Set-QADInactiveAccountsPolicy

 Set the current user preference on what accounts to consider inactive by default.

Syntax

Here you go!

-        Certificate management
-        Support for cross-domain group membership
-        inactive accounts enumeration
-        single command to search in multiple containers
-        progress indication
-        proxy addresses management

Stay tuned and I will blog with more details around each feature over the next several weeks.

Just-in-Time manufacturing is a simple concept – rather than keep all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car.  This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept steal market share away from IBM and Gateway who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so was applying Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access – the access attempt kicks of a self-service process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request access feature. The challenge I see with SharePoint is that it only allows generic requests that don’t allow the user to select the level of access they wish nor does it tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also provide access to more than just SharePoint; files, folders and applications access are also desperately needed.

Today, we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider The provider not only integrates authentication using SAML between AD users and Google Apps, it also can trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved a Google account is created. The next time the user points his/her browser to Google Apps URL the Provider seamlessly authenticates the user by doing an account mapping of AD user to the Google account and creates a SAML token that automatically signs the user into their Google Apps account. We created a 2 minute video showing the process so you can see how this works. The video was a little long and choppy at some points so I cut it down to about 2 minutes.

 Video:ActiveRoles Access Provider

• Access Accountability
• Authorizing groups today using roles and attribute access control (ABAC) to resources
• Authorizing groups in the future with emerging technologies
• Moving from Group Management to Access Governance and the keys to success

Presented by:
Robert Bobel, Platform Director of Product Management, Quest Software
Jason Barnett, Partner and Information Security Practice Manager, Ingenuity Associates,

View Archived Webcast

Other new features include:

For more information see Stuart’s blog: http://stuharrison.blogspot.com/2009/12/quest-password-manager-46-launched.html

Congratulations and thank you to the collective Quest team for making this one of the best releases in the products 7 year history!

Now we can begin working on “the Next Generation”!

- Bob Bobel

10 hot new features in ActiveRoles Server 6.5

Click here to see how ActiveRoles integrates with other Quest products.

Click here to see the report by Kuppinger Cole on ActiveRoles.

Click here to visit the ActiveRoles community.

Click here to download ActiveRoles Server.

See how ActiveRoles fits into the Quest One Identity Management portfolio.

1. PowerShell Script Host – For a long time we have provided web service or ADSI script interfaces to extend the ActiveRoles platform. Several years ago we introduced The ActiveRoles Management Shell for AD (The AD CMDLETS) and now we have taken another step toward our PowerShell vision. In ActiveRoles Server 6.5 PowerShell can be used directly inside the platform to automate or extend capabilities.
2. Extensible Policies – Extensible policies allow third parties to deploy Administrative policies that manage, provision or Deprovision services or processes. For example, if someone had created a script to provision and deprovisoin BlackBerry Enterprise Server accounts when the AD account is created this script can be registered as an ActiveRoles. Registration is done either through the API described in the platform SDK or they can be registered manually.
3. Graphical Workflow Editor – In ActiveRoles Server 6.0.x we taught the administration service what waiting for approval meant. In 6.5 we have added a full graphical workflow editor to expose not only multi-layer approval, but also the ability to model business processes. Workflows can also be extended programmatically with PowerShell scripting.
4. Deprovision Group - Microsoft has not provided a way to disable Active Directory which would be ideal because they are the primary method by which access is granted in both Microsoft and non-Microsoft systems. ActiveRoles Server 6.5 provides a set of policies to tailor how you lock-down group objects to render them non-usable for both Security and Distribution List use. A right click “restore” is all it takes to und0-deprovisioning. This feature has also been integrated into our Attestation workflow to allow for Automated remediation when a resource owner fails to complete an access review.
5. Windows Server 2008 R2 Support – ActiveRoles Server 6.5 supports Windows Server 2008 R2 as well as running the client MMC on Windows 7 or the web UI from an IE 8 browser.
6. Windows Server 2008 R2 Recycle Bin – The Windows 2008R2 Recycle Bin is an extra layer of protection added to the deleted items process. ActiveRoles Server now supports the security delegation over restoring those objects.
7. Microsoft Exchange 2010 Support – ActiveRoles Server 6.5, in addition to provisioning and managing mailboxes on Exchange 2003 & 2007, now supports Microsoft Exchange 2010 recipient management.
8. Exchange Resource Mailboxes – In Microsoft Exchange 2007 a new type of mailbox was introduced – the resource mailbox. ActiveRoles Server 6.5 now supports resource mailboxes for both Exchange 2007 & 2010.
9. Access Request Catalog - The optional add-on module ActiveRoles Self-Service Manager, now has the ability for end-users to make requests to access resources from a list of published catalog of resources.  Resources are added to the catalog by their owners through a publication process that allows the owner to assign keywords and descriptions to make it easier for the end-users to locate and request access to the resource.
10. Secondary Resource Owners – The optional add-on module ActiveRoles Self-Service Manager, now has the ability for Resource owners to delegate management tasks to secondary group owners. This delegation allows the primary owner to assign other users or groups who will assist with the day-to-day management of access or access requests.

