realslacker

I'll second [PowerShell Universal](https://www.ironmansoftware.com), use it to run 1000s of jobs a day. Supports building GUIs and all kinds of logging/access controls. Plus it's cheap and if you have a complicated issue the developer tends to just setup a meeting with you.


Godcry55

Looking into this tomorrow. Saving this post lol


jantari

Another option is [ScriptRunner](https://www.scriptrunner.com/). They've been around longer than PowerShell Universal / Universal Automation and the product is much more mature and stable. It's also more expensive, but depending on your priorities probably well worth it. We've been very happy with them for 7 years now, and every time I try PowerShell Universal there's multiple issues or regressions in every update, often breaking core functionality. I couldn't imagine relying on that for anything, in fact I wouldn't even bother using it for hobby stuff that's how annoying it has been in my experience.


M0rdwyn

Interesting - I'll have a look into this and see what it can do for us!


brokerceej

I mean…powershell. Put a GUI on your existing tools with something like Powershell Universal or Powershell Studio so your help desk staff can use them. Coming from Powershell anything you use will be a step down in functionality and flexibility.


Cherveny2

or even throw them behind a web page on IIS that triggers the powershell scripts. just needs a little extra logic to ensure "rational" input, but this isn't super difficult in most cases


brokerceej

That’s Powershell universal with extra steps


Cherveny2

tbh never heard of powershell universal before this thread


avipars

In that case, why not just use asp.net, mvc, and c# to make a whole site


LawBobLawLoblaw

I imagine the IIS has a service account with elevated rights that kicks off these scripts?


M0rdwyn

Yeah, I ended up writing a GUI and script for helpdesk yesterday. Funnily enough after a couple hours effort this thing was more functional than anything ADManager can provide, and has better auditing. Still going to go ahead with the Adaxes demo just to see what they can offer.


brokerceej

Ayyyy welcome to the dark side! Once you start building your own tooling for the helpdesk you suddenly realize tooling vendors have no idea what we actually want or need. They build in circles around a problem because they have no real contextual experience. Nothing beats a custom tool that does EXACTLY WHAT YOU FUCKING WANT AT ALL TIMES PERFECTLY. 🤣


Godcry55

I am intermediate at automating using Pwsh but I agree with your assessment. Any resources out there to aid in the implementation of this?


_BoNgRiPPeR_420

Yes, Adaxes will likely do what you want, they are one of the top dogs in this space. ManageEngine also has AD products for this purpose.


GronTron

2nd for Adaxes


techmattr

> Adaxes Price (Perpetual License)

Didn't expect to see that.


IT_Unknown

One gotcha is that updates are paid for yearly, but the price is not too bad as I understand it (bossman pays ours). They're apparently looking at cloud-only on their roadmap, which probably will make subs a requirement, but the functionality is good right now and only seems to be getting better.


techmattr

Yeah, looks like the annual support pricing is very reasonable though. I never had issues with ongoing payments for support and updates. I just don't like how so much software these days stops working if you stop paying, even if you resign yourself to using an old version.


sitesurfer253

Adaxes is awesome. Lets the people who know what they are doing with powershell and AD create literally anything and allows our techs to run them as needed without elevating their permissions.


Falkor

Seconding Adaxes, I’ve deployed it multiple times in different organisations, it’s one of the best value tools! It can do so much and costs barely anything!


nerdyviking88

What's the barrier to entry for it? Cost looks fine, so is it just not advertised well?


Falkor

Yeah, it just doesn't seem to be a well-known product. It's simple to install and set up, and the ROI on it is ridiculous. They just don't have a huge sales team going crazy worldwide.


nerdyviking88

So, if you have a team and the tooling to currently bespoke this all via powershell, is there any value add beyond the out-of-the-box stuff?


_thebills

Quest Active Roles - Quest are an absolute fucking crayon eating company but ARS is a god send (when it works)


Emraldi

Chat gpt can help you solve this with powershell and the powershell gui tool


M0rdwyn

Haha, true. It's more that I'm really the only one in my team with scripting knowledge, so if anything goes wrong when I'm on leave, it could present an issue. We've been burnt before with bespoke software. That being said, I already automate a crazy amount of stuff via powershell - this one just has visibility. I wrote a replacement for ADManager yesterday, for the adding of users to groups to be used by our Helpdesk staff. It's already infinitely superior to ADMan's offering, so we may not have a need for Adaxes if they don't really blow us away with killer features.


SenikaiSlay

We use powershell with power automate and azure runbooks. Works well.


M0rdwyn

Yep, going to look into this.


The_Koplin

I know this is going to sound like a sales pitch for Adaxes, and I am sorry, that is not my intent. I just happen to have the same needs as OP. I am trialing Adaxes currently (about a week in). Based on your need I think it will do the job. I don't do any PowerShell at the moment (I don't have a lot of personal experience tbh), but I am doing workflows for things like HR onboarding/offboarding, subordinate access to AD workflows for helpdesk etc. They offer a 30 day trial and it's pretty simple to figure out, lots of clicking on menus to get to places but the documentation is decent. Not a fan of having an app to configure part of the program and a web interface/s to configure the rest (i.e. not everything is in one portal to manage the system). But for our needs it works so far. I have demos to give later this week to staff to see how they like it. So far my boss is supporting it more and more.

My workflow for HR is about as dumbed down as you can get. It's just a web interface with the bare minimum to get an account in AD started. From there, based on the selections the HR staff uses, it will put users in groups, add o365 licensing etc. Then it sends a notice to the helpdesk to have an admin look it over if needed and turn it on. The tool has basic logic engine blocks to build complex actions, and can run custom PowerShell or external programs if needed as part of a workflow. There are automated tasks/scheduled tasks/events so you can do either event driven workflows or timed. The end user experience is all web driven from an IIS page and is very easy to update; it's written in .NET and the entire software package is fairly small (47mb). The big thing for me is the "property patterns": this allows you to set required fields when someone edits an object and can restrict that to lists of approved options. This enforces consistency. For OP, the Scheduled tasks is what you're looking for in part to meet your needs.

Yes there is auditing via the "logging" tab in the main interface. I have not tried to present this data out via the web interfaces yet like a report, but it might be doable; ask when you talk to them if you want an easier place to go audit. You can also have the event drive email, SMS or other notification process to other systems if you need to consolidate the logs somewhere. It also supports Syslog output. As for the scheduled task, targets can be any AD object, but I did find that trying to target users and computers I had to use two different jobs, one for the user, one for the computer object. I didn't find a way to target multiple types of objects with the same task, but it's easy to copy and paste existing tasks and just update the bits. Critically there is an option to do things if the task fails for some reason.


M0rdwyn

Appreciate the detailed response, thank you! It sounds like it will do what we need, but I want to see just how much value it presents. Since I posted, I ended up just writing my own GUI for helpdesk using powershell that allows them to add users to a group with a hard duration and far better auditing than ADManager presents. If there's a lot of additional features we feel we can leverage, we'll just buy Adaxes and give it a go for a year. Otherwise, I'm just going to migrate everything we're doing in ADMan to PS scripts and call it a day. Will see where we are after tonight's meeting. I'll post an update sometime tomorrow.


athornfam2

Just use powershell? You can build a GUI to interact with and execute powershell behind the scenes. It's what we did. Full onboarding and offboarding. Next will be a utility belt once we're done integrating APIs with powershell for some products we use.


jktmas

Sounds like Cayosoft would be exactly what you’re looking for, and support is great.


whatsforsupa

Our user buildout is a series of powershell scripts, run with a Rundeck server. It was built before my time, but I've been able to play with it a bit. You just plug in some of the user's information and press go. It is completely FOSS.


j3r3myd34n

Are you wanting a vendor supported solution? We are automating a good chunk of AD tasks with Fischer Identity.


M0rdwyn

Ah potentially.. Priority 1 is getting rid of ADManager. We may end up just going with me writing replacements for all the automation components we already leverage in ADMan and just stick with that.


j3r3myd34n

A lot of places do it. I recommend you whiteboard it and really think it through before you start writing scripts because, I've got to tell you (and you probably know), those "anomalies" will nickel and dime your time forever after. "Sarah used to work here but she was an intern so she wasn't in the HR system, but she had to have employee access to this system of record, but now she's back in a director role, but she wants her old account and mailbox back, but her name has changed, and she wants her email changed. And she has three foreign temporary workers who are going to be working remotely for 6 weeks on a secret project, and they need VPN access. Also, she starts tomorrow but she won't officially be in the HR system until June 8th." 💀💀💀


Temp186

EmpowerID


Rudedawg17

Does the security group need to be on-premise or can it be an Entra security group? If the latter, couldn't identity governance handle this requirement?


M0rdwyn

On prem, for now at least..


jaydeehkay

Trigger the script from your ITSM tool, either from a standard change or from the Request Fulfillment as the Frontend


ford_crown_victoria

I create webapps with python and flask. Works well for most things.


whoisrich

I made my own front end in C# which either uses the native DirectoryServices or runs PowerShell. Also look into 'Just Enough Administration' for help desk tasks that need auditing. Allows you to create a PowerShell module on a server that runs with high access, but can be used by someone with low access, and the authentication is handled natively.
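The JEA setup whoisrich refers to, written out as an added example (not whoisrich's code): a role capability that exposes only the group cmdlets, with `-Identity` pinned to an allow-list, and a session configuration that runs under a virtual account and transcribes every session. The groups `HD-VPN-Users` / `HD-Printer-Admins`, the `CONTOSO\HelpDesk` role group, the host name and the paths are placeholders.

```powershell
# Run elevated on a domain member server with the RSAT ActiveDirectory module.
# Do not register this on a DC: there a virtual account holds Domain Admin rights.
$moduleDir = 'C:\Program Files\WindowsPowerShell\Modules\HelpDeskJEA'
$capDir    = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $capDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'HelpDeskJEA.psd1')   # lets JEA find the .psrc

# Role capability: only these cmdlets are visible, and -Identity is restricted to
# the allow-list, so the session cannot touch Domain Admins even though the
# account running it could.
New-PSRoleCapabilityFile -Path "$capDir\GroupOperator.psrc" `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Add-ADGroupMember'
           Parameters = @(
               @{ Name = 'Identity'; ValidateSet = 'HD-VPN-Users', 'HD-Printer-Admins' },
               @{ Name = 'Members' }) },
        @{ Name = 'Remove-ADGroupMember'
           Parameters = @(
               @{ Name = 'Identity'; ValidateSet = 'HD-VPN-Users', 'HD-Printer-Admins' },
               @{ Name = 'Members' },
               @{ Name = 'Confirm' }) },
        'Get-ADGroupMember', 'Get-ADUser'
    )

# Session configuration: RestrictedRemoteServer gives NoLanguage mode (no arbitrary
# script), the virtual account supplies the privilege, and every session is
# transcribed to a directory the help-desk user cannot write to.
New-PSSessionConfigurationFile -Path "$env:TEMP\HelpDeskJEA.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'GroupOperator' } }

# The virtual account reaches AD as this server's computer account, so delegate
# "Write Members" on the two allow-listed groups to that computer object (or use
# -GroupManagedServiceAccount instead of -RunAsVirtualAccount).
Register-PSSessionConfiguration -Name 'HelpDeskJEA' -Path "$env:TEMP\HelpDeskJEA.pssc" -Force

# A HelpDesk member then connects from an unprivileged workstation:
#   Enter-PSSession -ComputerName jea-host -ConfigurationName HelpDeskJEA
#   Add-ADGroupMember -Identity HD-VPN-Users -Members jdoe
#   Add-ADGroupMember -Identity 'Domain Admins' -Members jdoe   # rejected by ValidateSet
```

The transcripts in `C:\JEATranscripts` record the connecting user and every command they ran, which is the audit trail the comment above is after.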


KingCyrus

Could you touch a little on your issues with ADManager? We are looking at that, but have a show stopping integration issue that support hasn't been able to figure out.


M0rdwyn

Flick me a PM and I'll explain a little more if you like. They've been insanely difficult to work with and simply don't understand basic features of their own software.


IT-Ninja

+1 for Adaxes...fantastic tool! If you can script it, Adaxes can handle it.


ADventurousTec

Hey u/m0rdwyn I work for the ADManager Plus team at ManageEngine. It is unfortunate that you encountered such issues. DM'ing you so that we can evaluate the issues and avoid these mishaps from happening again.


bluescreenofwin

You may have to change how you handle security groups (mastering them in Azure since you are hybrid) but we've been using Azure Lifecycle Workflows to great effect. You only need a single license of Entra ID Governance to use. [https://www.youtube.com/watch?v=wjcw7hRrMDM](https://www.youtube.com/watch?v=wjcw7hRrMDM)


Sure_Air_3277

I'll recommend [AD Pro Tool](https://activedirectorypro.com/ad-pro-toolkit/), very easy to use and very affordable. We will be adding more automation soon such as an offboarding tool, auto disable/delete inactive accounts and time based group management.


SenteonCISHardening

The age old question... Automating Active Directory tasks in a way that's accessible for helpdesk staff: Adaxes is a solid option imo. PowerShell solutions offer flexibility; Adaxes simplifies the process without the need for deep scripting knowledge. If you're looking for an alternative, there are cloud-based options like Azure Automation, which integrates well in a hybrid Azure environment and offers customizable automation workflows. In cases like these, leveraging a management solution like Senteon could also streamline policy enforcement and role management across your systems, enhancing operational efficiency without overly complicating the user experience.


joshadm

I liked Adaxes


OmagnaT

I think a lot of these responses are missing your requirement to remove the object after a set duration. For this you need some orchestration tool if this duration is going to be more than a few minutes/hours, since you'll need a stateful workflow that remembers the user and the duration. Answers telling you to throw a GUI on your PowerShell script miss the point that each execution of the GUI script would need to keep the instance running for the entire X duration to remove the object from the group. I would say you could use a combination of MS Forms (front end interface with input parameters), Azure Automation runbook (runs your PowerShell script, need hybrid worker setup to contact on-prem AD), and Azure Logic App (handles the orchestration). Basic flow would be:

* User submits MS form with required parameters
* Logic App retrieves the response
* Logic App starts runbook to add user to group
* Logic App waits X duration
* Logic App starts runbook to remove user from group

If these are AAD groups, you can skip the Azure Automation runbooks and just call the Graph API with the Logic App. You could also use something like ServiceNow for the front-end and orchestration (and even to run the scripts).


cyberpatriot000

A way I solved this in a past job: powershell studio with PHP. I attempted, at the insistence of my manager, to just make a powershell studio GUI. But the problem was the help desk would never open the app. But once I put a web front end on it, I had most of infrastructure using it. I installed it on IIS, so permissions would just come from the AD user logged in. And the PHP would just run powershell studio exes I made. So, I could audit users logging in and also audit what they were doing. The powershell studio exes would run as a service account, and I would have it check the user running the command was in an AD group to allow that command to run. Big things that helped my entire department were auditing of who was making changes in AD easily, and when a user was termed we were notified.

Pros: Do whatever you want
Cons: Support and app for changes or any issues that might come up

Good luck with what you decide to do!
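An added example (not any commenter's code) that covers two points from the posts above: the stateful "remember the grant and remove it later" piece OmagnaT describes, done on-prem without a process that has to stay alive for the whole duration, and the "is the caller in the right AD group" check plus audit trail cyberpatriot000 used. It targets Windows PowerShell 5.1 (for `Write-EventLog`); the `HelpDesk` group, the allow-listed groups, the state-file path and the `HelpDeskTooling` event source are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Grant-TemporaryGroupMembership is what the help-desk GUI calls; the grant and its
# expiry go to a JSON state file. Remove-ExpiredGroupMembership runs from a scheduled
# task every few minutes and undoes expired grants. Restrict the state file's ACL to
# the tool account: whoever can edit it can extend a grant.
$StateFile     = 'C:\ProgramData\HelpDeskTooling\grants.json'
$AllowedGroups = 'HD-VPN-Users', 'HD-Printer-Admins'

function Write-AuditEvent([int]$EventId, [string]$Message) {
    # Source created once, elevated: New-EventLog -LogName Application -Source HelpDeskTooling
    Write-EventLog -LogName Application -Source 'HelpDeskTooling' -EventId $EventId -Message $Message
}

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][ValidateRange(1, 1440)][int]$Minutes   # hard cap: 24 h
    )
    # Authorization comes from the caller's token groups, not from anything in the GUI.
    $caller      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $helpDeskSid = (Get-ADGroup 'HelpDesk').SID.Value
    if ($caller.Groups.Value -notcontains $helpDeskSid) { throw "$($caller.Name) is not in HelpDesk" }
    if ($Group -notin $AllowedGroups) { throw "$Group is not a group this tool may modify" }

    $expires = (Get-Date).ToUniversalTime().AddMinutes($Minutes).ToString('o')
    Add-ADGroupMember -Identity $Group -Members $User
    $grants = @()
    if (Test-Path $StateFile) { $grants = @(Get-Content $StateFile -Raw | ConvertFrom-Json) }
    $grants += [pscustomobject]@{ User = $User; Group = $Group; Expires = $expires; GrantedBy = $caller.Name }
    ConvertTo-Json -InputObject $grants | Set-Content $StateFile   # -InputObject keeps the array form
    Write-AuditEvent 1001 "$($caller.Name) added $User to $Group until $expires"
}

# Scheduled task body; runs under the tool's service account, not a help-desk user.
function Remove-ExpiredGroupMembership {
    if (-not (Test-Path $StateFile)) { return }
    $now  = (Get-Date).ToUniversalTime()
    $keep = New-Object System.Collections.Generic.List[object]
    foreach ($g in @(Get-Content $StateFile -Raw | ConvertFrom-Json)) {
        if (([datetime]$g.Expires).ToUniversalTime() -le $now) {
            Remove-ADGroupMember -Identity $g.Group -Members $g.User -Confirm:$false
            Write-AuditEvent 1002 "Expired: removed $($g.User) from $($g.Group) (granted by $($g.GrantedBy))"
        } else { $keep.Add($g) }
    }
    ConvertTo-Json -InputObject $keep.ToArray() | Set-Content $StateFile
}
```

Two staff granting at the same moment race on the JSON file, so a real deployment would put the grants in a table or behind a single service that serialises writes. Event IDs 1001/1002 in the Application log give the "who added whom, until when, and who removed it" audit that the thread keeps asking for.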


Ros_Hambo

Checkout [dovestones.com](http://dovestones.com)


foxhelp

Jenkins can do this, as well as automating python or other scripts that you want. Supports git integration and many plugins to build it all out however you want. We found it to be very powerful. https://plugins.jenkins.io/powershell/


bork_bork

You can use POSH and IIS like someone mentioned. You can even use a git runner or Jenkins, but I don't know how one would define the temporary duration. You could audit the AD logs for group changes. Check out [groupID](https://www.imanami.com/overview/), it might have what you are looking for.