What is Active Directory?
Active Directory, or AD for short, is a directory service created by Microsoft in 1996 (and yes, it's not getting any younger!) which stores information about resources in the Microsoft world in a database.
The aim of Active Directory is to centralize identification and authentication for a network of Windows workstations. This enables connected users to find all their resources. Active Directory acts as a technical directory for hardware and software network resources.
Active Directory groups together resources (workstations, printers, shared folders, etc.), users and applications such as e-mail, all of which are uniquely identified.
AD works with GPOs or Group Policies, which enable you to restrict resources, accesses, resources and associated rights. In practical terms, this means you can prohibit the use of USB keys, force system updates, etc.
If you'd like to find out more, take a look at Microsoft' s documentation on identity and access management or Active Directory, explained very clearly in a video.
Is the AD a business essential?
According to the definition above, if you have all your resources running on Windows, the answer is: yes, AD is indispensable in a company of a certain size.
Active Directory is clearly a facilitator for managing your accounts, identities and resources. Active Directory can be the foundation ofidentity .
It's easy to manage your groups, and you can add additional services by adding Microsoft packages to manage the identity lifecycle with Microsoft Identity Integration Server 2003 and many others.
AD is therefore a formidable corporate tool that will help you manage all your users and tools.
What are the limits of Active Directory?
With the advent of SaaS software, business software hosted outside the enterprise, Active Directory often finds itself managing only part of a company's IT. Microsoft has introduced an SSO technology with Azure AD, but its implementation is relatively technical and only manages compatible applications.
When a user arrives, accounts are created for them, so you might think that managing users and their accounts is a natural part of AD. However, the accounts present in the IS do not reflect your users: on the Active Directory there are accounts which may be system accounts, or accounts of users who are present or who have left.
That's where the real difficulty comes in: how do you use Active Directory as a repository (source of truth) when it mixes system and HR identities? How do you manage existing accounts with existing employees, and reconcile them to manage rights, access, licenses and account closure?
How do I manage my accounts and users in AD?
Keeping an AD perfectly up to date is virtually mission impossible unless you devote time-consuming resources to it.
The list of users in Active Directory never really corresponds to the reality of a company's workforce. Accounts are generally created when employees arrive, because they need them to access certain resources, such as files or printers, but their accounts are only closed when they leave, by extremely rigorous system and network administrators and an HR department that informs the IT department each time an employee leaves.
Since these two conditions are not always met, the Active Directory ends up being a dumping ground for more or less phantom accounts, which we don't really know if they're used or useful. Spring-cleaning", which consists of exporting a list of all AD accounts to Excel, and cross-referencing them one by one with lists of employees, temporary staff, service providers, etc., is obviously tedious and often futile.
This is where an IAM ( Identity and Access Management) solution comes into play, to perfectly link accounts (Active Directory) and users (company employees).
The principle is simple: the solution connects to your HRIS and your AD and reconciles users and accounts. This means you can manage all your authorizations from a single dashboard. Everything is clear: you can filter, manage, suspend, create and automate.
To give you an example, an employee arrives, HR fills in the information, which is automatically sent to the IAM solution, then the accounts are created, and all that's left to do is validate the creations. When the employee leaves, the same thing happens: the information is sent to the solution, suspending all the accounts of the departing employee.
So you have a perfectly up-to-date AD.
How does an IAM tool work with Active Directory?
An agent is installed on your Active Directory servers and acts as a proxy, enabling secure exchanges between your identity and access management solution and your AD.
This agent has two main functions: to list Active Directory accounts so that they can be displayed in your IAM, and to initiate any creation, modification or suspension actions requested. Once the agent has been installed, it is synchronized on a regular basis. This is particularly useful for on-premise and SaaS software.
You can then :
- Create users: your solution detects the naming format of the user's account and automatically creates accounts with the correct name. No more first or last name mistakes, and accounts are harmonized.
- Enabling/Disabling user accounts: a user gone? You can manually or automatically suspend a user's account.
- Assign rights to users: you can modify the security groups for a user. These changes will be automatically applied to the user's AD account after a few seconds. In addition, depending on certain parameters, the solution may suggest security groups to add to a user.
- VPN access: like security groups, you can specify that the user is authorized to access the VPN. This modification will be implemented automatically in your Active Directory.
- Login scripts: often overlooked when accounts are created, these scripts come in handy when in use, and can be managed by your IAM tool.
- Filtering users: you've created groups based on your teams, privileges or other criteria, and you need to be able to find them easily, which is possible with an IAM solution. This makes it much easier to carry out audits, particularly to get a quick overview of arrivals and departures.
- Modify attributes such as network drives and custom attributes (employee number, etc.) according to their use in connected applications. For example, a mail signature management tool will use the address, job title, department, etc. fields that are stored in the user accounts of your Active Directory.
Find out more about the features available in an IAM solution.
Active Directory is still an essential corporate tool for managing your users and their accounts, but letting it 'live' without properly managing user accounts is no longer an option in a context of cyber-attacks and sensitive data management. IT must have control over user access, particularly when they leave. An IAM tool is essential, because Excel isn't the solution either 😉 Reconciliation and automation are the strengths of an identity and access management solution.
