Softerra Adaxes got under my skin, I admit. I love using it and I love what it can do for me, my department and a company. In part one I couldn’t hide my excitement. After being with the product for a while I have decided to write a second part focusing more on Role based delegation, Approval based Workflow and Logging.
Every department with more than one person, has a delegation based work. One person is usually in charge while the other is executing tasks based on policies and instructions. Let me give you an oversimplified example. Head of IT would have a person answering phones for end-user support, one person for servers and storage and one person for networking. When the company hires a new person, HR would send a user request form to a Service Desk email address or enter the data manually to the Servicedesk portal. And here the fun begins. One person has to open AD and email account. One person has to order a computer and one person has to create a new computer in AD account.
When you have more people doing AD administration, you will find experienced engineers and you will also see a person who just started – a junior. In ideal case HR person would create a new AD account. And why wouldn’t he/her? If you give access to Active Directory to a HR person, would you trust him/her? Are you sure that she won’t accidentally delete an important object? Same applies to a fresh men working in Help Desk department. How do you give access to Active Directory to a person you don’t trust, yet you know that her access would reduce your work?
Softerra Adaxes features to save your time
By default Adaxes has built in Roles that limit access to Active Directory, more importantly you can grant access to people you don’t trust. Because that access is needed for certain tasks you know it will save you or a person who works for you some time. You can grant a person access to add computers to Active Directory for example and know he won’t bork anything, because he does not have access.
You can grant a person access to reset a password, un-lock user and even notify them via SMS about the status. All you have to do is to assign Adaxes Help Desk role to him/her.
You can grant HR people access to create new users while on the other hand junior in HR could open new contacts in MS Exchange. My experience while using Adaxes is unique, because Active Directory does not support granular permissions. You can not limit users who are using it for such cases.
If I want to delegate permission to a person in a remote office in a different time zone to work on an account lockout and password reset features for his team – let’s say a warehouse I could assign him to a Help Desk role and assign only rights for his OU in AD.
One example, I hired Maria. She just started her work in IT department. She is 20 years old and this is her first time to do more than just assign tickets. Because we have Adaxes, I can give her access to operate delete users in Active Directory, but since I don’t trust her, I can set up an approval system, which with every request for deletion, forwards request for approval to my account. If I see that request is ok, I simply approve it and task is completed. You can have several approvers, just in case you are on an annual leave or to keep the process flowing.
You have limitless possibilities when setting up rules. There are many rules you can choose from, in fact I can’t find one that I miss. You can set up approvals for any actions that are being performed on a Computer, Contact, Group, Organization Unit or a User.
You could set up approvals for computer deletions, approvals for operations being done by juniors. Maybe you will need to confirm only deletions or perhaps renaming as well. On top you can set up a rule to send email to help desk portal for every user creation and deletion for audit trail / confirmation in Service Desk system.
One action I like is to create a rule, that once users are disabled, I have to approve activation, just in case a person who left the company, gets enabled again.
You can add a workflow to Scheduled tasks as well. If you need AD clean up automation, then, you don’t want, that accounts get deleted automatically. All actions like Inactive Computer Deleter and Inactive User Deleter can be added to a workflow approval process. All computers and accounts that should be deleted will go to your (or / and others) account and only if approved, will be deleted from the system.
When you go to Approval request you can see all Requests that need your attention. Each request can be Approved or Denied by clicking a button. You can filter requests by date so that it’s easier to go through if you have several.
Now we get to the best part. All Approvals can be approved on the web interface. When a Help Desk technician performs an action for which you set approval workflow, it has to be approved by a configured person. You will receive an email with a link to the Web interface. In example below Maria Tries to enable Josh.
When she pressed OK, request for approval goes to my account. The same can be configured for other actions like Delete User Action.
When I click on My Approvals I will see a list of all operations waiting for my approval. One feature I particularly like is that I am able to expand Approval request and see additional information. For example, Maria created a new user, since I have to approve her request, I can click on a plus sign and see additional information about new user she created. I can see which information she added to the user. If she forgot to add Department, telephone number, Organisation, etc… I can easily decline the request so that the next time, she will do better.
Logging changes in Active Directory can be tough. Especially since you need to monitor Event log. First you need access and secondly information in the event log is not easily readable and it is hard to search for certain information like who, when, what.
Adaxes has a pretty nifty logging tool which logs all events and present them in a information readable to a human being. Immediately when you click on a Logging, you will see a list of events where you can see who did what. All in a easy to understand view. You can filter events by date and even group by action. You can add your set of filters to narrow down the search.
If you click on a user, go to All Tasks, Management History, you will see a complete history for a user.
You can see what actions have been performed and you can again filter like you want by setting your own conditions.
Softerra Adexas and a Reason for life?
Contrary to some people beliefs, I think that a reason for life is productivity. Reason for life is Enterprise. Reason for life is to see what you can accomplish, to see how far you can go, what you can do for IT department, how you can improve security, how you can optimize time, how many hours you can save. IT tasks can be automated so I try to automate as much as possible. And I love doing it.
Let me introduce you to Alex. Alex is one of the best salesman we have. He used to be a bartender back in the restaurant days. Now he is working as a salesman in our Company. Like all salesman, he talks about things, about IT Department as well. He used to tell stories to his colleagues how IT was unresponsive. He called in one day. He had a problem with a password. He didn’t say that he returned from a weekend and forgot a password he set on a Friday. He couldn’t reach IT number because the line was busy for 30 minutes. He forgot to mention that at that time the line was busy because 1/3 of sales department returned from vacation and they either forgot the password or they got locked out trying to log in. Oh, and some people didn’t know how to change a password (type old password, type new password twice) and IT had to help. I know, but this kind of people are real, living among you.
The point he was making was that IT is not responsive, IT does a poor job and should get fired because he had to wait or had to try calling several times.
This situation is not limited to our company. It happens around the world. But you can put an end to this and similar stories. Adaxes can solve this kind problems easily. Stay tuned for part three.