I’m excited to report that Gartner has named Quest as an example vendor in multiple areas in its 2022 report, “IAM Best Practices for Active Directory”*! In fact, Quest and our company One Identity are listed as an example vendor in eleven of the categories for which the report lists vendors — more than double any other company!
No one offers nearly as many Active Directory and identity security capabilities as Quest and One Identity.
This recognition is important because IT security always requires more than a single tool or strategy. To improve your cyber resilience and effectively defend against Active Directory attacks, you need to anticipate and thwart attacks at every stage of the cyber kill chain — in other words, you need a defense-in-depth approach across many layers.
With Quest and One Identity, you get a unique focus on identity-centered security coupled with market-leading AD migration, management, security and disaster recovery. As a result, you can modernize your IT environment and secure it as tightly as your perimeter to protect your most critical and targeted assets. While other vendors provide one or a few capabilities — such as threat detection, backup or privileged access management — this new Gartner report is proof that no one even comes close to offering as many Active Directory and identity security capabilities as Quest and One Identity (see Figure 1).
Figure 1: Quest and our company One Identity are listed as an example vendor in eleven of the categories for which the report lists vendors — more than double any other company!
Here are the 11 vendor-listed categories in the Gartner report that mention Quest or One Identity as an example vendor:
- Active Directory migration
- AD monitoring, reporting and analytics
- Active Directory threat detection and response
- Active Directory backup
- Specialized AD management
- Access management
- Least privilege & separation of duty
- General-purpose PAM tools
- Active Directory bridging software to integrate non-Windows systems
- Identity governance and administration (IGA)
- Architectures for multiforest environments
Let’s see how each of those capabilities contributes to cybersecurity and cyber resilience, and what tools we offer to help.
Active Directory migration
Best practice: Streamline your logical topology.
Migrations are critical to AD security because they help you get your identity house in order and keep it that way. Indeed, many organizations have an AD infrastructure that has grown cluttered and complex over the years and is in urgent need of restructuring and general cleanup. Moreover, both business needs and the IT ecosystem continue to evolve over time. For example, merger and acquisition (M&A) activity, divestitures, internal reorganizations, and technical investments all drive significant change to the IT environment, including adding complexity to the identity infrastructure.
So it’s really no wonder that one of the first best practices that the Gartner report identifies is to streamline your logical topology. As it notes, “Simpler AD topologies improve security, reduce administrative overhead, increase efficiency and enable faster time to value for integrations with cloud services.”
To achieve this goal, organizations usually opt for migrations, rather than rebuilding all their users, groups, computers and other objects from scratch. Choosing a migration enables them to minimize both the impact on end users and the work required by the IT team. This applies whether the project is an initial housecleaning or part of the ongoing effort to maintain a solid identity structure as the IT environment grows and changes.
Still, AD migrations are lengthy and complex projects that involve significant business risk. How can you maximize your chances of success? The Gartner report says:
“A successful AD migration requires management support, a clear communications plan, project management support, planning, training, testing and provisions for rollback. A key challenge often cited by Gartner clients is the necessity to properly inventory all applications and services integrated with AD, and to understand their AD integration patterns. Most organizations engage a professional services firm to carry out a migration.”
Given all the moving pieces involved in a migration, it's really no wonder that the report states unequivocally, “Gartner recommends using a commercial off-the-shelf product to support a migration.”
How Quest can help
The Gartner report names Quest as an example vendor for migrations. Our solutions empower you to deliver a ZeroIMPACT migration and consolidation for Microsoft platforms, simplifying and automating tasks so you can finish your project faster while minimizing costs, risks and business disruptions. Moreover, we cover on-premises, cloud and hybrid Active Directory environments.
Migration Manager for Active Directory is the long-standing leader in Active Directory migrations, and it is even better when coupled with our Binary Tree solutions, such as Binary Tree Migrator Pro for Active Directory. Quest solutions help you migrate your AD with no downtime, no data loss and no stress. You get streamlined project management and coexistence capabilities to ensure that users maintain secure access to workstations, resources and email throughout the entire migration process.
But Quest knows that most organizations today have a hybrid AD infrastructure, so we also offer a secure SaaS platform that helps you tackle your Microsoft 365 challenges. The Quest On Demand platform enables you to migrate, manage, report, secure and recover your hybrid AD and Office 365 workloads across all tenants from a single dashboard. In particular, the On Demand Migration component helps you consolidate and migrate tenants running workloads such as Exchange, OneDrive, SharePoint and Teams, with complete visibility and seamless coexistence.
AD monitoring, reporting and analytics
Best practice: Implement audit logging, reporting, monitoring and analytics.
Clearly, building a strong security posture is important. But it’s by no means sufficient: Your IT infrastructure is still at risk from both malicious attacks and inadvertent errors.
Accordingly, you also need to audit and record activity across your IT environment. Indeed, according to the Gartner report, implementing audit logging, reporting, monitoring and analytics can help organizations adhere to the principles of least privilege and separation of duty, as well as to identify and respond to policy violations, anomalous activity and threats.
But exactly what activity should your auditing program be on the lookout for? The Gartner report states that identity-related events in an AD environment include:
- Login activity for users, administrators and service accounts
- Changes in AD, such as account creation as well as changes to account attributes, account status, group membership, Group Policy objects (GPOs), access control lists (ACLs) and delegation rules
- Creation or modification of privileged accounts
- Activity by privileged accounts
- Suspicious activity that could indicate credential harvesting or an identity-based attack
- Configuration changes that could weaken security and access controls
- Events in applications and services that could be correlated with user and admin activities in AD itself
How Quest can help
Native logs provide a good start toward the auditing required for strong security, compliance and business continuity. But they are notoriously noisy, cryptic and incomplete. Moreover, they are disjointed — it’s difficult to get a true understanding of what’s happening across your IT ecosystem when you have to manually juggle multiple separate logs, each with its own structure, data format and so on.
In the Gartner report, Quest is named as an example vendor of specialized AD tools for AD monitoring, reporting and analytics. We offer solutions that go far beyond native audit capabilities. They not only translate system-provided logs into a simple, normalized format, but also collect additional information that native logs simply do not capture. In fact, Quest solutions can help you audit, log and analyze all the critical events identified in the Gartner report, and more.
I invite you to explore Quest’s integrated tool for AD monitoring, reporting and analytics: On Demand Audit Hybrid Suite. This solution provides a single hosted view of user activity across your hybrid Microsoft environment, giving you visibility into all changes taking place, whether in on-premises Active Directory (AD), Azure AD, file servers, network-attached storage, Exchange Online, SharePoint Online, OneDrive for Business or Teams. The suite is delivered as a subscription service that includes licenses for Change Auditor and On Demand Audit. (Change Auditor was also listed in the 2021 Gartner Magic Quadrant for Privileged Access Management as part of the One Identity strategy for detecting hard-to-find embedded Windows service accounts.)
Active Directory threat detection and response
Best practice: Implement Active Directory threat detection and response.
IT environments are extremely busy places, with thousands or even millions of events occurring every day. It’s vital to be able to cut through that noise to quickly spot the true threats and respond effectively.
Active Directory threat detection and response (AD TDR) is identity threat detection and response (ITDR) applied to Active Directory. The Gartner report explains these related terms as follows:
“ITDR is about correct and secure operation of the identity infrastructure rather than protection of individual users and resources managed by this infrastructure. AD TDR tools fulfill this mission by applying threat intelligence, behavioral signatures, heuristics, statistical analysis, analyses of known tactics, techniques and procedures (TTPs) and machine learning algorithms to discover indicators of exposure and indicators of compromise in Active Directory. Thus, these tools perform both preventive and detective functions, although their relative weights and specific methodologies vary from tool to tool.”
With cyberattacks becoming both more frequent and more sophisticated, it’s not surprising that the report notes that adoption of AD TDR tools has increased significantly in recent years. It lists several recommendations that organizations should follow as they evaluate AD TDR solutions; in particular, it says that organizations should “Prioritize tools that support both preventive and detective controls.” And, like Quest, Gartner also emphasizes that you should:
“Include Active Directory in your organization’s vulnerability and threat management and incident response planning.”
How Quest can help
Quest is named as an example vendor for Active Directory threat detection and response tools. We offer products you can pair together for a comprehensive risk assessment and threat monitoring solution. First, SpecterOps BloodHound Enterprise is the only product available that provides attack path management for Active Directory. It analyzes the relationships between objects in Active Directory and the complex permissions applied between them to identify the sequences of steps an adversary could take from compromising an ordinary user account to gaining control over critical assets or even Active Directory itself. Then it identifies the choke points — the last segment in the chain of many attack paths — that you need to address in order to protect your critical assets.
However, organizations often cannot quickly remediate all their choke points because all the complexity and technical debt in their Active Directory means that making changes introduces the risk of breaking things, such as a critical application that relies on a particular permission. Therefore, it’s crucial to combine attack path identification with attack path monitoring — continuously watching to see if any attack paths are actually being leveraged, so you can take action promptly instead of allowing the intruder the luxury of extended dwell time to advance along the attack path toward your critical IT assets.
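To make the attack path and choke point idea concrete, here is an added example that is not BloodHound's code and not part of the original post. It enumerates every attack path from a set of ordinary users to a target over a small, constructed set of BloodHound-style relationships, then computes the choke points those paths share; the one nearest the target is the "last segment" described above. All principal names, host names and rights in the sample are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of directory relationships in BloodHound-style
# (source, edge, target) form. Assumption: every name and right below is
# illustrative only.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("alice@corp.local", "MemberOf", "DEVS@corp.local"),
    ("bob@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("carol@corp.local", "MemberOf", "DEVS@corp.local"),
    ("dave@corp.local", "MemberOf", "FINANCE@corp.local"),
    ("HELPDESK@corp.local", "GenericAll", "WS-OPS@corp.local"),
    ("WS-OPS@corp.local", "AdminTo", "JUMP01.corp.local"),
    ("JUMP01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("DEVS@corp.local", "GenericWrite", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "MemberOf", "BACKUP-ADMINS@corp.local"),
    ("BACKUP-ADMINS@corp.local", "WriteDacl", "DOMAIN ADMINS@corp.local"),
    ("FINANCE@corp.local", "MemberOf", "ALL-STAFF@corp.local"),
]
TARGET = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: source -> [(edge_type, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_attack_paths(graph, start, target, max_depth=10):
    """Enumerate simple paths from start to target as lists of
    (source, edge_type, destination) hops. Nodes already on the current
    path are skipped, so circular group nesting cannot loop forever."""
    paths = []

    def dfs(node, path, on_path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for rel, nxt in graph.get(node, ()):
            if nxt in on_path:
                continue
            path.append((node, rel, nxt))
            on_path.add(nxt)
            dfs(nxt, path, on_path)
            on_path.discard(nxt)
            path.pop()

    dfs(start, [], {start})
    return paths


def choke_points(paths, exclude=()):
    """Nodes that every path passes through, minus the endpoints in
    `exclude`, ordered as they appear along the first path so the last
    entry is the one closest to the target."""
    if not paths:
        return []
    common = None
    for p in paths:
        nodes = {p[0][0]} | {dst for _, _, dst in p}
        common = nodes if common is None else common & nodes
    common -= set(exclude)
    order = [paths[0][0][0]] + [dst for _, _, dst in paths[0]]
    return [n for n in order if n in common]


def shared_choke_points(graph, starts, target):
    """Choke points common to all paths from all of the given starting users."""
    paths = [p for s in starts for p in find_attack_paths(graph, s, target)]
    return choke_points(paths, exclude=set(starts) | {target})


if __name__ == "__main__":
    graph = build_graph(EDGES)
    users = ["alice@corp.local", "carol@corp.local", "dave@corp.local"]
    for user in users:
        paths = find_attack_paths(graph, user, TARGET)
        print(f"{user}: {len(paths)} path(s) to {TARGET}")
        for p in paths:
            print("   " + " -> ".join(f"{s} [{r}]" for s, r, _ in p) + f" -> {TARGET}")
    print("shared choke points:", shared_choke_points(graph, users, TARGET))
```

In the sample, alice reaches Domain Admins by two routes (through the HELPDESK and DEVS groups) but both converge on svc_backup and then BACKUP-ADMINS, so fixing the WriteDacl that BACKUP-ADMINS holds over Domain Admins cuts every path at once, which is exactly the choke-point argument made above.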
On Demand Audit Hybrid Suite provides comprehensive attack path monitoring. You can:
- Monitor Active Directory in real time for active attacks and indicators of compromise (IOCs), such as AD database (NTDS.dit) exfiltration attempts, Golden Ticket exploits and DCSync attacks.
- Block attackers from leveraging attack vectors by preventing changes and access to critical assets like privileged groups, vital GPOs and the NTDS.dit file.
- Audit security changes across your Active Directory and Azure AD environments.
Indeed, as explained above, the suite provides a consolidated view of on-premises and cloud activity, making it easy to identify suspicious activity and speed incident investigations.
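As an added example, not Quest's or On Demand Audit's code and not part of the original post, the following Python runs three of the checks implied by the event list in the auditing section and by the IOCs just mentioned over a handful of constructed, already-normalized Windows Security events: DCSync (event 4662 requesting the directory replication control-access rights from an account that is neither a domain controller nor a known replication service), additions to privileged groups (4728/4732/4756), and a freshly created account (4720) placed in a privileged group within minutes, which correlates two of the listed event types. The replication-right GUIDs are the real schema values; the host names, account names, the sample events and the allowlist are assumptions. Golden Ticket detection is heuristic (for example, service-ticket requests with no preceding TGT request on any DC, or RC4 tickets in an AES-only domain) and is not shown here.

```python
from datetime import datetime, timedelta

# Control-access rights a DCSync (replication) request asks for.
# These GUIDs are the real Active Directory schema values.
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a global / local / universal group
# Assumption: accounts that legitimately replicate (DC machine accounts, Azure AD Connect).
REPLICATION_ALLOWLIST = {"DC01$", "DC02$", "MSOL_5f1e2a9c3b7d"}

# Constructed sample events (assumption), already flattened from EVTX/XML into dicts.
EVENTS = [
    {"id": 4662, "time": "2022-03-14T09:00:05", "host": "DC01", "subject": "DC02$",
     "object_type": "domainDNS", "access_mask": "0x100",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},        # normal DC-to-DC replication
    {"id": 4662, "time": "2022-03-14T09:12:41", "host": "DC01", "subject": "jsmith",
     "object_type": "domainDNS", "access_mask": "0x100",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},        # a user account replicating: DCSync
    {"id": 4662, "time": "2022-03-14T09:13:10", "host": "DC01", "subject": "bob",
     "object_type": "user", "access_mask": "0x10",
     "properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},        # ordinary read, not a replication right
    {"id": 4720, "time": "2022-03-14T09:15:02", "host": "DC01", "subject": "jsmith",
     "target": "svc-helper"},                                        # account created
    {"id": 4728, "time": "2022-03-14T09:17:30", "host": "DC01", "subject": "jsmith",
     "member": "svc-helper", "group": "Domain Admins"},              # ...and made Domain Admin
    {"id": 4728, "time": "2022-03-14T10:02:00", "host": "DC01", "subject": "hr-provisioning",
     "member": "newhire", "group": "Sales"},                         # routine, non-privileged
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_dcsync(events):
    """4662 with the control-access bit (0x100) requesting a replication right,
    issued by an account that is not allowed to replicate."""
    findings = []
    for e in events:
        if e["id"] != 4662 or e.get("access_mask") != "0x100":
            continue
        rights = DCSYNC_RIGHTS & set(e.get("properties", []))
        if rights and e["subject"] not in REPLICATION_ALLOWLIST:
            findings.append({"rule": "dcsync", "time": e["time"], "host": e["host"],
                             "subject": e["subject"], "rights": sorted(rights)})
    return findings


def detect_privileged_group_changes(events):
    """Any member added to one of the watched privileged groups."""
    return [{"rule": "privileged_group_add", "time": e["time"], "subject": e["subject"],
             "member": e["member"], "group": e["group"]}
            for e in events
            if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS]


def detect_fast_tracked_accounts(events, window=timedelta(minutes=10)):
    """A newly created account (4720) placed in a privileged group within `window`:
    a correlation of two event types rather than a single-event match."""
    created = {e["target"]: parse_time(e["time"]) for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        if e["id"] not in GROUP_ADD_EVENTS or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        born = created.get(e["member"])
        if born is not None and timedelta(0) <= parse_time(e["time"]) - born <= window:
            findings.append({"rule": "new_account_fast_tracked", "time": e["time"],
                             "subject": e["subject"], "member": e["member"], "group": e["group"],
                             "age": str(parse_time(e["time"]) - born)})
    return findings


def run_detections(events):
    """All findings, oldest first."""
    findings = (detect_dcsync(events) + detect_privileged_group_changes(events)
                + detect_fast_tracked_accounts(events))
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f)
```

The allowlist is the part that needs care in a real deployment: Azure AD Connect's MSOL_ account and any read-only DC do replicate legitimately, and a DC's own machine account will show up constantly, so the rule is only as good as the inventory of accounts that are supposed to hold those rights.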
Active Directory backup and recovery
Additional function: Active Directory backup
In addition to ten best practices for IAM, the Gartner report describes several additional functions that can enhance an organization’s AD security posture. The first of those is AD backup, or “Tools that provide more complete and efficient alternatives to Microsoft’s built-in AD backup and recovery capability.”
I cover this topic more thoroughly in a companion blog post, but, briefly, the built-in AD backup and recovery capabilities are not, and were never intended to be, a comprehensive, enterprise-quality solution for backup and recovery. In particular, the AD Recycle Bin is a convenient way to quickly restore certain recently deleted AD objects. However, it does not cover everything: it holds only objects deleted within the deleted-object lifetime, it does not protect data that lives outside the directory database (the Group Policy settings stored in SYSVOL, for example), and it does nothing for objects that were modified rather than deleted. Moreover, it is of no help in case of a full-on Active Directory disaster that brings down your entire forest. Indeed, the Gartner report states:
“A dedicated backup tool for AD will be of great help in case of a successful ransomware attack.”
How Quest can help
Quest is listed as an example vendor for Active Directory backup. Here’s a quick overview of the key Quest solutions that can help you ensure reliable Active Directory backup and recovery; for more details, see the companion blog post.
- Recovery Manager for Active Directory Disaster Recovery Edition enables you to back up Active Directory at the object and attribute level, and also helps you pinpoint and recover changes to your AD environment at the same granular level. You can restore any AD object, including users, attributes, organizational units (OUs), computers, subnets, sites, configurations and GPOs — without restarting your domain controllers (DCs).
Moreover, in addition to providing the granular backup and recovery you need on a regular basis, Recovery Manager also handles disaster scenarios, slashing AD forest recovery time from days or weeks to just hours, giving you peace of mind that an AD disaster will not become a business disaster. This capability is especially important today, with ransomware attacks becoming both more common and more devastating.
- On Demand Recovery helps ensure the availability and integrity of both on-premises AD and Azure AD. It provides a single recovery dashboard to differentiate hybrid and cloud-only objects, run difference reports between production and real-time backups, and restore all changes.
Specialized Active Directory management
Best practice: Clean up Active Directory security groups.
Active Directory security groups are the primary way that user, service and admin accounts are granted permissions to access IT resources, including data, applications and services. As the Gartner report notes, “Effective group management is important for organizations’ risk management and compliance, administrative efficiency and business enablement.”
Unfortunately, many organizations struggle to achieve effective group management. Common challenges include deep or circular nesting, empty groups, stale groups (groups that contain only disabled users), inactive groups (those whose permissions are never used by their members), and groups with identical membership.
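The checks in the previous paragraph are mechanical once you have the membership data, so here is an added example, not part of the original post and not Quest's or One Identity's code, that flags empty groups, stale groups, circular and deep nesting, and groups with identical effective membership over a constructed membership map. Inactive groups (permissions never exercised) require access-usage data that the directory itself does not hold, so they are not covered. In a real environment the input would come from Get-ADGroup/Get-ADGroupMember or an LDAP export; the group and user names here are assumptions.

```python
from collections import defaultdict

# Constructed sample (assumption): direct membership as stored in the directory.
# A member name that is also a key of GROUPS is a nested group; anything else is a user.
GROUPS = {
    "Domain Users": ["alice", "bob", "carol", "dan", "erin"],
    "Helpdesk": ["bob", "Helpdesk-L2"],
    "Helpdesk-L2": ["carol", "Helpdesk"],      # circular nesting with Helpdesk
    "Legacy-App": ["dan", "erin"],             # only disabled users left
    "Project-X": [],                           # empty
    "Finance-RO": ["alice", "Finance-Team"],
    "Finance-Team": ["alice"],
    "Finance-Copy": ["alice"],                 # duplicate of Finance-Team
    "Tier0": ["Tier1"], "Tier1": ["Tier2"], "Tier2": ["Tier3"], "Tier3": ["alice", "bob"],
}
# user -> account enabled? (assumption; unknown users are treated as enabled)
USERS_ENABLED = {"alice": True, "bob": True, "carol": True, "dan": False, "erin": False}


def effective_members(group, groups, _seen=None):
    """Flatten nested membership to the set of users, tolerating cycles."""
    seen = _seen if _seen is not None else set()
    seen.add(group)
    users = set()
    for m in groups.get(group, []):
        if m in groups:
            if m not in seen:
                users |= effective_members(m, groups, seen)
        else:
            users.add(m)
    return users


def find_empty_groups(groups):
    """Groups that resolve to no users at all (directly or through nesting)."""
    return [g for g in groups if not effective_members(g, groups)]


def find_stale_groups(groups, enabled):
    """Non-empty groups whose every resolved member is a disabled account."""
    stale = []
    for g in groups:
        members = effective_members(g, groups)
        if members and all(not enabled.get(u, True) for u in members):
            stale.append(g)
    return stale


def find_circular_nesting(groups):
    """Each cycle once, as a tuple rotated so its smallest name comes first."""
    cycles = set()

    def dfs(node, path):
        for m in groups.get(node, []):
            if m not in groups:
                continue
            if m in path:
                cyc = path[path.index(m):]
                i = cyc.index(min(cyc))
                cycles.add(tuple(cyc[i:] + cyc[:i]))
            else:
                dfs(m, path + [m])

    for g in groups:
        dfs(g, [g])
    return sorted(cycles)


def nesting_depth(group, groups, _path=()):
    """Longest chain of group-in-group below `group`; cycles are cut."""
    path = _path + (group,)
    depths = [1 + nesting_depth(m, groups, path)
              for m in groups.get(group, []) if m in groups and m not in path]
    return max(depths, default=0)


def find_deep_nesting(groups, max_depth=2):
    """(group, depth) for groups nested deeper than max_depth."""
    return [(g, d) for g in groups if (d := nesting_depth(g, groups)) > max_depth]


def find_identical_membership(groups):
    """Clusters of groups whose resolved user sets are exactly equal."""
    by_members = defaultdict(list)
    for g in groups:
        by_members[frozenset(effective_members(g, groups))].append(g)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


def audit_groups(groups, enabled):
    return {
        "empty": find_empty_groups(groups),
        "stale": find_stale_groups(groups, enabled),
        "circular": find_circular_nesting(groups),
        "deep": find_deep_nesting(groups),
        "identical": find_identical_membership(groups),
    }


if __name__ == "__main__":
    for finding, items in audit_groups(GROUPS, USERS_ENABLED).items():
        print(f"{finding}: {items}")
```

Note that the Tier0 chain shows up twice, once as deep nesting and once as four groups with identical effective membership; that is the usual signature of a chain built for delegation that nobody ever populated differently, and collapsing it is the cleanup the Gartner best practice is asking for.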
The Gartner report says that organizations should “Deploy third-party tools to augment native AD group management capabilities.” It notes that the capabilities provided by those tools typically include:
- Delegated administration
- Self-service management of personal attributes
- GPO management
- Management of ACLs
- Insight into expired, locked, orphaned and other high-risk accounts
- Change management
- Data access governance (DAG)
- Compliance monitoring and enforcement
How Quest can help
Quest and One Identity are listed as example vendors of specialized AD management tools that can help with cleanup of Active Directory security groups. Our Active Directory management tools include:
- GPOADmin is an award-winning solution that automates critical Group Policy management tasks to reduce costs and eliminate error-prone manual processes. You can compare versions of a GPO side by side to verify settings, quickly roll back to a known good GPO version, lock certain GPOs or GPO settings so they cannot be changed, and much more. You can even establish an approval-based workflow for GPO management, complete with email-based approval or rejection and rollout scheduling. Recovery Manager for Active Directory Disaster Recovery Edition complements GPOADmin by enabling you to easily roll back a GPO to a previous known state, so you can quickly recover from any errant modifications or unexpected effects.
- Active Roles from One Identity extends and enhances the native capabilities of Active Directory and Azure AD to accelerate account, group and directory management. You can eliminate manual processes to increase security and efficiency, enabling IT teams to focus on other tasks knowing that critical data, user permissions and privileged access are under control.
- Active Administrator enables you to manage your Active Directory efficiently from a single pane of glass. In particular, you can automate user account provisioning and deprovisioning; audit and alert on changes to AD; monitor and manage your domain controllers; and edit and test GPOs in a secure offline environment. Moreover, Active Administrator enables you to securely delegate AD administrative tasks, so you can split up the work of Active Directory management without giving all your admins privileges to do whatever they want across the domain.
Additional categories
In addition to being part of Quest’s approach to Active Directory management, One Identity was named as an example vendor in six additional categories in the Gartner report:
- Access management
- Least privilege & separation of duty
- General-purpose PAM tools
- Active Directory bridging software to integrate non-Windows systems
- General purpose IGA
- Architectures for multiforest environments
Indeed, One Identity is a recognized market leader in all of the following vital areas:
- Identity and access management (IAM) — The Gartner report identifies OneLogin from One Identity as a solution that supports account provisioning from popular human capital management tools to its user directory and from there to AD, and that also provides self‑service password reset for AD. OneLogin is a customizable, extensible, and scalable identity platform that provides SSO, MFA and certificate-based authentication. Indeed, Gartner named OneLogin a Leader in its November 2021 Magic Quadrant for Access Management, the second year in a row the solution earned that distinction.
- Privileged access management (PAM) — The Gartner report lists One Identity as an example vendor for both general-purpose PAM tools and tools that facilitate least privilege and separation of duty by supporting delegated administration capabilities beyond those natively available in AD.
- Identity governance and administration (IGA) and multiforest architectures — One Identity is named as an example vendor for general-purpose IGA, and also for supporting architectures in multiforest environments. Specifically, the report notes that One Identity solutions support both of the identity federation architectures it describes: point-to-point and hub-and-spoke.
Conclusion
Gartner’s 2022 report, “IAM Best Practices for Active Directory,” provides a solid foundation for any Active Directory security and cyber resilience strategy. Quest is proud to be listed as an example vendor in 11 of the categories for which vendors are listed — far more than any other vendor. I invite you to learn more about our solutions and try them out for yourself as you build a defense-in-depth strategy for strong cybersecurity and cyber resilience.
*Gartner, Inc., “IAM Best Practices for Active Directory” (ID G00762644), Paul Rabinovich, 14 March 2022.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.