I work with an MSP and we would like to implement something to the effect that every user within our organization can easily be added across multiple different domains that aren't necessarily in the same forest.
Let me give you an example
Say a new user, John Doe, joins our company. Obviously we don't want everyone knowing the domain administrator password, so we create him a username, say, adminjd, with a company he is to work with, XYZ. However, we manage MANY customers, so not only must he have an account with XYZ, but also ABC, 123, ACME, and so on and so forth, so adding his service accounts could consume a technician for several days. No good. The issue is compounded even further if, say, we have a not-so-amicable break with Mr. Doe and we want to remove his accounts. We can do this easily and quickly with SolarWinds NCM for Cisco/Juniper/etc. devices, but we don't have a great solution for Active Directory/LDAP, paid or otherwise.
It would also be nice to monitor events and other relevant Active Directory info, but the primary function is stated above.
Does anyone have any experience with such software? Can someone make a recommendation?
We have been using Novell Identity Manager in our environment for many years and are extremely pleased with the results. It provisions an arbitrary number of Active Directory domains as well as eDirectory, various e-mail solutions, databases, etc. and is very flexible in how it is deployed. Because of the scope of the product, it can be quite complex but it will essentially handle any and all user and resource provisioning tasks you throw at it (and you can limit its scope for simple out-of-the-box deployments). The stability and scalability after initial setup are excellent.
http://www.novell.com/products/identitymanager/
I recommend a scripting solution. (It's my best hammer, so everything looks like a nail...) In this case of Active Directory scripting, Perl makes this much easier than it is in VBScript (my two strongest languages), because you have to explicitly bind to each domain in Perl (whereas VBScript uses the account context that the script is run as). I typically use the Net::LDAP module.

I would either set the script to accept command line arguments, or present a question-and-answer list (full name, username, password, domain admin?, etc.). You'll also ask for your own username and password for the domains as well. (This is easier if you use the (insecure) practice of having all passwords match across domains, but you can set it to ask for each run.)

Then define an array of your clients' domains. In a for loop, bind to each domain, create the account in each (setting groups and passwords), and then move on to the next domain. Rinse. Repeat.

Try ManageEngine ADManager Plus to provision user accounts in Active Directory across multiple domains. To monitor the user actions, deploy ManageEngine ADAudit Plus.
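As an added example (not code from the scripting answer above, which describes the loop in Perl with Net::LDAP), here is the same procedure written in PowerShell with the RSAT ActiveDirectory module: an array of customer domains, one bind per domain with that domain's own admin credential, account creation plus group membership, and a matching offboarding function for the removal case the question raises. The domain names, OUs and group names are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module is installed and a DC in each listed domain is reachable. Domains, OUs
# and group names below are constructed placeholders.
Import-Module ActiveDirectory

# One entry per customer domain (unrelated forests): where MSP staff accounts
# live and which groups the technician should be added to.
$Customers = @(
    @{ Domain = 'xyz.example';  Ou = 'OU=MSP Staff,DC=xyz,DC=example';  Groups = @('Domain Admins') }
    @{ Domain = 'abc.example';  Ou = 'OU=MSP Staff,DC=abc,DC=example';  Groups = @('Server Operators') }
    @{ Domain = 'acme.example'; Ou = 'OU=MSP Staff,DC=acme,DC=example'; Groups = @('Domain Admins') }
)

function Get-DomainCredential {
    # Prompt per domain instead of reusing one admin password everywhere.
    param([Parameter(Mandatory)][string]$Domain)
    Get-Credential -Message "Admin credential for $Domain" -UserName "$Domain\"
}

function New-TechnicianAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    foreach ($c in $Customers) {
        $cred = Get-DomainCredential -Domain $c.Domain
        try {
            # Bind to this domain explicitly via -Server; skip create if it already exists.
            $existing = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $c.Domain -Credential $cred
            if ($existing) {
                Write-Warning "[$($c.Domain)] $SamAccountName already exists; skipping create"
            } else {
                New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
                    -UserPrincipalName "$SamAccountName@$($c.Domain)" -Path $c.Ou `
                    -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true `
                    -Server $c.Domain -Credential $cred
            }
            foreach ($g in $c.Groups) {
                Add-ADGroupMember -Identity $g -Members $SamAccountName -Server $c.Domain -Credential $cred
            }
            Write-Host "[$($c.Domain)] provisioned $SamAccountName"
        } catch {
            # A failure in one domain must not stop provisioning in the others.
            Write-Error "[$($c.Domain)] $_"
        }
    }
}

function Remove-TechnicianAccount {
    # Offboarding: disable first (keeps the SID visible in logs), delete only if asked.
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Delete)
    foreach ($c in $Customers) {
        $cred = Get-DomainCredential -Domain $c.Domain
        try {
            $u = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $c.Domain -Credential $cred
            if (-not $u) { Write-Warning "[$($c.Domain)] no account $SamAccountName"; continue }
            Disable-ADAccount -Identity $u -Server $c.Domain -Credential $cred
            if ($Delete) { Remove-ADUser -Identity $u -Server $c.Domain -Credential $cred -Confirm:$false }
            Write-Host "[$($c.Domain)] deprovisioned $SamAccountName"
        } catch {
            Write-Error "[$($c.Domain)] $_"
        }
    }
}

# Usage: onboard adminjd everywhere; offboarding is the one-line call commented out.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for adminjd'
New-TechnicianAccount -SamAccountName 'adminjd' -DisplayName 'John Doe (MSP admin)' -InitialPassword $pw
# Remove-TechnicianAccount -SamAccountName 'adminjd' -Delete
```

Prompting for a credential per domain is deliberate: it avoids the shared-password practice the answer flags as insecure, and a credential compromised at one customer does not open the others. Disabling before deleting gives the customer's audit trail a SID to match against; the -Delete switch is the second step once that is no longer needed.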
AuthAnvil does what you want. I don't use it but I've heard great things about it. You don't need to even create accounts on each system.
Ian