ManageEngine: Preventing Identity & Privilege Mishaps with AD Change Management

Manage Engine
07/03/2026

Transcript


identity and privilege mishaps with an effective change management strategy. My name is Megha and I'm the product expert here at ManageEngine. For today's session we'll be splitting the session into two. First, I will be listing the different challenges that IT administrators experience when it comes to changes in Active Directory, and how you can combat them using a third-party tool, because native tools sometimes just fall short when it comes to managing AD efficiently, and why it's necessary for a third-party tool like ManageEngine ADManager Plus to help you achieve what you want to achieve. You can make use of the chat window, and if you have any questions, please let me know. I will take your questions at the end of the session, and if you face any audio or video issues, please do let me know. Great, so let me quickly proceed to the agenda. The reason we have picked this particular topic is that managing AD infrastructure is an inherently complex responsibility, because there are a number of changes happening almost on a day-to-day basis, like users being onboarded, moved to different teams, promoted or deprovisioned. These often pose a major challenge for our IT teams, because sometimes these changes are unexpected or unwarranted, and this leaves the IT team scrambling, trying to figure out what the status of this particular object is, what permissions this particular user has, how to tackle them one by one, and how not to make any mistakes when addressing those challenges. To ensure that the important AD objects are secure, it's essential to have complete visibility into all the changes that are happening to user accounts and their related attributes.
So, like I said, we will be taking each of these scenarios one by one: what are the challenges that IT security teams face, and what you can do to tackle them and make it easier. In the second half I'll give you a demonstration using the tool that we have, showing how to address these challenges. I hope there are no questions so far. Moving on to the first topic: protecting AD from unauthorized changes. Making changes to AD permissions without having a proper review mechanism in place can unintentionally expose sensitive business data to security vulnerabilities. Whether it's changing the permissions a user has, adding them to groups, or giving them permissions to shared folders within your organization, it's essential to have an access control policy in place for every critical action in AD to prevent users from gaining unauthorized privileges. What you can do is introduce a review process where every user change is evaluated by, say, the user's team manager, or the corresponding person that they report to, before it's transferred to an IT administrator. This manager can validate the request; if it looks good, he can go ahead and give a green signal, and if not, that particular request has to be reviewed once again and looked into before it's transferred to the IT team. So each request, such as access to critical shares or changes to group memberships, must be reviewed within the team before it's transferred to the IT team. This way the enterprise resources are not compromised. This is one way you can prevent unauthorized changes within your system. Moving on to the next one: IT administrators generally tend to delegate certain menial tasks to technicians or other non-IT users, just to ensure that the tasks are simpler and managing them is a little easier.
But sometimes what happens is, when we are delegating these tasks, or assigning permissions to certain technicians to do actions like creating users or resetting passwords, these users may have more permissions than necessary, because delegation can get tricky if you're using the built-in Delegation of Control Wizard, and enforcing the necessary restrictions becomes essential. So rather than this delegation making your task easier when it comes to managing your network, whether it's creating users or changing the properties of users, you should not come to a point where you regret giving those permissions because they are not used in the proper manner and are misused. Having a proper administrative boundary when you're giving privileges to these technicians can ensure that these privileges are very specific, and you can also delegate tasks according to the nature of the task. Let's say you want a technician to have permission just to create users: you can do that. Or just to reset passwords: you can do that too. Also, if you want to delegate permissions to technicians based on regions, say your organization has different locations and you want technicians from a particular office or region to perform actions in that particular region only, you can do that as well. We'll be seeing in the second part of the session how you can granularly delegate permissions to technicians. Moving on: when users join organizations, based on the team they are joining or the role they have, IT admins give them a standard set of permissions to access resources that are relevant to their job function. Over time, what happens is that for different tasks or different projects, users might be granted permissions to different resources.
Ideally these access rights should be revoked after the task is complete, but it's good practice for IT admins to periodically review all the user access rights by role against a checklist of permissions. Let's say when you're reviewing these permissions you happen to come across certain users who have access to top-level security groups, or critical folders and files, that are no longer necessary for that role. Periodically tracking all the permissions that are assigned to users for a specific project, and then revoking them after the project is complete, will resolve this problem. But this task can be quite tedious, because the team has to go and check every individual user's list of permissions: which groups they belong to, which resources they can access within the shared folders. This can get quite complicated. So what is the solution? When you're giving users permissions to certain resources within the organization, or when you add them to certain groups because they need to access certain critical folders, what you can do is do that on a temporary basis. Rather than giving them permission to access resources without specifying a time period, you can say that for this particular day, or for a week, this user will belong to that group, and after that particular period is done and has expired, the user will no longer be a part of that group.
This way you can rest assured that you don't have to go back to that particular user and check whether the task is complete and whether the permissions need to be revoked. And let's face it, we're not doing this for one particular user; if you're a large organization, these kinds of tasks are something you deal with on a large scale, and sometimes it's really difficult to keep track of every user permission request. That is when time-bound access rights will come in handy. Next: accidental deletions and changes. Making changes to AD and making an honest mistake is completely understandable. But the problem here is that while we are dealing with a large number of resources, a large number of employees, the computers within your organization, and the other objects within your AD, when you're doing this on a large scale and these mistakes happen quite often, whether because they're completely accidental or because of some insider attack, then you need to be worried. As you can see from the report that I have mentioned here, around 51 percent of the time organizations are worried that the security of the organization is compromised because of an accidental or unintentional insider, and 55 percent of the time privileged users or IT admins are the biggest security risk to the organization, and you can see that most of the time confidential business data is at risk. So how do you avoid that? When you are a business trying to recover from a malicious threat or an honest mistake, depending on the nature of the business, the downtime that is caused by, let's say, a ransomware attack or a vengeful employee can cost you quite a lot. I have these stats from the Forrester market study.
It's pretty shocking. It's estimated that this downtime can cost the organization around a hundred thousand dollars to three point five million dollars per hour, depending on the nature of the organization and the nature of the business. When you take this into account, you can see that you need to have some sort of backup and recovery solution in place, because this can break businesses if you're not careful in the first place. And as an IT administrator, manually finding and fixing these accidentally deleted user accounts, or user privileges that were modified by error, can be quite time-consuming, and when you're doing it there is a chance that other errors could arise as well. Having a proper backup and recovery strategy can help you prevent that. It's more like a preventive mechanism, a proactive step that you put in place, so that if any particular incident, like an insider threat or a cyber attack, leaves your systems in a state of disarray, then you have this backup and recovery strategy to fall back on. I will show you how you can do that using the tool. Moving on to the last one here.
When the roles or responsibilities of employees change, like I said, moving to a different team or a different location, IT administrators have to constantly modify the properties of their accounts, add them to relevant groups, move them to another OU, and address the group memberships and file server permissions immediately, because this will determine an employee's access to relevant resources. Apart from that, administrators are also constantly bombarded with help desk tickets like password resets and account unlocks, so any delay in processing these kinds of modification requests will basically hamper the productivity of the employees and the team. What you can do is have a template ready in place. If you're using complex PowerShell scripts to do that, it could be a little more confusing, because you need to be an expert at scripting; scripting itself comes with a lot of difficulty, and if there are any errors in the script, then that script won't execute and you'll have to troubleshoot it, so it can get complicated. A simple template, on the other hand, basically has everything arranged in its place. So when you have a request that, let's say, a user is being moved from team A to team B, then a template basically will have all the necessary attributes that are relevant to team A and team B, so when the user is being moved, all you do is just apply the template to that particular user. What happens is all his attribute values that are relevant to team A will automatically be changed to team B. So this is like a one-step procedure: you create a template, and when you have a request like this, all you have to do is just apply the template. This will make more sense when I actually show you the template and how you can use it when it comes to user modification requests, so let's not spend more time on this, and let's quickly go to the tool.

I've been talking a lot about how the tool can help you do this, so what exactly is this tool? ADManager Plus is ManageEngine's Active Directory management and reporting tool. It's a web-based tool, and with just one tool you can provision accounts in AD and Office 365, and provision mailboxes in Exchange, Skype for Business and G Suite. Rather than using different tools for the individual platforms, using this tool is like a one-shot procedure: all you have to do is enter the relevant details and select these platforms (I will show you how you can do that), and the user account will instantly be created on all these platforms. Also, scripting is completely unnecessary; you can completely avoid scripting when it comes to ADManager Plus. We have around 180-plus predefined reports, based on users, passwords, Office 365, file server permissions, and so on. It's all categorized, and you can just click and access any of those reports that you want; the tool will automatically fetch the most up-to-date information from AD and display it. Not only that, you can also export the report in any format; we have four to five formats that we support, such as PDF, HTML, CSV and so on. And let's say you do not want to generate the report every single time but instead want the report to be sent to your inbox: you can also do that, as we have a report scheduler facility as well. Then there's user deprovisioning: you want to clean up your stale accounts and make it a routine thing, but you do not want to go and individually manage those stale accounts, like removing them from groups, removing their licenses, and moving them to a different container. These are individual actions, so rather than doing them individually for each user object, you can select a bunch of users and then define an automation policy which encompasses all of the actions I just listed as part of the deprovisioning policy; then just choose your schedule date and time and the tool will take care of it. The next feature is delegation, which we spoke about at length in the beginning, and the last one is workflow: how you can streamline and monitor AD tasks using the workflow, which is the review and approval mechanism that we have.

Let's quickly move on to the first one: how can you protect AD from unauthorized changes? The answer is workflow. With workflow, what you can do is specify who is going to review. Let's say the HR department wants to create users: 10 users are being onboarded into the organization, and the HR executive has a CSV file containing all those users. This HR executive can raise a request: you just enter the important unique attribute values of the new employees and then raise a request. That request will be sent to, let's say, the HR executive's manager, who can review it and approve it, and then it can be sent to the IT team for execution. Let's say there is something off with the way the details are given and you need to review it: you can also reject it and place comments. What I gave is a very basic example, which is user creation, but any change, be it group modification or modifying users' licenses, can be put through a workflow mechanism. Every action will go through this review and approval process, and once it looks completely fine and has been validated by the reviewers and the approvers, it will be executed by the IT team. Let me quickly show you the tool to give you an idea. This is the ADManager Plus tool; I have logged in, and right here we have the workflow on top. This is what I was talking about: an HR executive can place a request, and up to five reviewers and up to five approvers can be added here. The reviewers can review the request as is, as it says here, and if it looks fine it can be moved to the reviewed stage, then to the next stage, which is approval, and once it's approved it'll be moved to execution. So there is completely no way in which an unauthorized change will happen, because you're enforcing checkpoints at every step. This step is not mandatory, it's optional, but I would recommend at least having one step between a requester and an executor, so there is somebody validating whatever request has been raised. Depending on the severity of the task, you can increase the number of reviewers and the number of approvers as well. We have some default workflows mentioned here: there is a default business workflow which has one requester and one executor, and there is a user onboarding workflow. These are some inbuilt workflows that come with the tool, but there is no restriction; you can create a new workflow by just entering the workflow name and description and choosing the requesters, reviewers, approvers and the executor. If you have any questions, we will take them at the end of the session; once the session ends I will be able to address your questions.

Moving on, the question is who can be requesters, reviewers, approvers or executors. Right here on the LHS we have the requesters, reviewers, approvers and executors. You can click on requester and add who can be one; let's say an HR executive can be a requester, so if you click on add new requester, you can choose the user, in our case an HR executive, and that person will be treated as a requester. Similarly, for reviewers and approvers you can add any technicians that you want. Also, if you want to be notified every time a requester places a request, or when a request has been approved and has come to you for approval or review, then you can set up assigning rules to ensure that you get an email or an SMS alert for that. Let me quickly show you that. This is where we define the logic: you want certain tasks to be automatically assigned to certain technicians, so this is where you set the logic for it. Let's say if the action is reset password, then you automatically assign it to technician A. In this particular case, the business workflow has one requester, two reviewers, two approvers and an executor; if the business workflow that you selected has, for example, just a requester and an executor, this is how it looks. You can enable notification for that, and you can also set the priority and who you want it to be assigned to. This is where you define the logic: if this is the request, or if the subject is this, or if the requester is an HR executive, it has to be automatically assigned to this technician. That can be taken care of as well, because then you don't have to go and individually take stock of all the requests that you have received and assign them to technicians. If the HR executive has been using this tool, he can raise a request from within the tool, so he will be a technician; and if you've integrated with a help desk tool, then whatever request the HR executive raises from a help desk tool like, for example, SDP or ServiceDesk Plus, will be raised as a request from SDP, but it'll be transferred to this workflow within ADManager Plus, the action will be carried out in ADManager Plus, and then the change will be made in AD. That's how it functions; if you're already familiar with the tool and the integrations that we offer, then this should help.

Moving on: how to avoid privilege creep. All right, I just missed one, so quickly going back: how to configure tight access control. What we saw was the workflow mechanism. Now you are making tasks easier for yourself by assigning them to technicians, but when you're giving permissions to technicians you need to be a little wary of the fact that, all right, I have given this permission to a technician; what if there is a possibility of this technician misusing those privileges, and what can you do about it? In ADManager Plus what we have is a very granular way of delegation. On the top, let me quickly take you through what options we have: we have Home, which is the dashboard; AD Management, which has all the management actions in the tool; AD Reports, which has all the reports; Office 365, under which the reporting as well as the management aspects of Office 365 are listed; and then Delegation, where we are right now. When you're giving a user the privilege to be a technician, in ADManager Plus you can just click on add new technician, select a user or a group, and then give them roles. Roles are where I would like to focus in today's session, so let me quickly show you how you can define roles for a technician. When you click on help desk roles, we have create new role. This is where you define what permissions this particular technician has. Let's say I want this user to have permission just to create users and to reset passwords; when I select those options, you can see that there are more options available, so let me quickly show you. Now, you do not want this technician to enter any important attribute values, like, let's say, Exchange properties or group memberships, but you want the technician to just enter some basic details, like the first name, last name, email address, and employee ID. Let's say the technician is the HR executive in this case, so he has to enter just the basic details and the rest of the details will be taken care of by the IT administrator, and you want to ensure that the HR technician does not have permission to edit or enter all those other attribute values. How do you do that? Right here we have something called user attribute properties. When you click on that, right now everything is selected, so I'm just going to unselect all, and then select just the general attributes: I want these attributes alone to be made editable, or made available for the technician to enter, and the rest of the attribute values, be it Office 365, contact attributes or Exchange, I'm going to leave unselected. I click OK. When it comes to reset password, I can once again specify what options are available to that particular technician; I can just give the random password option, so I allow the technician access to just this and not these other properties. I select that and save the role; I'm going to save this as a test role. So this is what I meant by granularly giving permissions. What we saw was just user creation, but similarly, when it comes to managing other objects, you can select the category right here on the LHS and choose which management action has to be made available, and when it comes to reports, which reports this particular technician can access, whether it's all users or whether it's password-related; any of that you can just select. This is how you can make sure that when you're giving permissions to a technician you are very specific and you are not giving anything that is more than necessary.

Moving on to the next one: how to avoid privilege creep. Like I said, when you're granting permissions to users over time, it cumulatively adds up, and there are a lot of permissions that are not revoked; even after the project or the task is over, these users have permissions to top-level security groups, or they have access to sensitive folders containing the financial information of the company, and you do not want that kind of permission lying around. What you can do is give them access to privileged groups only for a limited time, so giving time-bound access. Let me quickly go to the tool and show you how you can do that. Coming back to workflow, what you can do is raise a request for these time-bound access rights. Under create request, you can click on user modification, and here is where you select the task; in this case, let me pick add to group. When I click on this plus icon, it basically lists all the groups in my domain, and you can just choose any groups, important groups, and hit OK. This is where you can set the time: the duration can be forever, one day, two minutes, or a specific day. I'm going to just say, let's say, one day. You can set the subject, your description, the domain, and the user: which user you want to give permissions to, which user should be added to the group. You can choose multiple users as well, and then hit OK. When you create the request, it again follows a workflow mechanism, so if you have a specific modification-request workflow mechanism created, it will go to that particular workflow, and whichever reviewer or approver it is will validate it. Once the administrator executes that request, that particular user will be added to that group. This request will be valid only after the administrator executes it; once that is done, the user will be added to the particular group we specified, and for that period of time, let's say one day, he'll be a part of that group, and after that day he'll automatically be removed. Not just group memberships: we also have folder permissions. You can specify the subject, the action (set folder permissions), choose the domain, select the folders (just click on this and select the folders that you want), and the name of the user; you can enter the name or just select them. Then, what permission do you want to give, whether it's full control, just read, just write, or any of these advanced permissions; just select that and hit done. This is where again you can specify the duration, whether it's forever, 30 minutes, one day, or a specific day. Again, this request will go through the mechanism, the reviewer or approver will validate it, and then that particular task will be executed; and for this particular date, the 26th of September, this particular user will have permission to access the folder that you have selected, and after that he will not have permission. That's how you can ensure that when you're giving permissions, it's not necessary that you have to keep track of every permission that you have given and then revoke it; this will take a whole lot of work off your hands and you can just focus on your other tasks.

Now, accidental changes and deletions. Let's say you deleted an important security object or a group. This can be quite difficult, because you'll have to configure it again and assign all the permissions like they were before, and you do not want your organization's or your team's productivity to be put on hold or put at risk because of a small mistake that you made. You can have a backup and recovery solution to completely avoid that. Let me quickly show you the tool. Backup and recovery is a pretty new feature; it just came out a few months back. You can see that we have a tab called backup. Here it gives a complete overview of the status, and you can configure your backup settings here: what are the OUs that you want to back up? Let's say you have some important OUs which contain important security-related objects, like important administrator accounts and important groups; then you can back up that particular OU alone, or if you want to back up every OU, you can go ahead and choose that. And what objects do you want to back up: whether it's just users, or computers or contacts, and even if you're specifying users, what attributes you want to back up, whether it's managed objects, member of, direct reports, or manager; all of that you can select here. And when you want the full backup to happen: if you want to schedule it on a non-business day, you can do that, you can just set the day and the time, and if you want to take the backup on a weekend, you can do that as well. Now, it's unrealistic to expect changes not to happen until the full backup happens; for a month there are no changes, no, that's not possible. But you also want to make sure that every change you make within that period of time is documented and recorded, and that is where an incremental backup helps. Let's say you want to have an incremental backup schedule going every single day or every week; you can do that. If there are changes to objects happening on a day-to-day basis, or every week, or once in a week, then only those changes will be taken into account; it will not take a full backup of all the objects, but it'll just record the change alone, and that changed attribute value will be stored. You can also specify how many backups you want to retain, because you don't want to take up all your storage space; if you just want the last 12 backups or the last 15 backups, you can do that. This is how you can configure your backup, and similarly you can do the recovery settings as well. When you go to recover an object, we have two options. Let's say you want to simply restore an object with all its attribute values intact; you can do that. Now let's say you want to restore a version, not the last version but the version before that; you can do that as well, and that comes under granular restore. You can choose the object; in this particular case I've just initiated one backup, and that is why it just says one backup. If there are multiple backups running, it will show the number of backups, and when you click on that it will show you what the changes are, it'll show you in which backup what has been changed, and you can granularly go and pick: for this particular object I want the value to be restored from version number, say, three, and this particular attribute value has to be restored. That's how you can change it. Let's say you're making multiple changes to a particular object and you made a change which is not correct, and instead you want to revert it to the previous version; that's where a granular restore will help you. Rather than just blindly restoring everything from the last backup, you can specifically go down and check: this is the attribute value, this is the version from which I want it to be restored, because the latest one is not what I want. That's where granular restore will help you; it'll make your restoring and your backing up even more helpful and make your task easy. You can select the object, see what change has been made, and then pick the one that you want. Having a backup and recovery strategy is not a luxury but more of a necessity.

Moving on: user modification. We spoke at length about user modification; users being moved to different teams, being promoted, and having all these changes can be kind of overwhelming, and dealing with these changes one at a time can be difficult. Let's say a user is being moved from one particular team to another team and a lot of attribute values have to be changed: his reporting-to has to be changed, maybe his contact attributes, maybe his location, like his office address if he's being moved to a different location, and also his group memberships, his folder permissions, his home folder. So many things have to be changed, and you have to address that for multiple users. I said in the beginning that a template will help you do that, so let me show you what exactly a template is, and this will give you a better understanding of what I was telling you at the beginning of the session. When you click on AD Management, we have these templates. The templates are not just restricted to user creation but cover other objects as well, and not just creation but modification. Let me quickly show you what a user modification template is and how it's going to help you. I'm going to click on create new template and show you what the layout looks like. This is basically how the user creation, or any other object creation, layout looks; it's very similar to that. The difference is that here you will be specifying certain values in these attribute fields. Let's say I have a template for the marketing department of the U.S. office. This is a template that I'm just creating, and I will enter the attribute values which are relevant to the marketing department in the U.S., and I'll enter that alone here. I'll leave out the first name, the last name, and all those unique attribute values; I will not touch those, but I will enter these values: let's say the description, the office, the extension, the contact attributes, the reporting-to, all of that I will enter. And when a user is being modified or moved, I will just save this template and apply that template, or modify that user using the template. I will show you how that is done. Before moving to that, I will show you what a modification rule is. Right here we have an option called modification rule, and I'm going to create a new rule. It's quite easy: a user is being moved from department A to department B, let's say he's being moved from finance to IT, just as an example here. I have listed here the condition: the tool will check if the department is being moved from A to IT. Now, what are the values that are going to be changed? Let's say his member-of is going to be changed, so I will add some groups here; similarly his manager will be changed, so I will choose the manager object right here, just picking a random object, and I add that; and the description is also going to be changed
now he's the marketing department right so this just uh i'm sorry he's just a part of the it department so this is just an example i'm just showing what you can do so you can similarly you can specify any number of conditions right here so whether the office is changed or whether the the manager is this particular person so you can add similarly many conditions so we have the or or and option you can add that here and here you can specify if this is being met if this is a yes then what are the changes if this is satisfied then what are the attribute value changes so the idea of creating every template for every single scenario let's say marketing department for us or marketing department for uk and marketing department for for the middle east so that can be that is fine that is all right you can do that but rather than doing multiple templates so if you're doing this for all the departments all regions it's going to be a lot of templates but we do not have any restrictions to the number of templates that you can create you can create any number of templates that you want now if you're going to do so so rather than doing what i would recommend is rather than creating multiple templates you can just have one template so for marketing department or for let's say a region for u.s office and then you can just set if the department is this if the department is b if the department is c or if the you know office is this similarly you can go at permutations and combinations and you can create roles so when you're modifying a user and then you're picking the template it will check okay what is the change has the department being made is the department changed yes then the tool will check what are the values that are assigned here and it will immediately rewrite the or overwrite the existing values with the values you've specified here so let me quickly show you how you can do that so we have modify single user option right here now you can choose a modify user so let's say 
i'm just going to pick one user object right here and this will basically load the user attribute value so this looks like a test user so we'll just go ahead and this is where you're going to choose the template so if i click on change you can see that there are these are the number of these are the modification templates that are created now if we have created anything we can go ahead and select that so i'm just going to pick a template right here and i click okay right so and then once you expand you can also click preview so what so the template that i have chosen basically does not have any value so let me quickly uh see if i can pick a template with some you know values that are already populated so let me quickly click on preview well let's try another one and then if not we'll i'll just explain how it looks right so all right too bad anyway so let me show you how it is done so let me give you a demo so let's say we have chosen a selected template now we'll see uh when you click on preview what happens is it will show what are the old values and what are the existing values now let's say the department as of now is it right and when you're moving the department value to be marketing or finance or hr then that particular attribute value will be changed right so that will be displayed and then the other attribute values let's say your description or your office your telephone number all of that will be it will show a list of the current values and what it will be when you click on update user right so it will show the previous values and the values that you're uh you know that you currently wanted to have so that is what a preview option this is just to give an idea of like before you make the change you can just review all those changes and then if it looks good then you click on update user if not you go and edit those attribute values and then again click on update user so these kind of simple tricks to manage your changes within your ad these tricks are not 
available in native tools and that's why ad manager plus tries to be that one single point of tool where it industries administrators and it security teams would reach out for when it comes for when it comes to ad management and reporting now what i have covered today is extremely uh like i have just scraped the top of the surface the tool has a lot more features so we have just seen like just a few tabs right here and i have not even covered the entire section of each topic that we covered today so this is just for the topics that we had that we were discussing today that is how to have a change management strategy and how it's going to help you prevent having any sort of mishaps with your user identities and privileges so that's uh that brings us to the end of the session just one more uh action and then we'll be uh concluding the session so what i have will be i'll be sharing two poll questions just two so i will be initiating a poll right here so i will just launch and then i'll give 30 seconds and i'll let you answer those questions and then i'll launch the second question so i hope that's uh we've understood that let me quickly launch the first question you'll be able to see the first question on your screen right now great so i will be launching the second question now right i hope you can see the second question on your screen so all right closing now great uh so thank you so much so that's that brings us to the end of the session so i hope that gave you a good understanding of uh what our tool is and you know how you can address all these challenges with our tool now if you have any questions i will be available and then you can make use of the chat window and i'll i'll address your questions and uh also we we have so many product specific workshops that are uh you know available so if you want to like try our product we also have if you've not tried before so we have a demo setup online so i'll be sharing the link right here in the chat window you can try 
that uh that will be available all the time and you can uh just you know try out the actions just get an understanding of what the product is using our demo tool right here and uh if you have any other questions you can also reach out to our support team so i have uh given the contact address right here and i will also uh send you my email address so if you have any questions i'll be glad to help you with that as well so just entering my email address in the chat window please go ahead and uh if you want to have if you have any questions regarding the webinar or the our product or anything just do reach out to me so i hope the session was beneficial and uh i'm i'm i'm just glad that we have a really good turnout today and uh every session we hope to make it better and informative for our attendees so thank you so much for taking time off your schedule and then joining us so have a great day thank you all

TL;DR

  • Workflow mechanisms with multi-stage review and approval prevent unauthorized AD changes by creating validation checkpoints between requesters and executors before modifications are executed.
  • Time-bound access rights automatically revoke group memberships and folder permissions after specified durations, eliminating privilege creep without manual tracking of temporary permissions.
  • Granular delegation controls restrict technician permissions to specific tasks, regions, and attribute fields, preventing over-privileged access while enabling efficient task distribution.
  • Backup and recovery solutions with incremental scheduling and granular restore capabilities protect against accidental deletions and insider threats that can cost up to $3.5 million per hour in downtime.
  • User modification templates with conditional rules automate bulk attribute changes when users transfer teams, eliminating PowerShell scripting complexity and accelerating lifecycle management across hybrid environments.

Active Directory Change Management Challenges

Managing Active Directory infrastructure presents inherent complexity as organizations handle constant changes — user onboarding, team transfers, promotions, and deprovisioning. These changes, whether expected or unexpected, create significant challenges for IT teams who must maintain visibility into all modifications while ensuring critical AD objects remain secure. Without proper change management strategies, organizations risk unauthorized access, privilege creep, and security vulnerabilities. The session addresses how third-party tools can overcome native AD management limitations by providing comprehensive visibility, granular delegation controls, and automated workflows that prevent identity and privilege mishaps.

Workflow-Based Access Control and Time-Bound Permissions

Implementing review and approval workflows ensures every critical AD change undergoes validation before execution. The workflow mechanism supports up to five reviewers and five approvers, creating checkpoints between requesters and executors to prevent unauthorized modifications. Time-bound access rights address privilege creep by automatically revoking group memberships and folder permissions after specified durations — whether one day, specific dates, or custom periods. This approach eliminates the manual burden of tracking temporary permissions and ensures users don't retain unnecessary access to top-level security groups or sensitive resources after project completion.
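The time-bound access rights described above, modelled as an added example in Python (not the product's code): every grant carries an explicit expiry, a periodic sweep returns the grants that must be revoked, and grants with no expiry are surfaced as privilege-creep candidates once they outlive a review window. The account names, group names, folder path and dates are constructed for the example; the sweep only decides what to revoke, so the actual removal (for instance a `Remove-ADGroupMember` call) is left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One entitlement: a security-group membership or a shared-folder permission."""
    principal: str                  # account the access was given to
    resource: str                   # group name or folder path
    granted_at: datetime
    expires_at: Optional[datetime]  # None = standing access, never auto-revoked
    reason: str = ""


def grant(principal, resource, now, *, days=None, until=None, reason=""):
    """Issue a grant whose expiry is a duration in days or a fixed date.
    Omitting both gives standing access, which standing_access_older_than() flags."""
    if days is not None and until is not None:
        raise ValueError("give either days= or until=, not both")
    expires = now + timedelta(days=days) if days is not None else until
    if expires is not None and expires <= now:
        raise ValueError("expiry must lie in the future")
    return Grant(principal, resource, now, expires, reason)


def sweep(grants, now):
    """Split the ledger into (still_active, to_revoke) as of `now`.
    The caller removes every grant in to_revoke and keeps still_active as the new ledger."""
    active, revoke = [], []
    for g in grants:
        expired = g.expires_at is not None and g.expires_at <= now
        (revoke if expired else active).append(g)
    return active, revoke


def standing_access_older_than(grants, now, max_age_days=90):
    """Privilege-creep candidates: grants with no expiry that have outlived a review window."""
    cutoff = now - timedelta(days=max_age_days)
    return [g for g in grants if g.expires_at is None and g.granted_at <= cutoff]


# Constructed sample data (hypothetical accounts, groups and dates; not from the webinar).
SAMPLE_NOW = datetime(2026, 7, 3, 12, 0, tzinfo=timezone.utc)


def sample_ledger(now):
    return [
        grant("jdoe", "Project-Alpha-Admins", now, days=1, reason="hotfix deploy"),
        grant("jdoe", r"\\fs01\projects\alpha", now, until=now + timedelta(days=14), reason="project"),
        grant("asmith", "Domain Admins", now - timedelta(days=200), reason="legacy, never reviewed"),
        grant("bkhan", "Helpdesk-Tier1", now - timedelta(days=10)),
    ]


def demo():
    """Run the sweep two days and fourteen days after the grants were issued."""
    ledger = sample_ledger(SAMPLE_NOW)
    active_2d, revoked_2d = sweep(ledger, SAMPLE_NOW + timedelta(days=2))
    _, revoked_14d = sweep(ledger, SAMPLE_NOW + timedelta(days=14))
    creep = standing_access_older_than(ledger, SAMPLE_NOW)
    return {
        "revoked_after_2_days": [(g.principal, g.resource) for g in revoked_2d],
        "still_active_after_2_days": len(active_2d),
        "revoked_after_14_days": len(revoked_14d),
        "creep_candidates": [g.principal for g in creep],
    }


if __name__ == "__main__":
    print(demo())
```

The one-day group grant is revoked at the first sweep, the folder grant at the second (its fixed date has been reached), and the 200-day-old standing Domain Admins membership is reported for review even though nothing ever expires it.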

Granular Delegation and Backup Recovery Strategies

Delegation controls allow administrators to assign specific permissions to technicians based on task type, region, or organizational unit — preventing over-privileged access. Attribute-level restrictions ensure technicians can only modify designated fields, such as basic user information, while critical properties remain protected. The backup and recovery solution provides both full and incremental backup scheduling, with granular restore capabilities that allow administrators to recover specific attribute values from previous versions rather than blindly restoring entire objects. This proactive strategy protects against accidental deletions, insider threats, and ransomware attacks that could cost organizations between $100,000 and $3.5 million per hour in downtime.

Automation Through Templates and Modification Rules

User modification templates streamline bulk changes by pre-configuring attribute values for specific departments, locations, or roles. When users transfer between teams, administrators apply templates that automatically update group memberships, manager assignments, contact attributes, and folder permissions in a single action. Modification rules add conditional logic — if a user moves from Finance to IT, the system automatically applies predefined attribute changes without manual intervention. This template-based approach eliminates repetitive PowerShell scripting, reduces human error, and accelerates user lifecycle management across hybrid environments including Active Directory, Office 365, Exchange, Skype for Business, and G Suite.

Chapters

0:00 - Introduction and Agenda
1:24 - AD Change Management Challenges
3:03 - Protecting AD from Unauthorized Changes
4:50 - Delegation and Administrative Boundaries
6:55 - Privilege Creep and Time-Bound Access
9:50 - Accidental Deletions and Insider Threats
13:09 - User Modification Challenges
15:42 - AD Manager Plus Overview
18:35 - Workflow Mechanism Demo
25:35 - Granular Delegation Controls
31:31 - Time-Bound Access Rights Demo
35:14 - Backup and Recovery Solution
41:36 - Modification Templates and Rules
50:11 - Closing and Q&A

Key Quotes

2:00 "... making changes in AD permissions without having you know a proper review mechanism in place can unintentionally expose sensitive business data to security vulnerabilities ..."
11:04 "... around 51 percent of the time organizations are worried that you know in the the security of the organization is compromised because of accidental or unintentional insider and 55 percent of the time privileged users or IT admins are the biggest security risk to the organization ..."
11:37 "... it's estimated that around one one hundred. So this downtime can cost the organization for around a hundred thousand dollars to three point five million dollars per hour depending on the nature of the organization ..."
16:28 "... scripting is completely not necessary you can completely avoid scripting when it comes to ad manager plus so we have around 180 plus predefined reports ..."
21:03 "... there is completely no way in which uh you know an unauthorized change will happen because one thing you're enforcing you know checkpoints in every step ..."
50:04 "... that's uh that brings us to the end of the session so that's how to have a change management strategy and how it's going to help you prevent having any sort of mishaps with your user identities and privileges ..."

FAQ

How does the workflow mechanism prevent unauthorized Active Directory changes?

The workflow creates mandatory checkpoints between requesters and executors, supporting up to five reviewers and five approvers who validate each change before execution. Requests can be approved, rejected with comments, or sent back for revision, ensuring no unauthorized modifications bypass validation. Assignment rules automatically route specific task types to designated technicians based on action, requester, or priority level.
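The checkpoint workflow described in the section above and in this answer, as an added Python example (not the product's implementation): a change request must be approved by every reviewer and then every approver in turn, a rejection needs a comment, a send-back returns the request to the requester, and only a different person than the requester may execute an approved request. The assignment-rule routing at the end follows the same first-match idea; the request, reviewer, technician and rule values are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_PER_STAGE = 5   # the session describes up to five reviewers and five approvers


@dataclass
class ChangeRequest:
    """A requested AD change that must clear each reviewer, then each approver,
    before an executor (never the requester) is allowed to apply it."""
    req_id: str
    requester: str
    action: str          # e.g. "add_to_group"
    target: str          # e.g. "jdoe -> Domain Admins"
    reviewers: list
    approvers: list
    status: str = "pending_review"
    history: list = field(default_factory=list)
    _pos: int = 0        # index of the checkpoint whose decision is pending

    def __post_init__(self):
        for role, people in (("reviewers", self.reviewers), ("approvers", self.approvers)):
            if not 1 <= len(people) <= MAX_PER_STAGE:
                raise ValueError(f"{role}: need 1..{MAX_PER_STAGE}, got {len(people)}")
            if self.requester in people:
                raise ValueError("a requester may not review or approve their own request")

    def current_actor(self):
        if self.status == "pending_review":
            return self.reviewers[self._pos]
        if self.status == "pending_approval":
            return self.approvers[self._pos]
        return None   # rejected, returned, approved or executed: nothing pending

    def decide(self, actor, decision, comment=""):
        expected = self.current_actor()
        if expected is None:
            raise PermissionError(f"{self.req_id} is {self.status}; no decision is pending")
        if actor != expected:
            raise PermissionError(f"{actor} is not the pending checkpoint ({expected})")
        if decision == "approve":
            self._pos += 1
            if self.status == "pending_review" and self._pos == len(self.reviewers):
                self.status, self._pos = "pending_approval", 0
            elif self.status == "pending_approval" and self._pos == len(self.approvers):
                self.status = "approved"
        elif decision == "reject":
            if not comment:
                raise ValueError("a rejection must carry a comment for the requester")
            self.status = "rejected"
        elif decision == "send_back":
            self.status, self._pos = "returned", 0   # requester revises and resubmits
        else:
            raise ValueError(f"unknown decision {decision!r}")
        self.history.append((actor, decision, comment))
        return self.status

    def resubmit(self):
        if self.status != "returned":
            raise PermissionError("only a returned request can be resubmitted")
        self.status, self._pos = "pending_review", 0
        return self.status

    def execute(self, executor, apply_change):
        """apply_change(action, target) does the real work; it runs once, only after approval."""
        if self.status != "approved":
            raise PermissionError(f"{self.req_id} is {self.status}, not approved")
        if executor == self.requester:
            raise PermissionError("requester and executor must be different people")
        result = apply_change(self.action, self.target)
        self.status = "executed"
        self.history.append((executor, "execute", result))
        return result


def route(action, requester, priority, rules):
    """Assignment rule: the first rule whose stated fields all match names the technician.
    A rule is a dict with a 'technician' key plus any of action / requester / priority."""
    facts = {"action": action, "requester": requester, "priority": priority}
    for rule in rules:
        if all(rule.get(k, v) == v for k, v in facts.items()):
            return rule["technician"]
    return None


# Constructed sample rules and walk-through (hypothetical names, not from the webinar).
SAMPLE_RULES = [
    {"action": "add_to_group", "priority": "high", "technician": "tier2-oncall"},
    {"action": "add_to_group", "technician": "tier1-queue"},
    {"technician": "helpdesk"},
]


def demo():
    req = ChangeRequest("CR-1", "alice", "add_to_group", "jdoe -> Domain Admins",
                        reviewers=["bob", "carol"], approvers=["dave"])
    states = [req.decide("bob", "approve"), req.decide("carol", "approve"),
              req.decide("dave", "approve")]
    applied = []
    req.execute("erin", lambda action, target: applied.append((action, target)) or "ok")
    return {"states": states, "final": req.status, "applied": applied,
            "technician": route("add_to_group", "alice", "high", SAMPLE_RULES)}
```

Note the two properties that matter for a defender: the change function is never reachable until the status is `approved`, and a request with the requester as one of its own checkpoints is rejected at construction rather than at review time.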

What is the difference between full backup and incremental backup in the recovery strategy?

Full backup captures complete snapshots of all selected OUs and objects on scheduled intervals (typically weekly or monthly on non-business days). Incremental backup records only the changes made since the last backup, running more frequently (daily or weekly) to capture day-to-day modifications without consuming excessive storage. Administrators can configure retention policies to maintain a specific number of recent backups.
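The full/incremental scheme and granular restore described in the Backup Recovery section and in this answer, as an added Python example (not the product's code). A full backup stores a complete snapshot; an incremental stores only the attributes that changed since the previous backup, including deletions; retention keeps the last N backups, folding the oldest into its successor so nothing still retained becomes unreconstructable; and an administrator can list every value an attribute has held and restore one attribute, or a whole object, from a chosen version. The directory is modelled as a dict of DN to attribute dict; the DNs, attribute values and backup sequence are constructed for the example.

```python
import copy


def _apply(state, delta):
    """Replay one incremental delta onto a directory state and return the new state."""
    state = copy.deepcopy(state)
    for dn, change in delta.items():
        if change is None:                       # object deleted since the previous backup
            state.pop(dn, None)
        elif dn not in state:                    # object created since the previous backup
            state[dn] = copy.deepcopy(change)
        else:                                    # only the attributes that changed are stored
            for attr, value in change.items():
                if value is None:
                    state[dn].pop(attr, None)
                else:
                    state[dn][attr] = copy.deepcopy(value)
    return state


class BackupStore:
    def __init__(self, retain=12):
        self.retain = retain
        self.backups = []      # oldest first; each entry is {"id", "kind", "data"}
        self._last = None      # directory state at the most recent backup (for diffing)
        self._next_id = 1

    def full_backup(self, directory):
        self._last = copy.deepcopy(directory)
        return self._append("full", copy.deepcopy(directory))

    def incremental_backup(self, directory):
        if self._last is None:
            raise RuntimeError("an incremental backup needs a full backup to build on")
        delta = {}
        for dn in sorted(set(self._last) | set(directory)):
            old, new = self._last.get(dn), directory.get(dn)
            if new is None:
                delta[dn] = None
            elif old is None:
                delta[dn] = copy.deepcopy(new)
            else:
                changed = {a: copy.deepcopy(new.get(a)) for a in set(old) | set(new)
                           if old.get(a) != new.get(a)}
                if changed:
                    delta[dn] = changed
        self._last = copy.deepcopy(directory)
        return self._append("incremental", delta)

    def _append(self, kind, data):
        bid, self._next_id = self._next_id, self._next_id + 1
        self.backups.append({"id": bid, "kind": kind, "data": data})
        # Retention: drop the oldest backup, folding it into the next incremental first, so
        # every retained backup stays reconstructable (backups[0] is therefore always a full).
        while len(self.backups) > self.retain:
            oldest = self.backups.pop(0)
            nxt = self.backups[0]
            if nxt["kind"] == "incremental":
                nxt["kind"], nxt["data"] = "full", _apply(oldest["data"], nxt["data"])
        return bid

    def state_at(self, backup_id):
        """Reconstruct the whole directory as it was at a given backup."""
        idx = next(i for i, b in enumerate(self.backups) if b["id"] == backup_id)
        base = max(i for i in range(idx + 1) if self.backups[i]["kind"] == "full")
        state = self.backups[base]["data"]
        for b in self.backups[base + 1:idx + 1]:
            state = _apply(state, b["data"])
        return copy.deepcopy(state)

    def attribute_versions(self, dn, attr):
        """Distinct values one attribute has held, as (backup_id, value); None means absent."""
        versions, prev = [], object()
        for b in self.backups:
            value = self.state_at(b["id"]).get(dn, {}).get(attr)
            if value != prev:
                versions.append((b["id"], value))
                prev = value
        return versions

    def restore_attribute(self, directory, dn, attr, backup_id):
        """Granular restore: put back a single attribute from one chosen version."""
        value = self.state_at(backup_id)[dn][attr]
        directory.setdefault(dn, {})[attr] = copy.deepcopy(value)
        return value

    def restore_object(self, directory, dn, backup_id=None):
        """Restore a whole object, from the newest backup unless a version is chosen."""
        backup_id = backup_id or self.backups[-1]["id"]
        directory[dn] = self.state_at(backup_id)[dn]
        return directory[dn]


def sample_history(retain=12):
    """Constructed sample (hypothetical DNs, not webinar data): one user edited twice, then deleted."""
    jdoe = "CN=jdoe,OU=Finance,DC=corp,DC=example"
    directory = {jdoe: {"department": "Finance", "title": "Analyst", "memberOf": ["FIN-Staff"]},
                 "CN=asmith,OU=IT,DC=corp,DC=example": {"department": "IT", "title": "Engineer"}}
    store = BackupStore(retain=retain)
    store.full_backup(directory)                     # id 1: scheduled full backup
    directory[jdoe]["title"] = "Senior Analyst"
    store.incremental_backup(directory)              # id 2: daily incremental (title only)
    directory[jdoe]["department"] = "IT"
    directory[jdoe]["memberOf"] = ["IT-Staff"]
    store.incremental_backup(directory)              # id 3: department and group change
    del directory[jdoe]                              # accidental deletion, captured by id 4
    store.incremental_backup(directory)
    return store, directory, jdoe
```

Restoring `jdoe` from the newest backup would fail, because that backup records the deletion; the granular path is to restore the object from version 3 and then, if the last edit was the wrong one, pull a single attribute such as `title` back from version 1. The retention fold is the detail easiest to get wrong in practice: dropping the oldest full without consolidating it silently orphans every incremental that depended on it.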

How do modification templates differ from modification rules?

Modification templates are pre-configured attribute sets for specific departments, locations, or roles that administrators manually apply to users during transfers. Modification rules add conditional logic that automatically triggers attribute changes when specific conditions are met — for example, if a user's department changes from Finance to IT, the system automatically applies predefined group memberships, manager assignments, and contact attributes without manual template selection.
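The template-plus-rule behaviour described in the Automation section and in this answer, as an added Python example (not the product's code): a template supplies department-level attribute values while leaving blank fields and per-user identity attributes untouched, each rule is a list of conditions combined with AND or OR that is evaluated against the proposed state (with `changed_from` and `changed_to` operators for "moved from Finance to IT"), and `preview()` returns the old-value/new-value diff that the text describes being reviewed before Update User. Attribute names follow the usual AD schema names; the user, template and rule values are constructed for the example.

```python
import copy

# Per-user identity attributes that a department template must never overwrite.
PROTECTED = {"sAMAccountName", "objectGUID", "givenName", "sn"}


def condition_holds(cond, before, after):
    """cond = (attribute, operator, value). Operators inspect the proposed state; the
    changed_* operators also look at the current state to detect a transition."""
    attr, op, value = cond
    old, new = before.get(attr), after.get(attr)
    if op == "equals":
        return new == value
    if op == "in":
        return new in value
    if op == "changed_to":
        return old != value and new == value
    if op == "changed_from":
        return old == value and new != value
    raise ValueError(f"unknown operator {op!r}")


def rule_fires(rule, before, after):
    results = [condition_holds(c, before, after) for c in rule["conditions"]]
    return any(results) if rule.get("logic", "and") == "or" else all(results)


def propose(user, template=None, rules=()):
    """Attributes the user would have after the template and every rule that fires.
    Nothing is written; callers diff with preview() and then commit the result."""
    after = copy.deepcopy(user)
    for attr, value in (template or {}).items():
        if attr in PROTECTED:
            raise ValueError(f"template may not set identity attribute {attr}")
        if value not in (None, ""):          # blank template fields keep the user's value
            after[attr] = copy.deepcopy(value)
    for rule in rules:
        if not rule_fires(rule, user, after):
            continue
        for attr, value in rule.get("set", {}).items():
            after[attr] = copy.deepcopy(value)
        groups = [g for g in after.get("memberOf", []) if g not in rule.get("remove_groups", [])]
        groups += [g for g in rule.get("add_groups", []) if g not in groups]
        after["memberOf"] = groups
    return after


def preview(user, template=None, rules=()):
    """The old-value -> new-value view shown before Update User: only attributes that change."""
    after = propose(user, template, rules)
    return {a: (user.get(a), after.get(a)) for a in sorted(set(user) | set(after))
            if user.get(a) != after.get(a)}


# Constructed sample data (hypothetical user, template and rules; not from the webinar).
SAMPLE_USER = {
    "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
    "department": "Finance", "description": "Finance analyst",
    "manager": "CN=Finance Lead,OU=Finance,DC=corp,DC=example",
    "memberOf": ["FIN-Staff", "All-Staff"],
}
SAMPLE_TEMPLATE = {            # "IT department, Austin office" template; description left blank
    "department": "IT", "physicalDeliveryOfficeName": "Austin",
    "description": "", "telephoneNumber": "+1 512 555 0100",
}
SAMPLE_RULES = [
    {   # moved from Finance to IT: new manager, description and group memberships
        "conditions": [("department", "changed_from", "Finance"),
                       ("department", "changed_to", "IT")],
        "logic": "and",
        "set": {"manager": "CN=IT Lead,OU=IT,DC=corp,DC=example",
                "description": "IT department staff"},
        "add_groups": ["IT-Staff"], "remove_groups": ["FIN-Staff"],
    },
    {   # any Texas office gets the regional group
        "conditions": [("physicalDeliveryOfficeName", "in", ["Austin", "Dallas"])],
        "add_groups": ["TX-Offices"],
    },
]

if __name__ == "__main__":
    for attr, (old, new) in preview(SAMPLE_USER, SAMPLE_TEMPLATE, SAMPLE_RULES).items():
        print(f"{attr}: {old!r} -> {new!r}")
```

Two checks worth keeping when adapting this: the proposal never mutates the input, so a preview that is not committed leaves the directory untouched, and a template that tries to set an identity attribute is refused outright rather than silently overwriting every user it is applied to.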


Categories:
  • » Data Protection
Tags:
  • Identity & Access
  • Security Operations
  • Compliance & Governance
  • Technical Deep Dive
  • Demo
  • Best Practices
  • Active Directory Change Management
  • Identity and Access Management
  • Privilege Management
  • Workflow Automation
  • Backup and Recovery
  • Delegation Controls