Product Reviews

More Flexible Active Directory Management

ActiveRoles takes the tedium out of AD.

When it comes to laying out an administrative structure for your organizational domain model, Windows 2000 Active Directory is far more flexible than Windows NT 4.0. However, even Active Directory, while making it easy to move users, groups, computers and even Organization Units (OUs) around, still only allows you to have one perspective on your AD structure. Furthermore, delegating control over a set of objects using the Delegation of Control Wizard requires that these objects all be in the same OU hierarchy-not always the case. This is where FastLane ActiveRoles fits it.

ActiveRoles uses three main concepts to allow an Active Directory designer or architect to enhance the administrative structure for Active Directory:

  • ActiveRoles. A set of permissions for various AD objects that can be delegated to users or groups. A good collection of pre-configured ActiveRoles ships with the product and others (including some for Exchange 2000) can be downloaded from the vendor's Web site.
  • Business Views present a view of the AD structure different from AD itself so that administration is more flexible. You can take objects from several OUs and create a Business View to which administration can be delegated without changing the original AD structure.
  • Business Rules, a set of rules that can be enforced when objects (users, groups, computers, etc.) are created or modified. This is the most powerful component of the product with its ability to automate many of the tasks that you would otherwise perform manually.

Getting ActiveRoles installed and working was reasonably painless, although the CD could use an AutoPlay program. On a positive note, technical support was quick in solving a problem with the trial license key that I received.

ActiveRoles allows you to create roles and views of your Active Directory infrastructure that make management of permissions easier, and almost automatic, by using Business Rules. (Click image to view larger version.)

ActiveRoles runs in three different modes. In Local Mode the roles, rules and views defined are only available to the user who installed Active Roles. In Domain or Forest mode, this information is stored in AD and replicated to other domain controllers so everyone can potentially access it (assuming they have permissions to do so). Switching to Domain or Forest mode requires a modification of the Active Directory schema, a process that can't be reversed once completed. If you have several architects, you may want to choose this, but make sure you're a Schema Admin before doing so. When switching, you have the option to migrate your data as well.

Upgrade News

After we went to print, Quest announced the release of FastLane ActiveRoles 4.0, a significant upgrade that extends the reach of ActiveRoles into Group Policy.

An innovative "ActiveRSoP" (Resultant Set of Policy) feature allows you to explore the results of "what-if" scenarios (for example, if user Joe logs into computer MABEL that's added to a particular OU, what final permissions result from that combination?).

A second feature called ActivePolicies lets you create templates to ease the deployment of Group Policy Objects to multiple domains in a consistent fashion.

Other improvements include undo/redo in the user interface, improved business views, and the ability to save a baseline for any portion of AD. You can later compare the current settings to the baseline to see what's changed. Finally, a new COM interface makes it possible to control ActiveRoles by scripting common operations.
—Mike Gunderloy

Configuring Business Rules, Active Roles and Business Views is quite straightforward through the Active Roles MMC snap-in. The snap-in also shows the current AD structure, but-in what I consider a major annoyance-it doesn't allow you to create users, groups or OUs. You must use the AD Users and Computers snap-in to do so and then use the ActiveRoles MMC snap-in to assign the roles to the objects you create. While you can always create a custom MMC console with both snap-ins, it would be nice to be able to do everything from the ActiveRoles MMC console.

FastLane ActiveRoles can be a valuable tool for the design, on-going administration and management of Active Directory in medium to large enterprises, where the number of objects and the way they're managed tend to require different perspectives simultaneously. Small companies may not need the flexibility that it offers.

About the Author

Damir Bersinic, MCSE, MCDBA, MCSA, MCT, is an independent consultant, trainer and author.

comments powered by Disqus

Reader Comments:

Tue, Apr 18, 2006 Anonymous Anonymous

I like EmpowerID WebManager. It offers the same flexible delegation and is a 100% web 2.0 application that can integrate with SharePoint.

Wed, Dec 7, 2005 Anonymous Anonymous

I have been watching this beast called AR in a rather large AD installation for a couple years now. Not only is it an unweildy beast that has turned administration into a nightmare of administrivia, but the deployment of it has been almost impossible to complete. The Security project manager that fronted this brainstorm on the environment has tried to dump and run so many times it's not funny. He does everything he can to make his recommendation now look like anyone else's responsibility.

The tool is so complex that when the teams end up using it, they have to work around it to fix the unavailability they provide to the customer. Be really, really careful if you decide to go with something like this product, can cause real problems with poor and half-way implementations.

