Product Reviews
Manage the Forest and the Trees
Administer your entire Active Directory domain from one location.
While the tools that come with Windows Server work just fine for most Active Directory management tasks, they aren't really set up to manage your entire enterprise from a single spot. You have to at least connect to a domain and look at its properties or connect to a local system to see the GPO. You don't really have a clean interface for all-encompassing GPO management right out of the box. Usually, you have to customize the Microsoft Management Console to build an interface that pulls in the entire forest.
REDMOND RATING
Documentation (20%): 9
Installation (20%): 9
Feature Set (20%): 8
Performance (20%): 8
Management (20%): 9
Overall Rating: 8.6
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Active Administrator fills that gap by taking a top-down approach to administering
your entire AD domain. ScriptLogic has taken some major steps forward with the
4.0 release of Active Administrator, which is poised to be a solid enterprise
AD management tool. (See our review
of Active Administrator 3.0.)
The new version has a host of improvements. My personal favorite on the new feature list is AD Object Restore. If you've ever done something as boneheaded as wiping out the CEO's user account or blowing away an entire organizational unit (OU), you will love this one as much as I do. AD doesn't have any sort of object level recovery to easily fix this problem, and as you know, you can't just recreate an object or objects you've accidentally deleted. If you've found yourself in this situation, you know it usually meant making the walk of shame to the tape vault.
After finding the correct backup tape, you'd have to restore a domain controller and do an authoritative restore in Directory
Services Restore Mode (DSRM) -- all the while praying there haven't been many changes to AD since your inadvertent delete. With Object Restore, you can easily restore a single object in AD -- whether a single account or an entire OU -- without the usual madness. Life hasn't been this good since single mailbox restores in Exchange.
Active Management
Active Administrator 3.0 introduced Active Templates as a means of delegating
and managing the permission levels in AD -- without providing unnecessary privileges.
These templates are really cool if you absolutely need to know who has what
level of permission. You can create a template defined by permissions. Users
are assigned roles based on an AD task, so you can do things like provide users
"almost" administrative access to their machine or give junior administrative
rights to a help desk technician. The Active Templates let you provide the right
amount of access your users need to get their jobs done without providing too
much access. If you need to customize the templates for specific tasks and permissions,
you can certainly do that as well.

Figure 1. Active Administrator’s Object Restore window lets you specify object and attributes to restore.
In version 4.0, these templates are actually self-healing, using a service
that fixes anomalies within the templates. If a setting were changed in the
policy, a service in Active Administrator would revert that setting back to
how it was originally specified in the template. It would also alert you to
the change.
This is a cool upgrade from Active Administrator 3.0, where you would have to review your templates regularly to ensure compliance.
In short, when you set role-based user security to a specific standard, it stays that way. With some GPO settings, a savvy user can make certain changes to the GPO, whether or not he is authorized to do so by IT management. Active Administrator keeps the settings as specified in the template.
Auditing Made Easy
If you have to monitor AD security and you have multiple domain controllers,
you have to visit each DC and scroll through each log to find the events you're
hoping aren't there. Active Administrator's AD Auditing (which has been part
of Active Administrator since version 3.0) is cool because you can now check
these event logs from one location.
You can also configure the logs to send alerts for certain events. For example, if one of your administrators on the other side of the country goes messing around with your "Computers" container or users, you'll know about it right away -- not after something has already gone wrong.
Get a Handle on GPOs
Active Administrator gives you easy access to solid GPO management features.
You can look at each policy in your forest, figure out where it's linked, review
statistical information, copy to another domain and adjust it accordingly. It
also keeps a historical record of your GPOs so you'll know who changed what and
when those changes were made. If any change you make doesn't work out the way
you or one of your admins had intended, just roll it back.
Another of Active Administrator 4.0's new features that applies specifically
to GPO management is the Offline Repository. If you frequently have to change
your GPOs, this repository is very helpful because you can isolate your GPO,
make your changes offline without affecting your production environment and
publish it back when you're ready for it to go live.

Figure 2. In the Group Policy Offline Repository, you can select, edit and report on GPOs.
The Offline Repository also has a check-in/check-out management structure that
lets you control who's authorized to make changes and how frequently they can
do so, should you have multiple administrators managing GPOs. There's even a
nifty reporting tool you can use for review or to produce a maintenance record
book (for you old school techies out there).
I like this tool and I think ScriptLogic did well with the additions and enhancements
to the 4.0 release. Active Administrator is simple to get up and running and
easy to use. If you need some serious configuration management for your AD forest,
you'd do well to consider it.
About the Author
Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association.