What is Active Directory?
Active Directory, usually abbreviated AD, is a directory service created by Microsoft in 1996 (yes, that doesn't make any of us younger!) that stores information about the resources of a Microsoft network in a database.
The objective of Active Directory is to centralize identification and authentication across a network of Windows workstations, so that connected users can find all of their resources. Active Directory acts as a technical directory of the hardware and software resources of the IT network.
Active Directory groups together resources (workstations, printers, shared folders, etc.), users, and applications such as email, each of which has a unique identifier.
AD works with Group Policy Objects (GPOs), which let you restrict access to resources, administration tools and network settings by describing resources and the rights associated with them. In practice, this is how you prohibit the use of USB sticks or force system updates, for example.
If you want to dig deeper into the subject, see Microsoft's documentation on identity and access management, or the video that explains Active Directory very clearly.

Is AD essential in business?
Given the definition above, if all of your resources run on Windows, the answer is yes: AD is essential in a company beyond a certain size.
Active Directory clearly makes managing your accounts, identities and resources easier. It can serve as the company's digital identity base.
You manage your groups easily, and you can add Microsoft packages for further services, in particular identity lifecycle management with Microsoft Identity Integration Server 2003, among many others.
AD is therefore a great tool for the company, helping you manage all of your users and tools.
What are the limitations of Active Directory?
With the advent of SaaS, business applications hosted outside the company, Active Directory often ends up managing only part of a company's IT. Microsoft offers SSO through Azure AD, but setting it up is fairly technical and it only covers compatible applications.
When a user arrives, their accounts are created, so one might think that managing users and their accounts happens naturally in AD. Yes, but the accounts in the information system do not reflect your users: Active Directory contains system accounts alongside the accounts of both current and departed users.

This is where the difficulty arises: how do you use Active Directory as a reference (source of truth) when it mixes system accounts and HR identities? How do you match existing accounts to current employees and reconcile them in order to manage rights, access, licenses and account closures?
How do you properly manage accounts and users in AD?
Keeping an AD perfectly up to date is almost mission impossible unless you devote considerable time and resources to it.
The list of users in Active Directory never truly reflects the reality of the company's workforce. Accounts are generally created when an employee arrives, because they need one to access certain resources, in particular files or printers. But the account will only be closed on departure if the system and network administrators are extremely rigorous and HR informs the IT department of every employee departure.
As these two conditions are not always met, Active Directory ends up becoming a dumping ground for more or less phantom accounts whose actual use or usefulness is unknown. The "spring cleaning", which consists of exporting the list of all AD accounts to Excel and checking them one by one against lists of employees, temporary staff, service providers, etc., is obviously tedious and often futile.

This is where an IAM (identity and access management) solution comes in, to link accounts (Active Directory) and users (company employees) exactly.
The principle is simple: the solution connects to your HRIS and your AD and reconciles users and accounts. You can then manage all your authorizations from a single dashboard: everything is clear, and you can filter, manage, suspend, create and automate.
To give an example, when an employee arrives, HR enters their information, which is automatically sent to the IAM solution; the accounts are then created, and all that remains is to validate the creations. When they leave, the same thing happens: the information arrives in the solution, which suspends all the accounts of the person who is leaving.
You thus have a perfectly up-to-date AD.
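As an added example (not code from the article, nor from any IAM product), here is the "spring cleaning" above done as a reconciliation instead of one by one in Excel: the HR export is the source of truth, and the script sorts AD accounts into the categories an IAM tool would surface. It assumes the RSAT ActiveDirectory PowerShell module, a placeholder OU, and a constructed HR CSV with the columns EmployeeNumber, FirstName, LastName and Status.

```powershell
# Added example, not code from the article or any IAM vendor: reconcile AD user
# accounts against an HR export. Assumes the RSAT ActiveDirectory module and a
# constructed HR CSV with the columns EmployeeNumber, FirstName, LastName, Status.
Import-Module ActiveDirectory

function Compare-AdAccountsToHr {
    param(
        [Parameter(Mandatory)] [string] $HrCsvPath,
        [string] $SearchBase = 'OU=Users,DC=example,DC=com',  # placeholder OU
        [int] $InactiveDays = 90
    )
    # HR is the source of truth: index its rows by employee number.
    $hr = @{}
    foreach ($row in Import-Csv -Path $HrCsvPath) { $hr[$row.EmployeeNumber] = $row }

    # Every user account in scope, with the attributes needed for the match.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties employeeNumber, LastLogonDate

    $cutoff  = (Get-Date).AddDays(-$InactiveDays)
    $orphans = @(); $leavers = @(); $dormant = @()
    foreach ($u in $users) {
        $emp = if ($u.employeeNumber) { $hr[$u.employeeNumber] } else { $null }
        if (-not $emp) {
            # No HR record: a system/service account or a phantom user account.
            $orphans += $u
        } elseif ($emp.Status -eq 'Departed' -and $u.Enabled) {
            # HR says the person left, but the account can still log on.
            $leavers += $u
        } elseif ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
            # Matched and active in HR, yet unused for $InactiveDays days.
            $dormant += $u
        }
    }
    # Active employees in HR who have no account at all (joiner never provisioned).
    $known   = $users | Where-Object { $_.employeeNumber } | ForEach-Object { $_.employeeNumber }
    $missing = $hr.Values | Where-Object { $_.Status -eq 'Active' -and $_.EmployeeNumber -notin $known }

    [pscustomobject]@{
        NoHrRecord         = $orphans   # review: service account, or to be removed?
        DepartedButEnabled = $leavers   # disable immediately
        DormantEnabled     = $dormant   # confirm with the manager, then disable
        MissingAccount     = $missing   # create through the joiner process
    }
}

$report = Compare-AdAccountsToHr -HrCsvPath 'C:\exports\hr.csv'   # placeholder path
$report.DepartedButEnabled | Select-Object SamAccountName, employeeNumber, LastLogonDate
```

The match relies on the employeeNumber attribute being populated at account creation; accounts created by hand without it land in NoHrRecord, which is exactly the phantom-account problem described above.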
How does an IAM tool work with Active Directory?
An agent installed on your Active Directory servers acts as a proxy, enabling secure exchanges between your identity and access management solution and your AD.
This agent has two main functions: listing the Active Directory accounts so that they appear in your IAM tool, and carrying out the creation, modification or suspension actions requested. Once the agent is installed, synchronization runs at short, regular intervals. This is how both on-premises and SaaS software are supported.

You will then have the possibility to:
- Create users: our solution detects the naming format of the user accounts and automatically creates accounts with the correct name. No more mistakes in first or last names, and account names are harmonized.
- Activate/Deactivate user accounts: User left? Manually or automatically, you can suspend a user's account.
- Assign rights to users: you can modify a user's security groups. These changes are applied to the user's AD account automatically within a few seconds. In addition, depending on certain parameters, the solution may suggest security groups to add to a user.
- VPN access: as with security groups, you can specify that a user is authorized to access the VPN. This change is applied automatically in your Active Directory.
- Login scripts: often forgotten when creating accounts, these scripts are very practical in use and can be managed from your IAM tool.
- Filter users: if you have created groups based on your teams, privileges or other criteria and need to find them easily, this is possible with an IAM solution. This greatly facilitates audits, in particular by giving a quick view of arrivals and departures.
- Modify attributes such as network drives and custom attributes (employee number, etc.) according to how they are used in connected applications. For example, an email signature management tool will use the address, job title, department and other fields filled in on the user accounts in your Active Directory.
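An added example, not the article's own or any vendor's agent code, of the joiner and leaver actions listed above as an IAM agent would drive them in AD: naming-format generation with a uniqueness check, attribute and group assignment on arrival, then disabling and stripping group memberships on departure. It assumes the RSAT ActiveDirectory module; the naming format, OU, domain and group names are placeholders.

```powershell
# Added example (not from the article or any IAM product): joiner and leaver
# actions in AD. Assumes the RSAT ActiveDirectory module; OU, domain, group
# names and the naming format are placeholders.
Import-Module ActiveDirectory

function New-JoinerAccount {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [string] $EmployeeNumber,
        [string]   $Department,
        [string[]] $Groups = @(),
        [string]   $Path = 'OU=Users,DC=example,DC=com'
    )
    # Naming format: first initial + last name, lower case, ASCII letters/digits only
    # (accents are dropped here; a real tool would transliterate), max 18 chars.
    $base = ($FirstName.Substring(0, 1) + $LastName).ToLower() -replace '[^a-z0-9]', ''
    $base = $base.Substring(0, [Math]::Min(18, $base.Length))
    $sam = $base; $i = 2
    # Append a counter until the sAMAccountName is unique in the directory.
    while (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { $sam = "$base$i"; $i++ }
    # Random initial password; the IAM tool hands it over through its own channel.
    $password = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
    New-ADUser -Name "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@example.com" -Path $Path `
        -EmployeeNumber $EmployeeNumber -Department $Department `
        -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true
    # Rights are granted through security groups, never on the account directly.
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $sam }
    return $sam
}

function Disable-LeaverAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # Disable first, so the account cannot log on while the rest of the cleanup runs.
    Disable-ADAccount -Identity $user
    # Strip every group membership (the primary group, Domain Users, is not in MemberOf).
    foreach ($dn in $user.MemberOf) { Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false }
    # Leave an audit trail of who/what disabled the account and when.
    Set-ADUser -Identity $user -Description "Disabled by IAM on $(Get-Date -Format yyyy-MM-dd)"
}

# Usage with constructed data: provision a joiner, later process the same person as a leaver.
$sam = New-JoinerAccount -FirstName 'Marie' -LastName 'Dupont' -EmployeeNumber 'E1042' `
    -Department 'Finance' -Groups @('GG-Finance', 'GG-VPN-Users')
Disable-LeaverAccount -SamAccountName $sam
```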
Active Directory is still an essential tool for managing your users and their accounts, but letting it "live" without properly managing user accounts is no longer an option in a context of cyberattacks and sensitive data management. IT must have control over user access, especially when users leave. An IAM tool is essential, because Excel is not the solution either 😉. Reconciliation and automation are the advantages of an identity and access management solution.