Dallas ISD Uses Apps To Control Active Directory Usage
Dallas Independent School District
(ISD) is home to 220 schools serving nearly 160,000 students and employing
nearly 20,000 teachers and staff. Managing network accounts for so many people
is a daunting task.
Challenge
A few years ago the district switched its network from Novell to Windows
because the IT administrators wanted better integration with the district's
Windows systems.
The switchover involved the adoption of Microsoft Active
Directory to authorize users and computers on the network. The district's IT
administrators could use Active Directory to create and manage user accounts,
but they didn't want to be burdened with everyday tasks like adding user
accounts every time a new student or staff member joined the district, or
resetting user passwords. And while each school has a designated campus
technologist who can handle those types of tasks, the IT administrators didn't
want the technologists to have full access to Active Directory.
Solution
The IT team had been using a tool called DSRAZOR for Novell
from Visual Click Software for many
years. It let them create specialized apps to provide specific functionality to
designated users — such as adding user accounts or changing passwords —
without granting them full access to all network authorization functionality.
They were very happy with the product, and although they practiced due diligence
by looking at alternatives, they felt strongly that they would stick with
DSRAZOR for the Windows network. When they piloted the Windows network at a few
sites, they tested DSRAZOR for Windows, just to confirm it was the right choice.
It was, and once they went all-in with the network switchover, they converted
their DSRAZOR license from Novell to Windows.
"We did look around at other
tools, just to see if there was something better," said Kevin Collier, principal
network services technician for the district, "but we were so happy with the
Novell product and we just kept coming back to DSRAZOR for Windows."
Implementation
DSRAZOR for Windows integrates with Microsoft Active Directory and includes
hundreds of built-in apps for creating, managing, deleting and reporting on
users, computers and groups, as well as for reporting on files and folder
permissions. The apps can be used as-is or modified as needed. Administrators
can also create custom apps, but most of the time Collier finds an app that most
closely meets his needs and then asks Visual Click's technical support team to
customize it for him.
"If we don't have the time or can't figure out how to make
an app work, I just send their tech support an e-mail and usually within 24 hours
I have a working app," he said. Once the administrators have the app they want,
they copy the app's executable file and one or two accompanying DLLs into a
shared folder on the network, where the campus technologists can access it and
copy it to their laptop. "They just run it, and as long as they have the rights
to do what they need to do, they can use the tool," said Collier.
The administrators gave campus technologists the ability to create user
accounts and change passwords. While the district does have a password portal
for user self-service, sometimes the campus techs still need the ability to
change passwords themselves. Collier has implemented other apps for different
departments, too, including ones for managing groups. And he uses DSRAZOR's Zero
Privilege Help Desk tool to let some staff delete workstations from the
directory.
Even though Collier has full access to Active Directory's functionality and
user accounts, he uses some of the DSRAZOR apps himself to simplify tasks such
as reporting on how many users are members of a group. "I'll get requests from
managers of some of the shares and they'll want to know who has access to their
share, so I can quickly go in and look at any group and pull that data and send
it to them," he said.
Collier likes the tool's ease of use. "When you get into the console, you can
right-click an app to bring it up in the designer tool and make any changes, or
you can double-click on it, to launch the app, so you can see what it does," he
said.
Results
According to Collier, DSRAZOR has taken a lot of pressure off his team so
they can concentrate on other projects.
"It lets us pass issues — like deleting
workstations or changing passwords — off to other users," he said. "The only
time we get a request is if they couldn't change something or something didn't
work in the tool. It empowers our users to handle some of this stuff faster
because they don't have to wait for us to reply to an e-mail or respond to a
ticket. They can just take care of it immediately."
About the Author
Leila Meyer is a technology writer based in British Columbia.