With the Propagate Permissions to Active Directory option enabled, how and when will the permissions be synced to Active Directory?
By default, Active Roles runs in proxy mode and permissions granted in Active Roles are not synced to AD.
The Propagate Permissions to Active Directory option allows Active Roles administrators to override the default behaviour for certain Active Directory objects and convert the Active Roles Access Templates linked to those objects into native Active Directory permissions (ACLs).
The Access Template links marked with Propagate Permissions are synced to native Active Directory permissions by the built-in scheduled task named Sync of Permissions to Active Directory. The task runs daily in Active Roles and can be found in the Active Roles MMC Console under the following path:
Configuration | Server Configuration | Scheduled Tasks | Builtin | Sync of Permissions to Active Directory
The task compares the Active Directory ACLs with the linked Access Template(s), and updates the ACLs in Active Directory if necessary.
The Active Directory object's ACL information is stored in a single attribute named nTSecurityDescriptor.
Therefore, the whole attribute gets updated whenever certain ACEs have to be added or deleted to the object's ACL.
The task updates ACLs only for the objects that are non-compliant with the linked Access Templates.
For the compliant objects, no changes are performed.
Active Roles does not override or remove the native ACEs that existed in the object's ACL before the linked Access Template was synced to the object. Those permissions also remain intact after the sync to Active Directory is revoked for the object.
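As an added example (not code from the Active Roles documentation or product), the following read-only PowerShell check evaluates an object the way the sync task does: it reads the object's nTSecurityDescriptor through the ActiveDirectory module's AD: drive, reports template ACEs that are missing (the object is then non-compliant), and lists pre-existing native ACEs without removing them. The domain, identity, DN and expected rights are constructed placeholders.

```powershell
# Added example, not part of Active Roles. Read-only compliance check:
# reports missing ACEs and lists native ACEs, never modifies the ACL.
Import-Module ActiveDirectory

# Constructed sample: ACEs an Access Template is expected to have propagated.
# Identity, rights and the DN below are placeholders; replace with your own.
$ExpectedAces = @(
    @{ Identity = 'CONTOSO\HelpDesk'; Rights = 'ReadProperty, WriteProperty'; Type = 'Allow' },
    @{ Identity = 'CONTOSO\HelpDesk'; Rights = 'ExtendedRight';              Type = 'Allow' }
)

function Test-AceCompliance {
    param(
        [Parameter(Mandatory)] [string]      $DistinguishedName,
        [Parameter(Mandatory)] [hashtable[]] $Expected
    )
    # Get-Acl on the AD: drive deserialises the single nTSecurityDescriptor
    # attribute into an ActiveDirectorySecurity object; .Access is the DACL.
    $acl      = Get-Acl -Path "AD:\$DistinguishedName"
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited }

    # An expected ACE is satisfied when an explicit ACE for the same identity
    # and access type grants at least the wanted rights (flag superset).
    $missing = foreach ($e in $Expected) {
        $wanted = [System.DirectoryServices.ActiveDirectoryRights]$e.Rights
        $match  = $explicit | Where-Object {
            $_.IdentityReference.Value -eq $e.Identity -and
            $_.AccessControlType.ToString() -eq $e.Type -and
            (($_.ActiveDirectoryRights -band $wanted) -eq $wanted)
        }
        if (-not $match) { $e }
    }

    # Native ACEs for identities the template does not cover are reported
    # only; like the sync task, this check leaves them intact.
    $native = $explicit | Where-Object {
        $id = $_.IdentityReference.Value
        -not ($Expected | Where-Object { $_.Identity -eq $id })
    }

    [pscustomobject]@{
        Object      = $DistinguishedName
        Compliant   = (@($missing).Count -eq 0)
        MissingAces = @($missing | ForEach-Object { "$($_.Identity): $($_.Rights) ($($_.Type))" })
        NativeAces  = @($native  | ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" })
    }
}

Test-AceCompliance -DistinguishedName 'OU=Staff,DC=contoso,DC=com' -Expected $ExpectedAces
```

Run it before and after the scheduled task to confirm that only the objects reported as non-compliant change, and that the NativeAces list is unchanged by the sync.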
Q: How can I determine whether the task has completed, and how long it ran?
A: The following Event IDs are created in the Active Roles event log:
You can filter the event log by event ID 1521, and then browse the individual events to locate the task start and end events, which are linked by the same Task ID.