Active Directory, like many enterprise-level software products, is designed to be a one-size-fits-all solution. As such, there are several gaps out of the box that can make management of your organization's users problematic.
Now that you're aware of some of the deficiencies found in AD and how third-party identity and access management tools can solve them, let's take a look at some great third-party tools your company can leverage in order to improve efficiency and accuracy in managing your users' access.
Not all of the tools we'll discuss fill every single need we've identified or have all the necessary features to solve the many identity and access management problems. However, the third-party tools featured here can remediate key problem areas for many organizations.
1. Zohno Z-Hire & Z-Term
Z-Hire and Z-Term from Zohno provide limited automation when compared to some of the other competitors in this arena, but their focus is on streamlining the two major steps in the lifecycle of a user object: creation and de-provisioning of users.
Where many Active Directory tools require a management server, or at least a client install, Z-Hire and Z-Term are both essentially front-end applications backed by PowerShell. The end result is an application that doesn't even require a client installation, though it is tied to domain-joined Windows computers.
Z-Hire, intended to simplify the process of creating users, uses a template-based approach to Active Directory administration. Templates can be created and saved manually, or created from an existing user and then modified as needed. Multiple templates can be created in order to accommodate your organizational needs, and are defined primarily using standard fields found in Active Directory such as the user's name, contact information, and group membership. Z-Hire also allows you to define a custom script to be run when a user is created using a template, bringing the full weight of PowerShell to the equation.
Z-Term has many similarities to Z-Hire, such as the use of templates, though most organizations will be able to limit themselves to a few types of account de-provisioning. User objects can be disabled, moved to a specific Organizational Unit, their group membership revoked, or even their password reset. De-provisioning can be triggered immediately or can be scheduled for a later date.
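The de-provisioning actions listed above (disable, reset password, revoke group membership, move to an OU) can be sketched with the standard ActiveDirectory PowerShell module. This is an added example, not Zohno's code; the function name `Invoke-UserDeprovision`, the OU path and the sample account name are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added illustration: function name, OU path and account name are hypothetical.
function Invoke-UserDeprovision {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Placeholder target, e.g. 'OU=Disabled Users,DC=example,DC=com'
        [Parameter(Mandatory)][string]$DisabledOU
    )

    # MemberOf lists explicit group memberships; the primary group
    # (normally Domain Users) is not included and is left in place.
    $user = Get-ADUser -Identity $Identity -Properties MemberOf

    # With -WhatIf, ShouldProcess returns $false and nothing is changed.
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'De-provision')) {
        return
    }

    # 1. Disable first, so the account is unusable while the rest runs.
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value that nobody knows.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret

    # 3. Revoke group memberships, keeping a record for audit or re-hire.
    $removed = foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        $groupDn
    }

    # 4. Move the object last, since the earlier steps address it by its current DN.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

    # Return a record of what was done so the caller can log it.
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        RemovedGroups  = @($removed)
        MovedTo        = $DisabledOU
        CompletedUtc   = [DateTime]::UtcNow
    }
}

# Dry run against a constructed account name:
# Invoke-UserDeprovision -Identity 'jdoe' -DisabledOU 'OU=Disabled Users,DC=example,DC=com' -WhatIf
```

Disabling before revoking access means a failure partway through still leaves the account unusable, and the returned group list gives an audit trail of what access was removed.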
Pricing & Licensing: Zohno Z-Hire and Z-Term are licensed together and start at $250 for a perpetual license for up to 1,000 users.
2. Softerra Adaxes
Softerra has managed to put together a feature-complete tool for automating identity management and providing secure user control over your Active Directory-based identities. From an automation standpoint, Adaxes features the ability to ensure properties meet corporate standards, such as computer or user names. Softerra also provides the tools to automatically perform actions at various points in the identity creation process through business rules. A sample business rule shows the ability to automate the creation of a user's home directory, Exchange mailbox, and Office 365 account after the user is provisioned.
In addition to excelling at automation, Softerra Adaxes provides highly customizable web portals for use by administrators, help desk personnel, and end user self-service. Each portal can be branded with a corporate logo and colors, and configured to provide only the desired options to each type of user. Account management requests can then be routed through a workflow process to ensure each request is validated and receives the appropriate level of approval.
Pricing & Licensing: Softerra Adaxes perpetual license begins at $1,600 for up to 100 users. Annual maintenance and support is available for $480 (also for 100 users).
3. Cayosoft Administrator Suite
Cayosoft's Administrator Suite includes several modules which allow you to perform a variety of tasks related to managing the lifecycle of user objects and enforcing corporate policies.
Admin Assistant, the core application, handles many of the automation and reporting features. The Suspend module is primarily used for managing user objects which have reached the end of their lifecycle, giving you a streamlined method of disabling or deleting the user account. Some of the features offered by the Suspend module, such as scheduled reactivation or retention periods, also require Policy Manager. While each of these modules is included in Administrator Suite, they can also be licensed individually.
The de-provision workflow offered by the Suspend module makes handling temporary or permanent account suspensions intuitive. Temporary account suspensions can be configured to automatically re-enable an account or to wait for administrator approval.
Admin Assistant provides several default rules which can be scheduled and enforced in order to manage default policies within your domain, such as automatically disabling inactive accounts. In addition to the normal software updates, Cayosoft provides regular updates to its default rule sets, known as extensions. These rule sets can be easily downloaded and imported into Admin Assistant with just a few clicks.
Pricing & Licensing: Cayosoft perpetual license is $2.50 per user (Admin Assistant), and $2 per user (Suspend). Includes one year of support/maintenance (additional years are at 20 percent of license cost). Look for an announcement of a free year of Suspend (coming soon).
4. Dell Active Administrator
Active Administrator from Dell Software is a comprehensive toolset for managing various aspects of Active Directory, including replication, trusts, and Group Policy. Because Active Administrator is an enterprise-level tool, its feature set has a focus on large businesses.
Managing inactive user or computer accounts is fairly straightforward within Active Administrator. Inactive objects can be disabled, moved to a specific OU, or have their passwords reset. Along the same lines, notifications can be sent for users approaching their account’s expiration date, or that of their password.
Where Active Administrator really excels is in the area of reporting and auditing. Rather than simply monitoring a single event log, or compiling a history of actions performed within the Active Administrator management console, each domain controller is monitored in order to maintain a comprehensive audit trail. To handle communication with remote domain controllers, a software agent is deployed to forward auditable events to Active Administrator. In addition to compiling an audit history, Active Administrator can be configured to immediately notify an administrator in the event of a critical audit event.
Pricing & Licensing: Dell Software Active Administrator perpetual license starts at $15.30 per user, and includes one year of maintenance. Additional maintenance can be purchased as well.
A clear takeaway from this article is that each organization should carefully evaluate its business needs when it comes to third-party identity and access management tools that tie into Active Directory administration. Each of these products offers a completely different set of features, and there are dozens more like them that offer a diverse set of tools.
Once some thought and discussion have been invested in a prioritized list of your requirements, you can then begin the process of evaluating the available solutions in order to determine which product best meets the needs of your company.