Active Directory Delegation of Administration

 

As organizations grow, certain tasks related to Active Directory, such as creating new user accounts, moving users, resetting passwords, etc., grow dramatically and consume a lot of time.

The built-in tools to delegate such tasks to non-administrative users are very limited and complicated. Moreover, many considerations should be addressed before implementing Active Directory delegation, some of which are as follows:

 

  •  IT technicians should have the required working knowledge of Active Directory management.
  •  Technicians should be trustworthy, and their access level should be restricted to their responsibilities.
  •  Default tools in Windows do not provide any feature to delegate privileges to users in other departments, such as the HR or security departments.
  •  To manage Active Directory, AD Users and Computers (RSAT) must be installed on users’ computers, or they must have access to domain controllers.
  •  Active Directory does not log or audit changes, which makes it extremely difficult to trace security issues and unauthorized activities.

 

Simplified Active Directory Delegation

In Borna, the process by which Active Directory tasks are delegated to users in different departments is highly simplified and can be customized to satisfy the organization’s needs.

 

Because the interface is web-based, there is no longer a need to install additional software or packages on technicians’ computers.

  assign active directory roles to technician in Borna ad manager

 

Assign active directory permissions on roles in Borna ad manager  

Flexible, Customizable Delegation

Borna allows administrators to manage several domains in a centralized fashion. Therefore, in the delegation process, in addition to specifying responsibilities, privileges can be delegated based on domains and OUs.

 

For instance, you can delegate necessary privileges to a helpdesk technician to only reset passwords in his own domain or OU, and another user to only create user accounts in another domain.

 

Borna defines many default roles that can be used to delegate common, necessary responsibilities, and customized roles can also be easily defined according to your needs.

 

Delegate User Creation and Management Privileges to HR or Helpdesk Staff

The HR department has a direct connection with the IT department, particularly when a user account must be created or a user’s information needs modification, both of which are usually requested by the HR department.

 

Since the default tools in Windows do not provide any feature to easily delegate necessary privileges to non-administrative users, IT staff are forced to do these simple, but time-consuming tasks themselves.

 

Borna allows IT staff and administrators to delegate some routine tasks, such as creating and moving user accounts, to non-administrative users in other departments, like HR. Hence, IT staff would have more time to spend on more important and critical tasks.

 

  Assign roles based on OU and domain in Borna ad manager
  • Borna’s AD delegation subsystem has the following advantages:

    •  HR staff responsible for some minor IT tasks do not need to have any knowledge of Active Directory.
    •  Due to its web-based interface, Borna is accessible without installing any additional software.
    •  Borna restricts users based on their permissions as well as their OU and domain.
    •  With Borna's AD delegation feature, routine tasks need no intervention by IT staff or administrators.
    •  Using the Change Request feature in Borna (AD Workflow), administrators and IT staff can accept or reject AD requests before they are performed on Active Directory.
    •  All of the necessary fields that require some basic network or Active Directory knowledge, such as profile path, can be set to default values by IT technicians, so that HR staff do not have to worry about filling them in.
  • Cumbersome Interaction between IT and HR department.

Approval-based Requests in Active Directory (Active Directory Workflow)

Borna has a subsystem called Active Directory Workflow. This feature can be configured so that certain AD requests must be approved by an administrator or a manager before execution. The three main roles of the AD Workflow subsystem are as follows:

 

  •  Requester: Users who submit an AD request (e.g. a request to create a user or to move a user) in Active Directory. For instance, you can assign this role to technicians in the HR department.
  •  Approver: Users who can approve or reject an AD request. This role can be assigned to technicians in the HR and IT departments.
  •  Executor: Users who are responsible for performing the operations related to an AD request.

 

By using the AD Workflow subsystem, administrators can have better control over changes in Active Directory. For more information, visit Active Directory Workflow.

 

active directory workflow setting to request changes in Borna ad manager
