Advanced Toolware LLC

User Management Resource Administrator
2003 Active Directory Management and LDAP Solution

Forms & Delegation (Help Desk Delegation)

What every network administrator needs; more help at no cost!

One of the drawbacks of managing large numbers of users is the daily task of unlocking user accounts, resetting passwords, creating and deleting user accounts, managing global groups and much more.

With User Management Resource Administrator and the Forms & Delegation product add-on, network administrators can now wash their hands of these tedious tasks. The Forms & Delegation module allows network administrators to delegate administrative tasks to non-administrative users. These tasks can be as simple as unlocking accounts or resetting passwords. They can also be complex, such as global group management, deleting user accounts or creating new user accounts and all their resources.

Example: You are receiving over 20 unlock account and reset password requests a day from student user accounts. This costs you time and money, so now you want to delegate unlocking accounts and resetting passwords to teachers. This can be accomplished by creating a new Form project from the Forms & Delegation product add-on.

Steps:

  1. Create a new Form project called Reset Passwords.
  2. Create a table field in the new form that will only display users from the global group STUDENTS.
  3. Delegate the new form to the global group TEACHERS.


How does it work?

The delegated helpdesk user works with a forms client (available as a Windows application; a Web interface is coming soon) that connects to the User Management Resource Administrator delegation service. This service has administrative privileges; the helpdesk employee does not. When the forms client connects, it authenticates the user and downloads a list of all forms available to that helpdesk user. The helpdesk user then selects the form named "Reset password", selects a user account and clicks the submit button. The job is then approved by the delegation service and applied to the Active Directory.
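The approval step described above, and the STUDENTS/TEACHERS form from the steps earlier, sketched as an added example (not Advanced Toolware's code): the service holding the privileges checks each submitted job against the form's delegation group, allowed actions and target group before applying it. The data model, function names and sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed directory data (assumption): group name -> member accounts.
GROUPS = {
    "STUDENTS": {"jdoe", "asmith"},
    "TEACHERS": {"mbrown"},
    "Domain Admins": {"administrator"},
}

@dataclass(frozen=True)
class Form:
    name: str
    delegated_to: str     # group allowed to submit the form
    target_group: str     # group the form's table field is limited to
    actions: frozenset    # actions the form is allowed to perform

# Hypothetical form mirroring the "Reset Passwords" steps on this page.
FORMS = {
    "Reset Passwords": Form("Reset Passwords", "TEACHERS", "STUDENTS",
                            frozenset({"unlock", "reset_password"})),
}

def member(user, group):
    return user in GROUPS.get(group, set())

def forms_for(operator):
    """Forms an authenticated operator is allowed to download."""
    return sorted(f.name for f in FORMS.values()
                  if member(operator, f.delegated_to))

def approve(operator, form_name, action, target):
    """Service-side decision for a submitted job: (allowed, reason)."""
    form = FORMS.get(form_name)
    if form is None:
        return False, "unknown form"
    if not member(operator, form.delegated_to):
        return False, "form not delegated to operator"
    if action not in form.actions:
        return False, "action not part of form"
    # Re-check the target here; the client's filtered table is only a UI aid.
    if not member(target, form.target_group):
        return False, "target outside form scope"
    return True, "approved"

def audit_line(operator, form_name, action, target):
    """One log record per decision, so delegated use stays reviewable."""
    ok, reason = approve(operator, form_name, action, target)
    verdict = "ALLOW" if ok else "DENY"
    return (f"{verdict} operator={operator} form={form_name!r} "
            f"action={action} target={target} reason={reason}")
```

Because the service acts with administrative rights, the target and action checks have to run in the service itself; a job naming an account outside STUDENTS is denied even when it comes from a member of TEACHERS.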

Better than native Active Directory delegation?

The Active Directory in Windows 2000 and Windows Server 2003 offers object-based delegation of authority. The design of this system allows for nearly unlimited granularity, so that you can even assign the permission to change only ZIP codes. Administration and management of this system is time-consuming and does not produce a clear overview of delegated permissions. Furthermore, it doesn't work on Windows NT4 or Exchange 5.5 based environments. See the comparison details below.

Feature: Support for Windows NT4
  Active Directory: None, the Active Directory Delegation of Control Wizard supports delegated control over Active Directory objects.
  Forms & Delegation: Yes, Forms & Delegation allows delegation of tasks rather than objects. Tasks can be performed on user objects from Active Directory or Windows NT4.

Feature: Delegate control over resources
  Active Directory: Limited; while native Active Directory delegation can enable a helpdesk user to create a mailbox, home directory creation and setting permissions cannot be delegated.
  Forms & Delegation: Yes, Forms & Delegation allows delegation of tasks rather than objects. Tasks can contain any combination of resources such as mailboxes, group memberships and home directories with shares and permissions.

Feature: Task based delegation
  Active Directory: The Active Directory Delegation of Control Wizard delegates authority over Active Directory objects. The administrator has to compose MMC Snap-ins to enable a helpdesk user to perform the task. Delegating a "create user" task in the Active Directory requires the delegation of authority over various objects.
  Forms & Delegation: Forms & Delegation lets you compose your custom task. A "create user" task can contain the actions to create a user account in a specific OU, set appropriate group memberships, create a home directory and create an Exchange mailbox.

Feature: Customizable user interface
  Active Directory: Limited; the Active Directory allows for management through MMC Snap-ins. These small tools can be customized to the extent that a helpdesk user only sees the delegated objects. All properties and configuration settings will still be visible; however, they can be disabled.
  Forms & Delegation: Forms & Delegation lets you assign a form to a task. A "create user" task would only require input fields for first, middle and last name, and a job type or location selection to determine OU location, home server and mailbox store automatically. The helpdesk user only sees exactly what he/she needs to do.

Feature: Security
  Active Directory: Uses the Windows authentication model, which takes the logged on user when you start the management tools to perform tasks.
  Forms & Delegation: Uses the Windows authentication model, which takes the logged on user by default when you operate the Windows Forms client. This client connects to the Delegation engine, downloads and executes Forms submitted by a delegated user. The Windows Web client (coming soon) will feature SSL encryption.

Feature: Name and password generation
  Active Directory: None, the Active Directory does not support automatic name and password generation.
  Forms & Delegation: Forms & Delegation allows for complex name and password generation, such as usernames, display names, SMTP e-mail addresses and random passwords based on complexity rules. Name generation features advanced formatting functions and duplicate handling.

Feature: Configuration and management overhead
  Active Directory: Using the Active Directory Delegation of Control Wizard is relatively easy, but management afterwards causes a lot of overhead. Configuring additional users or groups to the same object privileges is not possible without running the wizard again and there is no clear view on who is delegated to do what.
  Forms & Delegation: Users and groups are directly assigned to forms which are connected to tasks. This provides a transparent view of which user or group is allowed to do which task.

 


Advanced Toolware LLC.
800 15th Ave South West
Puyallup, Washington 98371
U.S. Toll Free: 1-888-770-4242
International: (253)770-4823
Fax: (253)435-4966

Copyright © 2007 Advanced Toolware, LLC. All rights reserved.