ADManager Plus Session 2 - Non-invasive AD delegation, automation, and AD workflow.

Captions
Hello everyone, a very good afternoon to everyone. Thank you very much for joining today's session. My name is Vivian Stockton and I am the pre-sales consultant for the Active Directory team here at ManageEngine. Now this is going to be the second session in our ADManager Plus evaluation series. When I say evaluation series, this two-week series is dedicated to our evaluators, people who would like to know more about the application. All right, so day one, yesterday, we focused on a different set of topics: we focused on Active Directory management, and also we saw some of the crucial reports that you can generate using ADManager Plus without having to use PowerShell or any other complex methodologies. So that was the agenda for day one. Now day two, today, we will be discussing a different set of topics within the application: we will be talking about Active Directory delegation, we will be talking about automation, and then workflow.

So let me quickly dive into today's topics here. This is what we covered in the last session; it was all about AD and Office 365 management and reporting, and we saw something very crucial. The video of these sessions will be available to you, and we'll be able to share it with you in a day or two. All right, now day two. I told you that we will be focusing on three topics. Talking about the first topic, which is Active Directory delegation, I'm going to show you how to create customized roles within ADManager Plus and securely delegate those roles to other users in your Active Directory infrastructure. Automation is how you can automate the regular processes or the routine things that you do in Active Directory, something like user creation or user deprovisioning. So as and when users leave the organization, their accounts need to be managed as well, for security reasons, so you cannot leave the accounts as such. So how do you automate the process of deprovisioning accounts? Now the third topic is all about Active Directory workflow. Workflow is going to be a request-and-approve methodology. So instead of the technicians or other users performing actions directly in Active Directory, what they do is, if they want a specific action to take place, they raise a request to their higher level of approval. It can either be a line manager or an IT technician or an IT administrator, and the IT administrator reviews the request that has been raised. If the request is valid, the administrator approves; else the request is rejected with a reason. So I'm going to show you how things are done using ADManager Plus. Let me log in here real quick. So I'm going back to ADManager Plus right here and I'm going to log in to the tool using my admin credentials. Now I would request you to log into your tool as well, so that you would get a feel for what I'm talking about. OK, now AD management, reports: yes, we have covered these two topics. Now we will be focusing on these three features: delegation, workflow and automation.

Let me start with delegation here. I'm going to talk more about examples here rather than talking about the feature; you can relate to it in a better manner if I talk about a real-time use case. All right, so let's say you are going to add a user to the application. Now before talking about AD delegation, I'd like to tell you something here. The whole point, or the benefit, of using the AD delegation within ADManager Plus is that it helps you achieve two things. The first thing is this: AD delegation allows you to securely delegate tasks to other Active Directory users without having to elevate their native Active Directory functions. For instance, if a user A has a certain set of permissions in Active Directory, but you want him to perform an action that is not within his permission boundary, you can very well create a customized role within ADManager Plus for that action and then grant it to the user, and that is in no way going to alter the user's native
Active Directory functions. So the permissions that you delegated to the user will only be valid while the technician is logged into ADManager Plus; the minute he signs out of the application, his or her Active Directory permissions will still remain unaltered. Now that's the first benefit. The second benefit: when you have too many people logging into your domain controllers and performing actions, or logging into your servers and performing actions, the task of administering or monitoring the actions done by those users becomes hectic, and it becomes complex as well. So when you have too many users logging into your domain controllers and performing actions, you lose control at some point or the other. In order to overcome all that we have something called delegation here; that's the second benefit of going with delegation. One, inappropriate permission assignment can be avoided; second, unwanted access to domain controllers by other users in your Active Directory infrastructure can be overcome using the delegation. That's why you need delegation here.

So let me quickly talk about a role. We have something called Help Desk Roles right here on the left-hand side. If you go to the help desk roles, you have some default roles; as you can see here, Create Users is a role, Move Users is another role, Reset Password, Unlock User Accounts. Now all these roles are nothing but actions that this role can perform in Active Directory. All right, so these are the default roles that are available in the application. Now if you'd like to create your own customized role in order to map to a user, you just go to Create New Role here. So what I'm going to do now is I'm going to create a role for an IT technician. I'm just going to name it "role for IT tech". Now I want this IT technician, or I want this role, to be able to perform certain Active Directory actions, and those actions are mentioned right here beside the checkboxes. All these checkboxes that you see here are the actions that you can map to this role, and the actions are categorized based on the objects here: you have a category for the user object, another category for computer, another category for the contact object, and for group, mailbox, and even file server and Office 365. So it's just a matter of selecting the checkboxes here.

OK, now for this role, I want this role to create user accounts, reset passwords and unlock accounts in Active Directory. So how do I grant those permissions? I go to Create Users, it's right here. I want this role to create users one by one; all right, that's checked. But I don't want this role to create users in bulk, so I'm just going to deny any bulk creation or modification for this role. I have a checkbox right here which reads "deny bulk modification" or "deny CSV import". If I'm denying a CSV import, that in turn means this user cannot perform any bulk modification through a CSV. So yes, I've checked "deny bulk modification"; I just want this role to create one user at a time. The other restriction that I want to impose on this role: I want this technician to create users one at a time, but at the same time I don't want this user to be manipulating certain Active Directory attributes. So to restrict this role from manipulating certain attributes, I just go to User Attribute Privileges. The checkboxes that you see here are going to be the attributes that this role can control while creating a user account. If you don't want this role to be manipulating certain attributes, for example, I don't want this role to be manipulating the Terminal Services attributes, what I do is I uncheck that. Excuse me. Now if I scroll down, I have a list of attributes that I can grant or restrict for this specific role. I don't want this role to have control over the linked server attributes, so I uncheck, and I don't want this role to be manipulating, let's say, the email address. Where is email address? It's right here, so I uncheck email address. The same holds good for any other attribute as well: you have contact, you have Office 365, you have Google Apps attributes. You just go ahead and define any attribute that you'd like to restrict or grant for this specific role, and then hit OK. So we not only grant a role or a permission to the role, we also restrict certain attributes so that this role will not have control over those attributes.

So creation is done. I also want this role to be modifying user accounts, but I don't want this role to be modifying user accounts in bulk, so I uncheck, or I leave the checkbox unchecked. OK, now the next thing that I want this role to perform is to reset passwords for other user accounts, and also if there are any locked-out users, I want this role to unlock those users. OK, so if you want anything else, it's just a matter of selecting the checkboxes. Tomorrow, if you'd like to elevate the permission of this role, you want this role to be manipulating the Exchange attributes, just go ahead and select the Exchange attributes right here; but for now I'm just going to leave it unchecked. So this is a very basic role. That's for user object management. Computer object management: I want this role to create computers. Contact: I want this role to create contacts. Group: I want this role to create a group. Let's say file server management: I want this role to modify and remove NTFS permissions but not share permissions, all right, so I'm just going to leave it unchecked. Office 365: I want this role to add to an existing license, I want this role to replace an existing Office 365 license, but I don't want this role to remove any Office 365 licenses from my user accounts, so I'm just not going to grant that here. All right, so that's for management. Now talking about reports, we have close to 200 reports that you can generate, but I don't want all 200 reports available for this role. I'm just going to give them a few basic reports: an all users report, a report on all
users, a report on empty attributes, a report on duplicate attributes so that they can check whether there are any users with the same AD attribute value in Active Directory, a report on locked-out users and disabled users, and also inactive users. All right. And NTFS: I have a report named Shares in Servers that's going to give me the list of all the shares within a selected server and their permissions, and then I have Permissions for Folders. So I just want the role to be generating these reports under the NTFS category. And administration: nothing under administration, so just management and reports. So I save this role. "Role for IT tech successfully saved", it's right here.

Now we have just created a list of actions that this role can perform, but we have not yet mapped this role to a user account in Active Directory. So the next step is mapping this role that we created to a user in Active Directory, and for that I need to go to Help Desk Technicians. If I go to Help Desk Technicians, you have the built-in technicians here. You can add your Active Directory user as a technician within ADManager Plus; you go to Add New Technician, and then this is where you select the Active Directory user that you're going to add as a technician. Select AD users; let's say I'm going to search for a user named Vivian. The user is an Active Directory user. I hit OK, and then this is where I choose the role that we just created. The role that we created was named "role for IT tech", and I'm going to search the role right here. If I just scroll down, I have the role that we just created, which is "role for IT tech"; the other ones are going to be the built-in roles. I can even grant or map multiple roles to this technician, but I'm not going to do that; I'm just going to assign the role that we created, and I hit OK. Now the next restriction that I can impose on this user account is I can delegate certain OUs for this user account. If I don't want this user account to be creating user accounts in all the OUs in my Active Directory infrastructure, I just go to Add OUs, and then from the OU tree I pick the OUs in which the user can create Active Directory accounts. So just two OUs, and I hit OK. All right, and then I hit Save. That's it. So we have now successfully created a role with all the actions that we want and all the restrictions that we want, and we have mapped that role to a technician, or to an Active Directory user named Vivian. All right. Now if you would like to, you know, elevate this user's permission or the role, it's just a matter of editing the technician here, or editing the user, and you just go ahead and change to another role, or maybe map multiple roles for the user account, and then hit OK. So that's how you do it.

Now apart from restricting certain OUs, all right, so we have just granted this technician the privilege of creating user accounts in two OUs out of the ten that I have in my Active Directory domain. All right, so if you'd like to restrict certain groups as well: you don't want this user to be manipulating accounts in the Enterprise Admins and the Domain Admins groups. All you need to do is just go to the Exclude Groups section, hit Add, and then search for Domain Admins, and you have it right here; hit OK. So which means you have not only excluded a few OUs for this user account, you have also excluded certain groups. All right. So we were talking something about the templates as well. If you have 50 templates in your organization and you don't want this technician or this user to be using all those 50 templates, you want him to be using just one template, and you'd like to set that template as default, you just go to Add or Remove Template and then select just one template here and set the template as default; it's right here. All right, now you see a green check mark, which means that this template is now set as default. The user will not have access to any other templates other than the ones that you have delegated. All right, so this is how you add a user to ADManager Plus and then assign them roles, restrict certain OUs, restrict certain groups. So we are talking about customized roles and at the same time granting those customized roles with all the restrictions that you want in place, and you hit Save Changes. That's it. Now this user can very well log in to ADManager Plus from his laptop and then perform the actions that you have delegated.

All right, so I'd like to show you something here. Now that I have added a technician, let me quickly sign out and then sign in as the technician so that you will be able to see the difference for yourself. So I'm just going to hit Sign Out, and I'm going to sign in with the technician's account. All right, so I am not typing an application account here; this is going to be the Active Directory domain credentials of that user account, or of that technician. All right, so now if I log in as the technician here, the technician has access only to the tasks that I have delegated. So you might notice that you don't have delegation, you don't have workflow, you don't have automation or the admin tab or anything else; it's just the things that we have delegated to the role. If you just go to Reports, yes, just the few reports that we have delegated to the role will be present right here. So the rest of the fields are not there. So that's how powerful and secure this delegation feature is going to be, and if you'd like to elevate the role, I told you, it's just a matter of selecting checkboxes.

OK, now that we have talked about roles and technicians and all that, let's say you have 20 technicians and you have given them various roles within ADManager Plus, and they log in and they perform the actions. Now if you'd like to track the actions, or audit the actions performed by those technicians, you have an audit section right here. So you go to Audit Report, and this audit report is going to give you the list of all the actions
irrespective of the output; it can be either a failure or a success, so all the actions will be recorded in this section. All right, so if I'd like to find out the actions done by the user Vivian, or the technician Vivian, I just go ahead and select the user right here, hit OK, and I would like to track the actions done by this user account in the last 90 days, or let's say a custom period, so I choose a start and finish time; it can end up with 6 months or the last 365 days. The minute I hit Choose and then I hit Go, I would have all the actions done by the technician right here. OK, for instance, this report tells me that the admin account of ADManager Plus has tried deleting user accounts, this is the timestamp of the action, and the result of the action is going to be an access denied, all right, because the account did not have sufficient rights and the action resulted in an access denied error message. So you will be able to get any minute change done by the technicians of ADManager Plus.

Now we have another section, Admin Audit Report, and the difference between the audit report and the admin audit report is: the audit report will give you the list of all the actions done by your technicians in Active Directory; but what if I add a new technician to ADManager Plus and I manipulate his roles, I grant him access to a few OUs, so I do something within the application, not in Active Directory but within the application? There also has to be a tracking mechanism for that as well. So the admin audit report is going to give you the list of all the changes done to your technicians within ADManager Plus. For instance, if I go to Delegation and I edit the user Vivian, and I add or remove a role from this technician, and I hit OK and I hit Save Changes, this is a change. Now this change will be recorded in the admin audit report. So if you just have a look at the change that we made, it's real-time. So the admin, I've logged in with the admin account, so it says that the admin modified a help desk technician named Vivian, and this is going to be the timestamp of the modification, and if I just hit the hyperlink here, this is going to give me the change that I made. All right, so this gives the answers for who, what, when and where. So that's how powerful the auditing section is, and if you'd like to get the list of roles mapped to a technician, the restrictions that you have imposed on a technician and all that, you have a separate reporting section for that as well. All right, so that's delegation for you: you create roles with any restrictions that you want, you map it to a technician, you audit the change, and also you audit any role that you want.

So the next one is going to be automation. All right, so automation is something like, you know, you tell the application to do stuff in Active Directory on a specific date and time and the application does it for you. Let's start with a very basic process of account creation. So I'm going to talk about two things here: one is account creation and the second one is going to be user account, you know, cleanup. I'm just going to start with the first process, which is account creation. I go to Create New Automation. All right, so let's say "user account creation". Now I have something called Automation and Automation Policy; I'll talk about automation policy in a short while, but the first task that I'm going to automate is I'm going to create users automatically. So I'm going to set the policies for automation here. I can even automate the process of disabling users, enabling users, deleting users and a lot more, but for now I'm just going to stick to the default ones, or the basic ones, which is Create Users. OK, now let's say that HR has recruited five new employees to my organization and I want five new accounts to be created next Wednesday at 10:00 a.m.
All right, so what I do is, as an administrator, I just go to the Automation part and I create a new automation and I specify a template here. OK, if all the five accounts are going to be created for a specific department and they have a specific job role, I just choose a common template; else I can even define the template in the CSV file, which we saw yesterday. All right, so I just choose a common template here. This has all the attributes that I need to populate for the user accounts, and then HR might be having a CSV file in the form of an Excel sheet or a Notepad file, and that has the names of the user accounts that are to be created. So what I do here is I specify the location of the CSV file. HR creates a CSV file and saves it in a network path; I specify the network path here. All right, and then I define the template that is to be applied. So when do I want the user accounts to be created? I want these accounts to be created, let's say, on Tuesday, right? So Tuesday at 10:00 a.m. All right, now I hit Save. That's it. So the minute I hit Save, the application will save the configurations that we have made, and Tuesday at 10:00 a.m. ADManager Plus, or the automation, will go to the location that we have defined and then it will look for a CSV file. If there is a CSV file at the location, the application will read the information in the CSV file, and that should probably have the names of the user accounts, the newly recruited employees. Now that, in combination with the user creation template, is going to create user accounts in Active Directory automatically. So you have the first name and the last name of the user account in the CSV file saved in a network path, and you have all the other configurations, including Exchange, Office 365, group membership, OU, everything in place in the template. When you bring these two things together, you can create any number of accounts in Active Directory with all the values you want. And then again, if you'd like to scale, you can just go ahead and create a cyclic process; now this automation would again execute every Tuesday at 10:00 a.m., so if there are any new users added to the CSV file by HR, the accounts will be created in Active Directory.

Now the same can be done for deprovisioning user accounts in Active Directory. Let me give you a quick example here. When I say deprovisioning user accounts: you might be an administrator or an IT technician of an organization that has anywhere between a hundred and twenty thousand, or even a hundred thousand, employees, right? Any IT organization will definitely have certain users who are inactive, in the sense users who have not logged into your Active Directory for, let's say, the last 60 days or 120 days or even 300 days, but those accounts will still remain enabled and active in your Active Directory infrastructure. That's not good from a security standpoint, so you might have to remove those accounts from Active Directory. I'm not saying delete those accounts from Active Directory immediately, no, that's not my point here. What you can do is you can find out the users who are inactive in
your Active Directory infrastructure and then maybe move them to a separate OU, isolate those inactive accounts, and you can also, for security reasons, remove the users from all the groups that they are a member of, and you can wait for another 30 days and then disable the accounts, and wait for another 30 days and delete the accounts from Active Directory. So deprovisioning can be done in a sequence, and if you're going to do it manually there are always chances of human error. So you can automate the process that I just explained, and the automation policy is where you go in order to define the sequence that I just told you.

All right, so I just go to Automation Policy here, I create a new automation policy, and I just name it "clean up AD inactive users". Now the first task that I want to be performed, or to be automated, is I would like to move those inactive users to an OU that I want. I just choose an OU and I want those users to be moved to that OU. All right, so I have the tree view here; I'm just going to move them to a separate OU. Done. Now after moving them to a separate OU, I'd like to wait for five days and then remove those users from all the groups that they are a member of, because some of these inactive users might be administrators, or might be part of the Enterprise Admins group or Domain Admins group, which means I'll have to first make sure that they are removed from all the groups that they are part of. So that's what the second task in this policy does: it removes the users from all the groups that they are a member of. And I might wait for 30 days and then disable the users, wait for another 30 days or 45 days, and then delete the accounts from Active Directory. So we have four actions here: move users, remove from groups, disable users, and then delete those users from Active Directory. So I hit Save. Now I have just defined a sequence of actions here, but I've not executed the automation yet. In order to execute the sequence that we have just defined, I go back to Automation, I create a new automation, and then I select the policy that we just defined. I go to Select Automation Policy; "clean up AD inactive users" is something that we created, and it has all the sequence that we want. Now I need to actually provide an input so that the application can find out the users who are inactive. The input is going to be in the form of a report, a built-in report. So if I just go to Select, I have n number of reports right here that I can pick and choose from, but talking about our condition, or our scenario right here, I want the application to find out inactive users for the last 300 days. So I choose the inactive users report, that's right here, and I'd like to find out the users who were inactive for the last 300 days, so 300 days; I hit OK. Now since this is going to be an Active Directory cleanup process, I would like this to be scheduled on a monthly basis, all right, so on the 10th of every month at 4 p.m. Now every month on the 10th at 4 p.m. ADManager Plus will generate the inactive users report for the last 300 days and then it will execute the policy that we have just created. So that's about the automation and automation policy. A policy is something like a sequence: you define a sequence of actions and then you map that sequence to the automation in order to execute the sequence. All right, so that's how you do it.

Now whenever I talk about automation, there might be a few administrators or IT technicians who might be a bit skeptical about leaving things to an application. So you might not want an application to be performing actions in Active Directory without your approval or supervision; you might want to supervise these actions even before they take place in Active Directory. So you might want this application to raise a request instead of actually performing an action, so that you, as a reviewer or you as an executor, go through the request, and if you find that the request is valid, you just hit Approve or Execute, and then the action takes place in Active Directory. You might want to implement a request-and-approve methodology for an automated process; that's when you have this small checkbox coming to help you. Now, if you select the checkbox here, which reads "implement business workflow", the action that you are trying to automate will be raised as a request, and then it will be forwarded to the workflow section of ADManager Plus. So the requester here, in our case, is going to be the automation, and the automation is going to raise a request to the next level of approval. All right, the next level can be a reviewer or approver or even executor, and if you think that these three levels of approval are too much for your organization and you just need to cut it down to one level of approval, you just edit the workflow and bring it down to one level of approval. That's it. So you have the automation raising a request, the executor gets notified stating that a request
is raised, the executor has to look at the request, and if the request is valid, the executor says OK and the action takes place in Active Directory. As simple as that. A requester can be associated with an automation like the one that we just discussed, or it can even be a manual requester. When I say a manual requester: HR can log into this tool and then create a request for all these actions that you see right here. So if HR wants to raise a request for user account creation, instead of them creating an Excel sheet, they just log into the Create Request portal, they hit Single User Creation, they just type the first name and the last name of the user account, and instead of Create they have something else which reads Create Request. All right, so they raise the request; they do not create accounts directly in AD, they raise a request by logging into ADManager Plus. And if you want to customize this layout for a requester, if you think that these many tabs are not required for a requester and you'd like to keep it simple, you have the templates right here, so you can define your own customizable layout. If you want that layout to have just ten attributes, a simple form that they can use for raising requests, you can very well define a template and assign the template to a requester. So when the requester, or HR, logs in to this tool, they just have access to those 10 attributes, that's it. They raise a request; again, that gets forwarded to the next level of approval, and when the reviewer says OK it gets forwarded to the approver, the approver approves, it gets forwarded to the executor, the executor says OK, and the account gets created in Active Directory. And since this is going to be a request-and-approve methodology, you have notification rules that will notify the appropriate or concerned people in the list, or in the hierarchy, and you can also assign tickets based on actions if you want. So if you want the creation requests to be assigned to a user A and user deletion requests to be assigned to an IT administrator, you can define the assigning rules right here. All right.

So a quick recap on the things that we discussed in today's session. We saw delegation: how do you create customized roles and map those roles to users; we also saw how to audit the changes done by your technicians of ADManager Plus. Automation: how do you create users and clean up Active Directory and perform other stuff using the automation. Workflow is all about a request-and-approve methodology. Now apart from that, yesterday we saw something about Active Directory management: how do you create users in bulk, how do you manage them, manage their mailboxes, Office 365, how do you perform a permission cleanup and assign or remove Office 365 licenses from inactive accounts and all that; reports: we discussed crucial reports on how to get things from Active Directory with just a few mouse clicks. All right, so you can very well make use of the Help link right here; you have the Help link at the top right. If you just go to the Help link, the Help link has pretty much everything that you need to know related to the application, and that includes the troubleshooting tips and also the frequently asked questions. Now if you'd like to get in touch with our tech team here for any technical assistance related to the application, just go to the Support tab. You can initiate a live chat session with the tech team here, you can drop an email to us, or if you have a request for a new feature that is not there in the application, you just go ahead and fill in the form and send it out to us. And you have our forums, knowledge bases, and this is where you go to upgrade the application to the latest version. All right, now for any queries related to the application, the email address that you should be shooting an email to is going to be support@admanagerplus.com. So once again, thank you very much for joining both the sessions in this evaluation series. I hope the session was useful for you. If you have any questions, please, please get in touch with us; we are more than happy to help you. Thank you. You have a nice day. Bye-bye.
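Editor's note. The staged cleanup the speaker configures through the product (move inactive users to a holding OU, strip group memberships, disable, then delete, with a waiting period between each step) is shown below as an added PowerShell example written against the native ActiveDirectory module. It is not ADManager Plus code and not from the webinar. Everything it assumes is invented for illustration: the quarantine OU `OU=Inactive Users,DC=example,DC=com`, the use of the user's `info` (Notes) attribute to record the date an account entered quarantine, the day counts for each stage, and the list of protected groups whose members are reported rather than touched. It also carries the two caveats a practitioner wants with this kind of automation: `lastLogonTimestamp` (which `Search-ADAccount -AccountInactive` relies on) replicates lazily and can lag the true last logon by up to 14 days, and deletion is gated on the account already being disabled and group-less so a mis-stamped account cannot jump straight to the last stage.

```powershell
# Added example, not ADManager Plus code: the move -> remove from groups -> disable -> delete
# sequence from the webinar, written against the native ActiveDirectory module.
# Assumptions (none come from the webinar):
#   - quarantine OU: OU=Inactive Users,DC=example,DC=com
#   - the date an account entered quarantine is stamped in its "info" (Notes) attribute
#   - members of the protected groups are reported, never touched automatically
#   - stage intervals are days since the quarantine stamp; run with -WhatIf first
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 300,
    [int]$RemoveGroupsAfterDays = 5,
    [int]$DisableAfterDays = 35,
    [int]$DeleteAfterDays = 65,
    [string]$QuarantineOU = 'OU=Inactive Users,DC=example,DC=com',
    [string[]]$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
)
Import-Module ActiveDirectory

$now = Get-Date
$stampPrefix = 'Quarantined:'

# lastLogonTimestamp (what Search-ADAccount -AccountInactive reads) is replicated lazily and can
# lag the true last logon by up to 14 days, so $InactiveDays is a floor, not an exact figure.
$cutoff = $now.AddDays(-$InactiveDays)

# Recursive membership of the protected groups; these DNs are skipped at every stage.
$protectedDNs = @(foreach ($g in $ProtectedGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive).DistinguishedName }
    catch { Write-Warning "Group '$g' not found" }
})

function Get-QuarantineDate([Microsoft.ActiveDirectory.Management.ADUser]$User) {
    if ($User.info -match "$stampPrefix (\d{4}-\d{2}-\d{2})") {
        return [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    }
    return $null
}

# Stage 1: enabled users inactive for >= $InactiveDays that are not yet in quarantine.
# The whenCreated filter drops accounts that look inactive only because they are new and unused.
$candidates = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$QuarantineOU" } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties info, whenCreated } |
    Where-Object { $_.whenCreated -lt $cutoff }

foreach ($u in $candidates) {
    if ($protectedDNs -contains $u.DistinguishedName) {
        Write-Warning "$($u.SamAccountName) is inactive but privileged; review manually"
        continue
    }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Stamp and move to $QuarantineOU")) {
        Set-ADUser -Identity $u -Replace @{ info = "$stampPrefix $($now.ToString('yyyy-MM-dd'))" }
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Stages 2-4: everything already in quarantine advances on the age of its stamp.
$quarantined = Get-ADUser -SearchBase $QuarantineOU -Filter * -Properties info, memberOf
foreach ($u in $quarantined) {
    $since = Get-QuarantineDate $u
    if (-not $since) { Write-Warning "$($u.SamAccountName) has no quarantine stamp; skipping"; continue }
    if ($protectedDNs -contains $u.DistinguishedName) {
        Write-Warning "$($u.SamAccountName) is privileged; review manually"; continue
    }
    $age = ($now - $since).Days

    # Stage 2: strip group memberships (the primary group, Domain Users, is not in memberOf).
    if ($age -ge $RemoveGroupsAfterDays -and $u.memberOf.Count -gt 0) {
        foreach ($groupDN in $u.memberOf) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $groupDN")) {
                Remove-ADGroupMember -Identity $groupDN -Members $u -Confirm:$false
            }
        }
    }
    # Stage 3: disable.
    if ($age -ge $DisableAfterDays -and $u.Enabled) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable account')) {
            Disable-ADAccount -Identity $u
        }
    }
    # Stage 4: delete only accounts that are already disabled and group-less, so a mis-stamped
    # account cannot skip the review window the earlier stages provide.
    if ($age -ge $DeleteAfterDays -and -not $u.Enabled -and $u.memberOf.Count -eq 0) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Delete account')) {
            Remove-ADUser -Identity $u -Confirm:$false
        }
    }
}
```

Run it as `.\Cleanup-InactiveUsers.ps1 -WhatIf` from a scheduled task or an admin console first; every change passes through `ShouldProcess`, so the dry run lists each move, group removal, disable and delete without touching the directory. The protected-group check mirrors the webinar's point about excluding Domain Admins and Enterprise Admins from what a delegated technician may touch: a privileged account that has gone quiet is exactly the one that deserves a human decision, not an unattended job.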
Info
Channel: ManageEngine ADSolutions
Views: 4,611
Keywords: AD Delegation, ADManager, Active Directory, Active Directory Webinar, Active Directory Automation
Id: lRIR8DlqdDM
Length: 40min 31sec (2431 seconds)
Published: Tue Sep 20 2016