Introduction
The Active Roles Administration Guide is designed for individuals who are responsible for creating and maintaining Active Roles’ administrative structure. This document provides conceptual information about the product, and includes instructions for deploying a secure, distributed administrative structure that combines administrative policy enforcement, role-based delegation of administration, and flexible administrative views.
This guide also provides information for performing administrative tasks using the Active Roles web interface for Azure Active Directory and Office 365. The document includes instructions to help delegated administrators and help-desk operators perform day-today Azure AD administrative activities.
Active Roles facilitates administrators to configure and monitor Active Roles replication using Microsoft SQL Server tools. This guide details the SQL Server agents used during replication, accounts and logins used to access SQL Server, and strategies for monitoring and troubleshooting replication.
The Active Roles Administration Guide is supplemented with the Active Roles User Guide that provides information about the Active Roles console user interface, and includes instructions to help delegated administrators perform day-to-day administrative activities using the Active Roles console.
About Active Roles
Active Roles (formerly known as ActiveRoles®), delivers a reliable, policy-based administration and provisioning solution, allowing enterprises to fully benefit from Active Directory and Microsoft Exchange deployment.
One of the most valuable features of the product is the ability to automate provisioning tasks on directory objects in compliance with corporate administrative policies in corporate Active Directory and Exchange environments.
Active Roles provides consistent enforcement of corporate policies, a role-based administrative model, and flexible, rule-based administrative views, creating a reliable and secure environment for distributed administration and account provisioning.
Active Roles Main features
Before proceeding with the upgrade ensure to perform a database backup.
Active Roles (formerly known as ActiveRoles®) provides out-of-the-box user and group account management, strictly enforced administrator-based role security, day-to-day identity administration and built-in auditing and reporting for Active Directory and Azure Active Directory (AD) environments. The following features and capabilities make Active Roles a practical solution for secure management of objects in Active Directory and Active Directory-joined systems:
- Secure access Acts as a virtual firewall around Active Directory, enabling you to control access through delegation using a least privilege model. Based on defined administrative policies and associated permissions generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to AD management. Plus, robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
- Automate object creation Automates a wide variety of tasks, including:
- Creating user, groups, and contacts in Active Directory and Azure AD
- Creating mailboxes on Exchange Server and assigning licenses in Office 365
- Managing on-premise Exchange and Exchange Online properties
Active Roles also automates the process of reassigning and removing user access rights in AD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifetimes. When a user’s access needs to be changed or removed, updates are made automatically in Active Directory, Azure AD, Exchange, Exchange Online, SharePoint, Skype for Business, and Windows, as well as any AD-joined systems such as Unix, Linux, and Mac OS X.
- Day-to-day directory management Simplifies management of:
- Exchange recipients, including mailbox assignment, creation, movement, deletion, permissions, and distribution list management
- Groups
- Computers, including shares, printers, local users and groups
- Active Directory, Azure AD, Exchange Online and AD LDS
Active Roles also includes intuitive interfaces for improving day-to-day administration and help desk operations via both an MMC snap-in and a Web interface.
- Manage users, groups, and contacts in a hosted environment Provides Synchronization Service to operate in hosted environments where accounts from client AD domains are synchronized with host domains. Active Roles enables user, group, and contact management from the client domain to the hosted domain, while also synchronizing attributes and passwords.
- Consolidate management points through integration Complements your existing technology and identity and access management strategy. Simplifies and consolidates management points by ensuring easy integration with many One Identity products and Quest products, including One Identity Manager, Authentication Services, Defender, ChangeAuditor, and GPO Admin. Active Roles also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable Web interfaces.
Technical overview
Active Roles divides the workload of directory administration and provisioning into three functional layers—presentation components, service components, and network data sources.
Figure 1: Active Roles Components
The presentation components include client interfaces for the Windows platform and the Web, which allow regular users to perform a precisely defined set of administrative activities. The reporting solution facilitates automated generation of reports on management activities.
The service components constitute a secure layer between administrators and managed data sources. This layer ensures consistent policy enforcement, provides advanced automation capabilities, and enables the integration of business processes for administration of Active Directory, Microsoft Exchange, and other corporate data sources.
The Administration Database stores information about all permission and policy settings, and other data related to the Active Roles configuration.
On a very high level, the Active Roles components work together as follows to manipulate directory data:
- An administrator uses the MMC interface or Web interface to access Active Roles.
- The administrator submits an operation request, such as a query or data change to the Administration Service.
- On receipt of the operation request, the Administration Service checks whether the administrator has sufficient permissions to perform the requested operation (access check).
- The Administration Service ensures that the requested operation does not violate the corporate policies (policy enforcement).
- The Administration Service performs all actions required by the corporate policies, before committing the request (policy enforcement).
- The Administration Service issues operating system function calls to perform the requested operation on network data sources.
- The Administration Service performs all related actions required by the corporate policies, after the request is processed by the operating system (policy enforcement).
- The Administration Service generates an audit trail that includes records about all operations performed or attempted with Active Roles. Directory-change tracking reports are based on the audit trail.
Let us examine the three component layers.