Product: Softerra Adaxes
Day-to-day administration of Active Directory environments involving hundreds or thousands of users can be cumbersome and time-consuming if all you have are the built-in tools included in the Windows Server platform. Common tasks like provisioning user accounts often require performing several steps such as adding users to groups, configuring a home directory, creating an Exchange Server mailbox, and so on. Deprovisioning users can be even more complex and is often neglected, resulting in orphaned user accounts and unmonitored mailboxes.
Administering a distributed Active Directory environment also requires dividing administrative responsibilities among different administrative groups such as service administrators and helpdesk personnel. While the built-in Delegation of Control Wizard allows you to delegate permissions to users or groups for performing administrative tasks on directory objects contained in organizational units or domains, there are no built-in tools in the Windows Server platform for role-based administration of Active Directory. And if you do delegate the necessary permissions to helpdesk personnel so they can perform their job role, there is no way to customize the built-in tools for this purpose.
While the Active Directory Administrative Center introduced in Windows Server 2008 R2 provides an enhanced Active Directory data management experience, the Administrative Center is not customizable and does not support role-based administration or simplify the task of delegating permissions. Clearly there is a gap to be filled with regard to Active Directory management, especially for organizations that have distributed environments with many users and computers to manage.
Softerra Adaxes fills the gap with powerful tools and capabilities that now make it easy to automate and streamline common Active Directory administration tasks such as provisioning and deprovisioning users, modifying membership in groups, or creating and retiring organizational units. Adaxes also provides built-in security roles for delegating privileges to users who are assigned the task of managing accounts, updating the personal information of users, or helping users when they have problems. Adaxes also provides a web-based interface for Active Directory administration and a self-service portal for users to perform actions like resetting forgotten passwords, which can be one of the biggest drains on helpdesk resources.
Installation and Configuration
I performed my evaluation of Adaxes in two ways: by downloading the product from http://adaxes.com/download.htm and installing it in a test environment, and by trying out the live demo available from http://adaxes.com/info_livedemo.htm.
Installation and configuration of Adaxes was straightforward on Windows Server 2008 R2. Preparatory steps involved installing the .NET Framework 3.5 SP1, creating a service account, and assigning the service account permissions on the computer object of the installation system. Post-installation tasks were guided by links to easy-to-follow tutorials on the Softerra website.
Accessing the live demo on the Softerra website required installing Java in my web browser. The remote system with Adaxes installed was then accessed using the VNC Client remote control software from RealVNC. The first time I accessed the demo, it took about 10 minutes for the demo to initialize. On subsequent sessions access was almost immediate.
Adaxes includes two administration tools:
- The Admin Console shown below.
- The Web Interface, which is described later in this review.
You can also optionally install the PowerShell Module for AD provided you have Windows PowerShell 2.0 installed on your system.
Security roles allow administrators to control which users can perform which operations on which Active Directory objects. Adaxes includes a number of built-in security roles as shown below, but you can also create custom roles if these are needed in your environment:
Roles are defined by allowing or denying various permissions to them. The next screenshot shows some of the permissions for the built-in Help Desk role, which allows you to see some of the tasks users who are assigned this role can perform:
Assigning a role to a trustee (user or group) is easy. You simply right-click in the Assignments pane shown above, click Add Assignment, select users or groups (or built-in identities like Authenticated Users, Everyone, or Self) to assign the role to, select the container (domain or OU) in Active Directory that the trustees will be assigned over, and you’re done. The next figure shows user Albert Fromm having Help Desk role privileges over members of the Accounting Staff group:
A nice touch is that all operations performed using Adaxes are logged, which can be very helpful to companies for auditing and compliance purposes. For example, by selecting the Logging node in the console tree of the Admin console, you can see that the above role assignment was logged as the entry named Modify Help Desk:
Double-clicking on a log entry displays additional information concerning the operation performed. You can also drill down directly into the management history of a particular role by right-clicking on the role and selecting New Tasks and then Management History. Doing this displays a dialog showing only those log entries that are associated with that particular role:
A few of the built-in roles have special purposes. For example, the User Self-Service role defines what actions users can perform on their own user accounts. The Service Log Role allows trustees to read the service log and nothing else. And the Blind User role can be assigned to trustees to prevent them from viewing objects in specified Active Directory containers (domains or OUs) or virtual containers called Business Units that are described later in this review.
Business rules are another powerful feature of Adaxes, and consist of a set of defined actions and conditions that are performed before or after a specified Active Directory management operation is performed. Adaxes includes some built-in rules like Create Exchange Mailbox and Create User Home Directory. These built-in rules are disabled by default and must be enabled before they can be used. You can also create custom rules, for example the User Provisioning rule shown below which is automatically executed whenever a new InetOrgPerson object is created in Active Directory:
I tried creating several rules using the wizard and found the procedure straightforward. For example, I created a rule that would automatically send an email notification to a user’s manager upon the event of the user’s account being disabled:
I created another rule that would move a user account to the Deprovisioned Users OU upon the event of the user’s account being disabled. This second rule would also send an email to the user’s manager requesting the manager’s approval before moving the account:
When you create a new rule, you must define the activity scope over which the rule will be assigned. For example, when I created the second rule above, I assigned the rule over members of the Accounting Staff group:
I tested the rule by disabling the account of a user belonging to the Accounting Staff group, and it worked as expected:
Property patterns let you define formatting constraints and auto-generating rules for properties of Active Directory objects. Adaxes includes several built-in property patterns which you can customize as needed:
You can of course also create new property patterns from scratch using the Admin Console.
Custom commands allow you to perform complex Active Directory operations easily and can be especially useful when you need to automate frequently performed tasks. For example, the built-in custom command called Deprovision lets you perform a series of actions based on the conditions illustrated below:
Scheduled tasks can be a big help in maintaining large Active Directory environments. The built-in scheduled tasks can be used for sending users automatic notification concerning impending account or password expiration, and can help prune Active Directory by deleting inactive accounts:
Password self-service is one of my favorite Adaxes features as it enables users to reset their forgotten passwords without burdening Help Desk with this issue. This can result in minimized user downtime and lower IT operational costs, two key benefits most organizations would be happy to gain. Password self-service is defined through a series of policies you can configure, which let you specify how many secret questions the user is required to answer and what happens after a specified number of incorrect responses. By installing the Adaxes Self-Service Client on users’ computers using Group Policy Software Installation or some other approach, the user will see descriptive text and a hyperlink on their logon screen:
Clicking the link takes the users to the Self Service portal, which presents the user with the secret questions they must respond to in order to reset their password:
In my opinion, this Adaxes feature alone is almost worth the price of admission.
Business units are a powerful feature that allows you to create virtual containers that can be managed like organizational units but which can contain objects from multiple OUs or domains. For example, this screenshot of the Adaxes live demo shows a business unit called Accounting that displays all users in the Accounting department regardless of the domain, OU or site in which they reside:
The membership rules that define a business unit can be configured by specifying objects, group members, container children, or by using the results of an LDAP query as shown next:
While we’re discussing this, let me show you another cool feature of Adaxes, namely the ability to bulk modify specific properties of Active Directory objects. I’ll start by multi-selecting some users in the Accounting business unit and then I’ll right-click and select Properties as shown here:
I can now configure a property such as the Web Page for all the users that I selected:
You can’t do that with the Active Directory Users and Computers snap-in, but I’m sure you’ve always wished you could do so. With Adaxes, now you can.
Finally, let me briefly talk about the Web Interface. This is an ASP.NET application hosted on IIS that provides similar functionality to the Administration Console from within a standard web browser. Adaxes includes three Web Interface applications: an Administrator interface for performing Active Directory data management operations, a Help Desk interface that focuses on the tasks performed by Help Desk personnel, and the Self Service interface described earlier that users can use to reset their passwords. The screenshot below shows the Help Desk interface:
The Administrator and Help Desk interfaces have a Home tab for accessing tasks or objects, a Search tab that lets you search Active Directory in various ways, a My Favorites tab you can customize with frequently accessed tasks or objects, and a Basket tab that lets you add objects to a basket so you can perform operations on them in bulk. (The Admin Console has similar basket functionality.) The Administrator interface also has a Reports tab you can use to quickly generate reports, for example if you wanted to view which user accounts were created within the last 7 days. The Self Service interface only has a Search tab. I found all three consoles well laid out and intuitively easy to use.
In conclusion, I have to say that Softerra Adaxes is a real winner when it comes to empowering mid- and large-sized organizations for streamlined and efficient Active Directory data management. I therefore rate this product 5 out of 5 – i.e. award it the WindowsNetworking.com Gold Award and can recommend it without hesitation.
Licensing and maintenance pricing information for Softerra Adaxes can be found on their website at http://adaxes.com/purchase.htm. You can also download the fully functioning software and try it for a 30-day evaluation period, and Softerra provides you with full access to their technical support staff during the evaluation period.