Bob's Identity Management Blog » ActiveRoles Server

Delegation over mail enabled users and contacts only

Bob — Thu, 18 Aug 2011 12:49:21 +0000

The ActiveRoles product comes with Roles (a.k.a. Access Templates) that use the native permission model to provide delegation. To perform delegation you need to identify the Role, the Trustee (in this case an OU Admin) and the scope. The first two are simple as you just select an Access Template and a user or group while the third can also be simple if you understand how to define custom scopes using Managed Units. In this video I will show you how to delegate managing email address over mail enabled users and contacts, but not mailbox enabled users or groups.

Top 10 Reasons ActiveRoles Beat the Competition

Bob — Mon, 25 Jul 2011 09:00:56 +0000

I get one question frequently from both customers and colleges. “Why was ActiveRoles able to so easily beat the competition over the past seven years?” Unfortunately, there isn’t a single answer, rather it is a combination of design elements put into the product over time.

Purpose Built for Active Directory -Unlike other solutions, ActiveRoles was purpose built for Active Directory while other solutions were built to manage the Windows NT account database. Because solutions originally built for Windows NT could only be retrofitted to perform AD management they are not able to take advantage of core AD features many of which are discussed in this brief.
Integrated and timely support for key Microsoft platforms -Active Directory, Exchange, ADLDS SharePoint, ADSI and PowerShell are critical platform components that must be supported. While other products may take years to support the latest versions of these products, ActiveRoles typically supports them on the day they are released or at a maximum of 60 days post release.
Compatibility with Active Directory’s Security Model – The Active Directory permission model is based on a set of Access Control Lists that link directory rights to delegate trustees allowing the delegated admin to exercise those rights to perform some task in AD. Unlike ActiveRoles Server, most solutions require the use of a proprietary permission that have little or no understandable correlation to AD rights they grant. When the ActiveRoles service starts, the service creates a virtualized version of the AD rights used in the ACLs and then extends the list with several virtual permissions. To the person administrating security in ActiveRoles they seen an almost identically list of rights with the same look and feel of the native AD rights. ActiveRoles Server also has the added advantage of combining these rights into Roles for clarity and accuracy of security assignment and easy delegation of administration. A side benefit of compatibility with the Active Directory Security Model is the vast knowledge available on how AD permissions work and which permissions are required to perform specific tasks.
Compatibility with Active Directory Service Connection Points – A standard Active Directory service known as Service Connection Points (SCPs) allow applications to inform Active Directory of the applications presence in the enterprise. It is important to note that SCPs require no agents, customer configuration or changes to Active Directory. When the ActiveRoles Service executes it registers an SCP so that any console or web UI can locate the service instantly.
Compatibility with Active Directory’s DirSync service – A standard Active Directory services known as DirSync allow applications to instantly see what changes are happening within AD. This is the same service Domain Controllers use to exchange change information to determine what items need to be replicated. . It is important to note that the DirSync service requires no agents, customer configuration or changes to Active Directory. The ActiveRoles service listens to the DirSync service for changes made directly to Active Directory that may require ActiveRoles to perform some action such as enforce a group’s membership or send a change notification.
Virtual Unified Schema – Unlike other solutions that use a fixed schema and won’t recognize schema extensions, ActiveRoles uses a virtual unified schema built from the schemas of the domains being managed. When the ActiveRoles service starts it reads the schema of each domain being managed and adds that schema the ActiveRoles unified virtual schema. This unified virtual schema also includes any schema extensions that may be present in a particular domain so that applications that require data be populated during user provisioning or cleared during user deprovisoning can be supported. ActiveRoles also adds a set of virtual attributes to allow for more granular delegation over attributes or to allow other data not stored in AD to be associated with an object.
Real-time vs. Cached Data -To avoid the chance that two administrators open an AD object and view different information the retrieval of AD data must be done without caching of the data. Unlike many solutions that either load object data into a cache or into a separate database before an administrator accesses the object, the ActiveRoles service retrieves the data in real-time.
Security Integrated Workflow -The role based delegation of administration provided by ActiveRoles Server not only allows the customer to control what AD operations each administrator, help desk admin or end user can perform it also provides the security context for change approval and workflow. By integrating a workflow engine and workflow editor directly into ActiveRoles, the customer avoids the need to configure and maintain multiple products and maintain multiple delegation models.
Unified Storage -Unlike other solutions that may require both Microsoft SQL and Microsoft AD LDS or Microsoft Access, ActiveRoles requires only Microsoft SQL Server for operation. Both ActiveRoles Configuration and reporting utilize Microsoft SQL Server. Less moving parts make ActiveRoles is simpler to deploy and maintain.
Embedded Extensibility - Because no off the shelf product will meet every need a customer may have the ability for the solution to be extended easily and in a maintainable way. In addition to both an external ADSI and PowerShell interface, ActiveRoles provides an embedded script editor, script library directly in the product so that the system can run a script in response to some event such as when a user performs an operation in Active Directory.

bv-Admin EOL – RIP

Bob — Fri, 08 Jul 2011 10:07:54 +0000

Some of you may not have heard that Symantec’s bv-Admin was officially end-of-lifed and is no longer supported as of early in 2011. Originally a Windows NT management tool, later it was retrofitted to manage AD. While bv-Admin had several ground breaking features for its time, the acquisition of Bindview, development challenges and competitive pressures appear to have taken their toll. http://www.symantec.com/business/support/index?page=content&id=TECH131120

Setup FREE Syncronization from AD to AD/ADLDS in 15 minutes or less!

