Active Directory Automation: The Next Step toward the Brave New World?

IT is changing. Cloud services, whether public, private, or hybrid, introduce a new focus for operations teams. We are no longer fixated on building and maintaining infrastructure—we need to concentrate on automating management, delivering services, and developing future iterations of our systems to make the enterprise more capable, more agile, and more profitable. Even the biggest companies, those still maintaining on-premises systems and support teams, increasingly concentrate on freeing up their IT departments from day-to-day firefighting and allowing them to produce new ways of enabling their users and the business’s overall productivity. Underpinning a large number of enterprises are many infrastructure components into which considerable investment and development have gone—and, usually, a large amount of administration by IT support units. One of the main ones is Microsoft’s Active Directory (AD). From its arrival in 2000, it has grown from a centralized domain management system into a broad range of directory-based identity-related services.

Active Directory Management

Managing AD involves a lot of work—not just provisioning users and computers, but performing cleanup and managing policies, DNS, and many other areas. Concentrated primarily within the Active Directory Users and Computers (ADUC) management console tool or the more up-to-date Active Directory Administrative Center (which arrived in Windows Server 2008 R2), AD administration is often complemented by manual processes and custom scripts. Digging into custom attributes sometimes involves some heavier scripting or use of the ADSI Editor tool. Processes for managing AD are subject to user error and lack of standardization, and can’t handle huge numbers of requests.

Of course, many companies have invested a lot of time and resources into developing custom tools and interfaces to support this, even going so far as to delegate processes out to the users themselves. This requires a lot of tuning and tweaking as the software evolves along with the business needs, and it involves an obvious need not only to have the requisite skills in-house, but also to maintain those skills in-house. However, this approach completely cuts against the mantra of the “brave new world” of the cloud era, where IT departments are supposed to be freed from the day-to-day struggle of staying on top of management issues.

If you break AD, you’re going to have serious problems, because it is intricately entwined into just about every other piece of software that your business uses. If it’s not maintained properly, you can find yourself in an organizational nightmare that in the end may cost you serious money to bring back on an even keel. And we’re not even starting down the path of upgrades to the core AD functionality. All in all, AD is bulky, mission-critical, and time-consuming, and it often requires a full team of operators just to deal with it.

It’s clear that AD is an area that could seriously benefit from automation, and not just custom automation through PowerShell, but a standards-compliant automation that will function just as well after major upgrades as it did previously. If we can automate the building of our servers and workstations—another area where we previously had to employ huge teams of operators just to cope with the workload—then surely Active Directory could be dealt with in the same way, couldn’t it?

Softerra Adaxes

There are a number of products out there that sit in this area, but by far the most comprehensive I’ve come across is Softerra’s Adaxes product. It’s more of a suite than a specific product, in my opinion, because it provides functionality across a wide swath of areas that some vendors only address singly (for instance, Adaxes has a self-service password reset feature, which other vendors offer as a standalone product). A whole load of functionality is tucked away inside the suite.

There’s far too much functionality to cram a rundown of each feature into a single article, to be fair. It covers things as diverse as role-based security administration, task automation, approval-based workflows, reporting, self-service, dynamic business units, Exchange management, Office 365 management, scheduled tasks, logging—the list goes on and on. It’s all fully customizable to your enterprise, and PowerShell support runs right through it.

An Example: User Provisioning and Deprovisioning

One area that everyone is probably intimately familiar with is that of provisioning new users. Since the NT4 days, creating new users has traditionally been handled by a help desk armed with enterprise-specific processes. Adaxes finally manages to give this a real injection of modernity, without the need to invest in a custom solution.

It offers a full web interface and a more “traditional” administrative console, but you can also use or create cut-down versions of the web interface to delegate specific tasks or sets of tasks. For instance, you could allow help-desk staff to perform user-based operations without needing access to any other functionality. You could configure a self-service portal for standard users that allows them to perform basic tasks such as updating photos or names or changing their passwords.

One of the coolest things about Adaxes is how you can configure actions that happen after a new user is created. I can still remember, in my support days, creating users, creating home drives, creating profile folders, setting permissions, creating Exchange mailboxes, and many more things besides. Most of this can be automated through Adaxes and launched automatically once the user is created. You can even delegate the user creation across to specified account managers, so when new staff are onboarded, their line manager simply goes and fills in the required fields, a user is created from a template, and then all other administrative tasks are launched in the background. The need to contact the help desk is completely eliminated, freeing IT staff from laborious, repetitive tasks and removing any potential for error.

But you don’t just perform user provisioning and “post-creation” configuration: you can deprovision users, too. When a user leaves, you might have to disable or expire their account, archive the home directory, move them to a different OU, remove them from global address lists, forward their email to a delegate—just as with the initial provisioning, the list is possibly very long and detailed, depending on the organization. This could take a help-desk operator twenty minutes or so to complete, but with Adaxes, you just use a rule. Once it is set up and verified, you simply forget about it.
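To make the deprovisioning checklist above concrete, here is an added example written as a plain PowerShell routine on top of the ActiveDirectory module; it is not Adaxes code or a Softerra rule, and the OU path, archive share and the msExchHideFromAddressLists attribute are assumptions for an Exchange-extended domain. It follows the same order a help-desk operator would, disables and expires first, leaves an audit note on the object, and supports -WhatIf so the rule can be verified before it runs for real.

```powershell
# Added example (not Adaxes code): a plain PowerShell deprovisioning routine
# built on the ActiveDirectory module. OU path and archive share are placeholders.
Import-Module ActiveDirectory

function Invoke-UserDeprovision {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$DisabledOu  = 'OU=Disabled Users,DC=example,DC=com',  # placeholder
        [string]$ArchiveRoot = '\\fileserver\HomeArchive'               # placeholder
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory, MemberOf
    $stamp = "Deprovisioned $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Deprovision')) {
        # 1. Disable and expire the account; keep an audit note on the object itself.
        Disable-ADAccount -Identity $user
        Set-ADAccountExpiration -Identity $user -DateTime (Get-Date)
        Set-ADUser -Identity $user -Description $stamp

        # 2. Drop group memberships so no stale access rights survive on the object.
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }

        # 3. Hide the user from the global address list (Exchange schema attribute,
        #    assumed present). Mail forwarding needs the Exchange cmdlets; omitted here.
        Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }

        # 4. Archive the home directory if the attribute is populated and the path exists.
        if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
            Move-Item -Path $user.HomeDirectory -Destination (Join-Path $ArchiveRoot $user.SamAccountName)
            Set-ADUser -Identity $user -Clear HomeDirectory, HomeDrive
        }

        # 5. Move the object last: its distinguished name changes after this step.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    }
}

# Dry run first, then for real (sample account name is constructed):
# Invoke-UserDeprovision -SamAccountName 'jdoe' -WhatIf
# Invoke-UserDeprovision -SamAccountName 'jdoe'
```

Running with -WhatIf prints the object that would be deprovisioned without touching it, which is the "set up and verified" step before handing the rule over to a scheduled or event-driven automation.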


I think Adaxes is a product with a whole load of potential. Naturally, there is an initial investment of time on the enterprise’s behalf to get it up and running, but setting up some of the simpler features (like user provisioning and self-service) is really quick and straightforward. I was impressed with how easy it is to start demonstrating a quick ROI and from there get the “foot in the door” that would allow you to extend it to much more of your existing AD.

Is it the magic bullet that is going to clean up one of those “nightmare” Active Directory implementations that we’ve all seen? Of course not: it’s really about improving efficiency and saving money through automating your day-to-day operations in a much more granular way than is possible through any of the standard tools or consoles out there. But in the new world of IT, where we are supposed to free up our staff to enable the business with cutting-edge new services, it’s definitely a big win. Automating the management of such a core part of the environment always will be.
