Active Directory: how to give access to non-technical users?

Mélanie Lebrun | Youzer Marketing Manager | 07/2022

Active Directory is an extremely complete and powerful tool, but many people only use it for basic administration functions. Those who manage AD on a daily basis are not necessarily technical, and automating and securing accounts quickly becomes tedious for them. Let's look at how to simplify your Active Directory management with an IAM tool.


Active Directory, or AD for short, is a directory of identities used to manage accounts and authorizations for access to corporate IT resources.

The name evokes one of two things: a technical tool with enormous possibilities, a mine of information that you can navigate with a lot of experience to find what you're looking for; or a nightmare, knots in your stomach at the mere idea of having to touch it, an austere tool where nothing is simple!

If you cherish AD, it's unlikely that you'll be reading this article, so I'll speak directly to the rest of you, for whom AD isn't a given.

Active Directory without taboos

Active Directory may be very useful for managing user accounts, but it's not at all intuitive. It's highly technical, austere, complex and even dangerous if you delete items, because it's very difficult to know who has carried out what action. This means that if someone deletes a folder (called an Organizational Unit) in AD, it will be very difficult to identify the author of this deletion unless you use third-party software. At that point you're in expert territory 😎.

How is AD used in your company? Do you have any experts?

For many companies, the use of Active Directory is confined to the very basics: creating, modifying and suspending accounts. AD is a central tool in a company, as it is the pillar of authentication for on-premise applications, but it is very often underused and badly maintained.

Few people want to get their hands dirty, but to get at some information you have to; otherwise your Active Directory will quickly become mismanaged.

And even if there are experts...

IT departments also have other things to do than create accounts. If your team has an engineer or expert, that person will have better things to do than create accounts, and the company will use his or her skills for other, more relevant matters.

Low value-added IT tasks

Managing Active Directory without technical skills?

When we think of Active Directory, we often associate it with the IT department, but in many companies, account creation isn't necessarily the responsibility of IT. There are office managers, HR people or even general service staff who oversee administrative management and account creation for a new arrival, for example.

So yes, AD can be managed by people with no IT skills, but in that case the tool becomes a headache for those who have to deal with it (too specialized, with a very unforgiving user interface).

What's more, access is not given to the Active Directory but to AD functions (account creation, suspension, modification, etc.).

The idea is that a specialist installs and configures Active Directory within your company, then gives you access to features, and you don't have to call him every time you need to use one.

I'm going to use a metaphor we like at Youzer: when you have your house built, you call in an electrician to install the electrical network in your home, but then you don't call him every time you need to switch on the light, of course. Why not? Simply because there's a simple and effective tool: the light switch!


Why continue to manage 'simple' tasks directly in the AD?

I'm probably going to make some people cringe, but whether it's IT people or people with no IT skills, everyone needs to make their AD management easier. Specialists will tell me no, we're doing fine and the tool suits us. Well, yes, but...

But how much time do you spend performing actions such as modifying an organizational unit? How do you monitor privileged accounts? How do you monitor duplicates, orphan accounts and other anomalies? How long does it take you to reconcile accounts and carry out any actions that are a little out of the ordinary, and therefore require you to use PowerShell?

So why shouldn't all IT professionals be inclined to use simpler solutions to manage their AD?

I'm sure that CIOs are very interested in this kind of solution, because they see it as a time-saver for their teams, as well as being more transparent and independent from the AD (where dependence on technical skills is strong).

IT people also like to have control over the whole tool (which AD enables), and there's a familiarity bias where users have more confidence in a product they know (even if it's complex) than going for something new.

So let's see how we can simplify this use.

How to simplify Active Directory use?

There are a number of tools available to help you manage AD via an intermediate solution. They'll allow you to perform time-consuming tasks on Active Directory with ease. Of course, you'll find documentation from Microsoft, but it's incredibly technical (and daunting for the less technical among us).

Let me tell you about IGA. What is it? IGA, or Identity Governance and Administration, is a solution for managing users, their accounts and their applications. IGA is the management of authorizations, rights and access. You could say that IGA is the administrative part of IAM.

An IGA solution can therefore perform 100% of the basic tasks you need on a daily basis. Depending on the solution, though, you can end up with an unwieldy, overcomplicated system.

Logically, if you're there to simplify AD, it would be silly to start with an ultra-complex identity and access management solution 🙃....


How does IAM work?

To understand the benefits of an IAM tool, you need to understand how it works. The tool connects to your Active Directory and collects information from your accounts.

You control your AD from your identity and access management platform. Thanks to the very quick installation of an agent, you can create, suspend and modify accounts, manage security groups and manage organizational units (OUs).

Note: with an IAM, you can integrate all your software and applications to manage all accounts from the platform. An IAM connects to your HRIS or HR database to reconcile users and accounts.
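The reconciliation described above, as an added example that is not Youzer's code or part of the original article: it matches an account list against an HR roster and reports orphan accounts, accounts still enabled after a departure, duplicates, and arrivals without an account. The field names (`employee_id`, `end_date`, `sam`, `enabled`) and the sample records are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data. Field names are assumptions for this example,
# not an actual HRIS, Active Directory or Youzer export format.
HR_ROSTER = [
    {"employee_id": "E001", "end_date": None},
    {"employee_id": "E002", "end_date": date(2022, 6, 30)},  # has left
    {"employee_id": "E003", "end_date": None},
    {"employee_id": "E004", "end_date": None},               # new arrival
]
AD_ACCOUNTS = [
    {"sam": "amartin",  "employee_id": "E001", "enabled": True},
    {"sam": "bpetit",   "employee_id": "E002", "enabled": True},
    {"sam": "cdurand",  "employee_id": "E003", "enabled": True},
    {"sam": "cdurand2", "employee_id": "E003", "enabled": True},
    {"sam": "svc_old",  "employee_id": None,   "enabled": True},
    {"sam": "jdoe",     "employee_id": "E999", "enabled": False},
]

def reconcile(roster, accounts, today):
    """Match accounts to HR records and return the anomalies to act on."""
    people = {p["employee_id"]: p for p in roster}
    enabled_by_person = defaultdict(list)
    findings = {"orphan": [], "departed_enabled": [], "duplicate": [], "missing_account": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already suspended: nothing to clean up
        person = people.get(acct["employee_id"])
        if person is None:
            findings["orphan"].append(acct["sam"])  # no HR owner
            continue
        enabled_by_person[person["employee_id"]].append(acct["sam"])
        if person["end_date"] is not None and person["end_date"] < today:
            findings["departed_enabled"].append(acct["sam"])  # should be suspended
    for emp_id, sams in enabled_by_person.items():
        if len(sams) > 1:
            findings["duplicate"].append((emp_id, sorted(sams)))
    for emp_id, person in people.items():
        still_here = person["end_date"] is None or person["end_date"] >= today
        if still_here and emp_id not in enabled_by_person:
            findings["missing_account"].append(emp_id)  # arrival without access
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, AD_ACCOUNTS, date(2022, 7, 15)).items():
        print(f"{kind}: {items}")
```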

The IGA tool must have a user-friendly interface, ease of management, clarity of information and must report relevant information for account and user management.

A person with no technical skills will work in a smoother, more modern environment, with an almost playful system for keeping the accounts in their information system up to date.

The main objective is to facilitate account creation, clean up the information system and suspend accounts. All with a view to internal satisfaction (assigning access to users) and corporate security (eliminating orphan accounts).

Since I started with cognitive biases, here's another one that interests us in our case, the spark effect: a user is more likely to perform an action if the effort involved is low. A user with no technical skills will therefore be more inclined to take your accounts seriously if the management tool is practical and user-friendly!

So, at Youzer we've created a platform with a dashboard that summarizes your arrivals, departures and accounts in error, and that automates the creation and suspension of accounts. This invites the IAM user to easily clean up accounts in error.

What's more, each time you log on, you'll be reminded of the actions you need to take to get everything in order, actions that don't take long.

You have to admit, leaving it unfinished nags at you.

The difference between AD and IAM in basic management:

🙂 the IAM tool gives you levers for action.

😣 AD lets you perform actions, but you have to do everything by hand or set up your actions with a high skill requirement.

🙂 The information has already been analyzed and is presented in an easy-to-read format.

😣 The information is raw, it's up to you to find it and analyze it.

🙂 Arrivals and departures are displayed, error accounts are notified, and you are informed of actions to be taken.

😣 Nothing stands out in Active Directory: everything's there, but you'll have a hard time finding your duplicates or orphan units. For arrivals and departures, you're in for long HR/IT email exchanges.

🙂 A non-technical person can easily manage their company's accounts, and there's also a customer service department to help with any difficulties.

😣 A non-technical person will need to be trained in AD before using it, otherwise he or she may make mistakes of varying degrees of seriousness. Technical documentation is available to help in case of difficulty.

Curious to find out more? Make an appointment to see how you can manage your AD with a simpler tool!