1. Automate user access throughout a user’s identity life-cycle (provisioning, re-provisioning, de-provisioning)
2. Extend cross-platform provisioning with ActiveRoles Quick Connect
3. Enforce and document a least-privilege model such that users get the right access – nothing more, nothing less
4. Empower Application/Business/Data owners to control access to their sensitive apps/data/resources and enforce periodic review and certification
5. Reduce the time spent gathering and consolidating audit data by having push-button reporting

To register for the webinar go to http://www.quest.com/common/default.aspx?backtourl=/common/registration.aspx?requestdefid=24167.

You would think this would have been obvious from the start, but after reading the actual compliance equipments themselves it is easy to see why this causes so many people trouble. For example, the Sarbanes-Oxley Act of 2002 (SOX) was created to protect shareholders of public companies from financial miss-doings that could impact their investment. I will spare you the joy of reading section 404 of the SOX requirements which deals with the IT aspect of compliance and simply tell you, you would be underwhelmed by the lack of detail and direction it contains.

 What is clearly spelled out in SOX is that the owner of an application or data should be responsible for controlling access to that owner’s resource and further there needs to be a set of controls to make sure this happens. The reasoning is simple, the application or data owner is in the best position to know and understand the business justifications for granting access to their resource. SOX doesn’t recommend what type of controls are needed only that they must exist.  

The lack of detail around IT controls – leaves everything open to interpretation as to what is required on the part of IT to comply with the regulation. Because experience and competence varies by auditor and IT team, recommendations can be anything from a paper-based procedures to implementing a new compliance layer of audit software or worse. The directory owners I see who are able to achieve sustained compliance implement software based process controls. These software based controls should always automate and enforce governance be self-document and should support real-world demonstration that the controls are in place and effective. Once these controls are in place audit preparation time drops to hours rather than the weeks or months a first audit typically would require.

Virtual Directories do have their place and can help sometimes, but they also have their own set of challenges. One challenge is that since a virtual directory must connect to multiple data sources (yes some can go beyond directories and connect to databases, applications etc…) deployments can be complex. This complexity also may exclude the use of a virtual directory if the system must provide fault tolerance or failover capabilities. When data is written to or read from the Virtual Directory, not only must the Virtual Directory service be ready but so must all of the connected systems as well. If one connected system is off-line (or slow to respond) things can break pretty quickly. You may think caching may be an option here, but from experience the chances of viewing stale data become a strong possibility that no one will tolerate. I have seen only one Virtual Directory solution provide an answer around fault tolerance but even in that case the solution only worked multiple instances of a single vendor’s directory.

Another challenge is application compatibility. If you want your fax software or asset management software to be able to be able to make a call or make an update data through a virtual directory – you better make sure that application will work with the Virtual Directory you are considering.  The three Virtual Directory products I’m familiar with all support LDAP and some have web-service extensions as well. But neither of those interfaces matter if your critical applications have not been tested and declared supported by the vendor. If the vendor doesn’t support the use of a Virtual Directory you may be better off using something more old fashion like directory synchronization.

My conclusion here is that if you looking for Directory Management solution a pure Virtual Directory probably isn’t going to be worth the trouble; especially if your central directory is Microsoft’s Active Directory. If you are a developer, however, and you need to the ability to read or update multiple data sources a virtual directory may give you the great plumbing you need.

1. Separation of Operations – this is the most popular reason and is easily attributed to security or most companies deal with. The most typical reason I see is when a customer has an internal and external.
2. Internal Politics – Politics that drive more complex deployments can be caused by internal organization politics or external global or national politics. My opinion is that there is a better chance that internal politics that at first seem to demand additional directories will fad overtime.
3. External Politics – Some countries demand security separation for specific industries such as defense or finance and in most cases this is mandatory and probably won’t change soon. Unfortunately, this situation is pretty close to #1 Separation of Operations and so using
4. “A vendor requires it” – this is the least popular because people want fewer directories and so they avoid vendors who demand such things!  This is really the very-very worst reason to deploy new infrastructure I suggest anyone being asked to do this – think twice.

Even though customer directory deployments comes in all shapes and sizes there are a few common threads that I see and how those correlate to some new technologies that are starting to be adopted.  (More on this in a couple of days)

In part 3 I will go through why I see Virtual Directories being ignored.

I am always trying to better understand these environments so I started to think about why I don’t see virtual directories – When I ask customers and parts the answer is almost always the simple “it just doesn’t fit our needs.” This answer didn’t shed much light on what was going on and I decided to try and understand why they had multiple directories in the first place. I have found for main reasons for multi-directory deployments. I am sure there are more reasons out there, but these are the most common I run accross…

Stop back tomorrow for part 2.

Information Week