1. Purpose Built for Active Directory -Unlike other solutions, ActiveRoles was purpose built for Active Directory while other solutions were built to manage the Windows NT account database.  Because solutions originally built for Windows NT could only be retrofitted to perform AD management they are not able to take advantage of core AD features many of which are discussed in this brief.
    
2. Integrated and timely support for key Microsoft platforms -Active Directory, Exchange, ADLDS SharePoint, ADSI and PowerShell are critical platform components that must be supported. While other products may take years to support the latest versions of these products, ActiveRoles typically supports them on the day they are released or at a maximum of 60 days post release.
    
3. Compatibility with Active Directory’s Security Model – The Active Directory permission model is based on a set of Access Control Lists that link directory rights to delegate trustees allowing the delegated admin to exercise those rights to perform some task in AD. Unlike ActiveRoles Server, most solutions require the use of a proprietary permission that have little or no understandable correlation to AD rights they grant. When the ActiveRoles service starts, the service creates a virtualized version of the AD rights used in the ACLs and then extends the list with several virtual permissions. To the person administrating security in ActiveRoles they seen an almost identically list of rights with the same look and feel of the native AD rights. ActiveRoles Server also has the added advantage of combining these rights into Roles for clarity and accuracy of security assignment and easy delegation of administration. A side benefit of compatibility with the Active Directory Security Model is the vast knowledge available on how AD permissions work and which permissions are required to perform specific tasks.
    
4. Compatibility with Active Directory Service Connection Points – A standard Active Directory service known as Service Connection Points (SCPs) allow applications to inform Active Directory of the applications presence in the enterprise. It is important to note that SCPs require no agents, customer configuration or changes to Active Directory. When the ActiveRoles Service executes it registers an SCP so that any console or web UI can locate the service instantly.
    
5. Compatibility with Active Directory’s DirSync service – A standard Active Directory services known as DirSync allow applications to instantly see what changes are happening within AD. This is the same service Domain Controllers use to exchange change information to determine what items need to be replicated. . It is important to note that the DirSync service requires no agents, customer configuration or changes to Active Directory. The ActiveRoles service listens to the DirSync service for changes made directly to Active Directory that may require ActiveRoles to perform some action such as enforce a group’s membership or send a change notification.
    
6. Virtual Unified Schema – Unlike other solutions that use a fixed schema and won’t recognize schema extensions, ActiveRoles uses a virtual unified schema built from the schemas of the domains being managed. When the ActiveRoles service starts it reads the schema of each domain being managed and adds that schema the ActiveRoles unified virtual schema. This unified virtual schema also includes any schema extensions that may be present in a particular domain so that applications that require data be populated during user provisioning or cleared during user deprovisoning can be supported. ActiveRoles also adds a set of virtual attributes to allow for more granular delegation over attributes or to allow other data not stored in AD to be associated with an object.
    
7. Real-time vs. Cached Data -To avoid the chance that two administrators open an AD object and view different information the retrieval of AD data must be done without caching of the data. Unlike many solutions that either load object data into a cache or into a separate database before an administrator accesses the object,  the ActiveRoles service retrieves the data in real-time.
    
8. Security Integrated Workflow -The role based delegation of administration provided by ActiveRoles Server not only allows the customer to control what AD operations each administrator, help desk admin or end user can perform it also provides the security context for change approval and workflow. By integrating a workflow engine and workflow editor directly into ActiveRoles, the customer avoids the need to configure and maintain multiple products and maintain multiple delegation models.
    
9. Unified Storage -Unlike other solutions that may require both Microsoft SQL and Microsoft AD LDS or Microsoft Access, ActiveRoles requires only Microsoft SQL Server for operation. Both ActiveRoles Configuration and reporting utilize Microsoft SQL Server. Less moving parts make ActiveRoles is simpler to deploy and maintain.
    
10. Embedded Extensibility - Because no off the shelf product will meet every need a customer may have the ability for the solution to be extended easily and in a maintainable way. In addition to both an external ADSI and PowerShell interface, ActiveRoles provides an embedded script editor, script library directly in the product so that the system can run a script in response to some event such as when a user performs an operation in Active Directory.

http://www.techrockies.com/symplified-raises-9m-more/s-0033073.html

Major benefits

• After you install the application it takes less than 15 minutes to setup a sync between systems; so this thing is extremely easy to use
• Synchronize Users, Groups, Group memberships and almost all other objects in AD
• Built-in rules for user name generation and attribute transformation
• Efficient Group Membership Synchronization
• Sync Passwords between systems using the password capture agent for Windows clients
• Hosting company and consultant friendly
• Integrated PowerShell scripting for extending functionality

