User Lifecycle

Active Directory Management & Automation

User Lifecycle within IT 

In today’s world, when new employees are hired, the IT department plays a major role in welcoming them. It’s a lot of tedious and repetitious work: creating accounts in Active Directory, adding them to groups, creating home folders and Exchange mailboxes, assigning Office 365 licenses, etc. Doing it manually means support staff must switch between multiple tools and interfaces and follow long and convoluted provisioning procedures that vary for different types of users. Such complexity inevitably leads to mistakes, missteps, and delays, and it can’t be solved by delegating to HR or managers without over-privileging them. As a result, the IT department is trapped in time-consuming routines while new users wait for hours or days before they can start working. We eliminate all these problems completely with rule-based automation.

After a new employee is hired, all provisioning procedures, like creating Active Directory accounts, setting up a home folder, creating an Exchange mailbox, assigning Office 365 licenses and others, are executed instantly and based on company policy. Tasks such as adding new users to different groups based on job role or moving them to an OU based on location will all be automated. Once configured, all you need to do is fill out a form with user name, job title, and location, click create, and that’s it! Everything else is done by the automation rules put in place. Even users with limited technical skills, such as your human resources department, can initiate the process and have the proper IT accounts created after routing the request through a predetermined approval process.

All that applies to user updates as well. For example, when a user is promoted, all you need to do is change the job title property, and the process will then adjust group membership, update Office 365 licenses, and move the user to a new OU, strictly following your company rules.

When a user is terminated, according to your policies, the process will disable the user account in AD and all connected systems, relocate the home folder, set mail forwarding to the user’s manager, remove the user from all groups, revoke Office 365 licenses, reset the user’s password, move the account to a secured OU and delete it after a certain time. With deprovisioning automated, all of the user’s access to your system is blocked at the exact moment they leave, eliminating the risk of a data leak or possible data loss from previous employees.

With our user lifecycle automation, there is no more waiting for your users, no more tons of routines for IT staff, and no more human-factor mistakes. Managing the user lifecycle couldn’t be easier!

01Logix, a Softerra partner, has been helping, guiding, and training organizations with complicated setup scenarios that require custom solutions to fit their IT environment’s specific needs. Our consultants specialize in the implementation of Adaxes and can help automate manual and time-consuming processes such as user provisioning, deprovisioning, and reprovisioning through integration with Human Resources systems. Our system architects can help you achieve your objectives in terms of security and high availability, and our support staff can provide you with ongoing maintenance and support.

Adaxes Features

Active Directory management

Active Directory plays a major role in many critical processes within organisations. Effective and secure Active Directory management becomes increasingly important and at the same time increasingly challenging, especially in large and complex environments. Native tools for Active Directory management are inefficient as they provide only basic functionality and cannot be used for Active Directory automation, web-based administration, role-based security, cross-domain management, audit of changes, etc. It becomes obvious that a higher-level solution like Adaxes is needed to cope with all the challenges associated with Active Directory management. Softerra Adaxes provides a number of much-needed features that make Active Directory management, maintenance and administration much simpler, more secure and more effective.

Active Directory Provisioning

User provisioning, deprovisioning, and reprovisioning can be extremely complex and difficult-to-manage processes that take a lot of time and effort. When a new employee starts, this employee needs an Active Directory account, an Exchange mailbox, and a home folder; the employee’s user account must be added to certain security groups and distribution lists, etc. When an employee leaves, the AD account of this employee must be disabled and removed from all distribution lists and security groups, the user home folder must be relocated or deleted, user accounts in various applications must be deactivated, and much more.

If Active Directory provisioning involves a series of manual activities performed by a human, user provisioning and deprovisioning can easily become extremely complex, tedious, and time-consuming tasks accompanied by various kinds of errors and faults. To eliminate the issues related to the process, all operations involved in Active Directory provisioning must be automated. Process automation reduces the administrative costs associated with user account management and becomes especially important when multiple people (Help Desk, support, administrators) are involved in Active Directory provisioning.

Active Directory Delegation

Active Directory management involves many different operations that require administrative privileges granted by default to AD administrators only. Though operations like password reset or account unlock are pretty simple, they take up a lot of highly skilled IT staff’s time, not allowing them to focus on more complex and important issues. Active Directory delegation helps you optimise the productivity of the IT department by letting non-administrative users (e.g. department managers or Help Desk operators) perform certain administrative activities in Active Directory.

Active Directory Web Interface

Today, the majority of organisations worldwide use Active Directory to manage and control the identity lifecycle of users. For administrators, help-desk operators, auditors and other users it is crucial to have constant and secure access to Active Directory from any location, even without having physical access to AD servers. The only way to achieve this is to provide controlled web-based access to the Active Directory environment.

The necessity of an Active Directory Web Interface increases drastically if there is a need to delegate AD management tasks to non-administrative staff. Usually, this staff doesn’t have access to native AD management tools and needs a simpler, easy-to-use and intuitive solution. Fortunately, there is such a solution – Softerra Adaxes. Among other AD management facilities, Softerra Adaxes enables highly granular, controlled, and secure Active Directory Web access.

