Active Directory Tools
The Active Directory Tools automate processes to simplify the administration of Active Directory and to allow delegation to employees who have little or no IT know-how.
- Setting of individual passwords for local administrator-accounts
- Testing of Active Directory replication
- Delegate the maintenance of user-data in Active Directory
- Consistent interface to Active Directory, ADAM, Windows and SQL
- Create Active Directory dynamic Security Groups
Setting Local Administrator Passwords
The local administrator passwords on the clients are usually set during the basic installation, so they are identical on all machines. This is a substantial security gap: the password may become widely known, for example if it has been passed on, knowingly or unknowingly.
With FirstWare-LocalAdminPassword you can assign individual passwords for the local administrator accounts based on the computer-name. The passwords are assigned automatically. If the password of the administrator-account is required, a responsible IT administrator can calculate it using the user interface by simply setting the computer-name as the parameter.
The solution is configurable and the following options for the assignment of the individual administrator passwords are available:
- Initial setup of an individual password for the local administrator-account
- Setting a new, individual password each time a defined time interval (measured in hours) expires
- Setting a new, individual password every day
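One way such a per-computer password could be calculated, as an added example (not FirstWare-LocalAdminPassword's own code; the page does not state its algorithm): an HMAC over the computer name and the current rotation interval, keyed with a secret held only by the IT administrators. MASTER_KEY, period_index and derive_password are hypothetical names, and the key shown is a constructed sample.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample key. A real key would be random and stored in a vault
# that only the responsible IT administrators can read.
MASTER_KEY = b"constructed-demo-key-not-for-production"


def period_index(now: datetime, interval_hours: int) -> int:
    """Whole rotation intervals since the Unix epoch (0 hours = never rotate)."""
    if interval_hours <= 0:
        return 0
    return int(now.timestamp()) // (interval_hours * 3600)


def derive_password(computer_name: str, now: datetime,
                    interval_hours: int = 24, length: int = 20) -> str:
    """Derive the local administrator password for one machine and one interval."""
    # Windows computer names are case-insensitive, so normalise before hashing.
    name = computer_name.strip().upper().encode("utf-8")
    index = str(period_index(now, interval_hours)).encode("ascii")
    digest = hmac.new(MASTER_KEY, name + b"|" + index, hashlib.sha256).digest()
    # URL-safe base64 yields letters, digits, '-' and '_'; 20 characters
    # carry 120 bits of the HMAC output.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for pc in ("PC-001", "PC-002"):  # constructed computer names
        print(pc, derive_password(pc, now))
```

The administrator recomputes the password from the computer name and the same key. Without a secret key, the computer name alone would be enough to reproduce the password, so the key must be protected like any other privileged credential.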
Interface for administrators to get the password of a specific PC:

Testing Active Directory Replication
Active Directory automatically distributes all current Active Directory information to all Domain Controllers in the forest. This process is called replication. If replication is interrupted, this usually goes unnoticed until a complaint is received. If the replication is interrupted for more than 180 days (starting with Windows 2008), the affected Domain Controller will not make or receive any changes. This is defined by the Active Directory Tombstone Lifetime, which is configurable.
You can determine the current status of the Active Directory replication with the help of the tool FirstWare-ADReplicationCheck. After the program is opened, an attribute change is executed, and its replication is monitored and evaluated. In this manner you are able to see which Domain Controllers have or have not received the changes. Because the tool checks Active Directory replication using a Global Catalogue attribute, you are able to determine the replication status within a world-wide forest consisting of numerous domains.
Screenshot of FirstWare-replicationTester:

Delegate the management of user data in the Active Directory
Active Directory is employed in many systems as the supplier for user data.
Exchange uses the Global Catalogue of the Active Directory to generate the address books for the mail system. The information about each user should always be up to date so that users can rely on the address book and the telephone book. Usually, updated address or telephone data is entered late, since the person requiring the change has to pass the information to the responsible administrator in the IT department.
With FirstWare-Admin you can delegate the task of updating the required information. You can allow employees who do not have the appropriate IT know-how to change user attributes by using simple forms. In this manner, the Human Resources department, for example, can change address or telephone information without having to complete an Active Directory training. You can limit the visible area of the Active Directory exactly to the OUs which a certain employee is allowed to edit.
Example-Screenshot:
Consistent interface for Active Directory, ADAM, Windows, SQL-Server
To execute actions within the directory, Active Directory is usually accessed by external systems via the LDAP-port. User, Group, or computer objects, among others, can be administered via the LDAP-provider.
Every system, in which e.g. user or group accounts are administered, supplies providers or interfaces to allow applications access for user or group administration.
With FirstWare-EntryManager we present a flexible solution which enables you to access different systems via a single interface/port.
By using EntryManager you can provide a consistent, easy-to-use provider to access the following systems:
- Active Directory
- ADAM (Active Directory in Application Mode)
- Windows Systems
- SQL-Server
The providers can be extended as required, so that access to Linux Systems or other directories is possible.
The following image shows the architecture of the system:

Create Active Directory dynamic Security Groups
To create and manage Active Directory dynamic Security Groups you can use FirstWare-DynamicSecurityGroups. It lets you create LDAP filters that define the members of a security group dynamically. Just as you can work with dynamic distribution groups in Exchange, you can now work with dynamic security groups in Active Directory.
With FirstWare-DynamicSecurityGroups you can
- define the members by LDAP-Filters in Active Directory
- define a search root
- define a whitelist of permanent members
- define a blacklist of users who should never be in this group
- get a preview of the members before activating the group
- define the interval for updating the memberships
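How these options combine into one membership calculation, as an added example (not FirstWare-DynamicSecurityGroups' own code): a small evaluator for a subset of LDAP filter syntax is run over constructed sample entries, then the whitelist, blacklist and preview are applied. All function names and directory entries are hypothetical, and letting the blacklist override the whitelist is an assumption.

```python
BASE = "DC=example,DC=com"
ENTRIES = {  # constructed sample directory entries (attribute names lowercased)
    f"CN=Alice,OU=Staff,{BASE}": {"department": ["Finance"]},
    f"CN=Bob,OU=Staff,{BASE}": {"department": ["Finance"], "employeetype": ["contractor"]},
    f"CN=Carol,OU=Staff,{BASE}": {"department": ["IT"]},
    f"CN=Dave,OU=External,{BASE}": {"department": ["Finance"]},
}

def parse(f, i=0):
    """Parse one filter (subset of RFC 4515) at f[i]; return (predicate, next index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    op = f[i + 1:i + 2]
    if op in ("&", "|"):
        subs, i = [], i + 2
        while f[i:i + 1] == "(":
            sub, i = parse(f, i)
            subs.append(sub)
        combine = all if op == "&" else any
        pred = lambda e: combine(s(e) for s in subs)
    elif op == "!":
        sub, i = parse(f, i + 2)
        pred = lambda e: not sub(e)
    else:  # leaf: (attr=value), or presence test (attr=*)
        end = f.find(")", i)
        attr, eq, value = f[i + 1:end].partition("=")
        if end < 0 or not eq:
            raise ValueError(f"malformed item at position {i}")
        def pred(e, attr=attr.lower(), value=value.lower()):
            vals = [v.lower() for v in e.get(attr, [])]
            return bool(vals) if value == "*" else value in vals
        return pred, end + 1
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return pred, i + 1

def resolve_members(entries, ldap_filter, search_root, whitelist=(), blacklist=()):
    """Filter matches below the search root, plus whitelist, minus blacklist."""
    match, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    suffix = "," + search_root.lower()
    found = {dn for dn, e in entries.items() if dn.lower().endswith(suffix) and match(e)}
    # Assumption: the blacklist is applied last, so it overrides filter and whitelist.
    return (found | set(whitelist)) - set(blacklist)

def preview(current, target):
    """Return (to_add, to_remove) for review before the group is changed."""
    return sorted(target - set(current)), sorted(set(current) - target)
```

Because a security group grants access, the preview step is where a filter that is too broad, such as a search root set too high in the tree, shows up before any membership is written.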
Below you can see a screenshot of one of the administrative-forms:



