ADM

1
ADM

• Active Directory Management Tool

2
What is ADM?Active Directory Management Tool

• ADM is an application that helps to automate the
  management of the Active Directory
• It is, essentially, a COTS product from Quest
  Software ActiveRoles Server version 5.2.1
• It is a proxy-based solution for setting roles
  based permissions on the Active Directory
• It has allowed customization to allow for the
  integration of NIH workflow.

3
Technical Overview
4
(No Transcript)
5
Self Help Page
6
My Account
7
My Account (cont)
8
My Account (cont)
9
Settings
10
Help
11
Directory Management
12
A Full Admin view of an ICs OU
13
A Full Admin view of Users OU
14
A Users Attributes
15
Exchange Properties
16
Management Activity
17
Details
18
Management History
19
Administrative Roles

• Full Admins
• Have Full Control for ALL properties on ALL
  objects starting at the IC OU level.
• Deny Delete rule has been set at the IC OU level
  to prevent accidental deletion of IC OU.
• Membership for the ICs Full Admins Group is
  controlled by EMIB. Modifications will be made on
  request by IC CIO.
• Account Admins
• Have Full Control over OU specific objects within
  the IC OU.
• Can NOT create OUs
• Can NOT modify the OU structure
• Helpdesk Admins
• Can list groups and user accounts, add/remove
  them into/from groups, reset user passwords, view
  and modify logon-related properties of user
  accounts.
• Can Create and Delete Computer Objects and Add
  Computers to the Domain

20
Administrative Roles

• IC Admin roles, other than the Full Admins, can
  be modified to accommodate the needs of the IT
  branches for each IC.
• If needed the IC Full Admins can create
  additional Admin Roles. (i.e. GPO Admins Script
  Admins, etc.)

21
New Email Enabled User Accounts

• Workflow is basically the same as the CES Website
• UNINAME database is checked for duplication
• AD is checked for duplication
• Account Information must be added according to
  policy
• AD account is created
• For migrated ICs 2003 mailbox is created
• For 5.5 mailboxes, a CSV file is created and set
  to account management team for manual creation.

22
New Service Account

• Account name is checked in AD for duplication
• Account Information must be added according to
  policy
• Account is created in AD
• It is suggested that all service accounts be
  placed in the Users container within the OPS OU.

23
New Group

• Group Name must adhere to policy before creation
  of the group object is allowed
• All groups will begin with the the IC name

24
New Computer

• Computer Name must adhere to policy before
  account will be allowed
• All comuter names must begin with the IC name
• Recommended that the IC prefix is followed by
  division and username.

25
New Organizational Unit

• All ICs have a basic OU structure based on
  recommendations from Microsoft Consulting
  services.
• To help insure our exchange migrations run with
  the least possible errors, we MUST have all users
  reside in the Users OU with each ICs OU.
• After ALL ICs have been migrated to Exchange
  2003, the ICs may change their OU structure to
  reflect their business model.
• New OUs may be created by Full Admins only.

26
ADM MMC

• CIT will supply a mmc to accommodate the ICs
  with an alternative method of AD management.
• This mmc should be used in case the Web Interface
  is not available or the Full Admin needs
  additional means for management.
• We recommend this mmc be reserved for upper level
  administrators.

27
ADM MMC

• The Active Roles Server MMC can be found on the
  file share
• NIHAPPS\ADMUtil
• Documentation is available on the same network
  share.