Active Directory Self-Service Password Reset

Active Directory password reset is a day-to-day routine for the help desk, and it takes a lot of time. Statistics show that IT support personnel handle password reset calls for almost 40% of their working day. The procedure for each call includes greeting, authentication, execution of the reset, confirmation, and goodbye. On the basis of this, multiple surveys were conducted. These surveys took into account average help desk wages, the percentage of password reset calls and time consumption. By generalizing their results, one can see that the average cost per password reset call varies from $15 to $20, which is pretty expensive. So is there a way to minimize password reset expenses without loss in security? Adaxes allows decentralizing password reset/account unlock by providing secure Self-Service Password Reset to end-users.

Exchange Management & Automation

Exchange management is a headache. This statement is supported by countless articles, blog posts and forum topics on the Internet. Web searches yield a myriad of tips and best practices on how to streamline the process and make it less expensive. With all the vast amounts of information available, the problem is still there and desperately needs a strong and effective solution.

Why is there so much talk and fuss about Exchange management? The answer is straightforward: it is expensive because it involves a lot of manual work by skilled technicians. Consider the following. When a new employee comes in, someone needs to create and configure a new mailbox for the employee. This requires knowledge of how to pick a mailbox database, which mailbox features to enable for this particular user, which mailbox policies to assign, etc. When an employee is relocated to a different city, promoted, or transferred to another department, somebody has to move their mailbox to another database, adjust mailbox rights, change mail flow settings, etc. When an employee goes on sick leave, somebody must set the Auto-Reply message for the user, configure email forwarding, put the mailbox on retention hold, etc. When an employee leaves or retires, their mailbox must be properly deprovisioned, which is a complex task that requires multiple steps to complete.

What does all this mean? It means that somebody has to learn and consistently follow a rigorous set of guidelines and policies for Exchange management. Not only is it ineffective and a huge waste of human resources, it also leaves too much room for human error – the root cause of downtime and out-of-compliance issues.

Office 365 Automation & Management

To be more agile, cost-effective and responsive to their business needs, organisations of all sizes are steadily marching towards the phase of either being in Office 365 or getting there. However, apart from all the advantages and features it provides, Office 365 brings increased complexity and additional challenges to the business processes related to management of user identities and access. Office 365 management becomes yet another new challenge to overcome and adds even more tasks to an already full plate of things to do. One of the major problems that emerge is how to get users into the organisation’s Office 365 tenant and how to grant specific users access to the Office 365 services they need to carry out their specific duties.

The most essential step towards achieving the much-desired cost efficiency and operational agility is to automate Office 365 management tasks wherever and whenever possible. Adaxes delivers the missing layer of automation and policy enforcement needed to sustain the compliance and efficiency goals.

Scheduled Tasks

Active Directory management involves a lot of activities that must be performed on a regular basis. Very often such activities must be carried out during off hours and require a long time to complete. Here is a list of typical routine actions that usually need to be performed periodically:

  • send e-mail notifications to users whose passwords are about to expire,
  • notify managers about soon-to-expire accounts of their subordinates,
  • delete inactive user and computer accounts from Active Directory,
  • add users to groups based on predefined rules,
  • move users across OUs if certain conditions are met,
  • synchronize Active Directory with external data sources,
  • update properties of Active Directory objects using modification templates, etc.

With Adaxes you can quickly and easily automate such tasks, and you don’t need to be a software developer to do this!

Custom Commands

Day-to-day Active Directory management involves many routine and recurring tasks that often require multiple steps to complete. For example, every time an employee is assigned to a new project, goes on vacation, or departs on sick leave, a number of actions must be carried out in accordance with appropriate procedures and company policies. Such actions may include updating account options, modifying group membership, changing email forwarding settings, sending e-mail notifications, etc. Not only is the manual performance of all these operations error-prone and time-consuming, but it also requires that the person in charge knows and follows all proper policies and procedures.

Active Directory Automation

From day to day, Active Directory administrators and other staff involved in Active Directory management have to spend tons of time performing routine tasks related to user provisioning, management, and deprovisioning, group membership maintenance, security administration, etc. The use of native tools is ineffective and time-consuming at best, as they offer no opportunities for standardization of the process and are completely inefficient when it comes to Active Directory automation.

Active Directory Role-Based Security

Successful Active Directory management requires distribution of administrative responsibilities among multiple users (like Help Desk operators or department managers) according to their operational and administrative role in the organisation. Delegation of administration rights makes management much easier and more efficient, but may pose a number of security risks if not implemented properly. The native means for Active Directory delegation introduce a number of challenges and are often ineffective for the following reasons:

  • The process involves modification and maintenance of multiple Access Control Lists (ACLs) across many objects in Active Directory, which is very error-prone and often results in users either not having access they need or having elevated administrative privileges they don’t need.
  • There is no central place to store and manage permissions, and, as a result, it is rather challenging to control who has what privileges and why.
  • Permissions can be applied either at the domain or OU levels only.  This significantly complicates the delegation process, because the Active Directory OU structure is often designed for effective application of Group Policy Objects, rather than for delegation of security rights.