Active Directory (AD) management falls into two categories: service management and data management. Service management is the care and feeding of the AD service itself—the domain controllers (DCs), the logical AD structure and directory partitions, and replication between DCs. AD data management is about how you fill this empty shell of a directory with security principals: users, computers, and groups. It's about how you manage these objects, using tools such as Group Policy. And finally, it's about how you maintain the life cycle of these objects. For example, is this computer object obsolete? Should this group continue to exist? Is this group owner still correct? Should this user still exist, and is its group membership current?
Object life cycle management in AD is a neglected practice. IT shops of all sizes are very focused on the beginning of object life cycle management—for example, creating users and assigning them to groups, so that those users can quickly become productive. After users are active, stages of object life cycle management include creating new groups when projects and organizations change and removing users and groups when they no longer require access.
One of AD’s main functions is to seamlessly connect users to the resources they need. The first two phases of an object’s life cycle, creation and modification, are driven by this clear business need of putting users and resources together. Where most home-grown object management fails, however, is the last phase of the life cycle: getting rid of what should no longer be there—for example, user accounts that should be disabled or removed, security groups that have incorrect membership (or no membership at all) or an obsolete manager, and computer objects for computers that no longer exist. This tends to be a problem because, unlike in the phases of creating and modifying objects, there’s no immediate business need that drives cleanup. As a result, large enterprises can easily have tens of thousands of security groups—and trying to manually keep them accurate is impossible.
This is where AD tools that specialize in managing users, groups, and computers come in. These tools can save a company a great deal of time and money by automating the creation, modification, and deletion of AD objects. In addition, AD management tools provide benefits by ensuring that object attribute formats (e.g., naming standards, telephone numbers) are consistently enforced across the forest. This makes life easier for downstream applications that pull identity information from AD.
How might you justify such a utility? Security can be a big driver for this kind of tool, because these tools help minimize risks from stale users and groups. Attestation (the process of verifying the need for and configuration of a security principal on a regular basis) ensures that a group's membership and settings continue to match its purpose and that the group is removed when that purpose is gone. For example, with these tools, you’d want to immediately enable attestation for all groups that have elevated rights in AD so that any employees who leave the team are quickly removed. Attestation workflows are important object life cycle management components, and about half the products in this buyer's guide include these workflows.
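The cleanup phase described above (stale users and computers, empty groups, obsolete group managers) and the attestation of elevated groups can be approximated without a commercial product. The following PowerShell report is an added example written for this page; it is not code from the buyer's guide or from any vendor listed in it. It assumes the RSAT ActiveDirectory module is installed, that 90 days of inactivity is the review threshold, and that the built-in group names listed are the ones you want attested; adjust all three for your forest. The script only reads from AD and writes CSV files, so the decision to disable or delete anything stays with a human reviewer.

```powershell
# Added example (not code from the buyer's guide or any vendor): a read-only
# life cycle report built on the RSAT ActiveDirectory module. The inactivity
# threshold and the list of privileged groups are assumptions to adjust locally.
Import-Module ActiveDirectory

function Get-ADLifecycleReport {
    [CmdletBinding()]
    param(
        # Enabled accounts with no logon inside this window are reported as stale (assumed threshold)
        [int]$InactiveDays = 90,
        # Groups whose effective membership should be attested regularly (built-in examples; add your own)
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    $span = [TimeSpan]::FromDays($InactiveDays)

    # Cleanup candidates, part 1: enabled users and computers that have not logged on
    # within the window. Search-ADAccount evaluates lastLogonTimestamp, which
    # replicates with a delay of up to 14 days, so treat hits as review candidates.
    $staleUsers = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName

    $staleComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
        Where-Object { $_.Enabled } |
        Select-Object Name, LastLogonDate, DistinguishedName

    # Cleanup candidates, part 2: security groups with no members, and groups whose
    # manager is unset, no longer exists, or is a disabled user account.
    $groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, ManagedBy, whenChanged

    $emptyGroups = $groups |
        Where-Object { $_.Members.Count -eq 0 } |
        Select-Object Name, whenChanged, DistinguishedName

    $managerIssues = foreach ($g in $groups) {
        if ([string]::IsNullOrEmpty($g.ManagedBy)) {
            [pscustomobject]@{ Group = $g.Name; Issue = 'No manager set'; ManagedBy = $null }
            continue
        }
        try {
            $mgr = Get-ADObject -Identity $g.ManagedBy
            if ($mgr.ObjectClass -eq 'user') {
                $mgrUser = Get-ADUser -Identity $mgr.DistinguishedName
                if (-not $mgrUser.Enabled) {
                    [pscustomobject]@{ Group = $g.Name; Issue = 'Manager account is disabled'; ManagedBy = $g.ManagedBy }
                }
            }
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            [pscustomobject]@{ Group = $g.Name; Issue = 'Manager object no longer exists'; ManagedBy = $g.ManagedBy }
        }
    }

    # Attestation input: the effective (nested) membership of each privileged group,
    # listed so the group owner can confirm or reject every entry.
    $privilegedMembership = foreach ($name in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $name -Recursive |
                ForEach-Object {
                    [pscustomobject]@{
                        Group             = $name
                        Member            = $_.SamAccountName
                        ObjectClass       = $_.objectClass
                        DistinguishedName = $_.distinguishedName
                    }
                }
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            Write-Warning "Privileged group '$name' not found; check the name for this domain."
        }
    }

    [pscustomobject]@{
        StaleUsers           = @($staleUsers)
        StaleComputers       = @($staleComputers)
        EmptyGroups          = @($emptyGroups)
        GroupManagerIssues   = @($managerIssues)
        PrivilegedMembership = @($privilegedMembership)
    }
}

# Usage: build the report and write each section to a CSV file in the current directory.
$report = Get-ADLifecycleReport -InactiveDays 90
foreach ($section in $report.PSObject.Properties) {
    $section.Value | Export-Csv -Path ".\$($section.Name).csv" -NoTypeInformation
}
"$($report.StaleUsers.Count) stale users, $($report.StaleComputers.Count) stale computers, " +
"$($report.EmptyGroups.Count) empty groups, $($report.GroupManagerIssues.Count) group manager issues"
```

Run it under an account with read access to the domain and schedule it on the same cadence you would use for attestation; the PrivilegedMembership.csv file is the list a group owner signs off on, and the other files feed the cleanup phase that the text above notes is usually left undone.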
Another important security driver is change auditing. When combined with reporting capabilities and the enhanced auditing capabilities in Windows Server 2008, tools that provide change auditing can tell you what changed in your directory, when it changed, and who changed it. This points to another strength of these tools: compliance. The need to comply with government requirements alone can justify your purchase. Sometimes, justification is as simple as proving that purchasing a utility with efficient or self-service password reset capabilities will save money compared with the help desk overhead and lost productivity of a manual reset process. Other features that might be important to you are synchronization with other directory services, both on premises and in the cloud (e.g., Microsoft Office 365), sophisticated Group Policy management, and AD object recovery.
AD object management tools are a necessary add-on for any midsized to enterprise-level business. The labor savings they generate and the security and compliance needs they meet will quickly repay their investment. See the buyer’s guide table for a summary of AD object management tools, including their most useful features.
Editor's Note: Some vendors you might expect to see in this Buyer's Guide said they didn't have a product that exactly matched the criteria or didn't respond to our requests for information about their products.