Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring a user with a linked mailbox for managing mail-enabled groups

With Active Roles, you can specify a user for group membership management tasks by selecting the group in the Active Roles Web Interface, and clicking General Properties > Managed by. However, both the group and the user specified as the group manager must be in the same Active Directory (AD) forest.

If Exchange Resource Forest Management (ERFM) is configured for your organization, user accounts and mail-enabled groups may be located in different forests: the user accounts are stored in the account forest, while the mail-enabled groups are in the resource forest. In such cases, you can assign a user for group management by specifying the shadow account of the user as the group manager instead of their master user account.

Doing so will result in Active Roles synchronizing the group management settings of the shadow account to the master account, allowing the master account to add or remove members from the specified group, even if it is located in a different forest.

NOTE: If your environment has a large number of Microsoft Exchange mailboxes (or a complex Microsoft Exchange deployment), Active Roles may retrieve the properties of users with Exchange mailboxes slower than for users without Exchange mailboxes.

To solve this problem, enable a performance fix by creating a new registry key as described in Knowledge Base Article 4336544:

  1. On the machine(s) running the Administration Service and the Web Interface, launch the Windows Registry Editor.

  2. In the Registry Editor, navigate to the following registry path:

    HKEY_LOCAL_ MACHINE\SOFTWARE\One Identity\Active Roles\Configuration

  3. Create a new DWORD (32-bit) Value named PerformanceFlag.

  4. Double-click the new PerformanceFlag DWORD, and set its Value data to 1.

  5. To apply the fix, restart the Active Roles Administration Service and IIS. If the fix is enabled successfully, the following Active Roles event log with Event ID 2508 will appear in the Event Viewer:

    Performance flag value set to 1.

  6. (Optional) To deactivate the fix later, set the Value data of the PerformanceFlag DWORD to 0.

The PerformanceFlag registry key accepts only a value of 1 (to activate the fix) or 0 (to deactivate it).

To configure a user with a linked mailbox for group membership management

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 151: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. In the container of your users, select the user you want to assign as a group manager.

  3. To view the general Exchange settings of the user, click Exchange Properties > Shadow Account > Properties.

  4. Open the General Properties > Account tab, and take note of the User logon name (pre-Windows 2000) value of the shadow account. You will need to specify this user logon name for the group later in this procedure.

  5. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to your resource forest containing the Exchange server and the shadow accounts.

  6. Select the group whose management settings you want to configure. Then, to open the group management settings, click General Properties > Managed by.

    Figure 152: Active Roles Web Interface – Opening the group management settings of a group via General Properties > Managed by

  7. To specify a new group manager, click Change. This opens the Select Object dialog, allowing you to specify the manager account.

  8. In the Select Object dialog, specify the User logon name of the shadow account that you have noted down earlier in the procedure, then click the search button. Once the dialog lists the user, select it and click OK.

    TIP: If your search returns no results, then double check that the specified user logon name is correct, and make sure that the Search in drop-down list is set to the resource forest where the shadow account is stored.

  9. After the user is displayed in the Manager text box, click Save. Then, to make sure that the user receives all group management permissions, select Manager can update membership list and click Save again.

NOTE: The master account of the specified user will receive the configured group administration permissions during the next run of the ERFM - Mailbox Management scheduled task. To make sure that the group management permissions of the shadow account are immediately synchronized to its master account, run the scheduled task manually. For more information, see Configuring the ERFM Mailbox Management scheduled task.

Converting a user mailbox to a linked mailbox

Once Exchange Resource Forest Management (ERFM) is set up for your organization, you can convert the existing user mailboxes of your users to linked mailboxes. This is typically required if your organization had already contained users with regular Exchange user mailboxes before configuring linked mailboxes with ERFM.

To convert a user mailbox to a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to your resource forest containing the Exchange server and the shadow accounts.

  2. In the container of your users, select the user whose mailbox you want to convert.

  3. To start the mailbox conversion, in the list of actions available for the selected mailbox, click Convert to Linked Mailbox.

  4. Under Linked master account, click Change and select the user in the account forest whose mailbox you are converting. To do so, specify the account forest in the Search in field, then enter the name of the user in the Search field. Once the Select Object window lists the user, select it and click OK.