Download it here http://www.quest.com/activeroles-server/quickconnect-express-for-active-directory.aspx

Other free stuff from my team

• SPML web service for provisioning AD or ActiveRoles Server http://www.quest.com/activeroles-server/spml.aspx
• PowerShell commandlets for AD and ActiveRoles Server http://www.quest.com/activeroles-server/extensible-platform.aspx

Freeware use - becuase this is freeware Quest Support is not included without an actual purchase of the software. We do have an excellent forum where the answers to basic questions may have already been answered and of course you can always post a question of your own. http://activeroles.inside.quest.com/index.jspa

 What’s New in ActiveRoles Server 6.7

• The ActiveRoles Market -Improvements to policy extensions and workflow extensibility allow for more efficient tools for creating and deploying custom policy types that will be posted to the ActiveRoles Market
• Improved Import/Export -For some time, ActiveRoles has come with a tool to import and export configuration settings and this tool has been improved and will continue to evolve from importing and exporting roles and policies to much more. The next version will provide the ability to import and export entire new solution scenarios including scripts, policies, workflow activities and web interface customizations.
• Entitlement Profile – All-in-one view of each user’s entitlements to IT resources, which provides detailed
  information about the applications, services and data locations the user is entitled to access, use or manage
• Microsoft Outlook Approve/Reject buttons – Approval management tools integrated in Microsoft Office Outlook
• Reply to approve a request – Approval management using e-mail clients directly from desktop or mobile devices
• Workflow activity extensions – facilitates the creation, deployment and use of custom script-based activities
• Simplified Self-Service UI – Improvements to self-service pages, to make it easier for self-service users to locate, select
  and join groups and distribution lists
• Simplified Workflow Notifications - Improvments to make approval notifications easier to both read and action.
• New granular workflow triggers for Group Membership Requests – New workflow start options to distinguish between the “add to group” and “remove from group” requests
• Improved Workflow GUI Editor – New workflow options for configuring approval rules, notification recipients and notification messages
• See all parts of AD, not just the parts you own – Unmanaged account domains to reduce ActiveRoles Server licensing costs for areas of Active Directory not being managed by ActiveRoles Server
• MMC Tabs for OCS – Ability to configure domain user accounts for Microsoft Office Communications Server 2007 or 2007 R2, by using the ActiveRoles Server console
• Attestation for all AD Objects- Extended attestation capabilities, including the ability to review and certify almost any aspect of directory data, including data specific to user log-on accounts, service log-on accounts, group memberships, computers, contacts, and other types of directory objects.

 To download this new version please go to: http://www.quest.com/common/registration.aspx?requestdefid=7910 

Read the article here.

Download the latest version of CMDLETS here.

• Düsseldorf, Germany Oct 6th (TEC)
• Cleveland, Ohio Oct 12
• Boston, MA Oct 14th
• London, England October 18th or 19th (Date to be determined)
• Houston, Texas October 26th

Please email Allison Main or Bob Bobel for additional information or to register.

Here you go!

-        Certificate management
-        Support for cross-domain group membership
-        inactive accounts enumeration
-        single command to search in multiple containers
-        progress indication
-        proxy addresses management

Stay tuned and I will blog with more details around each feature over the next several weeks.

Lacking in the previous version, SAML 2.0 is now officially supported by ADFS 2.0. SAML is the authentication protocol we used to create our Just-in-Time provisioning example I blogged about earlier this week (see JIT Provisioning). With ADFS 2.0 providers can be built for any application that uses either SAML or Claims. SAML is used by Salesforce.com, Google Apps, Service Now, Postini and many other SaaS/cloud services while Claims are now supported in SharePoint 2010 and will be introduced into many additional Microsoft applications.

Just-in-Time manufacturing is a simple concept – rather than keep all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car.  This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept steal market share away from IBM and Gateway who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so was applying Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access – the access attempt kicks of a self-service process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request access feature. The challenge I see with SharePoint is that it only allows generic requests that don’t allow the user to select the level of access they wish nor does it tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also provide access to more than just SharePoint; files, folders and applications access are also desperately needed.

Today, we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider The provider not only integrates authentication using SAML between AD users and Google Apps, it also can trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved a Google account is created. The next time the user points his/her browser to Google Apps URL the Provider seamlessly authenticates the user by doing an account mapping of AD user to the Google account and creates a SAML token that automatically signs the user into their Google Apps account. We created a 2 minute video showing the process so you can see how this works. The video was a little long and choppy at some points so I cut it down to about 2 minutes.

 Video:ActiveRoles Access Provider