Active Directory management & automation

Custom Commands for Active Directory Management

Day-to-day Active Directory management involves many routine and recurring tasks that often require multiple steps to complete. For example, every time an employee is assigned to a new project, goes on vacation, or departs on sick leave, a number of actions must be carried out in accordance with appropriate procedures and company policies. Such actions may include updating account options, modifying group membership, changing email forwarding settings, sending e-mail notifications, etc. Performing all these operations manually is not only error-prone and time-consuming, but also requires that the person in charge knows and follows all proper policies and procedures.

With Adaxes you can define your own custom commands to perform complex and multi-step Active Directory management tasks with a single click of a mouse.

Active Directory Management: Custom Commands

On how to create Custom Commands, see Create a Custom Command.

Once a Custom Command is created, it will appear in the user interface, and users will be able to execute it in the same way they execute any other operation in the Adaxes Administration Console or Web Interface.

Active Directory Management: Execute Custom Command (ADMC)

Active Directory Management: Execute Custom Command (Web Interface)

Actions and Conditions

A Custom Command can execute multiple actions on the selected Active Directory objects in a single run. With the help of Custom Commands, you can perform practically any operation on Active Directory objects, including:

  • modifying AD objects using templates (e.g. %username% assigned to the Alpha project by %initiator% on %datetime%),
  • adding and removing AD objects from groups,
  • moving objects to new AD locations,
  • resetting user passwords (either to random values or using templates),
  • enabling or disabling accounts,
  • creating Exchange mailboxes,
  • enabling and disabling users for Lync,
  • creating, moving, sharing and deleting user home folders,
  • executing external programs and PowerShell scripts,
  • sending e-mail notifications,
  • and more...

If necessary, certain Custom Command actions can be executed only if specific conditions are met. This allows you to configure a Custom Command to perform different sets of actions depending on the object properties, membership in AD groups, account status, location in AD; on whether the user who initiated the operation is a member of a specific group or Business Unit, etc.

Active Directory Management: Custom Command Conditions

Rights to Perform Custom Commands

To execute Custom Commands, users must be granted appropriate permissions. The rights for Custom Command execution, as well as any other rights in Adaxes, are granted with the help of Security Roles. This enables you to, for example, allow specific users or groups to perform a Custom Command only on the AD objects located under a specific OU, on the members of a specific group or Business Unit, on all objects located in one or several AD domains and forests, etc. You can allow or deny specific users or groups to perform either a specific Custom Command or all Custom Commands defined in Adaxes.

Active Directory Management: Rights to Perform Custom Commands

For more details, see Grant Rights to Execute Custom Commands.

Approval Requests

You can allow users to execute Custom Commands only after approval is granted by an authorized person. When a user initiates a Custom Command that requires an approval, this command is suspended until it is approved or denied by at least one of the assigned approvers.

If necessary, a request for approval can be sent only if certain conditions are met. For example, if the user who initiates the Custom Command is not a member of the Administrators group.

Active Directory Management: Approval Requests

An approval-based workflow is essential when you need to delegate certain tasks to non-technical staff. For example, you may want to allow regular users to assign themselves to a project and put this activity under the control of the project manager. Using the Web Interface for Self-Service, users will be able to assign themselves to a project, and the project manager will decide whether to approve or deny the assignment.

Active Directory Management: Approvals for Self Service

Executing Scripts via Custom Commands

Very often administrators use scripts to perform complex tasks in Active Directory. However, running scripts from the command line is time-consuming and has certain disadvantages. For example, it is impossible to execute a script on the results of an Active Directory report or on specific members of an Active Directory group. The situation becomes even more complicated if there is a need to delegate a task that is handled by a script to non-technical people.

With Custom Commands all these disadvantages are easily avoided, as Custom Commands enable users to launch scripts directly from the user interface at a click of a mouse. This helps you standardize and significantly simplify the whole process of Active Directory management.

To pass information about an Active Directory object to a script, you can use value references in the script arguments (for example, cscript.exe MyScript.vbs %username%). When a Custom Command is executed, these value references will be replaced with property values for each selected Active Directory object.

Active Directory Management: Execute Scripts via Custom Commands

To launch a script on Active Directory objects, users will just need to select these objects in Adaxes Administration Console or Web Interface and execute the corresponding Custom Command.

Active Directory Management: Execute Scripts using Web Interface
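
The following is an added example, not Adaxes code and not part of the original page: a script written to receive a substituted value reference as its argument. Because that value is directory data, the script validates it before acting, then disables the account, removes its group memberships and moves it to a holding OU. Assumptions: %username% resolves to the account's sAMAccountName, the script is launched as an external program in the same way as the cscript.exe example, the ActiveDirectory (RSAT) module is installed, and the script name, parameter names and OU path are hypothetical placeholders.

```powershell
# Deprovision-User.ps1 (hypothetical name): added example, not Adaxes code.
# Assumed launch line, mirroring the page's cscript.exe example:
#   powershell.exe -NoProfile -File Deprovision-User.ps1 -UserName %username%
[CmdletBinding()]
param(
    # The substituted value is directory data that delegated staff may be able
    # to edit, so it is validated as untrusted input. Conservative allowlist
    # (assumption): adjust it to your own naming convention.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
    [string]$UserName,

    # Placeholder DN for the holding OU.
    [ValidateNotNullOrEmpty()]
    [string]$DisabledOu = 'OU=Disabled Users,DC=example,DC=com'
)

$ErrorActionPreference = 'Stop'   # abort on the first failed step
Import-Module ActiveDirectory

# Exact-match lookup. The allowlist above excludes the LDAP filter
# metacharacters ( ) * \ so the value cannot change the filter's meaning.
$found = @(Get-ADUser -LDAPFilter "(sAMAccountName=$UserName)" -Properties MemberOf)
if ($found.Count -ne 1) {
    throw "Expected exactly one account named '$UserName', found $($found.Count)."
}
$user = $found[0]

# 1. Disable the account first so it cannot be used while the rest runs.
Disable-ADAccount -Identity $user

# 2. Remove direct group memberships. MemberOf omits the primary group,
#    which cannot be removed this way.
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# 3. Move the object last, because the move changes its distinguished name.
Move-ADObject -Identity $user -TargetPath $DisabledOu

# One summary line per object for whatever log collects the script's output.
$stamp = Get-Date -Format o
"{0} deprovisioned={1} groupsRemoved={2} movedTo={3}" -f $stamp, $user.SamAccountName, $user.MemberOf.Count, $DisabledOu
```

A value that fails the pattern stops the script at parameter binding, before any directory call is made.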

Built-in Custom Command for User Deprovisioning

When an employee leaves a company, the user account of this employee should be deprovisioned. Typical deprovisioning steps include disabling the user account, hiding the user's mailbox from the GAL, forwarding the employee's e-mail to a manager or peer team member, moving the user object to a specific OU, changing group membership of the user, relocating the user's home directory, disabling the user for Lync, etc. Performing all these tasks manually is very time-consuming, highly error-prone, and consequently, can lead to various security breaches.

Custom Commands allow you to automate and standardize the process of user deprovisioning and make sure that all necessary operations are performed in a timely manner, quickly, and accurately.

Adaxes provides a built-in Custom Command for user deprovisioning called Deprovision. This Custom Command performs a set of typical deprovisioning operations that can be customized to meet the specific needs of your company. For example, you can add an action to this custom command that will automatically move the deprovisioned user accounts to a specific Organizational Unit.

Active Directory Management: User Deprovisioning

For more details, see Configure User Deprovisioning.

Apart from Custom Commands, Adaxes offers other crucial features for efficient Active Directory management that allow you to automate user lifecycle management, securely delegate responsibilities using the Role-Based Access Control model, ensure the integrity and validity of Active Directory data, and much more.
