Chat now with support
Chat mit Support

Active Roles 8.2.1 - Feature Guide

Introduction About Active Roles
Main Active Roles features Technical overview of Active Roles
About presentation components Overview of service components About network data sources About security and administration elements About Active Directory security management Customization using ADSI Provider and script policies About dynamic groups About workflows Operation in multi-forest environments
Examples of use
Administrative rules and roles
About Managed Units About Access Templates About Access Rules About rule-based autoprovisioning and deprovisioning
Configuring and administering Active Roles Overview of Active Roles Synchronization Service Support for AWS Managed Microsoft AD FIPS compliance LSA protection support STIG compliance

About Group Object Permanent Deletion

Group Object Permanent Deletion policies automate the deletion of deprovisioned groups, with deprovisioned group objects retained for a specified amount of time before they are permanently deleted by Active Roles. Alternatively, you can also configure this policy not to delete, but to deprovision group objects instead.

When processing a request to deprovision a group, Active Roles uses this policy to determine whether to schedule the deprovisioned group object for deletion. When scheduled for deletion, a group object is permanently deleted after a certain time period, referred to as a retention period.

A policy configured to delete groups specifies the number of days to retain deprovisioned group objects. With such a policy, Active Roles permanently deletes a group after the specified number of days has passed since the group was deprovisioned.

A policy can be configured not to delete groups. When applied at a certain level of the directory hierarchy, such a policy overrides any other policy of this category applied at a higher level of the directory hierarchy.

One more option of this policy is intended for domains where Active Directory Recycle Bin is enabled. The policy can be configured so that once a group is deprovisioned, the group object is moved to the Recycle Bin (which effectively means that the group will be deleted immediately, without any retention period). Moving deprovisioned group objects to the Recycle Bin may be required for security reasons, as an extra security precaution. The Active Directory Recycle Bin ensures that the group object can be restored, if necessary, without any loss of data. Active Roles provides the ability to un-delete and then un-deprovision groups that were deprovisioned to the Recycle Bin.

For more information on configuring this Policy Object, see Configuring a Group Object Permanent Deletion policy in the Active Roles Administration Guide.

About Notification Distribution

Notification Distribution policies automatically generate and send email notifications about deprovisioning requests. As such, these policies are meant to notify designated persons about object deprovisioning requests, so that they can take additional deprovisioning-related actions on that object, if necessary.

When configuring a Notification Distribution policy, you can:

  • Specify the list of notification recipients.

  • Customize the subject and body of the notification message.

When processing a deprovisioning request, Active Roles uses this policy to determine whether anyone must be notified of the deprovisioning operation that is requested. Then, it generates a notification message and sends it to the recipients, if any specified in the policy configuration.

When a deprovisioning operation is requested, Active Roles issues a notification message regardless of operation results. Hence, a notification message cannot be considered as an indication of success or failure of the operation. Rather, it only indicates that deprovisioning has been requested. If you need to inform anybody of deprovisioning results, use a Report Distribution policy.

Notification performs on a per-object basis: Each notification message contains information about a request to deprovision one object. When deprovisioning multiple objects, Active Roles sends multiple notification messages, one message per object.

Active Roles sends notification messages via an SMTP server. The policy configuration specifies the outbound SMTP server by using Active Roles email settings that include the name of the SMTP server and information required to connect to the SMTP server.

For more information on configuring this Policy Object, see Configuring a Report Distribution policy in the Active Roles Administration Guide.

About Report Distribution

Report Distribution policies automatically send a report on deprovisioning results after completing a deprovisioning operation. As such, this policy is meant to inform designated persons about any problems that might occur when performing deprovisioning requests.

Reports are delivered via email. When configuring a Report Distribution policy, you can set up a list of report recipients, customize the subject of report messages, and specify whether to send a report if no errors occurred.

Upon completion of a deprovisioning operation, Active Roles uses this policy to determine if the report on deprovisioning results must be sent. Then, Active Roles generates the report message and sends it to the recipients specified in the policy configuration. The report includes a list of actions taken during the deprovisioning operation. For each action, the report informs of whether the action is completed successfully, and provides information about the action results.

With the Report Distribution policy configured not to send reports if no errors occurred, Active Roles examines the deprovisioning results for errors. If there are no errors, the report is not sent.

Active Roles generates deprovisioning reports on a per-object basis: Each report message contains information on the deprovisioning of one object. When deprovisioning multiple objects, Active Roles sends multiple report messages, one message per deprovisioned object.

Active Roles sends report messages via an SMTP server. The policy configuration specifies the outbound SMTP server by using Active Roles email settings that include the name of the SMTP server and information required to connect to the SMTP server.

For more information on configuring this Policy Object, see Configuring a Report Distribution policy in the Active Roles Administration Guide.

About the Undo Deprovisioning operation

Active Roles provides the ability to restore deprovisioned objects, such as deprovisioned users or groups. The purpose of this operation, referred to as the Undo Deprovisioning operation, is to roll back the changes that were made to an object by the Deprovision operation. When a deprovisioned object needs to be restored (for example, if a user account has been deprovisioned by mistake), the Undo Deprovisioning operation allows the object to be quickly returned to the state it was in before the changes were made.

The Undo Deprovisioning operation rolls back the changes that were made to the object in accord with the standard Deprovisioning policies. For example, assume a User Account Deprovisioning policy is configured so that a deprovisioned user account:

  • Is disabled.

  • Is renamed.

  • Has the Description changed.

  • Has a number of properties cleared out.

  • Has the password set to a random value.

In this case, the Undo Deprovisioning operation:

  • Enables the user account.

  • Sets the Description, Name, and other properties to the original values on the user account.

  • Can provide the option to reset the password so as to enable the user to log on.

Similar behavior is in effect for the other policies of the Deprovisioning category:

  • If the Deprovision operation revokes user access to resources such as the home folder or Exchange mailbox, then the Undo Deprovisioning operation attempts to restore user access to the resources.

  • If the Deprovision operation removes a user account from certain groups, the Undo Deprovisioning operation can add the user account to those groups, restoring the original group memberships of the user account.

To offer another example, suppose the deprovisioning policy is configured so that Deprovision operation on a group:

  • Removes all members from the group

  • Renames the group

  • Moves the group to a certain container

In this case, the Undo Deprovisioning operation:

  • Restores the original membership list of the group, as it was at the time of deprovisioning

  • Renames the group, restoring the original name of the group

  • Moves the group to the container that held the group at the time of deprovisioning

Similar behavior is in effect for the other group deprovisioning policy options:

  • If the Deprovision operation hides the group from the Global Address List (GAL), Undo Deprovisioning restores the visibility of the group in the GAL.

  • If the Deprovision operation changes the group type from Security to Distribution, Undo Deprovisioning sets the group type back to Security.

  • If the Deprovision operation changes any other properties of the group, Undo Deprovisioning restores the original property values.

Both the Active RolesConsole and Web Interface provide the Undo Deprovisioning command on deprovisioned users or groups. When selected on a deprovisioned object, this command originates a request to restore the object. Upon receipt of the request, Active Roles performs all necessary actions to undo the results of deprovisioning on the object, and provides a detailed report of the actions that were taken along with information about success or failure of each action.

For more information on the procedure of restoring deprovisioned objects, see Restoring deprovisioned users or groups in the Active Roles Administration Guide.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen