Chat now with support
Chat mit Support

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Deployment considerations

Active Roles enforces policies by applying Policy Objects to promote data integrity throughout the directory. This is done by generating and validating the data entered into the directory. Each Policy Object is basically a container that holds one or more policy entries (also referred to as policies).

There are several types of policy entries that can be configured within a Policy Object. The two major ones are Property Generation and Validation, and Script Execution. Property Generation and Validation policy entries provide a point-and-click interface for creating basic rules for attribute population. Script Execution policy entries enable the use of scripting for a broad range of custom actions that could supplement, extend, or replace the policy types included with Active Roles out of the box.

Just as with Group Policy Objects in Active Directory, the location that Active RolesPolicy Objects are linked to is critical:

  • Any policies that are intended to affect the entire domain should be included into a Policy Object linked at the domain level. If needed, filtering can be used to exclude specific objects or containers (Organizational Units) from being processed by these policies.

  • If more than one object or containers needs to be excluded from the effect of a domain-wide policy, it is best to include those objects or containers explicitly into a Managed Unit and then apply policy filtering to that Managed Unit by using the Block Inheritance option.

From here, the best way to apply policies is at the top level of the directory tree they will affect. Usually, however policies are only needed to affect certain Organizational Units within the tree. In this case, a Managed Unit is the most effective way to apply the policies. Include the desired Organizational Units explicitly into a Managed Unit, and then link the Policy Object to that Managed Unit.

A policy consists of three major components. These are:

  • A policy entry that defines the policy

  • A Policy Object containing that policy entry

  • A Policy Object link that determines where the policy is applied in the directory

Typically, a single Policy Object includes all the entries for a specific set of policies. It is not efficient to create one entry per Policy Object since this defeats the purpose of having separation between the Policy Object and policy entries.

A policy cannot be filtered for specific sets of administrators. Once applied to a given object or container, a policy will be in effect for every administrator under every condition. This is unless a Script Execution policy is included as a policy entry that utilizes the IEDSEffectivePolicyRequest interface to override the policies determined by other policy entries. This interface is documented in Active Roles SDK.

Script Execution polices are policy entries that utilize scripts written in a scripting language such as Microsoft Windows PowerShell or VBScript. Policy scripts use event handles that are executed before or after every action that can happen in the directory. See the following table for a list of these handlers.

Table 28: Event handlers

Name

Description

onPreCreate

In a script policy applied to a container; receives control upon a request to create an object in that container. This enables a script to perform custom actions prior to creating an object.

onPostCreate

In a script policy applied to a container; receives control after a request to create an object in that container is completed. This enables a script to perform custom actions further to creating an object.

onPreDelete

Receives control upon a request to delete an object. Enables a script to perform custom actions prior to deleting an object.

onPostDelete

Receives control after a request to delete an object is completed. Enables a script to perform custom actions further to deleting an object.

onPreModify

Receives control upon a request to start changing object properties. Enables a script to perform custom actions prior to applying changes to an object.

onPostModify

Receives control after a request to change object properties is completed. Enables a script to perform custom action further to changing an object's property values.

onPreMove

In a script policy applied to a container, this function receives control upon a request to start moving an object from that container. This enables a script to perform custom actions prior to moving an object.

onPostMove

In a script policy applied to a container, this function receives control after a request to move an object to that container is completed. This enables a script to perform custom actions further to moving an object.

onPreRename

Receives control upon a request to start renaming an object. Enables a script to perform custom actions prior to renaming an object.

onPostRename

Receives control after a request to rename an object is completed. Enables a script to perform custom actions further to renaming an object.

onPreGet

Receives control upon a request to retrieve object properties. Enables a script to perform custom actions prior to starting the retrieval of an object's property values.

onPostGet

Receives control after a request to retrieve object properties is completed. Enables a script to perform custom actions following the retrieval of an object's property values.

onPreSearch

Receives control upon a request to start a search. Enables a script to perform custom actions prior to starting a search.

onPreDeprovision

Receives control upon a request to execute the Deprovision operation. Enables a script to perform custom actions prior to starting the operation.

onDeprovision

Receives control in the course of processing a request to execute the Deprovision operation. Enables the use of a script for customizing the behavior of the operation.

onPostDeprovision

Receives control after a request to execute the Deprovision operation is completed. Enables a script to perform custom actions following the operation.

onPreUnDeprovision

Receives control upon a request to execute the Undo Deprovisioning operation. Enables a script to perform custom actions prior to starting the operation.

onUnDeprovision

Receives control in the course of processing a request to execute the Undo Deprovisioning operation. Enables the use of a script for customizing the behavior of the operation.

onPostUnDeprovision

Receives control after a request to execute the Undo Deprovisioning operation is completed. Enables a script to perform custom actions following the operation.

onPreUnDelete

Receives control upon a request to execute the Undelete operation. Enables a script to perform custom actions prior to starting the operation.

onPostUnDelete

Receives control after a request to execute the Undelete operation is completed. Enables a script to perform custom actions following the operation.

onCheckPropertyValues

Receives control upon a request to verify and validate the changes that are going to be made to an object. Enables a script to perform custom actions further to normal validity checks on an object.

onGetEffectivePolicy

Receives control upon a request to retrieve the policy settings that are in effect on a particular object (such as policy constraints on property values). Enables a script to perform custom actions further to retrieval of policy settings.

onInit

Receives control when the Administration Service retrieves the definition of the script parameters, enabling the script to manifest the name and other characteristics of each parameter.

onFilter

Boolean-valued function that is evaluated during execution of the onPreSearch event handler, allowing search results to be filtered based on properties of objects returned by the search. For details, see IEDSRequestParameters Properties in the Active Roles SDK documentation.

Basically, when an action happens, Active Roles looks to see if there are any Policy Objects applied that hold Script Execution policies. If so, the policy script is checked to see if it has an event handler for the specific action being performed. The object being acted upon is passed into the event handler for further actions. These event handlers are normally run in the security context of the service account, so even if a user does not have rights to perform the actions outlined in the policy script, it will still execute correctly. If any errors occur during the execution of a policy script, the errors can be found in the Active Roles event log for post-action handlers and are displayed to the client for pre-action handlers.

Policy scripts are typically written in a scripting language such as Windows PowerShell or VBScript. Many examples of scripts based on Windows PowerShell and VBScript, along with instructions on how to use the Active Roles ADSI Provider both for policy scripts and for standalone scripts, can be found in the Active Roles SDK documentation.

It is also important to note that policy scripts can pick up and take action upon directory changes made natively, as well. To turn on this behavior, you should choose the option that directs in the policy script to handle directory changes reported by the directory synchronization function (select the Handle changes from DirSync control check box on the Script Module tab in the Properties dialog for the policy entry), and use the IEDSRequestParameters interface in a post-action event handler. More on this topic can be found in the Active Roles SDK documentation.

Checking for policy compliance

Checking for policy compliance provides information on directory data that is out of compliance with the policies, such as user or group naming conventions, defined with Active Roles. If you define some policies when data has already been entered, you can check the data, and modify it accordingly, in order to ensure that the data meets the policy requirements.

Although business rules and policies normally cannot be bypassed once they have been configured, there are situations where the actual directory data may violate some of the prescribed policies or business rules. For example, when applying a new policy, Active Roles does not automatically verify the existing directory data in order to determine whether that data conforms to the new policy. Another example is a process that automatically creates new objects, such as user or group objects, by directly accessing Active Directory without the use of Active Roles.

The Active Roles Report Pack includes a number of reports that help detect policy violations in directory data by collecting and analyzing information on the state of directory objects as against the prescribed policies. However, as retrieving such information may take much time and effort, the reports on policy compliance sometimes do not allow policy-related issues to be resolved in a timely fashion.

In order to address this problem, Active Roles makes it possible to quickly build and examine policy check results on individual objects or entire containers. The policy check results provide a list of directory objects violating policies, and describe the detected violations. From the policy check results, you can make appropriate changes to objects or policies:

  • Modify object properties in conformity with policies.

  • Prevent individual objects from being affected by particular policies.

  • Modify Policy Objects as needed.

  • Perform an administrative task—for example, disable or move user objects that violate policies.

In addition, you can save policy check results to a file, print them out, or send them to an email recipient.

To check an object for policy compliance, right-click the object and click Check Policy. For a container object, this displays the Check Policy dialog. Review the options in the Check Policy dialog and click OK.

