[MUSIC PLAYING] Welcome. This is Quest Unscripted, a vlog series on trending topics and Quest solutions related to Active Directory. Oh, and don't forget Azure AD. You are here because you have questions. We're here because we have answers. We will address questions we've received from customers experiencing the same challenges as you, all with the goal of helping you confidently move your Microsoft environment. We call the show Quest Unscripted because, except for this intro, nothing we say is scripted or rehearsed. And we're pretty sure you'll notice that right away.
Hello, today I'm joined by Dan Conrad from One Identity, and I figure it'd be a good time to discuss how some of our different products can really complement each other. So Dan, I know you're familiar with Change Auditor. How does Active Roles complement Change Auditor?
Yeah, I was a Change Auditor customer years ago, and I used it extensively along with some other Quest products like Recovery Manager. But then Active Roles, adding that to your Active Directory, you know, your mix of tools that you use, gives you-- there's a little bit of overlap, but at the same time it gives you the ability to--
Well, what kind of overlap?
Well, for one thing, you've got an auditing overlap. Active Roles, anytime you go through Active Roles to make a change to something, Active Roles audits that. So it's interesting; it's stored in the database.
Change Auditor is more of a native auditing tool. And then with the Change Auditor and Active Roles integration, you get the best of both worlds. So in Change Auditor there's a little button-- I'm sure a lot of you've seen it-- that says Active Roles integration. And all that really does is tell Active Roles, any time somebody makes a change in Active Roles, to send that event data to Change Auditor as well. So it gives you kind of a double look at that.
What are the best things that you could do to help protect your Active Directory with Active Roles?
You know, I do it from the perspective of privilege. I've done things with group memberships, for instance. So there's a function in Active Roles called dynamic groups. It came out in five dot something a long time ago, and it lets you build groups dynamically based on either real attributes or virtual attributes. So virtual attributes are great because not everybody can even see those, so I can build group memberships dynamically.
So if you take something like maybe the domain admins group, I wouldn't say you make the domain admins group dynamic, but you could nest a group in the domain admins group that is dynamic. Then I can build that dynamically. Then I can actually take Change Auditor, and the protection functionality, and I can lock that group membership-- lock the member attribute of that group.
How often do you see your customers deploy Change Auditor to identify and help create policies that can be used by Active Roles?
Well, that's kind of an interesting thing, because Change Auditor gives you the capability to see, before you go build a permissions model, what are people trying to do? So instead of just assigning mass permissions, or over-permissioning, in a lot of cases you can use Change Auditor to go out and look at that. I've seen them use it that way in a few different instances, both from a privilege perspective and even from what users are attempting to do, to keep an eye on that.
And how does One Identity go above and beyond just what you can do with Active Roles around least privilege access?
Well, if you think about least privilege, or even words like zero trust, Active Roles, you know, I've seen implementations where customers were using a privileged access management solution, a PAM solution, and one of their use cases was to manage Active Directory. So their proposal was to use a PAM solution, and within PAM solutions you have something called session management, and an admin, a field admin, an OU admin, what have you, would launch a session to, say, a jump box.
And from that jump box, they would be able to run ADUC and manage Active Directory. Well, that's kind of a roundabout way to do it. And we would propose something like Active Roles in that PAM solution-- as part of that PAM solution, so that they don't need that jump box to do that, and it's fully proxied and permissioned into AD. And then you still get all the auditing, and Change Auditor does this well natively. So it audits all those native permissions, all those native changes, and you don't have to deploy this elaborate proxy architecture.
Not that-- and PAM plays a very significant part in that as well, because I actually use my PAM solution to provision into Active Roles anytime somebody needs a group membership change. So I don't have to do things like populate the domain admins group, or populate the schema admins group.
I can have accounts that are pooled and managed by my Safeguard appliance, so when somebody goes and checks one of those out, it won't have any permissions at the time of checkout. But when the checkout is actually approved, then it'll provision again into the right groups for them to use at the time. And then when it's done, it'll reverse the whole process. And all of that is audited by Change Auditor along the way.
So I've heard you talk a lot about PAM. Are both Active Roles and Safeguard part of that privileged account management portfolio?
Active Roles is a part of an AD security portfolio. So in like an AD security portfolio, you would have Active Roles doing your delegations and your administration. And then as part of that you would have PAM managing things like service accounts and controlling permissions on anything with elevated credentials.
Things like what you and I as day-to-day sysadmins would need to do our job, we would simply go check those out and use them as we needed to. That's part of the overall AD security perspective, because those accounts are very critical, especially in a Windows environment where things like residual hashes can be left in the environment; we want a PAM solution to nullify that.
Great. Thanks to you, Dan. Appreciate the time today.