I’m sure that for many of you Active Directory is a mainstay of your day. I know that from my PowerShell perspective, this is a very popular topic for automation. Clearly, IT pros want management tools. So today I want to take a look at a product called Adaxes from Softerra.
Softerra has been in the AD business for a long time. Years ago, I used their free LDAP browser when Windows 2000 came out. In fact, that utility is still freely available today. But I’m going to assume you need a more full-featured solution for managing and automating Active Directory. I won’t have time to cover every feature, but you can download it and test it with a free 30-day trial.
You can install everything on a single server or take what I feel is a more traditional path. I installed the Adaxes Service and web components on a Windows Server 2012 R2 server. On a Windows 10 client, I installed the Service Administration Console and the PowerShell module. Everything installs from a single MSI. You select what you want to install.
Note that if you want the PowerShell module, you need to have the PowerShell 2.0 engine installed. The service installation is pretty straightforward and probably like other client-server applications you’ve installed in the past. The installation requires .NET Framework 3.5 SP 1. You may need to go into optional features and explicitly install the .NET Framework 3.5. I would then suggest running Windows Update to make sure everything is current.
One of the useful features is the inclusion of several web portals. These portals give you, the help desk, and users access to the Adaxes services and features that they need.
The service installation will open port 54782 on the server. If you are installing the web features, this will obviously require an IIS installation, which means port 80 will also be open.
If you will be installing the management tools on your desktop, set up the service first. The installation only takes a few minutes, if that. When complete, you should see some new menu items.
Start the Administration Console, and follow the installation guide to configure the service for your domain. Any installation you do must be on a domain member.
There is a lot going on in the console, but I found most of it pretty intuitive to use.
Adaxes is designed to meet the Active Directory needs of three different audiences and provides customized interfaces for each. In addition to integrating with Active Directory, you can use Adaxes with other user-centric products like Exchange and Office 365, although I didn’t try any of those features in my test environment.
Adaxes acts more like a front end to Active Directory and does not replace it. Nor does it act as a full-fledged proxy solution. I should also point out that nothing needs to be installed on any domain controller. The only requirement is that you run the product from a domain member desktop or server. You can still use Active Directory Users and Computers or the Microsoft Active Directory cmdlets if you want. But if you run your Active Directory tasks through a server running the Adaxes service, then you can take advantage of a very rich feature set.
In addition to the typical AD-related tasks, such as creating and moving user accounts or modifying group membership, you can create process workflows. For example, I’m sure many of you have built home-grown scripting solutions to create a user, add them to some groups, create their home folder and create a mailbox. Well, that is exactly the type of process you can create as a business rule through their graphical interface.
When I create a new user in Sales and Marketing, as long as I do it through the Adaxes service, my rule will run. These rules can be as complex as you need them to be, and they are incredible time savers. Here’s a built-in example.
Depending on your organization, expect to take some time getting these rules set up and working perfectly. But once in place, I don’t see how the additional automation is anything but beneficial.
The same is true of the Scheduled Tasks feature. Adaxes ships with a few common recurring tasks.
These are tasks you most likely would like to do on a periodic basis but either haven’t gotten around to it or you are relying again on homegrown scripts. Like business rules, you can use any number of pre-defined building blocks. And as a last resort, you can always schedule a PowerShell script. I tested out the scheduled task feature to periodically standardize a user property. Adaxes has methods for ensuring data consistency, but they only apply if Active Directory is managed through the service. For everything else, you might want to make sure as I did in my test, that a property like Company has the value you expect. You can limit your scheduled task to a business unit or OU.
All of this automation and workflow is where Adaxes really shines. At times your options can be a bit overwhelming, but the online documentation and tutorials go a long way. Oh, and everything you do through Adaxes is logged and searchable.
In addition to being able to do just about everything through a web interface as well, the web portals also offer some terrific reporting features.
I expect many of the pre-built reports are items you would love to have. I especially like that the reports are interactive. For example, when I run a report showing recently created user accounts, I can click on the user account and manage that account right from the portal.
User management via the web portal (Image Credit: Jeff Hicks)
In addition to the console and web interfaces, Adaxes ships with a PowerShell module of 39 commands. The syntax of most commands is very similar to the Microsoft Active Directory cmdlets. If you’ve used Get-ADUser, you can use Get-ADMUser.
The module requires at least PowerShell 2.0, which I’m assuming most of you are beyond. However, the installation checks for the existence of the PowerShell 2.0 engine, which is now optional. So if you want to use the module, you’ll need to make sure you have enabled v2. You don’t need to use it. I ran the commands just fine in Windows 10 under PowerShell 5.0.
The only potential gotcha that I can see is that if you are using any of the cmdlets that will change something, such as moving a user, you need to make sure you specify the Adaxes service, especially if the service is running on a different box.
Because I used the Adaxes service, my business rules for new users in this business unit automatically executed. You could easily set a default parameter value.
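The default parameter value mentioned above, combined with the Company consistency check described earlier, as an added example that is not from the original article or from Softerra. The host name, OU and company value are constructed placeholders, and the `-AdaxesService`, `-Filter`, `-SearchBase`, `-Properties` and `-Company` parameters are assumed to mirror their Microsoft Active Directory cmdlet counterparts.

```powershell
# Added example. Routing every call through the Adaxes service means
# business rules run and the change lands in the central Adaxes log.
Import-Module Adaxes

# Constructed placeholders: replace with values from your own environment.
$adaxesHost = 'adaxes01.example.local'        # server running the Adaxes service
$searchBase = 'OU=Sales,DC=example,DC=local'  # OU to check
$expected   = 'Example Corp'                  # Company value you expect

# Default -AdaxesService for every *-Adm* cmdlet in this session, so a
# change cmdlet cannot silently skip the service. Needs PowerShell 3.0+.
$PSDefaultParameterValues['*-Adm*:AdaxesService'] = $adaxesHost

# Read-only pass: list accounts whose Company differs from the expected value.
# Assumption: Get-AdmUser accepts the same parameters as Get-ADUser.
$drift = Get-AdmUser -Filter * -SearchBase $searchBase -Properties Company |
    Where-Object { $_.Company -ne $expected }

$drift | Select-Object SamAccountName, Company | Format-Table -AutoSize
Write-Output ("{0} account(s) out of policy" -f @($drift).Count)

# Change pass, off by default so the first run only reports.
$apply = $false
if ($apply) {
    foreach ($user in $drift) {
        # Assumption: Set-AdmUser has a -Company parameter like Set-ADUser.
        # -AdaxesService is supplied by the default parameter value above.
        Set-AdmUser -Identity $user.DistinguishedName -Company $expected
    }
}
```

Run it once with `$apply = $false` to review the drift list, then confirm in the Adaxes log that the corrections were recorded after enabling the change pass.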
The Adaxes module also includes a PSProvider and a default PSDrive, much like the PSDrive you get with the Microsoft cmdlets.
Adaxes is licensed in bundles per enabled and unexpired user accounts, starting at $1600 for the first 100 users, and the licenses are perpetual. You also have the option to purchase an annual maintenance and support contract. You can learn more by visiting the purchase page.
If you have any questions on licensing or cost, talk to the folks at Softerra. But I have to admit the cost to benefit ratio is pretty compelling. Let’s say you run a small shop and your time is worth $50 per hour. That would equate to 32 hours of work effort. There’s no way you could build home grown solutions for a fraction of the feature set in this product and the daily management time saved is also considerable. And I didn’t even get into the password self-service feature, which depending on your user base, may be worth the price of admission by itself.
I don’t have too many concerns about features that are lacking or don’t work. If anything, the standard console can be a bit overwhelming between tree controls, icons, and menu choices. I also expect the learning curve to fully take advantage of all features is a bit steep but not without rewards.
There’s a lot to like and recommend with this solution. For starters, your domain controllers can remain untouched. No changes are made to your AD schema and nothing is stored in AD. Thus you can safely test the product without having to worry about complex rollback schemes.
I’m also a big fan of the business rules and scheduled tasks. I think of these features as force multipliers like in the military. They add extra firepower to common tasks, such as creating a new user account. I like the reporting capabilities, as I know many of you have spent a lot of time struggling to build similar reporting mechanisms. Related to reporting is the logging feature. Now you have a central location for all logged Active Directory related events, provided they were run through the Adaxes service.
And finally, how can I not like a product that has a full set of PowerShell cmdlets? Even though the cmdlet coverage doesn’t come close to duplicating functionality in the GUI, the cmdlets are easy to use and familiar. The module is listed as version 1.0, so I have to assume cmdlet coverage will increase over time. For example, it would be nice to have reporting cmdlets so I don’t have to rely on a web browser.
If I had significant Active Directory responsibility, I would definitely be trying this product out. Even more so if I also had to manage users’ Office 365 or Exchange accounts. The ability to build workflows and automation for typical management tasks is a very compelling reason to give this a try. If you can carve out the time to get everything configured the way you need it, I think the product will make you a much more efficient and happier administrator.
You can learn much more by visiting Softerra Adaxes online. There are demo videos, tutorials and screenshots. Even better, there is a live demo, where you can try the product out for free without having to download or install anything. Although allow yourself at least 45 minutes, as it takes a bit of time for them to spin up a virtualized environment, which is more an issue for their hosting company than Softerra.
Disclaimer: On my personal blog, Softerra is a paid advertiser, but this review is based entirely on my own testing, observation and experiences. The opinions are my own, unsolicited and uninfluenced.