The Policy Check Results window appears and the operation starts. The check results are displayed in the right pane of the window. The objects that violate a policy are displayed in the left pane. When you click an object in the left pane, the right pane describes the policy violation in detail.

By default, the right pane in the Policy Check Results window only displays basic options. You can display more choices by clicking the Details column heading.

By using links in the right pane, you can perform the following tasks:

  • Modify the property value violating the policy: Click the edit link next to the Property value label.

  • Remove the object from the policy scope: Click the block policy inheritance link next to the Policy Object label. If you do so, the policy no longer controls the object.

  • Modify the policy: Click the properties link next to the Policy Object label. This displays the Properties dialog for the Policy Object, described in Adding, modifying, or removing policies.

  • Administer the object violating the policy: Click Properties in the upper-right corner of the right pane.

  • Administer the object to which the Policy Object is applied: Click the properties link next to the Applied to label.

You can use the following instructions to see how checking for policy compliance works in the Active Roles Console:

  1. Create and configure a Policy Object with the property validation and generation policy for the Department property of user objects, specifying the policy rule as follows: Value must be specified and must be Sales or Production.

  2. Apply (link) that Policy Object to an Organizational Unit that already holds some user objects with no department specified.

  3. Right-click the Organizational Unit and click Check Policy. In the Check Policy dialog, click OK.

    Once you have performed these steps, the Policy Check Results window is displayed. Its left pane lists objects violating the policy.

  4. Wait while the list in the left pane is being populated. Then, select a user object from the list.

    The right pane, next to the Violation label, displays the prompt You must specify a value for the property ‘department’.

  5. In the right pane, click the edit link next to the Property value label.

  6. In the Properties dialog, select one of the acceptable values (Production or Sales) from the Department combo-box.

Steps to check for policy compliance

Checking for policy compliance provides information on directory data that is out of compliance with the policies, such as user or group naming conventions, defined with Active Roles. If you define some policies when data has already been entered, you can check the data, and modify it accordingly, in order to ensure that the data meets the policy requirements.

To check an object for policy compliance

  1. Right-click the object, and click Check Policy.

  2. If the object is a container or Managed Unit, select the appropriate combination of these check boxes to specify the scope of the operation:

    • This directory object: The scope includes the container or Managed Unit you have selected (this option does not cause the scope to include any child objects or members of the container or Managed Unit).

    • Child objects of this directory object: The scope includes all the child objects (or members, as applied to a Managed Unit) in the entire hierarchy under the container or Managed Unit you have selected.

    • Immediate child objects only: The scope includes only the child objects (or members, as applied to a Managed Unit) of which the container or Managed Unit that you have selected is the direct ancestor.

    Click OK.

    The progress and results of the policy check operation are displayed in the Policy Check Results window. The left pane of the window lists the objects for which a policy violation has been detected.

  3. Click an object in the left pane of the Policy Check Results window.

    When you click an object in the left pane, the right pane describes the policy violation in detail. By default, the right pane in the Policy Check Results window only displays basic options. You can display more choices by clicking the Details column heading.

  4. Use hypertext links in the right pane to perform the following tasks:

    • Modify the property value violating the policy: Click the edit link next to the Property value label.

    • Remove the object from the policy scope: Click the block policy inheritance link next to the Policy Object label. If you do so, the policy no longer controls the object.

    • Modify the policy: Click the properties link next to the Policy Object label. This displays the Properties dialog for the Policy Object. For instructions on how to add, modify, or remove policies in the Properties dialog, see Adding, modifying, or removing policies.

    • View or modify the properties of the object that violates the policy: Click Properties in the upper-right corner of the right pane.

    • View or modify the properties of the object to which the Policy Object is applied (linked): Click the properties link next to the Applied to label.

NOTE: The Check Policy command on a Policy Object performs a check on all the objects found in the policy scope of the Policy Object. Use the Check Policy command on a Policy Object to find all objects that are not in compliance with the policies defined by that Policy Object.

Deprovisioning users or groups

The Active Roles user interfaces, both Active Roles Console and Web Interface, provide the Deprovision command on user and group objects. This command originates a request to deprovision the selected objects. When processing the request, Active Roles performs all operations prescribed by the deprovisioning policies.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen