Borna Active Directory Manager Help

A brief introduction to using Borna AD Manager is presented in this paper.

Dana Pardaz Co.
WWW.DANAPARDAZ.NET

Table of Contents

1. Introduction
2. Basic Configuration
   2-1. Connect to Domains
3. Technician Management
   3-1. Creating a Technician
   3-2. Authentication Method
   3-3. Permissions
   3-4. Assigning Roles
   3-5. Permissions Based on Domain & OUs
   3-6. Role Management
   3-7. Managing Permissions
4. User Management
   4-1. What Are User Templates?
   4-2. Creating a User Template
   4-3. Creating a User
   4-4. Managing Users
5. Computer Management
   5-1. What Are Computer Templates?
   5-2. Creating a Computer Template
   5-3. Creating a Computer
   5-4. Managing Computers
6. Group Management
7. OU Management
8. Reports
Appendix 1. Upgrade/Extend Borna License

1. Introduction

Borna is web-based software for managing Active Directory across several domains in a centralized fashion. It allows administrators to manage users and computers, generate reports from Active Directory and monitor Active Directory security. Most of the features available in Borna are not accessible with the built-in tools in Windows. With more than 40 different and useful reports as well as bulk user management features, Borna is an ideal choice for many organizations.

Some of Borna's important features are as follows:

- Bulk user management
- Bulk computer management
- More than 40 informative and useful reports
- Automation of Active Directory tasks
- Centralized management of multiple domains
- Dashboard containing comprehensive information about users, computers and groups
- Non-invasive delegation of administration
- User/Computer templates to simplify and regularize the user/computer creation process
- Ability to define work-flow operations
- Online notification of changes
- Simplified process for changing passwords
- Quick and simple search in Active Directory
- Remote management of Active Directory with the web-based interface

2. Basic Configuration

To start working with Borna AD manager, you should first configure some options. For instance, every domain must be introduced to Borna with a username that has the necessary privileges. This section presents everything you need to configure in order to work with Borna AD manager.

2-1. Connect to Domains

Using Borna AD manager, you can manage multiple domains in a centralized fashion. To connect Borna to a new domain, click Edit Domains in the Administration tab of Borna (Fig 1).

Fig 1 Connecting to a new domain

Then click Add Domain Controller and fill in all the fields, as shown in Fig 2.

Note: If the user you provided to connect to an Active Directory does not have administration privileges, you cannot perform any changes in Active Directory. However, it is still possible to see reports if the user has the required permissions.

After you connect Borna to a new domain, you can see basic information about that domain on the Dashboard page of Borna.

Fig 2 Configuration needed to connect to a domain

Fig 3 Borna Dashboard

3. Technician Management

Borna AD manager can create technician accounts (which are not necessarily equivalent to user accounts in AD) and assign them permissions to different parts of Borna and AD. You can either create a technician manually or import the corresponding user account from AD into Borna. It is possible to create an account for each staff member in the IT department and assign the required permissions based on their responsibilities.

Note: Technician accounts used for AD management are defined only in Borna and cannot be used to log in to computers like an AD user account.

3-1. Creating a Technician

To define a new technician, click Technicians in the Administration tab.

Fig 4 Technicians menu in Administration tab

The list of all technicians is available on this page. You can create or import a new technician by clicking New. To import a user from Active Directory, click Import from AD in the Create Technicians window.

Fig 5 Create Technicians window

3-2. Authentication Method

You can indicate the authentication method of technicians in Borna. There are two possible methods:

- Borna Authentication: In this method, the authentication process checks the username and password defined in Borna.
- Active Directory Authentication: Using this method, you do not have to create separate technician accounts. This method allows an AD user to log in to Borna without a technician account. When this option is selected, the authentication process itself is performed by Borna.

3-3. Permissions

Borna provides a set of fine-grained permissions that fulfill the needs of IT managers. Most routine tasks regarding Active Directory can be performed by non-technical users, such as HR users. However, delegation of these tasks in Active Directory is very complex and will get out of control after a few delegations. Borna provides a simple menu and interface to delegate various tasks and control them easily. You will learn how to configure technicians' permissions in the next sections.

3-4. Assigning Roles

A technician can have several roles assigned. Each role grants some privileges depending on its goal. You can define new roles on the Roles page, which is accessible in the Administration tab. You can also indicate the permissions associated with each role by clicking Permissions in the Administration tab. Finally, you should indicate the roles of each technician. To do so, click the Permissions tab on the Edit Technicians page. If you do not see this page, select a technician on the Technicians page and click Modify.

Fig 6 Assigning roles to a technician

3-5. Permissions Based on Domain & OUs

In addition to specifying roles, you can also indicate the domains and OUs to which a technician's roles apply. To understand its importance, imagine the following scenario:

- You have several domains distributed across several cities, each of which has its own IT department. In this case, you can easily assign the permissions for creating users and resetting passwords to technicians in other IT departments.
- You want the HR staff to have permissions to create and modify users to reduce your workload. At the same time, since some OUs contain critical users, you do not want HR staff to see or modify these OUs.

To restrict a technician's permissions to specific OUs or domains, click All Domains and then select the domains and OUs to which the role applies.

Fig 7 Restrict roles on specific domains and OUs

3-6. Role Management

In Borna AD manager, each role contains a set of permissions needed to perform specific tasks. Borna is very flexible here and allows new roles to be defined with arbitrary permissions. To do so, click Roles in the Administration tab. Then click New Role. On this page, you can specify the users to which this role is assigned. You can also copy the permissions from other roles to speed up the process of role creation.

Fig 8 Create roles page

3-7. Managing Permissions

To manage permissions, click Permissions in the Administration tab. On this page, you can indicate the permissions of each role, as shown in Fig 9.

Fig 9 Permissions page

4. User Management

Administrators often face difficulties dealing with routine and tedious tasks related to user accounts, such as creating users, resetting passwords, deleting users, etc. This section introduces only a few features of Borna AD manager to show the gist of what this powerful software provides.

4-1. What Are User Templates?

Each company has its own set of rules for user creation. For instance, some companies require the IT department to set the phone and address attributes of users. In some companies, the email address field in AD is very important, since they might have customized software which uses the email address attribute of AD users. Some companies might be highly aware of security breaches and require all users to have specific logon hours and computers. However, there is no simple and efficient way to force the technicians who create users to follow the company's policy. Even if they are responsible, they may sometimes forget to fill in all the required fields.

Borna AD manager provides a feature that solves this big issue. In Borna, one can create user templates. Basically, a template gives a customized page which shows only the required attributes of a user with certain criteria. For instance, you can make some attributes mandatory or set a default value for some common attributes like logon hours. This powerful feature facilitates management and delegation.

User templates have the following features:

- User templates can be set to have only the attributes necessary based on the company's policy.
- It is possible to set a default value for different attributes. This facilitates and speeds up the user creation process.
- It is possible to define as many templates as you want for different users and technicians. For instance, you can define 2 templates, one for users who are about to be created in HR OUs and one for IT OUs.
- Templates accelerate the process of user creation, and time is valuable for companies.

By default, Borna has two predefined templates used for creating users with basic or advanced information.

4-2. Creating a User Template

To define a user template, click Add/Modify User Templates in the Administration tab and click New Template. A new page will be shown, as in Fig 10. On this page, you can indicate which attributes are mandatory and which are unnecessary (invisible). Default values can also be set.

Fig 10 New template page

4-3. Creating a User

After creating a user template, you can use it to create new users very efficiently. To do so, click Create New User in the Domain Management tab. On this page, you can select the template you want to use. Note that only the templates that you have access to will be displayed here. As you can see, the default values will be set automatically, and you cannot create a user if you forget to fill in one of the mandatory attributes.

Fig 11 Create a new user with user templates

4-4. Managing Users

Borna AD manager has many features that greatly simplify user management. In fact, many routine and important tasks are those that deal with users who already have an account in Active Directory, such as resetting passwords, unlocking users, etc. Some of these tasks, which are crucially important, are very hard to perform with the default tools available in Windows.

Some of Borna's features regarding user management are as follows:

- Changing user password
- Enabling/Disabling user accounts
- Deleting user accounts
- Unlocking user accounts
- Specifying logon hours
- Specifying logon computers
- Moving users
- Modifying user membership
- Modifying contact info
- Modifying profile settings

You can reach the above items from the Domain Management tab. On all of these pages, you can select a set of user accounts and click Apply to perform the operation. For instance, click Change Password in the Domain Management tab. You can select several users here and then change their passwords based on your company's policy, as shown in Fig 12.

Fig 12 Change password page

5. Computer Management

Computers, like user accounts, are highly important Active Directory objects. Computers can also be created, disabled, enabled, deleted and modified, similar to user accounts. Borna AD manager provides several features to simplify computer management, as it does for user accounts. This section gives a brief overview of these features.

5-1. What Are Computer Templates?

The way in which computers are created in Active Directory depends heavily on an organization's policy. In the simplest case, computer objects can be created simply by providing their name. However, in most organizations, the local policy forces technicians to set most computer attributes, which is tedious and time-consuming. Computer templates, like user templates, allow administrators to create templates with predefined values and customized settings, which speeds up the process and also forces technicians to fill in the necessary fields.

The features of computer templates are as follows:

- A template indicates which attributes should be set, such as computer name, manager, member of, etc.
- A template can have a default value for some attributes so as to speed up the computer creation process (some attributes, such as member of and manager, are usually set to the same value for computers in an OU).
- Several different computer templates can be created for different purposes and assigned to different technicians.

5-2. Creating a Computer Template

To define a computer template, click Add/Modify User Computes in the Administration tab and click New Template. A new page will be shown, as in Fig 13. On this page, you can indicate which attributes are mandatory and which are unnecessary (invisible). Default values can also be set.

Fig 13 Computer creation template

5-3. Creating a Computer

After creating a computer template, you can use it to create new computers very efficiently. To do so, click Create Computers in the Domain Management tab. On this page, you can select the template you want to use. Note that only the templates that you have access to will be displayed here. As you can see, the default values will be set automatically, and you cannot create a computer if you forget to fill in one of the mandatory attributes.

Fig 14 Creating a computer with computer templates

5-4. Managing Computers

In addition to creating computers, Borna AD manager provides several useful features that facilitate computer management in Active Directory. Some of them are listed below:

- Setting/Modifying computers' membership
- Resetting computer accounts
- Enabling computers
- Disabling computers
- Deleting computers
- Moving computers

You can reach the above items from the Domain Management tab. On all the related pages, you can select a set of computer accounts and click Apply to perform the operation, as for user management.

6. Group Management

Borna AD manager allows you to create, delete or move groups, like other objects. In order to manage groups, click Domain Management and then click Group Management.

Fig 15 Group management features

7. OU Management

Borna AD manager also enables administrators and technicians to manage OUs in Active Directory. OUs can be created, deleted and modified as simply as possible in Borna. In order to manage OUs, click Domain Management and then click OU Management. To create, delete, rename or modify an OU, right-click the OU and select an option.

Fig 16 OU management

8. Reports

Using the default built-in tools in Windows, you cannot see the list of users whose passwords are expired. In such cases, administrators have to use complicated PowerShell commands or write a script, which only expert administrators can do.

Reports in Borna AD manager are divided into four categories:

- User reports
- Password reports
- Computer reports
- Group reports

There are more than 30 reports available in Borna. Some of the most important ones are as follows:

- All Users
- Locked Out Users
- Disabled Users
- Account Expired Users
- Soon-to-expire User Accounts
- Recent Logon Failures
- Users with Password Never Expires
- OS/Service Pack Based Computer Report
- Last Logged on Based Computer Report
- Groups Without Members

To see all reports available in Borna, visit the Active Directory Reports page.

Fig 17 Soon-to-expire user account reports

In all reports, you can filter the output based on domains and OUs. After specifying the domain, click Generate to see the result. Fig 17 shows soon-to-expire user accounts, which can be easily disabled for security reasons. You can also indicate which attributes are shown as columns in generated reports (Fig 18).

Fig 18 Attributes which can be selected as column in Borna's reports
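
For comparison, this is roughly what the PowerShell route mentioned at the start of this section looks like for several of the reports listed above, scoped to one OU in the same way the report pages filter by domain and OU. It is an added example, not part of Borna or of the original manual; the function name Get-AdAccountReport, the domain controller name and the OU are placeholders chosen for illustration.

```powershell
# Added example (not Borna code). Requires the ActiveDirectory module (RSAT)
# and an account with read access to the queried OU.
Import-Module ActiveDirectory

function Get-AdAccountReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Server,       # domain controller to query
        [Parameter(Mandatory)] [string] $SearchBase,   # OU filter, like the report pages
        [int] $ExpiringWithinDays = 14                 # window for "soon-to-expire"
    )
    $scope = @{ Server = $Server; SearchBase = $SearchBase }
    $soon  = New-TimeSpan -Days $ExpiringWithinDays

    # One query per report; names follow the report list in section 8.
    $reports = [ordered]@{
        'Locked Out Users'                  = { Search-ADAccount @scope -UsersOnly -LockedOut }
        'Disabled Users'                    = { Search-ADAccount @scope -UsersOnly -AccountDisabled }
        'Account Expired Users'             = { Search-ADAccount @scope -UsersOnly -AccountExpired }
        'Soon-to-expire User Accounts'      = { Search-ADAccount @scope -UsersOnly -AccountExpiring -TimeSpan $soon }
        'Users with Password Never Expires' = { Search-ADAccount @scope -UsersOnly -PasswordNeverExpires }
        'Users with Expired Passwords'      = { Search-ADAccount @scope -UsersOnly -PasswordExpired }
        # Groups whose member attribute is empty. Primary-group membership is not
        # stored in that attribute, so a group such as Domain Users can show up here.
        'Groups Without Members'            = { Get-ADGroup @scope -LDAPFilter '(!(member=*))' }
    }

    foreach ($entry in $reports.GetEnumerator()) {
        $title = $entry.Key
        # Tag every row with its report name so all results fit in one table.
        & $entry.Value | Select-Object @{ Name = 'Report'; Expression = { $title } },
            ObjectClass, SamAccountName, DistinguishedName
    }
}

# Constructed sample call: server and OU are placeholders.
Get-AdAccountReport -Server 'dc01.example.test' -SearchBase 'OU=HR,DC=example,DC=test' |
    Export-Csv -Path .\ad-report.csv -NoTypeInformation
```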

Appendix 1. Upgrade/Extend Borna License

In order to upgrade or extend your Borna license, call our sales department first. Generally, you can see your license information by clicking License Information in the Guide menu (Fig 19).

Fig 19 Guide menu

To activate Borna AD manager, you should first copy the Activation Code from the License Information page and submit a request on this page. We will send you your license file as soon as possible. You should then click Open, select the license file and finally click Apply to activate Borna (Fig 20).

Fig 20 License Information page