The following excerpt is from Chapter 2 of the free eBook "Administrator shortcut guide to Active Directory security", written by Derek Melber and Dave Kearns and available from Realtimepublishers.com.
Directory tools, part 2
For some administrators, especially those who are non-IT employees, the full-blown administrative tool that comes with adminpak.msi can be too much. Instead of teaching and encouraging these administrators to use the full tools, you can create Taskpads that narrow the scope of what they see in the interface. Taskpads are created within each snap-in and can be very specific in their focus.
An example of a Taskpad is one that lets delegated administrators see only user accounts and gives them a single option: resetting those accounts' passwords. This is useful for a non-IT employee who has been delegated the privilege to reset passwords for an OU full of user accounts. Normally, administrators must open Active Directory Users and Computers and navigate to the correct OU. Once they arrive at the OU, they see all of the objects it contains, including groups, computer accounts, contacts, printers, shares, and other OUs. This view can be quite confusing. The Taskpad instead shows them a single view of the user accounts in the OU for which they have been delegated the ability to reset passwords, with one available task: resetting passwords for those user accounts. Figure 2.2 shows a Taskpad for resetting passwords for an OU.
Figure 2.2: An MMC Taskpad providing the delegated administrator the ability to reset passwords.
The use of Taskpads can save many calls to the Help desk or the administrative staff, as users who have not been educated in the finer points of the administrative tools can quickly access the tasks that they need to perform. These Taskpads can also be placed on a central server, e-mailed, or manually copied to provide access to all administrators.
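A Taskpad only narrows what the delegated administrator sees; the permission itself comes from the access control entries on the OU that were granted during delegation. The following PowerShell script is an added example, not code from the book or its authors, that lists which principals hold the "Reset password" extended right on an OU so the delegation behind a Taskpad can be reviewed. It assumes the ActiveDirectory module (RSAT) and a reachable domain controller; the OU distinguished name in the usage line is a placeholder. The two GUIDs are the well-known schema identifiers for the User-Force-Change-Password right and the user object class.

```powershell
# Added example (not from the book): report who is delegated the "Reset password"
# right on an OU, so the ACL can be checked against what a Taskpad exposes.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password extended right ("Reset password").
$ResetPasswordRightGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# Well-known schemaIDGUID of the user object class, used when an ACE is scoped to users only.
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)]
        [string]$OrganizationalUnitDN
    )

    # Read the security descriptor of the OU through the AD: PowerShell drive.
    $acl = Get-Acl -Path ("AD:\" + $OrganizationalUnitDN)

    foreach ($ace in $acl.Access) {
        # Keep only Allow ACEs that grant the password-reset extended right.
        $grantsExtendedRight = $ace.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        if (-not $grantsExtendedRight) { continue }
        if ($ace.ObjectType -ne $ResetPasswordRightGuid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # InheritedObjectType shows whether the right applies to user objects only,
        # to every object type, or to some other class.
        $scope = if ($ace.InheritedObjectType -eq $UserClassGuid) { 'user objects' }
                 elseif ($ace.InheritedObjectType -eq [Guid]::Empty) { 'all object types' }
                 else { $ace.InheritedObjectType.ToString() }

        [PSCustomObject]@{
            OU        = $OrganizationalUnitDN
            Principal = $ace.IdentityReference.Value
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# Usage with a placeholder OU distinguished name; replace it with your own.
Get-ResetPasswordDelegation -OrganizationalUnitDN 'OU=HelpDesk Users,DC=example,DC=com' |
    Format-Table -AutoSize
```

Entries whose Scope is "all object types" deserve a second look: the Taskpad may only display user accounts, but such an ACE also allows password resets on any other object type under the OU that supports the right, such as computer accounts, and the Inherited column shows whether the entry was set on this OU or flows down from a parent.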
These tools and features perform useful services for data administrators and service administrators, but they can be clumsy for large organizations and fall short when there are too many resources, objects, servers, or users. Many of the tools have a built-in limit of showing only 10,000 AD objects. These limits can be overcome, but when an organization has 20,000 users, 50,000 groups, and 25,000 computer accounts, the list of objects can take a very long time to refresh in these graphical tools. At that point, simply finding the object you are looking for becomes a task in itself.
In addition to the lack of scalability of these tools, there is another limitation. The MMC can't import or support all of the features required to administer the domain and AD. Both data administrators and service administrators need a tool that combines every feature they might need to control, along with fully customizable interfaces. Such a tool would provide a one-stop shop for all of their needs, with a robust interface capable of supporting the customization required to make the job easy. Many third-party tools provide such features. These solutions meet almost any need of data administrators and service administrators, including:
- AD migrations
- Active templates for easy delegation
- GPO administration and migration
- Cross-platform integration and management
- Built-in recovery for AD
- Advanced ADSI management
- Advanced AD querying
If your company is struggling to keep on top of AD security and management tasks, these tools can help centralize those tasks, making administration and delegation for everyone involved easier and more efficient.