Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring Skype for Business Server User Management in a multi-forest environment

You can configure the Skype for Business Server User Management feature in a multi-forest environment by performing the following main configuration steps:

  1. Applying the Master Account Management policy: During this step, you must adjust the Forest Mode policy setting in the Built-in Policy - Skype for Business - Master Account Management Policy Object, then link that Policy Object to the Active Directory domains or containers in the user forest that contain the master accounts of the login-enabled user accounts you want to manage with Active Roles.

  2. Applying the User Management policy: During this step, you must link the Built-in Policy - Skype for Business - User Management Policy Object to the Active Directory domains or containers in the Skype for Business Server forest that contains the shadow accounts.

    In case of a central forest, you must also link the Built-in Policy - Skype for Business - User Management Policy Object to Active Directory domains or containers in the Skype for Business Server forest that hold login-enabled user accounts you want to manage with Active Roles.

Applying the Master Account Management policy

To configure Skype for Business Server User Management in a multi-forest environment, apply the Built-in Policy - Skype for Business - Master Account Management Policy Object to user accounts in Active Directory forests that are external to the Skype for Business Server forest.

To enable the Skype for Business Server User Management feature:

  1. Configure the Policy Object according to the Skype for Business Server forest mode in your organization (resource forest or central forest).

  2. Link the Policy Object to the domains or containers in the external user forest(s) holding the user accounts you want to manage with Active Roles.

To configure the Master Account Management Policy Object

  1. In the Active Roles Console, navigate to Configuration > Policies > Administration > Builtin.

  2. In the details pane, double-click the Built-in Policy - Skype for Business - Master Account Management Policy Object.

  3. In the Properties dialog that appears, go to the Policies tab, and double-click the entry in the list of policies.

  4. In the Properties dialog that appears, go to the Forest Mode tab and select the option that matches the Skype for Business Server forest mode in your Skype for Business Server deployment (see Skype for Business Server forest mode).

  5. (Optional) Review the rest of the policy settings if needed:

    • On the Shadow Account tab, view or change the container and default description for new shadow accounts.

    • On the Master Account tab, view or change the attribute to store a reference to shadow account.

    • On the Synced tab, view or change the list of synchronized properties.

    • On the Substituted tab, configure your custom list of substituted properties in addition to the default list.

    • On the Back-synced tab, view or change the list of back-synchronized properties.

For detailed description of the policy settings, see Master Account Management policy settings for Skype for Business Server User Management.

To link the Master Account Management Policy Object to an Organizational Unit or domain

  1. In the Active Roles Console, navigate to Configuration > Policies > > Builtin.

  2. In the details pane, right-click the Built-in Policy - Skype for Business - Master Account Management Policy Object, then click Policy Scope.

  3. In the dialog that appears, click Add, then select the Organizational Unit or domain.

Applying the User Management policy

You can configure the Skype for Business Server User Management feature for user accounts in the Skype for Business Server forest with the Built-in Policy - Skype for Business - User Management Policy Object. To enable the feature, link the policy to domains or containers in the Skype for Business Server forest that contains the shadow accounts of the users.

If your organization uses a central forest topology, also link the policy to Active Directory domains or containers in the Skype for Business Server forest that contains the login-enabled Skype for Business user accounts you want to manage with Active Roles.

To link the User Management Policy Object to an Organizational Unit or domain

  1. In the Active Roles Console, navigate to Configuration > Policies > Administration > Builtin.

  2. In the details pane, right-click the Built-in Policy - Skype for Business - User Management Policy Object, then click Policy Scope.

  3. In the dialog that appears, click Add, then select the Organizational Unit or domain.

By default, the Policy Object has all policy settings configured. To change the policy settings, use the Active Roles Console.

To view or change the settings of the User Management Policy Object

  1. In the Active Roles Console navigate to Configuration > Policies > Administration > Builtin.

  2. In the details pane, double-click the Built-in Policy - Skype for Business - User Management Policy Object.

  3. In the Properties dialog that appears, go to the Policies tab, and double-click the entry in the list of policies.

  4. In the Properties dialog box that appears, do any of the following:

    • On the Server tab, specify how you want Active Roles to select a computer running Skype for Business Server.

