After seeing a demo of Imanami’s GroupID, I was keen to get my hands on the product to discover if it could really solve common identity management problems that most Windows shops face, without adding huge amounts of complexity. GroupID supports Windows Server 2003 and later and Exchange Server 2003 and later. GroupID consists of four modules: Synchronize, Automate, Self-Service, and Reports—which I’ll deal with separately for the purposes of this review.
Synchronize
The GroupID Synchronize module lets you keep Active Directory (AD) up-to-date by synchronizing information from other data sources, such as Oracle and Microsoft SQL Server databases, LDAP-compatible directories, and text files. You can use the simple wizard to map fields from your data source to AD. In addition, you can use built-in rules or create your own VBScript solutions to perform simple data transforms. GroupID Synchronize includes the ability to preview synchronization and transform results before running a job. You can also configure email alerts.
Unlike one of its main competitors, Microsoft Forefront Identity Manager, GroupID doesn’t use a metaverse, a repository where data is stored, merged, and transformed before being distributed to connected directories. GroupID Synchronize performs transforms on the fly—but the lack of a metaverse makes GroupID less flexible in terms of merging data from multiple directories. However, GroupID’s simple approach will likely be a benefit for many organizations, and its functionality is more than adequate except for the most complex systems.
The Automate module provides semi- to fully automatic AD group management functionality. Based on user information held in AD, GroupID Automate can use LDAP queries to create and update AD security groups (i.e., Smart Groups) or distribution lists (DLs), as Figure 1 shows. A service runs on the machine on which GroupID is installed and periodically updates group membership. GroupID comes with a set of PowerShell cmdlets for command-line automation.
Figure 1: Creating an LDAP query for a new Smart Group
GroupID Automate introduces several new group security concepts to AD. Private Groups are assigned to an owner, and group membership can be managed only by that person. Semi-Private Groups are similar to Private Groups, with the exception that users can send membership requests to the owner. No permission is required to leave or join Public Groups. Finally, Semi-Public Groups are similar to Public Groups, but email notifications are sent to the group owners as membership changes.
DLs and security groups can be expired, either manually or automatically after a set period of time. All groups created in GroupID are assigned the default expiration policy, but policies can be modified on a per-group basis. When a group is expired, initially it’s only marked as such, then deleted after a period of time that’s set in GroupID’s system configuration. SQL Server is required to expire security groups.
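The two-stage expiration lifecycle described above (a group is first marked expired, then deleted after a system-wide grace period, with a default policy that can be overridden per group) is easy to get wrong when you build your own tooling around it. The following Python is an added illustration, not GroupID's code or its API; the 180-day default lifetime, the 30-day deletion delay, and the group names are constructed assumptions. It evaluates a set of groups on a given date and reports which action each group would receive.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExpirationPolicy:
    # Days a group lives before it is marked expired; None means never expires.
    lifetime_days: Optional[int]


# Assumed default policy applied to every newly created group (not a GroupID value).
DEFAULT_POLICY = ExpirationPolicy(lifetime_days=180)

# Assumed system-wide setting: days between "marked expired" and actual deletion.
SYSTEM_DELETE_AFTER_DAYS = 30


@dataclass
class Group:
    name: str
    created: date
    policy: ExpirationPolicy = DEFAULT_POLICY   # per-group override is possible
    expired_on: Optional[date] = None           # set when the group is marked expired


def expire_now(group: Group, today: date) -> None:
    """Manual expiration: mark the group expired immediately."""
    if group.expired_on is None:
        group.expired_on = today


def evaluate(groups: List[Group], today: date,
             delete_after_days: int = SYSTEM_DELETE_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Return (group name, action) for every group.

    Actions: "active", "mark-expired" (lifetime reached, now marked),
    "pending-delete" (marked, grace period still running), "delete" (grace period over).
    Groups that are marked in this pass are mutated so a later pass sees them as expired.
    """
    actions = []
    for g in groups:
        if g.expired_on is not None:
            if today >= g.expired_on + timedelta(days=delete_after_days):
                actions.append((g.name, "delete"))
            else:
                actions.append((g.name, "pending-delete"))
        elif (g.policy.lifetime_days is not None
              and today >= g.created + timedelta(days=g.policy.lifetime_days)):
            g.expired_on = today
            actions.append((g.name, "mark-expired"))
        else:
            actions.append((g.name, "active"))
    return actions


def sample_groups() -> List[Group]:
    """Constructed sample data: names and dates are invented for the demo."""
    return [
        Group("Sales-DL", created=date(2023, 11, 1)),                        # default policy
        Group("Project-X", created=date(2024, 5, 1), policy=ExpirationPolicy(30)),
        Group("Board", created=date(2020, 1, 1), policy=ExpirationPolicy(None)),
        Group("Old-Temp", created=date(2023, 1, 1), expired_on=date(2024, 4, 15)),
        Group("Recent-Exp", created=date(2023, 1, 1), expired_on=date(2024, 5, 20)),
    ]


def run_demo(today: date = date(2024, 6, 1)) -> List[Tuple[str, str]]:
    return evaluate(sample_groups(), today)


if __name__ == "__main__":
    for name, action in run_demo():
        print(f"{name:12s} {action}")
```

Running it twice with a later `today` shows the second stage: a group reported as `mark-expired` on the first pass becomes `pending-delete` and eventually `delete` once the grace period has elapsed, which is the behaviour you want to confirm before letting any automated deletion loose on production groups.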
Dynasties in GroupID can be thought of as Smart Groups on steroids that are used to create and manage one or more child groups based on given criteria. Child groups are automatically populated under a parent Dynasty group and inherit the parent’s properties, such as group type and security settings. A query is created to determine who should be members of the child groups, but Dynasties differ from standard Smart Groups with an additional parameter, the group-by field, by which Dynasties determine how to split up the results of the query into separate child groups. For instance, you can create multiple groups in a Dynasty based on an LDAP query to list all HR managers and have the results split into multiple child groups based on a group-by field, such as Office (or physicalDeliveryOfficeName, as it appears in the AD schema). This would result in as many child groups as there are distinct office values among the user accounts returned by the LDAP query.
Dynasties are extremely useful for creating and managing DLs, but the logic can also be applied to security groups. Dynasty templates are included for some common scenarios, and multi-level Dynasties are also supported.
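To make the Smart Group and Dynasty mechanics concrete, here is an added Python example (my own illustration, not GroupID's code or its PowerShell cmdlets) that evaluates an LDAP filter against a constructed set of directory entries and then splits the matches into child groups by a group-by attribute, exactly as the HR-managers-by-office scenario above describes. The filter evaluator supports `&`, `|`, `!` and equality with `*` wildcards; the six user entries, the child-group naming scheme, and the handling of users with no office (placed in an `(unassigned)` child) are all assumptions made for the demo.

```python
import fnmatch
from typing import Any, Dict, List, Tuple

# Constructed sample directory entries (not real accounts). Attribute names follow the AD schema.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"], "department": "HR",
     "title": "HR Manager", "physicalDeliveryOfficeName": "London"},
    {"sAMAccountName": "bob", "objectClass": ["top", "person", "user"], "department": "HR",
     "title": "Senior HR Manager", "physicalDeliveryOfficeName": "Paris"},
    {"sAMAccountName": "carol", "objectClass": ["top", "person", "user"], "department": "HR",
     "title": "HR Manager", "physicalDeliveryOfficeName": "London"},
    {"sAMAccountName": "dave", "objectClass": ["top", "person", "user"], "department": "Engineering",
     "title": "Engineering Manager", "physicalDeliveryOfficeName": "London"},
    {"sAMAccountName": "erin", "objectClass": ["top", "person", "user"], "department": "HR",
     "title": "HR Analyst", "physicalDeliveryOfficeName": "Paris"},
    {"sAMAccountName": "frank", "objectClass": ["top", "person", "user"], "department": "HR",
     "title": "HR Manager"},   # no office attribute set
]

# The Smart Group query from the article's scenario: all HR managers.
HR_MANAGERS_FILTER = "(&(objectClass=user)(department=HR)(title=*Manager*))"


def parse_filter(s: str, i: int = 0) -> Tuple[Any, int]:
    """Parse an RFC 4515-style filter into a tuple tree; returns (node, index after node)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip(), value.strip()), end + 1


def get_attr(entry: Dict[str, Any], attr: str) -> List[str]:
    """Case-insensitive attribute lookup; always returns a list of string values."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(node: Any, entry: Dict[str, Any]) -> bool:
    """Evaluate a parsed filter tree against one entry (values compared case-insensitively)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in get_attr(entry, attr))


def smart_group_members(entries: List[Dict[str, Any]], ldap_filter: str) -> List[str]:
    """Smart Group: every account matching the query, as one flat membership list."""
    tree, _ = parse_filter(ldap_filter)
    return sorted(e["sAMAccountName"] for e in entries if matches(tree, e))


def build_dynasty(entries: List[Dict[str, Any]], ldap_filter: str,
                  group_by: str, name_prefix: str) -> Dict[str, List[str]]:
    """Dynasty: the same query, but results split into one child group per group-by value.

    Child group names are '<prefix> - <value>' (an assumed naming scheme). Matches without a
    group-by value land in an '(unassigned)' child, an assumption made so no match is lost silently.
    """
    tree, _ = parse_filter(ldap_filter)
    children: Dict[str, List[str]] = {}
    for e in entries:
        if not matches(tree, e):
            continue
        values = get_attr(e, group_by)
        key = values[0] if values else "(unassigned)"
        children.setdefault(key, []).append(e["sAMAccountName"])
    return {f"{name_prefix} - {k}": sorted(v) for k, v in sorted(children.items())}


if __name__ == "__main__":
    print("Smart Group:", smart_group_members(SAMPLE_USERS, HR_MANAGERS_FILTER))
    for name, members in build_dynasty(SAMPLE_USERS, HR_MANAGERS_FILTER,
                                       "physicalDeliveryOfficeName", "HR Managers").items():
        print(f"{name}: {', '.join(members)}")
```

The `(unassigned)` child is worth a second look in practice: accounts that match the query but lack the group-by attribute are exactly the data-quality gaps the article's closing section is about, and surfacing them in a child group (or a report) is far better than dropping them from every DL.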
GroupID Self-Service provides one or more web portals for users to manage directory data and group memberships in AD. Because Help desk calls are costly to service, giving users the ability to manage groups without intervention from IT can be cost effective. Self-Service works in conjunction with the additional group security types that Automate adds to AD: Public, Semi-Public, Private, and Semi-Private.
Users can request membership to groups, and owners can manage those requests via the web portal. Self-Service supports workflows so that changes to AD information can be approved before being committed. Self-Service also supports anonymous or authenticated read-only access to the directory for the purposes of retrieving information to share via a spreadsheet or distribute to portable devices.
GroupID Reports is a free module that lets administrators generate reports on user, group, and computer objects in AD. Reports can be output in HTML, XLS, and XML formats. A wide variety of built-in reports can be tailored according to your needs.
Accurate Data Is the Key
AD rarely serves as an authoritative source of employee information, which limits its worth in terms of effectively managing security and communication via distribution lists. In organizations with 250 employees or more, GroupID can help fully realize the potential of AD and Exchange.