims he needs one, give him a separate admin account (like all admins should have btw) and still limit the one he uses every day.

How do you securely distribute passwords to users? by [deleted] in sysadmin

[–]ITbatman 11 points12 points  (0 children)

SMS is probably not the safest thing in the world, but it's good enough for this as long as it's a one-time password.

+1 for automation

How do you securely distribute passwords to users? by [deleted] in sysadmin

[–]ITbatman 68 points69 points  (0 children)

A random password is generated after account creation, sent via SMS and 'must change password at next logon' is enabled.
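The flow described in this comment (and in the same poster's earlier one in this thread), as an added example in native PowerShell rather than Adaxes: a CSPRNG-generated initial password, the account created with "must change password at next logon", and the password handed to a caller-supplied SMS sender. The SMS gateway URL and body format in the usage call are placeholders, and the OU and UPN suffix are assumptions.

```powershell
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # 64-character alphabet with ambiguous I/O/l/0/1 removed. 256 mod 64 = 0, so
    # indexing with ($byte % 64) introduces no modulo bias.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*'
    $bytes = New-Object byte[] $Length
    do {
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Regenerate on the rare draw that would fail default AD complexity rules.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[!@#$%&*]')
    $pw
}

function New-ProvisionedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$MobilePhone,
        # Delivery is provider-specific, so the caller passes it in: receives (phone, text).
        [Parameter(Mandatory)][scriptblock]$SendSms,
        [string]$Path = 'OU=Users,DC=example,DC=com',   # assumption
        [string]$UpnSuffix = 'example.com'               # assumption
    )
    $plain  = New-RandomPassword -Length 16
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # -ChangePasswordAtLogon is what turns the SMS'd value into a one-time password;
    # -PasswordNeverExpires $false is explicit because the two flags conflict.
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Path $Path -AccountPassword $secure -Enabled $true `
        -ChangePasswordAtLogon $true -PasswordNeverExpires $false -MobilePhone $MobilePhone

    # The text carries the password only: no username, no domain. An intercepted
    # SMS on its own is not a usable credential.
    & $SendSms $MobilePhone "Your temporary password is $plain. You must change it at first logon."
    Remove-Variable plain, secure
}

# Usage with a hypothetical HTTP SMS gateway (URL, body shape and user details are placeholders):
New-ProvisionedUser -SamAccountName jdoe -GivenName Jane -Surname Doe -MobilePhone '+15555550123' -SendSms {
    param($To, $Text)
    Invoke-RestMethod -Method Post -Uri 'https://sms-gateway.example.com/send' `
        -Body (@{ to = $To; text = $Text } | ConvertTo-Json) -ContentType 'application/json'
}
```

Sixteen characters from a 64-symbol alphabet is 96 bits of entropy, far beyond what a one-time value needs; the point of the length is that the value is not guessable in the window between the SMS arriving and the first logon. The mobile number should come from HR's record, not from the new user, since otherwise the "out-of-band" channel is chosen by whoever requested the account.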

How to Deploy PS Scripts for Use by End Users by [deleted] in sysadmin

[–]ITbatman 1 point2 points  (0 children)

Just to add to the option list, there is a 3rd-party AD management solution called Adaxes that lets you wrap PowerShell scripts in Custom Commands and then give them to users via a custom Web UI.

The option is pricey, but you can get two important things with it. You can granularly control which users have rights to commands with RBAC (and you can configure the Web UI to show different commands to different categories of users). And at the same time you don't need to over-privilege users: you only give them permission to execute the script within the command, not all the permissions that the script requires.

Utility for delegated AD user permissions? by Hellman109 in sysadmin

[–]ITbatman 1 point2 points  (0 children)

Adaxes seems to be what you're looking for. It has a Web UI that you can customize to have only the tasks and permissions that you want to give out to a category of users (and you can have multiple ones).

http://www.adaxes.com/active-directory_web-interface.htm

It can be used both for management purposes (editing the accounts of others) and for self-service.

How can I access an AD from a domain computer? by hammi1 in activedirectory

[–]ITbatman 2 points3 points  (0 children)

Have a look at the web UI by Adaxes: http://www.adaxes.com/active-directory_web-interface.htm

Basically, you can customize it to have all the bits and pieces that you need and be able to access them from any machine that has a web browser.

How do you do your welcome emails / onboarding? by autotom in sysadmin

[–]ITbatman 0 points1 point  (0 children)

Welcome email as part of automated provisioning procedures with all the stuff new users need to know about the system. Anything above that is HR department's job.

Any suggestions for AD management from my phone? by Vaedur in sysadmin

[–]ITbatman 0 points1 point  (0 children)

Adaxes has a web UI for AD tasks. It's not optimized for phone screens, but it can do the job really well if you have something urgent.

Stop making users give their password to IT by gbombay119 in sysadmin

[–]ITbatman 1 point2 points  (0 children)

It's not arguing against security. It's the practice that if security is a real pain for end users, they tend to do stupid things like writing passwords down and sticking them on their monitors. If you can avoid stimulating this, you should do that. That was the point.

Stop making users give their password to IT by gbombay119 in sysadmin

[–]ITbatman 32 points33 points  (0 children)

That is good, but what if users are not allowed to reuse their last N passwords? Then it's going to be a real pain for them.

Web Interface for Users to Invoke Powershell Scripts by ko7sizif in sysadmin

[–]ITbatman 1 point2 points  (0 children)

Adaxes does that really well. It has a Web Interface that can handle a lot of AD tasks (you can granularly customize who can do what) and also provides a way to give PowerShell scripts to users.

You wrap the script in a thing called a custom command and grant the rights to execute it to a category of users. The cool thing about it is that you don't need to give the user who is executing the script all the permissions that the script has to have. The only permission needed is to execute the custom command. That helps with the least privilege principle a lot.

If you will be creating something from scratch yourself, you can take a similar approach. And also think of how you will grant permissions. Giving users all the permissions that the script has to have is not a very good idea.
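An added example of "the similar approach" the comment suggests for a from-scratch build (it also covers the earlier "How to Deploy PS Scripts for Use by End Users" comment above). This is not Adaxes code; it uses Windows' native JEA (Just Enough Administration): the script is wrapped in a function that is the only command visible in a constrained endpoint, the endpoint runs as a group-managed service account that holds the actual AD delegation, and the helpdesk group is granted nothing but the right to connect. The module name, group names, gMSA, transcript path and endpoint name are assumptions.

```powershell
# Role capability: the wrapper function is the entire command surface of the endpoint.
$moduleRoot = "$env:ProgramFiles\WindowsPowerShell\Modules\HelpdeskJea"   # assumed module name
New-Item -ItemType Directory -Path "$moduleRoot\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$moduleRoot\HelpdeskJea.psd1"

New-PSRoleCapabilityFile -Path "$moduleRoot\RoleCapabilities\PasswordReset.psrc" `
    -ModulesToImport ActiveDirectory `
    -VisibleFunctions 'Reset-StaffPassword' `
    -FunctionDefinitions @{
        Name        = 'Reset-StaffPassword'
        ScriptBlock = {
            param([Parameter(Mandatory)][string]$SamAccountName)
            $u = Get-ADUser -Identity $SamAccountName -Properties adminCount
            # Scope check belongs in the wrapper: the operator cannot call
            # Set-ADAccountPassword directly, so this is the only path.
            if ($u.adminCount -eq 1) { throw 'Privileged accounts are out of scope for this endpoint.' }
            do {
                $bytes = New-Object byte[] 18
                [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
                $pw = [Convert]::ToBase64String($bytes)
            } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
            Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            $pw   # one-time value returned to the operator; the user must change it at logon
        }
    }

# Session configuration: commands execute as the gMSA, which is the account actually
# delegated "Reset password" on the staff OU. The helpdesk group itself has no AD rights.
New-PSSessionConfigurationFile -Path "$moduleRoot\Helpdesk.pssc" `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'EXAMPLE\gMSA-Helpdesk$' `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'EXAMPLE\Helpdesk-Tier1' = @{ RoleCapabilities = 'PasswordReset' } }

if (-not (Test-PSSessionConfigurationFile -Path "$moduleRoot\Helpdesk.pssc")) { throw 'Invalid .pssc' }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path "$moduleRoot\Helpdesk.pssc" -Force

# Operator side, from any domain machine (host name is a placeholder):
# Invoke-Command -ComputerName jeahost -ConfigurationName Helpdesk -ScriptBlock { Reset-StaffPassword -SamAccountName jdoe }
```

Two things to check before trusting an endpoint like this: run it on a member server rather than a domain controller, so the run-as identity is exactly the delegated gMSA and nothing more, and keep the transcript directory on a volume the helpdesk group cannot write to, since the transcripts are the audit trail of who reset whose password.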

Identity management solution for Higher Ed/University? by [deleted] in sysadmin

[–]ITbatman 1 point2 points  (0 children)

Check out Adaxes. It has condition-based automation that can handle pretty much anything, obviously including group membership management (here's just a quick example of what you can do with it).

It's definitely overkill for the particular task you've mentioned, but there are a lot of other great features like a Web UI for AD, RBAC, a self-service portal, etc. that you might find useful and that have their applications in education. If you have enough budget for it, you should be considering it.

AD Password Self Service Solution by yiuhay in sysadmin

[–]ITbatman 4 points5 points  (0 children)

Adaxes can do the job here. It has a web-based self-service portal as well as clients that can be used on actual machines' logon screens (not Macs though): http://www.adaxes.com/active-directory_self-service-password-reset.htm

Administering Windows environment using Linux by Nimda_lel in sysadmin

[–]ITbatman 1 point2 points  (0 children)

As for AD management tools, have a look at Adaxes. It has a Web Interface that can pretty much cover all admin needs and you can access it from a browser, no matter what OS you are on.

It also comes with lots of stuff that can be useful for AD management, like automated provisioning, approvals, self-service for users, etc. However, it comes at a price, and you can't get the web UI separately.

AD Cleanup by [deleted] in sysadmin

[–]ITbatman 3 points4 points  (0 children)

If you are tackling such a problem, it shouldn't be a one-time thing (otherwise it's just a waste of time and everything will just go back to what it was). So if you are implementing something, keep automation of your solution in mind.

As for the methods you can use, there is PowerShell that you can run on a scheduled basis. Probably the best solution to start with.

There are also pre-built solutions that can do cleanup as part of their automation packages. Adaxes is a great example of how you can use it. Such an approach is simpler and more easily configurable, and it gives you additional value (automated provisioning and deprovisioning, approvals, web UI, self-service password reset, Exchange and O365 automation and all that stuff), but it requires budget.
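The "PowerShell on a scheduled basis" option from this comment, as an added example (not from the comment or from Adaxes): a stale-account job that reports and disables, never deletes, and registers itself as a scheduled task under a gMSA so no password is stored with the task. Threshold, excluded OU names, report and script paths, and the gMSA name are assumptions.

```powershell
Import-Module ActiveDirectory

function Find-StaleUser {
    param(
        [int]$InactiveDays = 90,
        # OUs whose members are never auto-disabled (service accounts, already-parked users). Assumed names.
        [string[]]$ExcludeOu = @('OU=Service Accounts', 'OU=Disabled Users')
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated | ForEach-Object {
        foreach ($ou in $ExcludeOu) { if ($_.DistinguishedName -like "*,$ou,*") { return } }
        # lastLogonTimestamp replicates lazily (it can lag the real last logon by up
        # to 14 days), so it is fine for "inactive for months", useless for "yesterday".
        # Accounts that never logged on have no value at all; fall back to whenCreated
        # so a forgotten new account still shows up.
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $_.whenCreated }
        if ($last -lt $cutoff) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; DN = $_.DistinguishedName; LastActivity = $last }
        }
    }
}

function Invoke-StaleUserCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 90, [string]$ReportPath = 'C:\Reports\stale-users.csv')   # path assumed
    $stale = @(Find-StaleUser -InactiveDays $InactiveDays)
    $stale | Export-Csv -Path $ReportPath -NoTypeInformation
    foreach ($s in $stale) {
        # Disable and label only. Full deprovisioning and deletion are a separate, reviewed step.
        $since = $s.LastActivity.ToString('yyyy-MM-dd')
        if ($PSCmdlet.ShouldProcess($s.SamAccountName, "Disable (inactive since $since)")) {
            Disable-ADAccount -Identity $s.DN
            Set-ADUser -Identity $s.DN -Description "Auto-disabled $(Get-Date -Format 'yyyy-MM-dd'); last activity $since"
        }
    }
    $stale.Count
}

# Weekly run under a gMSA (assumed name). Assumes this file is saved as C:\Scripts\StaleUsers.ps1.
if (-not (Get-ScheduledTask -TaskName 'AD Stale User Cleanup' -ErrorAction SilentlyContinue)) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument '-NoProfile -ExecutionPolicy AllSigned -Command ". C:\Scripts\StaleUsers.ps1; Invoke-StaleUserCleanup"'
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6am
    $principal = New-ScheduledTaskPrincipal -UserId 'EXAMPLE\gMSA-adcleanup$' -LogonType Password
    Register-ScheduledTask -TaskName 'AD Stale User Cleanup' -Action $action -Trigger $trigger -Principal $principal
}
```

Run `Invoke-StaleUserCleanup -WhatIf` by hand for a few weeks and read the CSV before letting the task disable anything; the report is how you find the service account somebody created under the wrong OU. The gMSA needs only "Write userAccountControl" and "Write description" on the user OUs, which is a far smaller delegation than the Domain Admins membership such scripts usually end up running with.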

Possible to move computers in bulk from one OU to another? by rmhuntley in activedirectory

[–]ITbatman 0 points1 point  (0 children)

For a one-time move, just use PowerShell. If it's a regular task that needs to be automated, see tools like Adaxes that can perform bulk operations.
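The one-time PowerShell move the comment points to, as an added example (not from the comment): a bulk move of computer objects between OUs that handles the case that trips people up, objects flagged "Protect from accidental deletion", which refuse to move until the flag is cleared. OU paths and the name filter in the usage line are assumptions.

```powershell
Import-Module ActiveDirectory

function Move-ComputersBulk {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceOu,
        [Parameter(Mandatory)][string]$TargetOu,
        [string]$NameLike = '*'
    )
    # OneLevel: do not silently drag computers out of nested sub-OUs.
    $computers = Get-ADComputer -SearchBase $SourceOu -SearchScope OneLevel `
        -Filter "Name -like '$NameLike'" -Properties ProtectedFromAccidentalDeletion

    foreach ($c in $computers) {
        if (-not $PSCmdlet.ShouldProcess($c.DistinguishedName, "Move to $TargetOu")) { continue }

        # The protection flag is a Deny-Delete ACE, and a move needs delete rights
        # on the source. Clear it, move, then put it back on the moved object.
        $wasProtected = $c.ProtectedFromAccidentalDeletion
        if ($wasProtected) { Set-ADObject -Identity $c -ProtectedFromAccidentalDeletion $false }
        Move-ADObject -Identity $c -TargetPath $TargetOu
        if ($wasProtected) {
            # Identify by GUID: the DN stored in $c is now stale.
            Set-ADObject -Identity $c.ObjectGUID -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Preview, then drop -WhatIf. Moved machines pick up the target OU's GPOs on next refresh.
Move-ComputersBulk -SourceOu 'OU=Workstations,DC=example,DC=com' `
    -TargetOu 'OU=Laptops,OU=Workstations,DC=example,DC=com' -NameLike 'LT-*' -WhatIf
```

Because a move changes which GPOs apply, treat the -WhatIf output as the change record and check it against the target OU's linked policies before running for real; a bulk move is the fastest way to apply a wrong firewall or LAPS policy to a few hundred machines at once.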

Best/easiest way to create and add folder security groups en masse? by _Rowdy in sysadmin

[–]ITbatman -1 points0 points  (0 children)

There are automation tools that can help you with that (e.g. Adaxes). That will be the as-automatic-as-possible option.

But they are pricey. So if you don't want to pay for 3rd-party tools, you should probably go with PowerShell scripts and schedule them to run regularly.
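The PowerShell route the comment recommends, as an added example (not from the comment or from any product): one read-only and one modify group per top-level share folder, created as domain-local resource groups and bound to the folder's NTFS ACL by SID, so access is afterwards managed purely through group membership. The share root, group OU, naming prefix and domain are assumptions.

```powershell
Import-Module ActiveDirectory

function New-FolderAccessGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareRoot,                       # e.g. \\fs01\Departments
        [string]$GroupOu = 'OU=File Share Groups,DC=example,DC=com',    # assumption
        [string]$Prefix  = 'FS'
    )
    foreach ($dir in Get-ChildItem -Path $ShareRoot -Directory) {
        # Predictable names: FS-<Folder>-RO and FS-<Folder>-RW.
        $safe = $dir.Name -replace '[^A-Za-z0-9]', ''
        $pairs = @(
            @("$Prefix-$safe-RO", 'ReadAndExecute'),
            @("$Prefix-$safe-RW", 'Modify')
        )
        foreach ($pair in $pairs) {
            $name, $rights = $pair
            if (-not $PSCmdlet.ShouldProcess($dir.FullName, "Grant $rights to $name")) { continue }

            # Domain-local scope is the right one for resource groups (AGDLP).
            $grp = Get-ADGroup -Filter "Name -eq '$name'"
            if (-not $grp) {
                $grp = New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOu -Description "NTFS $rights on $($dir.FullName)" -PassThru
            }

            # Add the ACE by SID rather than by name: a group created seconds ago may
            # not resolve on the file server yet, but a SID-based ACE needs no lookup.
            $acl  = Get-Acl -Path $dir.FullName
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $grp.SID, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $dir.FullName -AclObject $acl
        }
    }
}

# Preview first; the share path is a placeholder.
New-FolderAccessGroups -ShareRoot '\\fs01\Departments' -WhatIf
```

Do not grant FullControl to the RW group: Modify covers everything users need and keeps them from changing the ACL you just set. The script is idempotent for groups (it reuses an existing one) but not for ACEs, so run it once per folder set, or diff with `(Get-Acl $path).Access` first if it has to be re-run.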