TL;DR: I’ve teamed up with Specops to give you a no-holds-barred look into managing Active Directory user accounts and password security across many of their products. If you need an honest review and walkthrough of a suite of tools that promise to keep your Active Directory user passwords secure, join me on a multi-post learning journey coming soon.
Just about every IT pro out there has probably encountered Microsoft’s Active Directory (AD) in one way or another. AD is a ubiquitous identity management product that’s been around for decades.
I’ve personally managed AD for close to 15 years in IT and can tell you firsthand its strengths and weaknesses. I can also tell you a whole lot of horror stories!
Although AD is a critical component of an organization’s identity management solution, it can get big and unwieldy quickly. How? In large organizations, an AD database can theoretically support up to 2.5 BILLION objects! One of the most common objects in AD is the user account.
We can all agree that an employee needs access to her computer, files, and applications. Likewise, service accounts need to authenticate applications and computers need to join a domain. So many activities depend on AD accounts (and secure passwords) to power an organization.
How do we manage all of these accounts and passwords? Probably by throwing together a haphazard AD password policy applying to the whole organization and maybe some random PowerShell scripts. It’s not because we’re lazy, it’s because we’ve just got a million other things to do!
AD administrators write another PowerShell script and helpdesk personnel keep resetting user passwords. All the while, no account lifecycle management gets put in place, leaving thousands of unused AD accounts enabled and only increasing an organization’s attack surface.
I know firsthand those times when a worm is unleashed on a network and you’re in a mad rush to reset passwords and disable accounts before it can spread! This experience coupled with my curiosity around Specops’ tools made me want to dive into this project.
Announcing the Specops Learn with Me Series
An ATA Learn with Me series starts from scratch on one or more products or services that I have no experience with. The series is meant to give you, the reader, a bird’s eye view of using a particular product or service. I get to experience the product(s) and bring you along with me as I teach you how it works and provide my feedback along the way.
For this series, I’m going to dive into the various products that Specops offers. Specops is a company that solely focuses on AD and has put in a ton of work around password management. I’m excited to see how their tools work!
From AD object cleanup, implementing password policies, auditing passwords and even offering a password self-service portal, Specops has a wide range of products. I have my work cut out for me!
Learning AD Password Management with Specops
Over the next few months and several blog posts, I will be taking you with me as I evaluate Specops’ various AD management tools and provide you with a real-world opinion from an IT pro of 20 years.
Starting with a lot of knowledge about AD password management but none around Specops’ tools, I intend to put each tool through its paces and learn what they can do.
Don’t worry though. This series of posts isn’t going to be boring documentation and product fluffery. I intend to give you my honest opinion on the Specops tools (both good and bad).
Full disclosure: Specops is paying me to write this series of posts but has given me full permission to not hold back my personal opinion. Talk about confidence in their product or perhaps they’re unaware of just how honest I can be.
Through this Learn with Me series, I will be focusing on:
- Prepping AD for best practices by learning how to clean up stale AD objects with Active Directory Janitor.
- Enforcing AD password best practices with AD’s fine-grained password policies and implementing Specops’ Password Policy product.
- Managing AD password resets and lockouts with the uReset tool.
- Verifying user identity when resetting passwords with Secure Service Desk.
Are you an AD admin in charge of maintaining a sane AD environment? Perhaps you’re wrangling dozens of PowerShell scripts to maintain user passwords in bulk, or maybe you’re looking for a more secure way to manage AD passwords. If so, stay tuned for this Learn with Me series!
As of now, I still have no experience with any Specops tools, but by the time I’m through with this series, both you and I will have a good understanding of whether a Specops tool may be for us.