  5. To apply your changes, click Finish.

Active Roles then performs the following actions:

  1. It changes the specified user mailbox to a linked mailbox.

  2. It specifies the user selected in the account forest as the master user account.

  3. It changes the user associated with the mailbox in the resource forest to a shadow account.

Converting a linked mailbox to a user mailbox

You can convert existing linked mailboxes configured with Exchange Resource Forest Management (ERFM) to user mailboxes. This is typically required during organizational changes or IT infrastructure migrations.

When you convert an existing linked mailbox to a user mailbox, Active Roles performs the following changes:

  1. The former master user account in the account forest becomes an external user, and can no longer access the mailbox.

  2. The former shadow account becomes the new user account associated with the mailbox in the resource forest.

To convert a linked mailbox to a user mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to your resource forest containing the Exchange server and the shadow accounts.

  2. In the container of your users, select the user whose mailbox you want to convert.

  3. To start the mailbox conversion, in the list of actions available for the selected mailbox, click Convert to User Mailbox.

  4. To apply your changes, click OK.

  5. Following the mailbox conversion, the user mailbox will be in a disabled state. To enable it, in the list of actions available for the selected mailbox, click Enable Account.

  6. After the account is enabled, you must also reset the account password. To do so, in the list of actions available for the selected mailbox, click Reset Password.

  7. In the Reset Password window, configure the following settings:

    Figure 153: Active Roles Web Interface – Resetting the password of a converted user mailbox

    • Password and Confirm password: The initial password of the user and the corresponding password confirmation field. You can specify the password either manually, or Generate one with Active Roles that follows the password policy requirements of your organization.

      To clear the specified password, click Clear. To spell out each character of the password for clarification, click Spell out.

      Figure 154: Active Roles Web Interface – Spelling out the characters of the generated or specified password

    • Account options: Use these options to specify additional security settings for the user (for example, to have them change the configured password during their next login attempt, or have the configured password expire after some time).

  8. To apply your changes, click Finish.

Deprovisioning a user with a linked mailbox

You can deprovision users with linked mailboxes by using the Deprovision action of the Active Roles Web Interface. When doing so, Active Roles, by default:

  • Disables the user account, and resets the user password to a random value.

  • Removes the user from all assigned security and distribution groups.

  • Disables the linked mailbox.

  • Disables the home folder of the user.

Optionally, deprovisioning also lets you relocate deprovisioned users to a specific folder, and even schedule them for deletion after some time.

One Identity typically recommends deprovisioning users instead of deleting them and their mailboxes, if the user is affected by an organizational change, suspension, or longer periods of time off work. You can undo the effects of deprovisioning later and reinstate the user with the Undo Deprovisioning action of the Active Roles Web Interface.

When a user with a linked mailbox configured via Exchange Resource Forest Management (ERFM) is deprovisioned, Active Roles runs all deprovisioning policies applied to the Active Directory (AD) container holding the shadow account, including any mailbox deprovisioning policies in effect in your organization.

TIP: Besides deprovisioning, you can also disable users by using the Disable Account action. Disabling a user account with a linked mailbox prevents the user from logging in and accessing their resources, but it does not remove the user from their groups, and does not disable the mailbox and the user home folder. One Identity recommends disabling user accounts instead of completely deprovisioning them if the organization still needs to access the user resources (such as the home folder or the mailbox).

To disable a user account, in the Active Roles Web Interface, navigate to the OU where your user is stored in the Directory Management > Tree > Active Directory node, select the user, and in the list of actions available for the selected user, click Disable Account.

Prerequisites

To deprovision users with linked mailboxes configured via ERFM, make sure that the mailbox deprovisioning policies of your organization (for example, the built-in Exchange Mailbox Deprovisioning policy) are applied to the container that holds the shadow accounts in the resource forest, instead of the container of the master user accounts in the account forest. By default, the deprovisioning workflow runs the following built-in policies for users with linked mailboxes:

  • Built-in policy - User Default Deprovisioning

  • Built-in policy - ERFM - Mailbox Management

For more information on deprovisioning policies, see Deprovisioning Policy Objects.

To deprovision a user with a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 155: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. Select the master user account that you want to deprovision, and in the list of available actions, click Deprovision.

  3. To confirm deprovisioning, click OK.

Active Roles then performs deprovisioning of the master user account and its associated shadow account. After the process is completed, it displays the operation summary of deprovisioning.

TIP: To verify that Active Roles also deprovisioned the shadow account, in the Active Roles Web Interface, navigate to the user container of your shadow accounts in the Directory Management > Tree > Active Directory node of the resource forest, select the shadow account, and from the list of actions available for the shadow account, click Deprovisioning Results.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating