Simplify AD management
As you build your Active Directory (AD) topology, you'll want to create a robust directory structure that incorporates the appropriate security for rights and roles throughout your enterprise. This task isn't easy because Windows 2000 doesn't provide a single interface from which you can control all AD permissions. To address this shortcoming, FastLane Technologies created an AD management tool that extends AD's standards-based delegation model. FastLane's DM/ActiveRoles 2.0 assists with AD deployment and management by letting you consolidate access control entries (ACEs) into logical roles that you can assign throughout the enterprise.
How It Works
DM/ActiveRoles lets you collect ACEs into one ActiveRole. You then assign the ActiveRole to an AD object on behalf of a user or group (the trustee). To help me conceptualize the role-assignment process, I considered role assignments from the object's perspective. For example, if I assign an ActiveRole called helpdesk to an organizational unit (OU) named BigCompany for the user account Fred, then Fred has the access specified in the helpdesk ActiveRole on the BigCompany OU. After you define an ActiveRole, you can reassign it wherever appropriate. Although you use the DM/ActiveRoles interface to create and assign ActiveRoles, the underlying ACEs are native to AD, which means you can use native Win2K tools to inspect and manage AD independently of DM/ActiveRoles. The object's native ACL is therefore the authoritative record of what a role actually grants, and it is the place to verify an assignment.
Installing DM/ActiveRoles
I received DM/ActiveRoles as a Windows Installer (.msi) file attached to an email from FastLane; however, FastLane plans to distribute the product on CD-ROM. I double-clicked the DMActiveRoles.msi icon to install DM/ActiveRoles on my test server. The server was a dual-Pentium III system with 512MB of RAM that ran Win2K Advanced Server, and I configured it as the only domain controller (DC) for the AD domain. After I selected the full installation option, the software installed within seconds and prompted me for a license key, which FastLane had provided by email.
The online Quick Start Guide recommends that you set the software to Directory-Enabled Mode to leverage AD's performance and availability. To set this option, I selected FastLane DM/ActiveRoles from Win2K's Start menu, then selected Configure, Directory-Enabled Mode. The program also lets you store role information locally. Local Mode lets you evaluate DM/ActiveRoles without modifying the AD schema. If you wish, you can later make a one-time transition to the recommended Directory-Enabled Mode. Because Win2K schema extensions apply to the whole forest and can't be removed once added, plan that transition as a change to the forest rather than as a setting on one server.
The User Interface
The DM/ActiveRoles interface, which Figure 1, page 122, shows, is a Microsoft Management Console (MMC) snap-in. The left pane displays, in tree view, the DM/ActiveRoles snap-in node, the ActiveRoles Container, the Reports node, and the domain's OUs. The right pane displays, in list view, the objects that correspond to the item you select in the tree view. When you select a directory object, the list view splits horizontally to show ActiveRoles in the lower-right pane. This pane shows both directly applied ActiveRoles and ActiveRoles inherited from parent objects in the directory.
Right-clicking in the lower-right pane lets you choose between displaying ActiveRoles or the native ACL for the object you select in the tree view. When you display ActiveRoles, a dark green key icon represents directly applied roles, and a faded green key icon represents inherited roles. When you view the native ACL, an ACE that an ActiveRole created shows the letters AR added to its icon, so you can tell role-managed ACEs apart from ACEs set by other means. In the tree view, a small green square in the lower-right corner of an icon designates objects that have ActiveRoles assigned to them.
Because the interface is an MMC snap-in, you can add other snap-ins to the console to customize your environment. I added the MMC Active Directory Users and Computers snap-in to my console to give me quick access to user management facilities. You can add additional domains to the treeview by right-clicking the DM/ActiveRoles snap-in node and choosing Connect to Domain from the resulting menu.
Defining ActiveRoles
By default, only members of the Domain Admins group can manage ActiveRoles, but you can add other users and groups to the list of those with access. To test this functionality, I right-clicked the ActiveRoles Container and selected Manage Permissions from the resulting menu. This selection launched the Control Wizard, which I used to add a user account named RA to the list of accounts with permission to access objects in the container. I selected Full Control from the Role drop-down menu for RA. I then logged off and logged on again as RA to verify that the account could manage ActiveRoles. Treat this permission as sensitive: an account that can edit role definitions controls the ACEs that every later assignment of those roles writes into the directory.
You can use predefined ActiveRoles or customized ActiveRoles. I used mostly predefined ActiveRoles that I modified. To modify one, I selected the ActiveRoles Container in the left pane of the MMC snap-in, right-clicked the role I wanted to copy, and selected Copy from the resulting menu. A Copy ActiveRole dialog box appeared that listed the predefined source ActiveRole and asked me to specify a name and description for the destination ActiveRole. To modify the destination ActiveRole, I right-clicked the copy and selected Edit from the resulting menu to bring up the Edit ActiveRole dialog box. This dialog box contains a drop-down menu for selecting an object class and a list of that class's permissions, each of which you can allow or deny.
If you select the Filter unused objects/rights check box, the software shows only the objects and rights the role actually manages. The DM/ActiveRoles manual doesn't document this feature well, but a conversation with a FastLane representative clarified its use. Selecting the check box simplifies editing ActiveRoles because it limits the displayed objects and rights to those that the ActiveRole definition references. For example, when I edited my Sr. Help Desk ActiveRole, the filter narrowed the object list from 21 entries to the 3 that had specified permissions, and it narrowed the permission list for those objects to only the permissions that the role explicitly allowed or denied.
You can delete unused roles from the ActiveRoles Container, and you can import and export individual or multiple ActiveRoles as necessary. I created several ActiveRoles by right-clicking the ActiveRoles Container and selecting New, ActiveRole. The Create ActiveRole Wizard prompted me for the role's name and description, then presented the same dialog box that I used for editing predefined ActiveRoles. Starting from the AD permissions that the predefined roles already encode is easier than building a role from scratch, but through trial and error I was able to establish the permissions I wanted for the role I had created.
FastLane plans to create ActiveRole Packs of predefined ActiveRoles for specific AD-enabled applications (e.g., Microsoft Exchange 2000 Server). Registered users will be able to download these ActiveRole Packs from the FastLane Web site. FastLane also plans to designate an area of its Web site for users to trade custom ActiveRoles.
The ability to group ActiveRoles logically within the list view would benefit organizations that deploy many roles. However, version 2.0 doesn't offer such a feature.
Assigning ActiveRoles
After you define an ActiveRole, you assign it to the AD object to which you want to apply the role's permissions. At the same time, you designate the user or group that receives the role on that object. To assign the Win2KLab Sr. Help Desk role to the entire AD domain, I right-clicked the top-level domain object and selected Manage Permissions, which launched the Control Wizard that Figure 2 shows. I clicked Add, selected SrHelpDesk in the resulting dialog box, then clicked OK to return to the Control Wizard. At this point, the Account column listed the SrHelpDesk group, and the Apply To column listed This object and all child objects (the other Apply To options are This object only and Child objects only, which correspond to the inheritance scope of the ACEs the role writes). Next, I clicked within the Role column, and a drop-down box appeared. I selected Win2KLab Sr. Help Desk and clicked Finish. A green square appeared on the domain object's icon in the DM/ActiveRoles interface to show that the object is now a controlled object, and the lower-right pane listed the newly applied ActiveRole.
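To make the role model concrete, here is an added example that is not FastLane's code and not part of the original review: it expresses a role as a named list of ACE templates, applies it to an OU for a trustee with the three Apply To scopes mapped onto native inheritance flags, and then reads the object's native ACL back to verify what was written, which is the check the "How It Works" section says native tools make possible. It uses the Windows Server ActiveDirectory PowerShell module's AD: drive and .NET's System.DirectoryServices classes, neither of which existed in 2001. The domain corp.example, the trustee CORP\SrHelpDesk, the target OU and the contents of the role are assumptions for illustration, not the product's predefined Sr. Help Desk role.

```powershell
# Added example (not DM/ActiveRoles code): role = list of ACE templates, applied
# to an AD object for a trustee with native tooling, then verified from the ACL.
# Assumed placeholders: corp.example domain, CORP\SrHelpDesk, OU=BigCompany.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl/Set-Acl

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Object-specific ACEs are keyed by GUID, not by name. Resolve the GUIDs from the
# schema and the Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

# The Control Wizard's Apply To choices are just the ACE inheritance scope.
$applyToMap = @{
    'This object and all child objects' = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    'This object only'                  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    'Child objects only'                = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
}

# A role: each entry is one ACE template. InheritedObjectType limits the ACE to
# objects of that class (here: user), so the trustee gets nothing on OUs or
# computers. Contents are an assumed minimal help-desk role.
$userClass = Get-SchemaGuid 'user'
$srHelpDeskRole = @(
    @{ Type = 'Allow'; Rights = 'ExtendedRight';              ObjectType = (Get-ExtendedRightGuid 'Reset Password'); InheritedObjectType = $userClass }
    @{ Type = 'Allow'; Rights = 'ReadProperty,WriteProperty'; ObjectType = (Get-SchemaGuid 'lockoutTime');           InheritedObjectType = $userClass }
    @{ Type = 'Allow'; Rights = 'ReadProperty,WriteProperty'; ObjectType = (Get-SchemaGuid 'userAccountControl');    InheritedObjectType = $userClass }
)

# Assign a role to an object for a trustee: every template becomes one native ACE.
function Grant-ActiveRole {
    param(
        [Parameter(Mandatory)][string]$TargetDn,
        [Parameter(Mandatory)][string]$Trustee,   # e.g. 'CORP\SrHelpDesk'
        [Parameter(Mandatory)][array]$Role,
        [string]$ApplyTo = 'This object and all child objects'
    )
    if (-not $applyToMap.ContainsKey($ApplyTo)) { throw "Unknown Apply To scope '$ApplyTo'" }
    $inherit = $applyToMap[$ApplyTo]
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$TargetDn"
    foreach ($ace in $Role) {
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$ace.Rights
        $type   = [System.Security.AccessControl.AccessControlType]$ace.Type
        if ($inherit -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None) {
            # "This object only": an inherited-object-type filter would be meaningless here.
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $type, [guid]$ace.ObjectType, $inherit)
        } else {
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $type, [guid]$ace.ObjectType, $inherit, [guid]$ace.InheritedObjectType)
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

# Verification: read the native ACL back, so the assignment can be audited (or
# removed with RemoveAccessRule) by the same tools that created it.
function Get-TrusteeAces {
    param([Parameter(Mandatory)][string]$TargetDn, [Parameter(Mandatory)][string]$Trustee)
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Trustee } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType, InheritedObjectType, IsInherited
}

$ou = 'OU=BigCompany,DC=corp,DC=example'
Grant-ActiveRole -TargetDn $ou -Trustee 'CORP\SrHelpDesk' -Role $srHelpDeskRole -ApplyTo 'Child objects only'
Get-TrusteeAces  -TargetDn $ou -Trustee 'CORP\SrHelpDesk' | Format-Table -AutoSize
```

Run it as an account that holds write-DACL rights on the target OU. The verification step is the part worth keeping even if you use the product's wizard instead of the script: because the review notes that DM/ActiveRoles writes ordinary ACEs, the Access list returned by Get-Acl on the object is the ground truth for what a role grants, and any ACE there that isn't marked as role-managed in the product's view was set by some other path and deserves a look.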
Terminex April 26, 2001