Active Directory management & automation

What's New in Softerra Adaxes 2010.2

Version: 2.5.6029.0
Release Date: July 29, 2010

Among other helpful features and improvements, Softerra Adaxes 2010.2 introduces support for Microsoft Exchange, provides a set of PowerShell cmdlets for Active Directory management, allows importing and exporting AD data, provides new actions and conditions for Business Rules, and much more. Below are the highlights of the new major features and important changes in Softerra Adaxes 2010.2.

Microsoft Exchange Support

The new version of Adaxes allows you to simplify, automate and secure the management of Microsoft Exchange (2003, 2007, and 2010). Adaxes enables administrators to work with Active Directory and Exchange servers that belong to different Exchange organizations and AD forests within one administrative environment. This means that administrators no longer have to switch between several tools to perform administration tasks for Active Directory and Exchange. Also, with the help of Adaxes, it is now possible to automate provisioning of Exchange mailboxes, delegate responsibilities to perform Exchange tasks to non-administrative staff, simplify and speed up the creation of Exchange mailboxes, etc.

Exchange Recipient Management

Similar to Active Directory Users and Computers (ADUC) with the Exchange 2003 snap-in, Adaxes provides means for creating and deleting mailboxes, mail-enabling and mail-disabling recipients, and removing Exchange-specific properties from AD objects.

Exchange Tasks Menu
Create Exchange Mailbox

When creating mailboxes for several users or mail-enabling several recipients, Adaxes lets you specify how to generate aliases and select mailbox stores for each new mailbox. Rules used for selecting mailbox stores make it possible to uniformly distribute mailboxes among storage groups and databases in your Exchange environment.

Create Exchange Mailboxes in Bulk

When creating users and contacts in Active Directory, the object creation wizards now have an option to create a mailbox or establish an e-mail address in Exchange right after a user or contact is created.

Create User Wizard - Launch Create Mailbox Dialog

All Exchange-related operations supported by Adaxes can also be performed via the Active Directory Web Interface. Since the Web Interface is also well suited for use by non-administrative staff, for example, Help Desk, it is possible to delegate Exchange tasks to this personnel, thus reducing the workload of AD administrators.

Exchange Tasks in Web Interface

The fact that Adaxes uses the role-based security model that allows granting rights without modifying the native Active Directory permissions makes the delegation of duties a secure, granular, and controlled process.

In order to grant rights necessary to perform Exchange tasks, Adaxes now has a built-in Security Role called Exchange Recipient Manager.

Simplified Creation of Mailboxes and Mail-Enabling of Recipients

With the help of Property Patterns it is possible to specify how e-mail aliases are generated by default and which mailbox stores may be used, and to provide rules for the default selection of these mailbox stores.

Property Pattern for Mailbox Store

For example, you can specify that when a mailbox is created for a user located in a specific OU, only certain mailbox stores must be available, the mailbox store with the least number of mailboxes must be selected by default, the mailbox alias must be generated using a specific template (e.g. %username%%department%). As a result, you don't have to care about what mailbox alias to specify, or what mailbox store to select - everything is specified and selected for you automatically based on the rules provided.

Automated Provisioning of Exchange Mailboxes

Using Business Rules it is possible to automate the creation of Exchange mailboxes for Active Directory users. You can configure how Adaxes will generate mailbox aliases and select mailbox stores for each new mailbox created automatically. Considering that Business Rules have a flexible assignment mechanism and can be executed only when certain conditions are met, you can configure automated provisioning of Exchange mailboxes taking into account all the specifics of your organization's environment.

Automate Provisioning of Exchange Mailboxes

Once automatic mailbox creation is configured, Adaxes will create Exchange mailboxes when a user is created manually (using either Administration Console or Adaxes Web Interface), when user accounts are imported to Active Directory during a synchronization process, when a user is created using a PowerShell script, etc. This reduces the risk of human errors and saves time of the personnel responsible for Exchange management.


Active Directory Administration with PowerShell

Due to its power and flexibility, Windows PowerShell is becoming more and more popular among system administrators. Using PowerShell is particularly essential for Active Directory administrators, as it allows them to automate their routine AD management tasks, gives extensive means for bulk Active Directory management, and provides a robust command line interface for daily AD administration. Using the AD PowerShell module provided by Adaxes makes scripting even more consistent and powerful, as it lets users benefit from features like automated provisioning, approval-based workflow, logging, enterprise standard enforcement, etc.

The Adaxes PowerShell Module can be used on any computer with Windows PowerShell 2.0 installed and doesn't require the availability of the Active Directory Web Services (ADWS) service in your environment. The Adaxes PowerShell cmdlets can work with Active Directory either via the Adaxes service or directly. If Active Directory is accessed directly, you can't leverage the power of Adaxes, but you can still use the PowerShell module free of charge.

Active Directory PowerShell Provider

Windows PowerShell includes a number of providers that let you browse and update different data stores such as the file system or the Windows registry. The Adaxes Active Directory module ships with a provider for working with Active Directory. With its help, you can traverse and update Active Directory using common directory navigation commands (cd, dir, del, move, etc.) the way you did in the old-style command prompt.


The Adaxes PowerShell provider implements one virtual drive named adaxes. To start working with the provider, type cd adaxes: in the PowerShell console.

PowerShell Cmdlets for Active Directory

The set of cmdlets provided by Softerra Adaxes is designed to simplify and automate Active Directory management from the command line. The cmdlets are similar to those included in the Microsoft PowerShell Active Directory module for Windows Server 2008 R2. However, when Active Directory cmdlets are used together with Adaxes service, you get some extra benefits, including:
Multi-domain management. Since Adaxes supports cross-domain AD management, cmdlets can be applied to Active Directory objects located in different AD domains, or even forests. This allows you, for example, to search for AD objects across several AD domains or update objects located in different AD forests in one operation.
Rule-based automation. With the help of Business Rules, you can configure Adaxes to automatically launch some additional actions when a certain operation is performed in AD. These rules are also effective when an operation is performed via PowerShell. For example, if you've set up some user deprovisioning rules, and launch a cmdlet to disable a user account (Disable-AdmAccount jdoe), Adaxes can automatically move the user account to a specific OU, remove the account from specific AD groups, relocate the home directory of the user, etc.
Workflow and approvals. Each AD operation performed using Adaxes cmdlets is stored in the Adaxes service log. It means that it will be possible to determine who performed this operation, when, from which host, etc. Also, if a PowerShell cmdlet is trying to perform an operation that requires an approval, Adaxes will suspend this operation until it is approved by a responsible person.

All this makes scripting more robust and secure, saves a lot of time and effort, reduces the risk of human error, and is extremely helpful when several people are involved in the Active Directory management.

Examples of Using Adaxes Cmdlets

All cmdlets in the Adaxes PowerShell module have the 'Adm' prefix on their nouns, for example, New-AdmUser or Enable-AdmAccount.

Search for users whose department is 'Sales':
Get-AdmUser -Filter {Department -eq "Sales"} -Server example.com

Create a new user account:
New-AdmUser -Name "John Smith" -SamAccountName "john.smith" -Path "CN=Users,DC=example,DC=com" -Server example.com

Disable a user account using the credentials of the domain administrator:
Disable-AdmAccount JohnDoe -Server example.com -Credential EXAMPLE\Administrator

Add a user to a group:
Add-AdmGroupMember -Identity 'SalesPeople' -Members 'JohnDoe' -Server example.com

Import users to Active Directory from a CSV file:
Import-CSV C:\users.csv | New-AdmUser -Server example.com

Set the homepage of all users from Sales department to http://example.com/sales/%username%
Get-AdmUser -Filter {Department -eq "Sales"} | % {Set-AdmUser -Identity $_ -HomePage ('http://example.com/sales/' + $_.SamAccountName)}

Add all disabled user accounts to a group:
Search-AdmAccount -AccountDisabled -UsersOnly -Server example.com | % { Add-AdmGroupMember -Identity 'DisabledAccountsGroup' -Members $_ -Server example.com}

If you need a cmdlet to access Active Directory via the Adaxes service, you either need to specify the -AdaxesService parameter:
Set-AdmUser -Identity 'lisa.wilson' -Country 'US' -AdaxesService localhost -Server example.com
Or use the Adaxes PowerShell provider:
cd adaxes:
cd localhost/example.com
Set-AdmUser -Identity 'lisa.wilson' -Country 'US'

To learn about what each cmdlet does, use the built-in PowerShell help documentation via the Get-Help command, for example: Get-Help Get-AdmUser -Full.
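
An added example (not from the Adaxes documentation): pre-validating the rows of a CSV file before the Import-CSV | New-AdmUser import shown above, then running the import through the Adaxes service so that it is logged and subject to Business Rules and approvals. The sample rows, the Test-ImportRow helper and the CSV column names are assumptions made for illustration.

```powershell
# Added example. Sample rows are constructed; the column names are assumed to
# match the New-AdmUser parameters shown on this page (Name, SamAccountName, Path).
$csv = @'
Name,SamAccountName,Path
John Smith,john.smith,"CN=Users,DC=example,DC=com"
Mary Major,mary/major,"CN=Users,DC=example,DC=com"
Richard Roe,richard.roe.with.a.very.long.name,"CN=Users,DC=example,DC=com"
John Smith Jr,john.smith,"CN=Users,DC=example,DC=com"
,no.name,"CN=Users,DC=example,DC=com"
'@

# Hypothetical helper: returns the list of problems found in one CSV row.
function Test-ImportRow {
    param($Row, [hashtable]$Seen)
    $problems = @()
    foreach ($col in 'Name', 'SamAccountName', 'Path') {
        if ([string]::IsNullOrEmpty($Row.$col)) { $problems += "missing $col" }
    }
    $sam = $Row.SamAccountName
    if ($sam) {
        # Active Directory limits a user's sAMAccountName to 20 characters
        # and rejects the characters " / \ [ ] : ; | = , + * ? < >
        if ($sam.Length -gt 20) { $problems += 'sAMAccountName longer than 20 characters' }
        if ($sam -match '["/\\\[\]:;|=,+*?<>]') { $problems += 'sAMAccountName contains a reserved character' }
        if ($Seen.ContainsKey($sam.ToLower())) { $problems += 'duplicate sAMAccountName in file' }
        else { $Seen[$sam.ToLower()] = $true }
    }
    return ,$problems
}

$seen = @{}
$accepted = @()
foreach ($row in ($csv | ConvertFrom-Csv)) {
    $problems = Test-ImportRow -Row $row -Seen $seen
    if ($problems.Count -gt 0) {
        Write-Warning ("Skipping '{0}': {1}" -f $row.SamAccountName, ($problems -join '; '))
    } else {
        $accepted += $row
    }
}

if (Get-Command New-AdmUser -ErrorAction SilentlyContinue) {
    # Going through the Adaxes service keeps the import subject to Business Rules, logging and approvals.
    $accepted | New-AdmUser -AdaxesService localhost -Server example.com
} else {
    "Adaxes module not loaded; {0} row(s) passed validation" -f $accepted.Count
}
```

With the constructed rows above, only the first row passes validation; the other four are reported with the reason they were skipped.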


Import and Export Data

The new version of Adaxes brings you powerful tools for importing and exporting Active Directory data. Active Directory objects can be exported to different formats, some of which are better suited for viewing the information by a human (e.g. HTML or Excel), and the others are useful when there is a need to import the data back to the directory (LDIF, DSML, CSV). It is possible to export either objects located in a container or OU that match the specific criteria, or just a number of objects selected in the Result Pane, Basket, or search results.

Export Active Directory Objects Menu

The formats available to export data are LDIF, DSML (v.1 and v.2), MS Excel, CSV, Plain Text, and HTML. When exporting data, among available exporting options, you can specify what object properties you want to export, whether property values must be presented in a human-readable form, document formatting options, etc.

Export Active Directory Data to Excel

Adaxes allows importing data represented in the following formats: LDIF, DSML (v.1 and v.2), and CSV. During the data import, it is possible to exclude the SAM properties from the import and modify the object DNs, which makes it possible to import objects to a location that differs from the original one. Since the CSV format was not initially designed for importing directory data, Adaxes allows defining some additional options when importing CSV files, such as how to retrieve object DNs and object types from the document.

Import Active Directory Data from CSV

The import/export operations can be done either using intuitive and easy-to-use wizards in the Adaxes Administration Console or using a command line tool - admimex.exe. This tool can be used, for example, to schedule importing or exporting data, or make it a part of a synchronization process. For example, to import a DSML document to AD, you need to run the following command line:
admimex.exe /i /d DSML /f c:\file.xml


New Business Rule Actions

We carry on enhancing and improving the ability of Adaxes to automate Active Directory administrative tasks. This release lets you automatically launch some new Business Rule actions and improves already existing ones.

Run External Program or PowerShell Script

This Business Rule action allows an automatic execution of an external program or PowerShell script before or after an operation is performed in AD. The text of the script can contain value references (e.g. %username% or %mail%), which allows passing information about the object, on which the operation is performed, to the script. For example, with the help of this action you can configure Adaxes to automatically create an account in a third-party application when a user is created in Active Directory or log information about newly created users in CSV files.

Run Program or PowerShell Script Action

Send E-mail Notification

From now on, you can create a Business Rule that will send an e-mail notification before or after a certain operation is performed in Active Directory. To include the information about the object, on which the operation is performed, you can use value references (e.g. %username% or %fullname%). With the help of this action, you can configure Adaxes to notify you about all critical operations performed in AD.

Send E-mail Notification Action

Create Exchange Mailbox

This action makes it possible to automate provisioning of Exchange mailboxes. For details, see Automated Provisioning of Exchange Mailboxes.

Create Exchange Mailbox Action

Value References in Update Object Action

Now it is possible to use value references when updating Active Directory objects via Business Rules. For example, you may want to automatically change the homepage of an AD user when his/her department is changed. For this purpose, you can create a Business Rule that will be triggered after somebody changed the department, and automatically set the Web Page property to 'http://example.com/sales/%username%'.


Value References in Home Directory Actions

Previously, in 'Create Home Directory', 'Share Home Directory', and 'Move Home Directory' Business Rule actions it was possible to use only one value reference - %username%. Now, following the wishes of many customers, we implemented the ability to use references to any property of the user, whose home directory is created, shared, or moved.



Other Improvements

Considering your suggestions and demands, we are making Adaxes better step by step. In addition to the features described above, the Adaxes Administration Console and Web Interface have also undergone some small but pleasant improvements and enhancements that you will notice once you start using them. Some of them are highlighted below.

Exchange Reports

Now Adaxes is enriched with Microsoft Exchange-specific reports. These reports let Exchange server administrators and managers obtain detailed information on users distribution lists, mailbox stores, e-mail addresses, proxy addresses, etc.

Automatic Sorting of Objects in Console Tree

Automatic Sorting in Console Tree

Now you have an option to automatically sort objects displayed in the Console Tree. With this option enabled, all AD objects displayed in the Console Tree are always sorted by their display names, either ascending or descending.

Enhanced Assignment of Security Roles

Now, when assigning a Security Role that grants permissions to configure Adaxes service only, the activity scope is always automatically set to Configuration Objects, thus reducing the risk of specifying an assignment that will never be effective.


Adaxes Service on Windows Vista and Windows 7

Owing to the fact that Microsoft has eventually released Active Directory Lightweight Directory Services (AD LDS) for Windows Vista and Windows 7, it is now possible to install Adaxes Service on these operating systems. Prior to installing Adaxes Service on Windows Vista or Windows 7, you need to manually install AD LDS: AD LDS for Windows Vista, AD LDS for Windows 7.
