Quest Software ActiveRoles Server
If you've ever used the built-in Delegate Control feature in the Active Directory Users and Computers snap-in, you'll feel right at home in ActiveRoles Server. The product has three default web components: Self Service, Help Desk, and Administrators.
Provisioning a new user in ActiveRoles Server was easily the most user-friendly process of all four products. The built-in policies do a great job of getting you most of the way there. And like the other products, this one requires that you go the rest of the way with scripting. If you're unsure where to begin, Quest has a handy Wiki document full of useful scripts that you can plug directly into ActiveRoles Server.
At one company I've worked with, help desk technicians aren't allowed to create Exchange mailboxes because of the “risk that they might not create the mailbox in the correct store.” This scenario frustrates the junior technician and wastes the senior engineer’s time. ActiveRoles Server's provisioning and de-provisioning policies help in these kinds of situations.
Summary
Quest ActiveRoles Server
PROS: Extremely robust AD user-provisioning tool; has ability to propagate permissions to AD
CONS: Expensive; reporting is difficult to set up
RATING: 4 diamonds
PRICE: $25 per AD user; additional costs for external connections
RECOMMENDATION: If you need full user provisioning with detailed workflow functionality, Quest ActiveRoles is your best choice.
CONTACT: Quest Software • 800-306-9329 • www.quest.com
When a user leaves the company, ActiveRoles Server can take care of the Exchange portion of the task as well, hiding the mailbox from the Global Address List (GAL), granting the user’s manager full access to the user’s mailbox and forwarding all new incoming messages to the manager.
This tool looks and feels the most like AD itself. When you're delegating permissions, you'll find that the ActiveRoles delegation wizard looks and feels almost identical to Active Directory Users and Computers. Also, whereas ActiveRoles is a “proxy” type tool by default (i.e., ActiveRoles Server controls the permissions, not AD), you can sync the permissions that you set up to AD if you want to. This functionality is useful if applications outside ActiveRoles Server—such as an HR database—need to access objects in AD.
Similar to NetIQ with its ActiveViews, ActiveRoles Server has a feature called Managed Units (MUs). An MU is a collection of objects that you want to group together for administration. As in the NetIQ example, this is useful if the domain wasn't designed properly or even if the administrative tasks you want to perform are outside the AD design. For example, your OU structure might be by city or department, with individual managers distributed throughout the structure. An MU could include all the managers in a particular city and then be granted the right to reset passwords.
ActiveRoles Server has robust Exchange provisioning capabilities, including user and group de-provisioning. When de-provisioning a user, you can disable the account, set the username and password to random values, remove the account from security or distribution groups, grant the manager permissions to the user’s home folder, delete the home folder, run a script (PowerShell, VBScript, JScript, or PerlScript) to disable the employee from an HR database, and schedule the account for permanent deletion.
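For comparison, the core of that de-provisioning sequence expressed with the native ActiveDirectory PowerShell module. This is an added example, not code from the article or from Quest, and it covers only a subset of the steps (disable, random password, group removal, hide from the GAL, mark for deletion). The function names, the 30-day retention default, the use of the info attribute as a deletion marker, and the presence of the Exchange schema attribute msExchHideFromAddressLists are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: native AD steps behind a de-provisioning policy.
# Preview first:  Disable-DepartedUser -Identity jdoe -WhatIf   (jdoe is a placeholder)

function New-RandomSecret {
    param([int]$Bytes = 24)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    # Fixed suffix guarantees all four character classes for complexity policies.
    [Convert]::ToBase64String($buf) + 'aA1!'
}

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,  # sAMAccountName or DN
        [int]$DeleteAfterDays = 30                         # hypothetical retention period
    )
    $user = Get-ADUser -Identity $Identity -Properties MemberOf, Manager
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'De-provision')) { return }

    # 1. Disable the account so no new logons succeed.
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value that is never stored or shown.
    $secret = ConvertTo-SecureString (New-RandomSecret) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret

    # 3. Remove explicit group memberships (the primary group is not in MemberOf).
    if ($user.MemberOf) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $user.MemberOf -Confirm:$false
    }

    # 4. Hide from the GAL (assumes the Exchange schema extension is present)
    #    and record the planned deletion date for a later cleanup job.
    $deleteOn = (Get-Date).AddDays($DeleteAfterDays).ToString('yyyy-MM-dd')
    Set-ADUser -Identity $user -Replace @{
        msExchHideFromAddressLists = $true
        info                       = "Deprovisioned; delete after $deleteOn"
    }

    # Return a record the caller can log or hand to the manager named on the account.
    [pscustomobject]@{
        User          = $user.SamAccountName
        Manager       = $user.Manager
        GroupsRemoved = @($user.MemberOf).Count
        DeleteOn      = $deleteOn
    }
}
```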
Before the ActiveRoles Server system can be used for reporting, a Data Collector has to be installed on the server. Another SQL Server database also has to be created to store the data. The process for getting reporting set up in this product was the most complex of all these products. In fact, throughout testing, I couldn't get the reporting to work correctly.
Editor's Choice
These products are head and shoulders above the AD tools that Microsoft ships with Windows Server. However, don't consider them substitutes for proper planning and management! More than once, I found that if I was careless (or sneaky) enough, I could find a way for a Help Desk Technician to escalate his or her privileges and get added to the Domain Administrators group. This isn't a fault of the tools, but they can make it easier to become complacent.
Each of these products worked well and performed its tasks as advertised, but in my opinion, ActiveRoles Server edges out the competition. I appreciate that even though it has a “proxy” model like the other products, the permissions can also be synced to the native AD security structure. The built-in policies to provision and de-provision users immediately subtract about 30 minutes of busywork in the typical IT shop when a user is terminated. ActiveRoles Server also has a robust, built-in Workflow module. In the end, ActiveRoles Server simply impressed me the most, regardless of the trouble I experienced with the reporting feature. NetIQ Directory and Resource Administrator ranks a close second, only because ActiveRoles Server has a stronger interface.