    • On the SIP User Name tab, configure a rule for generating the SIP user name in the user SIP address.

    • On the SIP Domain tab, configure a rule to restrict selection of a SIP domain for the user SIP address.

    • On the Pool tab, configure a rule to restrict selection of an Enterprise Edition Front End pool or Standard Edition server to which Skype for Business Server users can be assigned.

    • On the Telephony tab, configure a rule to restrict selection of a Telephony option for Skype for Business Server users.

For more information on the policy settings, see Skype for Business Server User Management policy settings.

Upgrading the Skype for Business Server configuration from an earlier version

If you already manage Skype for Business Server resources with Active Roles Add-on for Skype for Business Server, you can update your deployment to use the Skype for Business Server User Management feature. The procedure has the following main steps:

  1. Identify the Active Directory topology option used by the add-on. For more information on how Skype for Business User Management works with the supported forest types, see the following sections:

    If your organization uses a multi-forest environment, take note of the Distinguished Name of the container in which the add-on creates the shadow accounts.

  2. Uninstall Active Roles Add-on for Skype for Business Server from Active Roles Add-on Manager. Then, uninstall the add-on from the computer where it is installed.

  3. Upgrade to the latest version of Active Roles. For more information, see the Active Roles Quick Start Guide.

  4. Deploy the Skype for Business Server User Management feature. Depending on the Active Directory topology option used by the add-on, see the applicable section for more information:

The following instructions provide more detailed information on the procedure.

NOTE: The instructions apply to Active Roles Add-on for Skype for Business Server 2.1.

NOTE: The instructions apply to Active Roles Add-on for Skype for Business Server 2.1.

To identify the Active Directory topology option used by the Skype for Business Server Add-on

  1. In the Active Roles Console, select Applications > Active Roles Add-on for Skype for Business Server.

  2. In the Configure Add-on area of the details pane, review the add-on settings:

    • The Active Directory topology option is selected in the Active Directory topology box.

    • If a multi-forest option is selected, the Distinguished Name of the container in which the add-on creates shadow accounts is specified in the Container for shadow accounts/contacts box.

If the add-on was configured with the resource forest or central forest option, you must configure and apply the Built-in Policy - Skype for Business - Master Account Management Policy Object.

To configure and apply the Master Account Management Policy Object

  1. In the Active Roles Console, navigate to Configuration > Policies > Administration > Builtin.

  2. In the details pane, double-click the Built-in Policy - Skype for Business - Master Account Management Policy Object.

  3. In the Properties dialog that appears, go to the Policies tab, and double-click the entry in the list of policies.

  4. In the Properties dialog that appears, go to the Forest Mode tab and select the option that matches the Active Directory topology option that was used by the add-on.

    • If the add-on was configured with the option Multiple forests - Resource forest, then select the Resource forest option on the Forest Mode tab.

    • If the add-on was configured with the option Multiple forests - Central forest, then select the Central forest option on the Forest Mode tab.

  5. Go to the Shadow Account tab and configure the policy to use the container for shadow accounts that was used by the add-on. To do so, click This container > Browse, and select the container.

  6. Close the Properties dialog for the policy entry by clicking OK.

  7. In the Properties dialog box for the Policy Object, click Apply, go to the Scope tab, then click the Scope button on that tab.

  8. In the dialog that appears, add the containers that hold the master accounts you managed using the add-on, then click OK.

  9. Close the Properties dialog box for the Policy Object by clicking OK.

TIP: The Skype for Business Server User Management feature will identify the existing master accounts, enabling Active Roles to manage their shadow accounts for Skype for Business Server in the same way as when using the add-on. To speed up the identification of the existing master accounts, you can run the Master Account Management scheduled task manually:

  1. In the Active Roles Console, navigate to the following container:

    Configuration/Server Configuration/Scheduled Tasks/Builtin

  2. Right-click the Skype for Business - Master Account Management scheduled task.

  3. Select All Tasks, then click Execute.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating