ManageEngine’s Active Directory Self Service – Experience So Far
I thought I’d briefly go over my experience with ManageEngine’s Active Directory Self Service (ADSS).
As the name implies, it’s an on-premises service that allows staff to unlock/reset their domain accounts from a workstation after passing a security check. No need for helpdesk to assist!
Beyond that, it does have some other features, such as the ability for users to update their own Active Directory attributes (phone number, department, manager etc.), password policy enforcement and password expiry notification, but our primary goal was simply to provide an unlock/reset self service.
ADSS is very straightforward to install, a single service running on any server with a very light footprint, and configuration done via an admin web portal. Unfortunately, one negative I found was the layout of the admin UI; it’s horrendous! There’s very little logic or thought to the layout, with links and menus frustratingly hidden all over the place. You won’t find the initial AD setup options anywhere under Configuration, or under Admin, or under any of the sub-menus on the left…what you want is that innocuous, easily missed little blue text link, randomly placed top-right away from all other links…
The UI is pretty ugly throughout, including the various graphs and pie-charts, which look straight out of Word 98. The user-facing UI during unlock/reset isn’t much better either, but it’s functional.
Each machine that is to offer ADSS requires a client to be installed, which then appears as a small icon on the Windows login screen. I struggled to get the client deployed via GPO, even with the help of ManageEngine support, and in the end opted to use the inbuilt deployment feature in the admin GUI (I believe this is only available with the Professional Edition). It’s a simple process of pulling computer objects from AD, filtering as needed and clicking Install. It works very well thankfully, although you do lose the advantage of the “always on” install that GPOs give you. The deployment within the GUI required multiple pushes over the course of a few days to catch powered-off machines.
The registration process is very simple for the end-user, and thankfully so, as this kind of service really lives or dies by how willing staff are to bother using it. Given a link, a user logs in with their standard domain account and is presented with their registration options; in our case, we chose security questions, Google Authenticator, and DUO. All are very straightforward to set up, with the 2FA options being both the most secure and easiest to initially set up, not to mention avoiding the prospect of forgetting the answers to your own security questions…
Once enrolled, a user can click on the “Unlock/Reset” link at Windows login, provide their domain username and authentication method, and be presented with the ability to unlock/reset their account.
There is an option to “force enrolment”, but like much of ManageEngine’s ADSS, it’s very rough around the edges. It consists of a horrible popup being presented to the user at login, not allowing them to do anything else on their machine until they complete registration. Not an option for us in a medical environment where a member of nursing staff may need quick and uninterrupted access to a workstation.
ADSS is quite customisable if you’re handy with basic HTML, and it’s easy to modify the login pages to include your company logo and help text, or embed the login form into existing pages. Less customisable are the reports you can generate and schedule, which don’t provide much in the way of granularity and are very basic.
So far, after a few months of deployment, we’ve found the service to be reliable and easy to use. It has directly resulted in fewer account unlock tickets, and has had the huge benefit of reducing on-call tickets for simple account unlocks. User uptake has been slow, although regular reminders to staff of the service sees a surge in registrations, with the intention in the near future of linking our helpdesk ticket portal with ADSS; logging an unlock ticket but already registered in ADSS? Off to the ADSS portal with ya! We’re also keen to explore the possibility of using the ADSS app for remote unlocks.
I’d recommend giving the trial a go if you’re in the market for an Active Directory self service product. ManageEngine offer a 30-day fully functional trial, and have a very responsive support service if you get stuck finding your way around the GUI…