User provisioning, deprovisioning, and reprovisioning can be extremely complex and difficult-to-manage processes that take a lot of time and effort. When a new employee starts, this employee needs an Active Directory account, Exchange mailbox, home folder, the employee's user account must be added to certain security groups and distribution lists, etc. When an employee leaves, the AD account of this employee must be disabled and removed from all distribution lists and security groups, the user home folder must be relocated or deleted, user accounts in various applications must be deactivated, and much more.
If Active Directory provisioning involves a series of manual activities performed by a human, the user provisioning and deprovisioning can easily become extremely complex, tedious, and time-consuming tasks accompanied by various kinds of errors and faults. To eliminate the issues related to the process, all operations involved in the Active Directory provisioning must be automated. The process automation reduces administrative costs associated with the user account management and acquires especial importance when multiple persons (Help Desk, support, administrators) are involved in the Active Directory provisioning.
Softerra Adaxes allows automating the entire process of Active Directory provisioning, management, and deprovisioning based on organization-specific rules and policies. All user provisioning and deprovisioning activities are performed automatically based on the data entered when a new user is created, updated, moved, disabled, or deleted in Active Directory.
For example, when an Active Directory user account is created for a new employee, Adaxes can automatically create an Exchange mailbox and a home folder for the user, add the user to certain security and distribution groups, move the user to a specific OU, enable the user for Lync, execute an external program or PowerShell script to create an account in an HR system, send a welcome e-mail, etc.
When an employee is promoted or transferred to another department, updating the Active Directory account of this employee will automatically change the group membership of the user, move this user to a new OU, modify necessary properties of the account, the changes will be automatically synchronized with other systems using either SPML connectors or scripts.
When an employee leaves the organization, you just need to execute the built-in Custom Command called Deprovision. This Custom Command will perform all the necessary user deprovisioning operations in a single turn. For example, it can move the employee's user account to a special OU, change its group membership, modify the account options, set the user password and logon name to random values, relocate or delete the user home folder, hide the user's mailbox from the GAL, disable the user for Lync, etc. For more details, see Configure User Deprovisioning.
The advantage is obvious - by performing only one operation in Active Directory, a number of Active Directory provisioning and deprovisioning actions are run automatically, relieving IT personnel of many mundane, repetitive, and error-prone tasks. Basically, with the help of Adaxes it is possible to automatically execute additional actions before or after any operation performed on any object type in Active Directory.
Softerra Adaxes facilitates Active Directory provisioning by enabling IT administrators or managers to track, approve or deny any change made in the Active Directory. The approval process helps controlling critical operations in Active Directory and allows avoiding errors when provisioning and deprovisioning users.
If an operation requires an approval, its execution is suspended until it is approved by a responsible person. Adaxes can be configured to send approval requests for any operation performed in Active Directory provided certain conditions are met:
Softerra Adaxes enables automated Active Directory provisioning, administration, and access management, making your Active Directory environment more stable and secure, reduces administrative costs and human errors. Automated group membership management and role-based security model eliminate the need to manage complex Active Directory permissions, and ensures that administrative access rights are granted and revoked timely.