Bob — Fri, 10 Dec 2010 18:17:02 +0000

What is ActiveRoles Quick Connect Express? With the latest release of ActiveRoles Quick Connect we bundled the Synchronization engine, the AD connector and the ADLDS (formerly ADAM) connector together. The big news here is that we labeled this core piece “Quick Connect Express” and you can download and used it to sync objects between those systems. For those of you who remember Microsoft’s IIFP – this package was my way of picking up the torch when Microsoft stopped updating IIFP several years ago.

Major benefits

After you install the application it takes less than 15 minutes to setup a sync between systems; so this thing is extremely easy to use
Synchronize Users, Groups, Group memberships and almost all other objects in AD
Built-in rules for user name generation and attribute transformation
Efficient Group Membership Synchronization
Sync Passwords between systems using the password capture agent for Windows clients
Hosting company and consultant friendly
Integrated PowerShell scripting for extending functionality

Download it here http://www.quest.com/activeroles-server/quickconnect-express-for-active-directory.aspx

Other free stuff from my team

SPML web service for provisioning AD or ActiveRoles Server http://www.quest.com/activeroles-server/spml.aspx
PowerShell commandlets for AD and ActiveRoles Server http://www.quest.com/activeroles-server/extensible-platform.aspx

Freeware use - becuase this is freeware Quest Support is not included without an actual purchase of the software. We do have an excellent forum where the answers to basic questions may have already been answered and of course you can always post a question of your own. http://activeroles.inside.quest.com/index.jspa

ActiveRoles Sever 6.7 GA

Bob — Wed, 01 Dec 2010 02:02:06 +0000

I am very proud to announce that ActiveRoles Server 6.7 and Quick Connect 4.7 become generally available (GA) today. Look for the new product to be on our download servers over the next several hours. As with all previous releases – this release has several building blocks that when exploited will have a huge impact on both our customers and the market. Below I have included a What’s New list for the core ActiveRoles Product. Over the next three days I will provide some additional posts discussion some of these new features in a little more detail.

What’s New in ActiveRoles Server 6.7

The ActiveRoles Market -Improvements to policy extensions and workflow extensibility allow for more efficient tools for creating and deploying custom policy types that will be posted to the ActiveRoles Market

Improved Import/Export -For some time, ActiveRoles has come with a tool to import and export configuration settings and this tool has been improved and will continue to evolve from importing and exporting roles and policies to much more. The next version will provide the ability to import and export entire new solution scenarios including scripts, policies, workflow activities and web interface customizations.

Entitlement Profile – All-in-one view of each user’s entitlements to IT resources, which provides detailed
information about the applications, services and data locations the user is entitled to access, use or manage

Microsoft Outlook Approve/Reject buttons – Approval management tools integrated in Microsoft Office Outlook

Reply to approve a request – Approval management using e-mail clients directly from desktop or mobile devices

Workflow activity extensions – facilitates the creation, deployment and use of custom script-based activities

Simplified Self-Service UI – Improvements to self-service pages, to make it easier for self-service users to locate, select
and join groups and distribution lists

Simplified Workflow Notifications - Improvments to make approval notifications easier to both read and action.

New granular workflow triggers for Group Membership Requests – New workflow start options to distinguish between the “add to group” and “remove from group” requests

Improved Workflow GUI Editor – New workflow options for configuring approval rules, notification recipients and notification messages

See all parts of AD, not just the parts you own – Unmanaged account domains to reduce ActiveRoles Server licensing costs for areas of Active Directory not being managed by ActiveRoles Server

MMC Tabs for OCS – Ability to configure domain user accounts for Microsoft Office Communications Server 2007 or 2007 R2, by using the ActiveRoles Server console

Attestation for all AD Objects- Extended attestation capabilities, including the ability to review and certify almost any aspect of directory data, including data specific to user log-on accounts, service log-on accounts, group memberships, computers, contacts, and other types of directory objects.

To download this new version please go to: http://www.quest.com/common/registration.aspx?requestdefid=7910

Microsoft PKI/Certificate Management made easier

Bob — Wed, 08 Sep 2010 17:40:12 +0000

Dmitry Sotnikov posted a brief article talking about the new PowerGUI power pack based on the ActiveRoles PowerShell CMDLETS (a.k.a. Quest’s AD CMDLETS) for Microsoft PKI management.

Read the article here.

Download the latest version of CMDLETS here.

Remaining ActiveRoles Server User Group Meetings for 2010

Allison — Wed, 08 Sep 2010 15:03:07 +0000

An ActivecRoles user’s group meeting may be headed for a city near you.

Düsseldorf, Germany Oct 6th (TEC)
Cleveland, Ohio Oct 12
Boston, MA Oct 14th
London, England October 18th or 19th (Date to be determined)
Houston, Texas October 26th

Please email Allison Main or Bob Bobel for additional information or to register.

