At the heart of Active Roles is its security. Active Roles security is done through what are called access templates. Templates give us the ability to give users or groups or whatever rights over specific things. Active Roles is what we call a zero-up security model, meaning that unless you are given specific rights in Active Roles, you have no right to do anything in Active Directory.
Let's walk through one of these templates very quickly. Here I have a template that I call Help Desk Level 1. This is for my basic first line of defense, the help desk techs. I can open it up, and I can see here that what I've done is I've taken other templates-- and these on the left side here are some of the built-in ones, but I could just as easily use my own or create them on the fly-- and given them specific rights to do specific things. Here they can change certain phone number properties. They can deprovision (a.k.a. terminate) an account, reset a password, unlock an account, read and write a lot of basic information, and add and remove users from groups. All those can be done with this template.
But that leads me to another problem. Well, OK, so I have my first level help desk. What about the guys who are a step above them? What about the guys that have more experience, we trust them more, and he or she is able to do more things? Well, we have the Help Desk Level 2 template. So what's great about Active Roles is I can just nest a template. So I can take that entire Help Desk Level 1 template that I just made, nest it in here, call it Level 2, and then also add the ability-- in this case, just for the sake of discussion-- to undo a deprovision, meaning we terminated an employee, but we want to un-terminate them because it was a mistake. HR asked us to terminate the wrong user, or whatever the situation is. We can do that.
Once we create our templates, we then have to link them. And the way it works in Active Roles is that we link a template to a specific location (an OU or other scope) and to a specific user or group, the security principal that will get those rights. So what we can see here is I've clicked on the Help Desk Level 2 template. And right here, it's listing every place that that template has been applied. In this case, you can see that I have a group here called Help Desk Level 2, which is just an Active Directory group. The access template is called Template Help Desk Level 2, which we just looked at. And I've linked it here over my Employees OU, and I've also linked it over my Groups OU. And the reason for that is, obviously, I need to be able to allow them to modify the group membership of groups in there, as you saw in that template from before.
One of the biggest problems we hear from customers is when they design their Active Directory environment, they have to design their AD tree in one way. I've sat in many rooms where I've heard people say, well, gee, we want to separate out everything by location. And another group says, well, we really need to separate everything out by department or by different physical sites, or whatever it ends up being. But the bottom line is there's no way to make everybody happy-- except there is.
With Active Roles, we have a concept that we call managed units. A managed unit is kind of like a virtual OU. So what you can see here is over here in Active Directory, I have all of my employees in one OU called Employees. But up here, I have them cut into different virtual OUs, or managed units, by location. So here I have them by the different offices that I have and whatnot. I even have one for users who have no office at all.
One of the things that's great about Active Roles is that these are actually dynamic. And what I mean by that is that I can go in, and I can set the rules for these. So in this particular case, I have one that's going to change on its own all the time. And what I've told it is if the property itself here, office location, which is what's known as physical delivery office in Active Directory, is exactly LA, then they're in this managed unit. If it's anything but that, then they won't be.
And I can get very complicated and layer these things, and even do LDAP queries and whatnot, and explicitly include and exclude people and all that, but we won't get into that today. My point in showing you all this is that you can slice and dice your users however you want. And if you've already seen the section on access templates, I can apply access templates, or link access templates, to managed units just as if they were an OU. So if I have a help desk that manages three offices, for example, but those three offices are all in one OU, then I can create a managed unit that says, hey, if you're in one of these three offices, then this group of help desk users can maintain those users, and nobody else. So there's a lot of advantages. And I'm just giving you an idea here, but you can see the power of the different things I can do with managed units, and how they make my entire environment easier to maintain.
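To make the model concrete, here is an added example (not code from Active Roles or from this demo) that models the three ideas above: nested access templates, links of the form (group, template, scope), and a managed unit whose membership is a rule over a user attribute, with a zero-up check that denies anything no link grants. Template names, right names, OU distinguished names and the sample users are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Union


@dataclass
class AccessTemplate:
    """A named bundle of rights; nesting another template adds all of its rights."""
    name: str
    rights: Set[str] = field(default_factory=set)
    nested: List["AccessTemplate"] = field(default_factory=list)

    def effective_rights(self) -> Set[str]:
        rights = set(self.rights)
        for t in self.nested:  # Level 2 = everything in Level 1 plus its own rights
            rights |= t.effective_rights()
        return rights


@dataclass
class ManagedUnit:
    """A virtual OU: membership is computed on demand from a rule over user attributes."""
    name: str
    rule: Callable[[Dict[str, str]], bool]


Scope = Union[str, ManagedUnit]  # an OU distinguished name, or a managed unit


def in_scope(scope: Scope, user: Dict[str, str]) -> bool:
    if isinstance(scope, ManagedUnit):
        return scope.rule(user)  # dynamic: re-evaluated every time, never stored
    return user["dn"].lower().endswith("," + scope.lower())  # user sits under that OU


def is_allowed(links, member_of: Set[str], right: str, user: Dict[str, str]) -> bool:
    """Zero-up: deny unless some link grants this right to one of the caller's groups in scope."""
    return any(group in member_of and right in tmpl.effective_rights() and in_scope(scope, user)
               for group, tmpl, scope in links)


# Constructed sample data mirroring the demo (hypothetical names and right labels).
LEVEL1 = AccessTemplate("Template Help Desk Level 1", {"edit-phone", "deprovision", "reset-password",
                        "unlock-account", "read-basic", "write-basic", "modify-group-membership"})
LEVEL2 = AccessTemplate("Template Help Desk Level 2", {"undo-deprovision"}, nested=[LEVEL1])
MU_LA = ManagedUnit("Employees - LA", lambda u: u.get("physicalDeliveryOfficeName") == "LA")
LINKS = [
    ("Help Desk Level 2", LEVEL2, "OU=Employees,DC=example,DC=com"),
    ("Help Desk Level 2", LEVEL2, "OU=Groups,DC=example,DC=com"),
    ("Help Desk Level 1", LEVEL1, "OU=Employees,DC=example,DC=com"),
    ("Help Desk LA", LEVEL1, MU_LA),  # template linked to a managed unit instead of an OU
]
ALICE = {"dn": "CN=Alice,OU=Employees,DC=example,DC=com", "physicalDeliveryOfficeName": "LA"}
BOB = {"dn": "CN=Bob,OU=Employees,DC=example,DC=com", "physicalDeliveryOfficeName": "NY"}
```

Changing Bob's office attribute to "LA" moves him into the managed unit, and therefore into the LA help desk's scope, without touching the OU tree.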
One thing that you hear almost universally from all Active Directory administrators is that they don't like to do schema updates. The thought of messing around with all your domain controllers and changing things outweighs their desire