I'm looking for suggestions on tools or methods for automating Active Directory group management for new users or when existing users change roles. We have numerous AD groups tied to locations, positions, projects, and we've been facing challenges where users often end up missing vital security groups or are assigned to incorrect locations. Currently, we use templates, but they've become overly complicated because of the sheer number of locations and positions, particularly with new departments or groups frequently being added. What options are available for automating this process? Should we consider home-grown PowerShell scripts, Group Policy, or maybe third-party software?
5 Answers
Using PowerShell is definitely a common choice. I've heard good things about ManageEngine AD Manager Plus for handling complex templates efficiently.
Adaxes combined with PowerShell is another solid option, highly customizable to fit your needs.
SailPoint is also worth considering, especially if you need something tailored for complex organizational structures.
I recommend looking into Quest ARS or NetIQ DRA. Personally, I'm not a fan of ManageEngine, so I've found them to be more reliable.
You could set up shadow groups along with a scheduled PowerShell script that regularly checks for users in an OU. It's been a decent approach for us.
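A minimal version of the shadow-group reconciliation described in this answer, written here as an added example (not the answerer's own script): it lists enabled users under an OU, diffs them against the group's direct members, and adds or removes accordingly. The OU distinguished name and group name are placeholders, and it stays in dry-run mode until `$DryRun` is set to `$false`.

```powershell
# Added example: keep a "shadow group" in sync with the users located in an OU.
# Assumptions (placeholders, not from the thread): $SearchBase and $ShadowGroup.
Import-Module ActiveDirectory

$SearchBase  = 'OU=Finance,OU=Users,DC=corp,DC=example'   # placeholder OU DN
$ShadowGroup = 'SG-Finance-Users'                         # placeholder group name
$DryRun      = $true   # log intended changes only; set to $false to apply them

# Enabled user accounts currently located in the OU (including child OUs).
$ouUsers = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DistinguishedName)

# Current direct members of the shadow group, users only (nested groups are left alone).
$members = @(Get-ADGroupMember -Identity $ShadowGroup |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

# Drift in both directions: users in the OU but not in the group, and stale members.
$toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
$toRemove = @($members | Where-Object { $_ -notin $ouUsers })

foreach ($dn in $toAdd) {
    Write-Output "ADD    $dn -> $ShadowGroup"
    if (-not $DryRun) { Add-ADGroupMember -Identity $ShadowGroup -Members $dn }
}
foreach ($dn in $toRemove) {
    Write-Output "REMOVE $dn <- $ShadowGroup"
    if (-not $DryRun) { Remove-ADGroupMember -Identity $ShadowGroup -Members $dn -Confirm:$false }
}

Write-Output ("Done: {0} to add, {1} to remove (DryRun={2})" -f $toAdd.Count, $toRemove.Count, $DryRun)
```

Run it from a scheduled task under a service account that holds only the group's membership-write permission, and keep the dry-run output as the change log so missing or wrong memberships are visible before they are applied.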
AD Manager Plus is what we use, and at this stage, we have over 700 templates set up!