White Paper

Abstract

Active Directory One is a specialized application for managing Active Directory user accounts and groups.
Through a tabular graphical interface, you can view, edit, and save items in batch, overcoming the limits of the standard Active Directory interfaces.
Designed for scalability, the software is intended to remain effective as the number and complexity of the items to be managed in the organization grow.
Active Directory One's internal engine performs application-level validity and error checks before any item is changed in Active Directory.
Provisioning of new users or groups is simplified by an import algorithm, and de-provisioning can be designed and fully automated.
A dedicated section of the Windows event log records every operation for traceability.

Copyright © 2021 Estesoft

Without permission, anyone may use, reproduce, or distribute any material in this white paper for non-commercial and educational use (i.e., other than for a fee or for commercial purposes) provided that the original source and the applicable copyright notice are cited.

Disclaimer

This Active Directory One Technical White Paper is for information purposes only. Estesoft team does not guarantee the accuracy of or the conclusions reached in this white paper, and this white paper is provided “as is”. Estesoft does not make and expressly disclaims all representations and warranties, express, implied, statutory, or otherwise, whatsoever, including, but not limited to: (i) warranties of merchantability, fitness for a particular purpose, suitability, usage, title or noninfringement; (ii) that the contents of this white paper are free from error; and (iii) that such contents will not infringe third-party rights. Estesoft and its affiliates shall have no liability for damages of any kind arising out of the use, reference to, or reliance on this white paper or any of the content contained herein, even if advised of the possibility of such damages. In no event will Estesoft or its affiliates be liable to any person or entity for any damages, losses, liabilities, costs, or expenses of any kind, whether direct or indirect, consequential, compensatory, incidental, actual, exemplary, punitive, or special for the use of, reference to, or reliance on this white paper or any of the content contained herein, including, without limitation, any loss of business, revenues, profits, data, use, goodwill, or other intangible losses.

Background

High employee turnover in medium and large organizations has a strong impact on IT, because staff identities must stay aligned with the digital infrastructure. Delays or errors in this alignment cause production inefficiencies: a new employee may wait too long before being fully operational, and an employee who changes role may be unable to access the organization's digital resources. Active Directory One helps you accelerate these business processes while improving their reliability.

Templates and Projects

Active Directory One uses projects and templates that can be saved to and loaded from files, and that contain everything needed to edit lists of Active Directory users or groups without writing directly to the AD database. Once the entire list of entities has been designed, a series of validity checks can be run on the prepared data and on their relationships with the data already present in AD; individual elements, or the entire project, can then be saved to Active Directory.

Templates

A template is a file that contains the attributes to be managed, their default values, and the automatic formatting rules for those values. Templates can be customized and are created from an existing document.

A new project is created from an existing template. If no templates exist, a predefined template stored internally in the application is used. If the new project is linked to a group or an organizational unit that already contains users or groups, the existing elements are analyzed during creation by an algorithm that collects the values of the attributes used by those entities. Where these values recur consistently, the algorithm derives new default values, which are then used when new elements are created within the project. As a result, when a new group or user is added to a project, the most common attributes are filled in automatically.

Projects

The project allows the entities to be edited. These may already exist in Active Directory or may not yet have been saved. If the entities already exist in AD, the project highlights the differences between the values being edited and the current AD values. At any time the edited values can be synchronized with those read from the AD database, or vice versa, through an automatic validation process. Elements not yet present in AD can be saved to Active Directory at any time; in this case too, validation must pass before they are inserted.

Users-type projects allow users to be edited, while Groups-type projects are used to work with groups. Each project has a scope that cannot be changed and that is either a group or an organizational unit. The scope is highlighted in the editing grid and, in relation to a single record, is also called the key field. If the key fields of an entity are changed so that it no longer belongs to the project scope, the entity is automatically excluded from the project once it is saved to Active Directory.

Project editing can be done on a single record or on multiple records using the Values window. Besides acting on several records at once, this window simplifies the creation of a new user or group, resets fields to their default value, and applies specific formatting rules at the attribute level.

The attributes, with their formatting rules and default values, can be fully customized through the Manage Columns dialog box. All Active Directory attributes are supported, including custom ones. Active Directory One also creates additional user- or group-level attributes marked with the Extra_ prefix; these enable further functionality without adding to or modifying the Active Directory schema.

For string attributes that hold file-system paths, a special Data Folder rule can be applied that describes the access permissions for that path; when the record is saved, the Data Folder settings are applied to the file system. For example, these rules let you create folders tied to a security group, or create link structures that point directly to users' folders.

Import – Export

Active Directory One imports lists of users or groups into the current project from Excel files.

The import algorithm is highly flexible: to define the import structure it needs only two header cells per column. The first row holds the name of the Active Directory attribute, the second row holds the string used as the column header for that attribute, and every cell in the following rows is treated as a value of that attribute.

The algorithm recognizes equality between incoming records and those already present in the grid and merges the records it considers equal, for example records with the same SID, or records matched by comparing other indexed fields.

Numeric and string attribute types are supported on import. To export, open a project and use the Export command; the entire project is exported in Excel format.
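The two-header-row import layout and the merge-on-equality step described above, as an added PowerShell example that is not Active Directory One's own code. It assumes the sheet is supplied as CSV text (the product reads Excel; CSV stands in for the worksheet so the example runs without extra modules), that equality is decided first on objectSid and then on sAMAccountName, and that the sample rows and grid contents are constructed for illustration.

```powershell
# Added example, not Active Directory One's code. Parses the "attribute row /
# header row / value rows" layout and merges incoming rows into an existing grid.
# Sample data and the key order (objectSid, then sAMAccountName) are assumptions.

$sheetText = @'
sAMAccountName,givenName,sn,objectSid,department
Username,First name,Last name,SID,Department
jdoe,John,Doe,S-1-5-21-1111-2222-3333-1105,Sales
asmith,Alice,Smith,,Engineering
'@

function Import-AdOneSheet {
    param([Parameter(Mandatory)][string]$Text)
    $lines = @($Text -split "`r?`n" | Where-Object { $_ -ne '' })
    if ($lines.Count -lt 2) { throw 'Sheet needs an attribute row and a header row.' }
    # Row 1 = AD attribute names (the real column identity), row 2 = display headers.
    $attributes = ($lines[0] -split ',').Trim()
    $headers    = ($lines[1] -split ',').Trim()
    if ($attributes.Count -ne $headers.Count) { throw 'Attribute and header rows differ in length.' }
    # Rows 3..n are values, keyed by attribute name, never by the display header.
    $records = if ($lines.Count -gt 2) {
        $lines[2..($lines.Count - 1)] | ConvertFrom-Csv -Header $attributes
    } else { @() }
    [pscustomobject]@{ Headers = $headers; Records = @($records) }
}

function Merge-AdOneRecords {
    param(
        [Parameter(Mandatory)][object[]]$Grid,      # rows already in the project
        [Parameter(Mandatory)][object[]]$Incoming,  # rows parsed from the sheet
        [string[]]$KeyOrder = @('objectSid', 'sAMAccountName')
    )
    $result = [System.Collections.Generic.List[object]]::new()
    $result.AddRange($Grid)
    foreach ($row in $Incoming) {
        $match = $null
        # The first key with a non-empty value on the incoming row decides equality.
        foreach ($key in $KeyOrder) {
            $value = $row.$key
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $match = $result | Where-Object { $_.$key -eq $value } | Select-Object -First 1
            break
        }
        if ($null -eq $match) { $result.Add($row); continue }
        # Union of equal records: non-empty incoming cells overwrite, empty cells keep grid values.
        foreach ($prop in $row.PSObject.Properties) {
            if (-not [string]::IsNullOrWhiteSpace($prop.Value)) {
                $match | Add-Member -NotePropertyName $prop.Name -NotePropertyValue $prop.Value -Force
            }
        }
    }
    $result
}

# Constructed grid: asmith already exists (with a SID) and has a differing first name.
$grid = @([pscustomobject]@{ sAMAccountName = 'asmith'; givenName = 'Alicia'; sn = 'Smith'
                             objectSid = 'S-1-5-21-1111-2222-3333-1106'; department = '' })
$parsed = Import-AdOneSheet -Text $sheetText
$merged = Merge-AdOneRecords -Grid $grid -Incoming $parsed.Records
$merged | Format-Table sAMAccountName, givenName, department, objectSid
```

With the constructed input, jdoe is appended as a new record, while the incoming asmith row (which has no SID) falls through to the sAMAccountName key, matches the existing grid row, and updates its first name and department without clearing the SID already in the grid.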

Public folders

For Groups-type projects, a public folder can be created automatically for each record in the project; only a shared root folder on the network needs to be set up. When the project is saved, the name of each public folder and its access permissions are derived from the attributes of the corresponding group. Public folders are thus created in moments, and the chance of error in assigning access rights is removed.
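One way to realize the Data Folder rule from the Projects section and the per-group public folders described here, as an added PowerShell example that is not Active Directory One's own code. It assumes the RSAT ActiveDirectory module is available, that the folder name is taken from the group's sAMAccountName, that the group receives Modify while BUILTIN\Administrators and SYSTEM keep full control, and that inheritance from the root share is cut so that no other principal inherits access; the share path and OU are placeholders.

```powershell
# Added example, not Active Directory One's code. Creates <Root>\<group> and
# derives its ACL from the group. Requires the ActiveDirectory module and
# write access to the share; the root path and OU below are assumptions.

function New-GroupPublicFolder {
    param(
        [Parameter(Mandatory)][string]$Root,        # existing shared root folder
        [Parameter(Mandatory)][string]$GroupName    # sAMAccountName of the group
    )
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $path  = Join-Path $Root $group.SamAccountName
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting from the root share and discard every inherited ACE,
    # so that access is exactly what this function grants.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $admins = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')
    $system = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')
    # Grant by SID rather than by name, so a later group rename cannot orphan the ACE.
    $members = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $group.SID, 'Modify', $inherit, $propagate, 'Allow')

    foreach ($rule in @($admins, $system, $members)) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $path -AclObject $acl
    $path
}

# Groups-type project scope: one folder per group in an OU (placeholders).
Get-ADGroup -SearchBase 'OU=Departments,DC=example,DC=com' -Filter * |
    ForEach-Object { New-GroupPublicFolder -Root '\\fileserver\public' -GroupName $_.SamAccountName }
```

After the run, `(Get-Acl '\\fileserver\public\Sales').Access` should list exactly three ACEs, none of them inherited; any extra entry means the root share's ACL was not cut and should be investigated before the folder is handed to users.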

Shortcuts

In organizations where access to the home folders of specific categories of users is required, for example a school where teachers must access the home folders of the students in their classes, organizing this access is hard because the folder structure in the file system grows complex as staff turn over. To overcome this, you can keep a simpler structure on the file system, such as a single folder for all students, and use Active Directory One to automatically create a shared, organized structure of shortcuts to the users' folders.

Delegated users

Users without administrative rights can still use Active Directory One through the Delegated Users command. With the delegation wizard, an administrator allows a delegated user to work with the software in Active Directory within a planned scope, which is a group or an organizational unit. Within that scope the software impersonates an administrative account, using a set of credentials configured specifically for this purpose, and it prevents any AD write operation outside the intended scope. The delegation can be permanent or can expire after a configurable period. Because the scope is enforced by the software rather than by Active Directory permissions, the credentials used for impersonation remain fully privileged and should be protected accordingly.

Active Directory One Agent – (ADOne Agent)

ADOne Agent is a service that lets you set up a strategy for de-provisioning users in Active Directory. It also interacts with Office 365 to assign licenses and configure mailboxes. ADOne Agent maintains a list of actions that the service performs in a programmed order, with a configurable pause between consecutive actions. When the last action completes, the cycle restarts from the first action and repeats indefinitely until the service is stopped.

ADOne Agent – Exit Strategy (de-provisioning)

This procedure lets you program the de-provisioning of users in a fully automated way. The scope can be a group, an organizational unit, or the entire domain, and the trigger can be the user's membership of a group or organizational unit, or a period of account inactivity.

When all trigger conditions are met, the exit strategy is activated and begins to monitor and manage the deactivation and deletion dates of the account.

While the procedure is active, programmable notifications can inform the user by email.

In the delete phase, if the user has a personal folder in the file system, it is deleted as well. The whole exit strategy is tracked in the Windows event log to preserve the operation history.
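A minimal two-phase exit strategy of the kind described above (disable first, delete after a grace period, remove the home folder, log every step), as an added PowerShell example that is not the ADOne Agent's code. It assumes the scope is one OU, the trigger is inactivity measured from lastLogonTimestamp, the planned deletion date is stamped in extensionAttribute1, home folders live under \\fileserver\home\<sAMAccountName>, and an event source named ExitStrategyExample was registered once with New-EventLog; all of these names are placeholders.

```powershell
# Added example, not the ADOne Agent's code. Windows PowerShell 5.1 with the
# ActiveDirectory module. Scope, attribute, paths and event source are assumptions.
# Run it under an account that may disable and delete only within the scope OU.

$Scope        = 'OU=Staff,DC=example,DC=com'
$InactiveDays = 90
$GraceDays    = 30        # a disabled account waits this long before deletion
$HomeRoot     = '\\fileserver\home'
$LogSource    = 'ExitStrategyExample'   # registered once: New-EventLog -LogName Application -Source $LogSource

function Write-ExitLog {
    param([string]$Message, [int]$Id = 1000)
    # Every phase leaves an entry, so the history survives the account itself.
    Write-EventLog -LogName Application -Source $LogSource -EventId $Id -EntryType Information -Message $Message
}

function Get-InactiveUsers {
    param([string]$SearchBase, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()
    # lastLogonTimestamp is replicated but may lag real logons by up to ~14 days,
    # which is acceptable for a grace-period policy. Accounts that never logged on
    # have no value and are deliberately not matched here.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter "(&(objectCategory=person)(lastLogonTimestamp<=$cutoff))" `
        -Properties lastLogonTimestamp, extensionAttribute1
}

function Invoke-ExitStrategyPass {
    param([switch]$WhatIf)
    foreach ($u in Get-InactiveUsers -SearchBase $Scope -Days $InactiveDays) {
        if ($u.Enabled) {
            # Phase 1: deactivate and record the deletion date instead of deleting outright.
            $deleteOn = (Get-Date).AddDays($GraceDays).ToString('yyyy-MM-dd')
            if (-not $WhatIf) {
                Disable-ADAccount -Identity $u
                Set-ADUser -Identity $u -Replace @{ extensionAttribute1 = $deleteOn }
            }
            Write-ExitLog "Disabled $($u.SamAccountName); deletion scheduled for $deleteOn" 1001
            continue
        }
        # Phase 2: already disabled; delete only once the stamped date has passed.
        if ($u.extensionAttribute1 -and [datetime]::Parse($u.extensionAttribute1) -le (Get-Date)) {
            $home = Join-Path $HomeRoot $u.SamAccountName
            if (-not $WhatIf) {
                if (Test-Path -LiteralPath $home) { Remove-Item -LiteralPath $home -Recurse -Force }
                Remove-ADUser -Identity $u -Confirm:$false
            }
            Write-ExitLog "Deleted $($u.SamAccountName) and home folder $home" 1002
        }
    }
}

Invoke-ExitStrategyPass -WhatIf   # dry run: logs what would happen, changes nothing
```

Run the dry run first and review the Application log entries from the ExitStrategyExample source; only when the list of candidates matches expectations should the pass be scheduled without -WhatIf. Deleting the home folder is irreversible, so a backup or an archive step before Remove-Item is the usual addition in production.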

ADOne Agent -Office 365 licenses

If your organization uses Office 365, after users have been created in Active Directory and synchronized to the tenant by synchronization software such as "Microsoft Azure AD Sync", the appropriate licenses must still be assigned to them manually.

ADOne Agent automates this process by periodically checking the licenses of new users in Office 365 and assigning the appropriate license based on the values of attributes chosen by the administrator. All license assignments are logged in the Windows event log for traceability.

ADOne Agent – Office 365 mailbox

For users in Office 365, the mailbox may not work correctly if the user sets options such as language, date or time format, or time zone incorrectly. ADOne Agent checks the mailbox configuration in Office 365 at regular intervals and automatically corrects any incorrect settings.
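The two Office 365 checks described in the last two sections (attribute-driven license assignment for unlicensed users, and correction of mailbox regional settings), as an added PowerShell example that is not the ADOne Agent's code. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and that sessions are already open (Connect-MgGraph with User.ReadWrite.All and Organization.Read.All, and Connect-ExchangeOnline); the mapping from the department attribute to SKU part numbers and the regional defaults are constructed for illustration.

```powershell
# Added example, not the ADOne Agent's code. Requires Microsoft.Graph and
# ExchangeOnlineManagement with sessions already connected. The department
# to SKU mapping and the regional defaults are assumptions.

$LicenseByDepartment = @{
    'Sales'       = 'O365_BUSINESS_PREMIUM'
    'Engineering' = 'SPE_E3'
}
$Regional = @{ Language = 'en-GB'; TimeZone = 'GMT Standard Time'; DateFormat = 'dd/MM/yyyy'; TimeFormat = 'HH:mm' }

function Resolve-SkuId {
    param([Parameter(Mandatory)][string]$PartNumber)
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU $PartNumber is not present in the tenant" }
    # Refuse rather than fail half-way when the pool is exhausted.
    if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) { throw "No free units left for $PartNumber" }
    $sku.SkuId
}

function Set-LicenseFromDepartment {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, Department, AssignedLicenses, UsageLocation
    if ($user.AssignedLicenses.Count -gt 0) { return 'already licensed' }      # only new users are touched
    if (-not $user.UsageLocation) { throw "$UserPrincipalName has no usageLocation; assignment would be rejected" }
    $part = $LicenseByDepartment[$user.Department]
    if (-not $part) { return "no mapping for department '$($user.Department)'" }
    $skuId = Resolve-SkuId -PartNumber $part
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $skuId }) -RemoveLicenses @() | Out-Null
    "assigned $part"
}

function Repair-MailboxRegional {
    param([Parameter(Mandatory)][string]$Identity)
    $cfg = Get-MailboxRegionalConfiguration -Identity $Identity
    $fix = @{}
    # Compare each setting with the expected value and collect only the deviations.
    foreach ($k in $Regional.Keys) {
        if ("$($cfg.$k)" -ne $Regional[$k]) { $fix[$k] = $Regional[$k] }
    }
    if ($fix.Count -eq 0) { return 'ok' }
    Set-MailboxRegionalConfiguration -Identity $Identity @fix
    "corrected: $($fix.Keys -join ', ')"
}

# Usage (placeholders): one pass over every user synchronized into the tenant.
Get-MgUser -Filter "onPremisesSyncEnabled eq true" -Property UserPrincipalName -All |
    ForEach-Object {
        [pscustomobject]@{
            User    = $_.UserPrincipalName
            License = Set-LicenseFromDepartment -UserPrincipalName $_.UserPrincipalName
            Mailbox = Repair-MailboxRegional -Identity $_.UserPrincipalName
        }
    }
```

Each function returns a short status string rather than writing anywhere, so the calling loop can forward the results to the Windows event log or another audit sink; the license step deliberately skips users who already hold any license, so it never downgrades or swaps an existing assignment.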