Product Reviews

More Flexible Active Directory Management

ActiveRoles takes the tedium out of AD.

When it comes to laying out an administrative structure for your organizational domain model, Windows 2000 Active Directory is far more flexible than Windows NT 4.0. However, even Active Directory, while making it easy to move users, groups, computers and even Organizational Units (OUs) around, still allows you only one perspective on your AD structure. Furthermore, delegating control over a set of objects using the Delegation of Control Wizard requires that these objects all be in the same OU hierarchy, which is not always the case. This is where FastLane ActiveRoles fits in.

ActiveRoles uses three main concepts to allow an Active Directory designer or architect to enhance the administrative structure for Active Directory:

  • ActiveRoles. A set of permissions for various AD objects that can be delegated to users or groups. A good collection of pre-configured ActiveRoles ships with the product and others (including some for Exchange 2000) can be downloaded from the vendor's Web site.
  • Business Views. A view of the AD structure different from AD itself, so that administration is more flexible. You can take objects from several OUs and create a Business View to which administration can be delegated without changing the original AD structure.
  • Business Rules. A set of rules that can be enforced when objects (users, groups, computers, etc.) are created or modified. This is the most powerful component of the product, with its ability to automate many of the tasks that you would otherwise perform manually.

Getting ActiveRoles installed and working was reasonably painless, although the CD could use an AutoPlay program. On a positive note, technical support was quick in solving a problem with the trial license key that I received.

ActiveRoles allows you to create roles and views of your Active Directory infrastructure that make management of permissions easier, and almost automatic, by using Business Rules.

ActiveRoles runs in three different modes. In Local mode, the roles, rules and views defined are only available to the user who installed ActiveRoles. In Domain or Forest mode, this information is stored in AD and replicated to other domain controllers so everyone can potentially access it (assuming they have permissions to do so). Switching to Domain or Forest mode requires a modification of the Active Directory schema, a process that can't be reversed once completed. If you have several architects, you may want to choose this, but make sure you're a Schema Admin before doing so. When switching, you have the option to migrate your data as well.

Upgrade News

After we went to print, Quest announced the release of FastLane ActiveRoles 4.0, a significant upgrade that extends the reach of ActiveRoles into Group Policy.

An innovative "ActiveRSoP" (Resultant Set of Policy) feature allows you to explore the results of "what-if" scenarios (for example, if user Joe logs into computer MABEL that's added to a particular OU, what final permissions result from that combination?).

A second feature called ActivePolicies lets you create templates to ease the deployment of Group Policy Objects to multiple domains in a consistent fashion.

Other improvements include undo/redo in the user interface, improved business views, and the ability to save a baseline for any portion of AD. You can later compare the current settings to the baseline to see what's changed. Finally, a new COM interface makes it possible to control ActiveRoles by scripting common operations.
—Mike Gunderloy

Configuring Business Rules, ActiveRoles and Business Views is quite straightforward through the ActiveRoles MMC snap-in. The snap-in also shows the current AD structure, but (in what I consider a major annoyance) it doesn't allow you to create users, groups or OUs. You must use the AD Users and Computers snap-in to do so and then use the ActiveRoles MMC snap-in to assign the roles to the objects you create. While you can always create a custom MMC console with both snap-ins, it would be nice to be able to do everything from the ActiveRoles MMC console.

FastLane ActiveRoles can be a valuable tool for the design, ongoing administration and management of Active Directory in medium to large enterprises, where the number of objects and the way they're managed tend to require different perspectives simultaneously. Small companies may not need the flexibility that it offers.

About the Author

Damir Bersinic, MCSE, MCDBA, MCSA, MCT, is an independent consultant, trainer and author.

