Active Directory Delegation of Administration
As organizations grow, certain tasks related to Active Directory, such as creating new user accounts, moving users, resetting passwords, etc., grow dramatically and consume a lot of time.
The built-in tools to delegate such tasks to non-administrative users are very limited and complicated. Moreover, many considerations should be addressed before delegation, some of which are as follows:
- IT technicians should have the required working knowledge of Active Directory management.
- Technicians should be trustworthy and their access level should be restricted to their responsibility.
- Default tools in Windows do not provide any feature to delegate privileges to users in other departments, such as HR and security department.
- To manage Active Directory, AD Users and Computers must be installed in users’ computer or they must have an access to domain controllers.
- Active Directory does not log or audit changes which makes it extremely difficult to trace security issues and unauthorized activities.
Simplified Active Directory Delegation
In Borna, the process with which Active Directory tasks are delegated to users in different departments are highly simplified and can be customized to satisfy the organization’s needs.
Flexible, Customizable Delegation
Borna allows administrators to manage several domains in a centralized fashion. Therefore, in the delegation process, in addition to specifying responsibilities, privileges can be delegated based on domains and OUs.
For instance, you can delegate necessary privileges to a user to only reset passwords in his own domain or OU, and another user to only create user accounts in another domain.
Not only are many default roles defined in Borna which can be used to delegate common, necessary responsibilities, but also customized roles can be easily defined according to your needs.
Delegate User Creation and Management Privileges to HR Staff
HR department has a direct connection with IT department particularly when a user account must be created or a user’s information needs modification which are usually requested by HR department.
Since the default tools in Windows do not provide any feature to easily delegate necessary privileges to non-administrative users, IT staff are forced to do these simple, but time-consuming tasks themselves.
Borna allows IT staff and administrators to delegate some tasks, such as creating and moving user accounts, to non-administrative users in other departments, like HR. Hence, IT staff would have more time to spend on more important and critical tasks.
Borna’s delegation subsystem has the following advantages:
- HR staff responsible for some minor IT tasks do not need to have any knowledge of Active Directory.
- Due to its web-based interface, Borna is accessible without requiring to install any additional software.
- Borna restricts users based on their permission as well as their OU and domain.
- Using delegation feature of Borna, there is no intervention needed by IT staff or administrator for routine tasks.
- Using the Change Request feature in Borna, administrator and IT staff can accept or reject changes before they are performed on Active Directory.
- All of the necessary fields, such as profile path, which requires some basic network or Active Directory knowledge can be set to default value by IT technicians, such that HR staff would not have to worry about filling them.
Approval-based Requests in Active Directory
Borna has a subsystem called Change Request. One can set this feature such that certain requests must be approved by an administrator or a manager before execution. Three main roles of this subsystem are as follows:
- Requester: Users who submit a request (e.g. creating user request or moving user request) in Active Directory. You can assign this role to technicians in HR department.
- Approver: Users who can approve or reject a request. This role can be assigned to technician in HR and IT department.
- Executor: Users who are responsible for performing operations related to a requests.
By using this subsystem, administrators could have a better control over changes in Active Directory. For more information, visit Active Directory Automation