Active Directory management & automation


Scheduled Tasks for Active Directory Management

Active Directory management involves a lot of activities that must be performed on a regular basis. Very often such activities must be carried out during off hours and require a long time to complete. Here is a list of typical routine actions that usually need to be performed periodically:

  • send e-mail notifications to users whose passwords are about to expire,
  • notify managers about soon-to-expire accounts of their subordinates,
  • delete inactive user and computer accounts from Active Directory,
  • add users to groups based on predefined rules,
  • move users across OUs if certain conditions are met,
  • synchronize Active Directory with external data sources,
  • update properties of Active Directory object using modification templates, etc.

With Adaxes you can quickly and easily automate such tasks, and you don’t need to be a software developer to do this!

Scheduled Tasks is a very powerful feature for Active Directory automation that enables you to schedule the execution of practically any operation on Active Directory objects. A Scheduled Task periodically performs a predefined set of actions on each object included in the activity scope of the task. For example, a task that applies to user objects can be executed for all users in a domain, for members of specific groups, for users located in specific Organizational Units, for individual users, etc. If necessary, you can exclude specific users, groups and OUs from the scope of activity of the task. With the help of conditions, you can control whether certain actions must be performed on a particular Active Directory object.

Active Directory Management - Scheduled Tasks


On how to create Scheduled Tasks, see Schedule Tasks for Active Directory Management.

Workflow Automation and Monitoring

When it comes to Active Directory automation, you will often want to control the execution of some critical operations, like deleting inactive accounts or adding/removing users from security groups. A great feature of Scheduled Tasks is the ability to control their execution by submitting specific task actions for approval. Actions that require approval will not be executed until approved by a person in charge. Adaxes sends e-mail notifications to all authorized approvers once an operation is submitted.

Scheduled Tasks - Approvals

To monitor operations performed by a Scheduled Task, Adaxes provides you with great reporting capabilities. With the help of the Activity History view, you can find out what actions have been carried out by the task, when, on what objects, etc.

Scheduled Tasks - Activity History View

Password Expiration Notifications

For users, passwords always expire unexpectedly. This often results in an increased number of Help Desk calls and losses in productivity. This is not a problem if a user logs on to Windows interactively (via Ctrl + Alt + Del), as Windows notifies users when their passwords are about to expire. However, if a user account is used only for VPN connections, accessing file shares or working with web applications like Outlook Web Access, users are not notified about password expiration, and as a result, forget to change their passwords in time.

Active Directory: Password Expiration Notifications

With the help of the built-in Scheduled Task called Password Expiration Notifier, you can easily automate sending of email or SMS notifications to inform users about password expiration in advance. All you need to do is enable the Password Expiration Notifier task.

To change their passwords, users can use Adaxes Active Directory Web Interface.

Account Expiration Notifications

Sometimes it is important to notify the account owner and his/her manager about expiration of the account. With the help of the Account Expiration Notifier task, you can easily enable automated sending of account expiration notifications to users and their managers. To start sending account expiration notifications, just enable the Account Expiration Notifier task.

Active Directory: Account Expiration Notifications

Deleting Inactive Computers from Active Directory

Keeping Active Directory clean of unused computer accounts is very important. However this can be a tedious process as it is difficult to distinguish inactive computers from computers used occasionally, or computers that have not been rebooted for a long time.

The Inactive Computer Deleter task helps you automatically purge inactive computer accounts from Active Directory. To identify unused computers, the task uses a complex algorithm that takes into account a lot of factors.

Deleting Inactive Computers from Active Directory

If a computer is inactive for a certain period of time, the Inactive Computer Deleter task submits a request to disable this account and marks this computer as inactive. If the computer is not enabled during some time after it was marked as inactive, the task submits a request to delete this computer account. The computer is deleted only after the operation is approved by an authorized person.

For more details, see Delete Inactive Computers from Active Directory.

Deprovisioning Inactive Users

Active Directory may contain a lot of user accounts that are not required any longer, e.g. accounts of terminated employees, expired accounts of external subcontractors, etc. It is very important to periodically purge Active Directory from such dormant accounts.

It is highly NOT recommended to delete terminated user accounts from Active Directory. Instead, user accounts must be properly deprovisioned. For example, you may need to forward all incoming emails of the terminated employee to the his/her manager, move the user's home directory to a new location, hide the user's mailbox from Exchange address lists, disable the user for Lync, etc.

To introduce strong and reliable mechanism for deprovisioning of inactive user accounts, Adaxes provides a built-in Scheduled Tasks called Inactive User Deleter.

Active Directory: Deprovisioning Inactive Users

If a user account is inactive during a certain period of time, the Inactive User Deleter task submits a request to execute the built-in Custom Command called Deprovision for this account. You configure this Custom Command to execute deprovisioning operations specific to your environment. After a certain period of time, the Inactive User Deleter task submits a request to delete the deprovisioned user account. The user account is not deleted, until the operation is approved by a responsible person.

For more details, see Automatically Deprovision Inactive AD Users.

Automated Management of Group Membership

With the help of Scheduled Tasks, you can also automate the management of group memberships in Active Directory. Based on certain conditions, you can automatically add or remove AD objects from security groups or distribution lists. For example, if you want all users located under a specific Organizational Unit to be members of a specific group, you can create the following Scheduled Task:

Active Directory: Automated Management of Group Membership



Along with Scheduled Tasks, Adaxes offers other helpful features for effective Active Directory management that allow you to automate user provisioning and deprovisioning, securely delegate rights using the Role-Based Access Control model, ensure the uniformity and validity of data in Active Directory, and much more.