More Flexible Active Directory Management
ActiveRoles takes the tedium out of AD.
When it comes to laying out an administrative structure for your organizational
domain model, Windows 2000 Active Directory is far more flexible than
Windows NT 4.0. However, even Active Directory, while making it easy to
move users, groups, computers and even Organization Units (OUs) around,
still only allows you to have one perspective on your AD structure. Furthermore,
delegating control over a set of objects using the Delegation of Control
Wizard requires that these objects all be in the same OU hierarchy-not
always the case. This is where FastLane ActiveRoles fits it.
ActiveRoles uses three main concepts to allow an Active Directory designer
or architect to enhance the administrative structure for Active Directory:
- ActiveRoles. A set of permissions for various AD objects that
can be delegated to users or groups. A good collection of pre-configured
ActiveRoles ships with the product and others (including some for Exchange
2000) can be downloaded from the vendor's Web site.
- Business Views present a view of the AD structure different
from AD itself so that administration is more flexible. You can take
objects from several OUs and create a Business View to which administration
can be delegated without changing the original AD structure.
- Business Rules, a set of rules that can be enforced when objects
(users, groups, computers, etc.) are created or modified. This is the
most powerful component of the product with its ability to automate
many of the tasks that you would otherwise perform manually.
Getting ActiveRoles installed and working was reasonably painless, although
the CD could use an AutoPlay program. On a positive note, technical support
was quick in solving a problem with the trial license key that I received.
|ActiveRoles allows you to create roles and views of
your Active Directory infrastructure that make management of permissions
easier, and almost automatic, by using Business Rules. (Click image
to view larger version.)
ActiveRoles runs in three different modes. In Local Mode the roles, rules
and views defined are only available to the user who installed Active
Roles. In Domain or Forest mode, this information is stored in AD and
replicated to other domain controllers so everyone can potentially access
it (assuming they have permissions to do so). Switching to Domain or Forest
mode requires a modification of the Active Directory schema, a process
that can't be reversed once completed. If you have several architects,
you may want to choose this, but make sure you're a Schema Admin before
doing so. When switching, you have the option to migrate your data as
After we went to print, Quest announced the release
of FastLane ActiveRoles 4.0, a significant upgrade that
extends the reach of ActiveRoles into Group Policy.
An innovative "ActiveRSoP" (Resultant Set of Policy)
feature allows you to explore the results of "what-if"
scenarios (for example, if user Joe logs into computer
MABEL that's added to a particular OU, what final permissions
result from that combination?).
A second feature called ActivePolicies lets you create
templates to ease the deployment of Group Policy Objects
to multiple domains in a consistent fashion.
Other improvements include undo/redo in the user interface,
improved business views, and the ability to save a baseline
for any portion of AD. You can later compare the current
settings to the baseline to see what's changed. Finally,
a new COM interface makes it possible to control ActiveRoles
by scripting common operations.
Configuring Business Rules, Active Roles and Business Views is quite
straightforward through the Active Roles MMC snap-in. The snap-in also
shows the current AD structure, but-in what I consider a major annoyance-it
doesn't allow you to create users, groups or OUs. You must use the AD
Users and Computers snap-in to do so and then use the ActiveRoles MMC
snap-in to assign the roles to the objects you create. While you can always
create a custom MMC console with both snap-ins, it would be nice to be
able to do everything from the ActiveRoles MMC console.
FastLane ActiveRoles can be a valuable tool for the design, on-going
administration and management of Active Directory in medium to large enterprises,
where the number of objects and the way they're managed tend to require
different perspectives simultaneously. Small companies may not need the
flexibility that it offers.
Damir Bersinic, MCSE, MCDBA, MCSA, MCT, is an independent consultant, trainer and author.