Fri, Dec 21, 2001 Anonymous Anonymous

AR 4.0 offers the best of breed for AD management, groups policy management, reporting, automating via business rules and best of all, no proxy or single point of failure. I like this because I don't have to invest in new hardware. I don't have to wait for NetIQ to come with a version that will support xxx attributes. This product is very flexible and has no competition out there. I don't understand how one can say that DRA is feature rich product?? In what way? The UI in AR is very simple and straightforward. I give this a two thumbs up.

Mon, Dec 17, 2001 Anonymous Anonymous

The beauty of AR is its simplicity - other solutions should aspire to be so easy to deploy and maintain. By the way, fear mongerers, AD schema changes will be reversible in .Net server so why worry?

Mon, Dec 17, 2001 Anonymous Anonymous

awesome product, the roles-based administration makes the impossible possible... and the new rsop features are a welcome relief from FAZAM...

Mon, Dec 17, 2001 anonymous Anonymous

I installed ActiveRoles in 2 minutes. There is no deployment with AR becuase it relies on the AD infrastructure to distribute the application data. This is the beauty of directry enabled apps. It is nice to see a product that actually focuses on solving management problems opposed to the usual framework (i.e. NETIQ) message of 'deploy my product everywhere and then you may get benefits later'

Mon, Dec 17, 2001 Anonymous USA

ActiveRoles is a mandatory for AD management. Just try and do things like role-based administration, RSoP calculations and ACL security reporting using native tools. I isn't going to happen. The best part is that ActiveRoles is fully integrated into the native AD security model, let's AD do all the replication and high availability and let's you still use native tools. NetIQ asks you to throw out the native security model of AD and push everything through their tool. No thanks. ActiveRoles - nice product

Thu, Nov 29, 2001 Anonymous Anonymous

The business views are sorry. its applied on the results at the current time however DRA (netiq) is dynamic. AR 3 is the a replacement of the security tab on the objects in AD nothing more.

Thu, Nov 29, 2001 Anonymous Anonymous

This product Extends the Schema ouch.. am I ready for this now.. hmm NOT REALLY. I rather go with a product that does leaves my AD clean which I can accomplish with NetIQ's DRA.

Thu, Nov 29, 2001 Anonymous Anonymous

AR is a product for companies who do not plan on making any updates to their AD once its in place. After my eval period I also realized the fact on how difficult AR was to be uninstalled.

Thu, Nov 29, 2001 Anonymous Anonymous

I evaluated AR 3 and a product like AR cannot surive in the long run because it increases administration instead or decreasing. Their Administration model is not flexible or dynamic which means with every new object created you must modify the security. AR and NetIQ's DRA cannot be compared since DRA is a more flexible and feature rich product

Wed, Nov 28, 2001 Anonymous Anonymous

Fastlane ActiveRoles supports any object in AD, including extended schema's, and it is a non-proxy based mmc snapin.

DRA is not.

As for NETIQ's DRA, here are some limitations

NetIQ’s DRA 6.0 offers a proprietary delegation infrastructure that confounds many features of Active Directory. The value proposition of DRA 6.0 requires a customer to:
•Not use the Native Delegation within Active Directory
•Not use the native MMC tools provided with Windows 2000 Server
•Not leverage the multi-master replication of Active Directory
•Restrict the flexibility of Active Directory for future Directory Enabled Applications from Microsoft and other vendors

These characteristics of NetIQ’s DRA 6.0 product will seriously impact the value of Active Directory in a large enterprise.

Furthermore, do you want to wait for an upgrade everytime ad is extended?

Wed, Nov 28, 2001 Anonymous Anonymous

I really like the idea that as IT Roles change, I only have to update the assigned role and it updates the role membership automagically

Wed, Nov 28, 2001 Anonymous Anonymous

finally a tool I can point click and done

Wed, Nov 28, 2001 Anonymous Anonymous

MS should have included something like this in NATIVE TOOLS

Wed, Nov 28, 2001 Anonymous Anonymous

Its OK if you want to set ACLs once in the AD. But it doesn't really help much once they have been set. I looked at it & netiq's product and went with netiq becuase their product help solve my real problems.

Wed, Nov 28, 2001 Anonymous Anonymous

This product is really weak -- AD only. I personally think NetIQ's DRA product is much more robust and supports NT4, Exchange, etc.

Tue, Nov 27, 2001 Anonymous Anonymous

AD has been crying out for this functionality - the Group Policy thing rocks....

Tue, Nov 27, 2001 Anonymous Anonymous

yes ma'am!

Tue, Nov 27, 2001 Anonymous Anonymous

oh yeah

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.