Absolute Power: Controlling the Risk of Domain Admins

Allison — Wed, 08 Sep 2010 14:56:53 +0000

Upcoming Live Webcast

9/21/2010 11:00:00 AM EST

Register Today!

One of my frequent consulting activities is performing audits of Active Directory for corporate Internal Audit departments and hardly an audit has gone by where I wasn’t obligated to bring to Board’s attention the number of all-powerful administrators present in Active Directory. This is a real risk that has to be addressed. With an infrastructure security technology like Active Directory you can’t have scores of people with admin authority. There’s just too much room for mistakes and malicious acts. And the worst does happen – I’m sure you’ve heard the horror stories.

I’ve long preached about Active Directory’s built-in delegation of control feature that allows you to follow least privilege within the IT department. In this webinar I will show you how to get the majority of people out of the Domain Admins group and grant them just the granular authority they actually need.

I will also show how can audit both the delegation of admin authority as well as the use of admin authority. What I mean is using the security log to monitor when you make Bob an admin/subadmin as well as when Bob uses that authority to do something like creating a new user account.

Then I’ll look at ways to ensure that emergencies can still be handled after removing basically everyone from the domain admins group.

Even with all these capabilities though I find that many companies fail to secure admin authority and implement least privilege. Plus I find so many IT departments where admins are wasting time doing the basically clerical tasks of carrying out the menial and repetitive access control and account management changes already initiated and approved by managers and the HR department. With that in mind you will be interested in seeing how this webinar’s sponsor, Quest, can take you beyond the capabilities I demonstrate and make it so easy and manageable to follow least privilege and reduce IT staff workload through self-service and automation. So you’ll see how you can solve these problems using native AD functionality and then how to take it to the next level.

Automatically Provisoning and Deprovison Postini

Bob — Thu, 02 Sep 2010 12:07:45 +0000

Today our team uploaded an Policy Extension to the ActiveRoles community for Postini! This policy will both provision and deprovision Postini gateway accounts when the associated Active Directory account is updated. To use this policy you simply download the policy, install it in ActiveRoles Server then configure the policy with your Postini account details. The new policy is free for ActiveRoles customers and you can download the the new policy here: DOWNLOAD NOW

ActiveRoles Change History showing Postini Provsioning

AD CMDLETS 1.4 now live!

Bob — Thu, 15 Jul 2010 14:07:16 +0000

The 1.4 version of the ActiveRoles AD CMDLETS went live a few moments ago and you can download them here http://www.quest.com/powershell/activeroles-server.aspx.

AD CMDLETS Version 1.4 (Early look)

Bob — Tue, 18 May 2010 13:23:30 +0000

In late June or early July, a new version of the Active Directory PowerShell CMDLETS will be released. I wanted to give everyone a teaser about the new features to be added.

Here you go!

-        Certificate management
-        Support for cross-domain group membership
-        inactive accounts enumeration
-        single command to search in multiple containers
-        progress indication
-        proxy addresses management

Stay tuned and I will blog with more details around each feature over the next several weeks.

ActiveRoles DC User’s Group

Bob — Tue, 27 Apr 2010 16:00:36 +0000

Late last week I was in Washington DC where we held our first DC User’s group at our Rockville, MD location. It was a pleasure to speak with the attendees and to discuss their requirements around ActiveRoles. It still amazes me that when I was given the ActiveRoles product we had around 60 customers and now we have user groups around the world.

ActiveRoles Toronto User’s Group

Bob — Sun, 25 Apr 2010 23:34:06 +0000

Early last week I had a great opportunity to meet with customers in Toronto to speak about ActiveRoles and our future direction. The secret is that I actually got more out of the session than they did by hearing the challenges they face every day as they meet the expectation of their employers. On the way out to the airport I got to see the Toronto Star building – Hemingway worked for the Star as a journalist early in his career.

Moving from Group to Access Management

Allison — Mon, 29 Mar 2010 20:37:15 +0000

Managing access to applications and data resources can be a time-consuming and error-prone process. IT administrators are often asked to grant access to sensitive data without knowing the business justification why a user should have it. The result may be inappropriate authorization, access delays, or groups that are bloated, outdated and inaccurate. This lack of accountability may cause security breaches and compliance audit failure. During this archived webcast, you’ll see how ActiveRoles Server enables:

Access Accountability
Authorizing groups today using roles and attribute access control (ABAC) to resources
Authorizing groups in the future with emerging technologies
Moving from Group Management to Access Governance and the keys to success

Presented by:
Robert Bobel, Platform Director of Product Management, Quest Software
Jason Barnett, Partner and Information Security Practice Manager, Ingenuity Associates,

View Archived Webcast

ActiveRoles Server added to 115 UK schools!

Bob — Wed, 10 Feb 2010 00:09:21 +0000

I stumbled upon a really interesting article about how Unity Partnership (a venture between Mouchel and Oldham Councils in the UK) was deploying ActiveRoles Server to provide group provisioning and to control management rights for the staff and students. To read the article here.