Chat now with support
Chat mit Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Master Account Management policy actions for Skype for Business User Management

The Master Account Management policy causes Active Roles to perform the following Skype for Business Server management actions depending on the change request submitted to the Active Roles Administration Service.

Table 89: Policy actions for Skype for Business Server User Management

Request

Actions

Enable an existing Active Directory user for Skype for Business Server

Active Roles retrieves the properties of the existing user (in the external forest), then performs the following actions:

  1. Creates a shadow account in the Skype for Business forest, and populate its properties with the properties of the user from the external forest.

  2. Enables the shadow account for Skype for Business Server.

  3. Sets the msRTCSIP-OriginatorSID attribute of the shadow account to the value of the objectSID attribute of the user from the external forest.

  4. Creates a reference to the shadow account on the master account.

If the user from the external forest already has a shadow account (for example, created by Exchange Resource Forest Management), then the policy reuses the existing shadow account instead of creating a new one.

When creating the shadow account, Active Roles runs all policies that are applied to the container that holds the shadow account.

Modify Skype for Business Server user properties of a master account

If the change request includes any changes to substituted properties, Active Roles first makes the requested changes to the substituted properties of the shadow account. Next, Active Roles makes the requested changes to the properties of the master account, then updates the synchronized properties of the shadow account with the new property values found on the master account.

Deprovision a master account

Active Roles deprovisions the master account, then temporarily disables the shadow account for Skype for Business Server.

Undeprovision a deprovisioned master account

Active Roles undeprovisions the master account, and re-enables the shadow account for Skype for Business Server.

For undeprovisioning master accounts to have an effect on shadow accounts, the container that holds deprovisioned master accounts must be in the scope of the Built-in Policy - Skype for Business - Master Account Management Policy Object (or a copy of that Policy Object).

Delete a master account

Active Roles deletes the master account, and then removes the shadow account from Skype for Business Server.

The Master Account Management policy requires that shadow accounts be in the scope of the User Management policy for Skype for Business Server User Management provided by Skype for Business Server User Management. This enables Active Roles to perform the Skype for Business Server-related actions on the shadow account.

Scheduled Skype for Business Server synchronization

Skype for Business Server User Management includes an Active Roles scheduled task that complements the Master Account Management policy to enforce synchronization of master and shadow account properties, and to capture existing Skype for Business Server users whose master account happens to fall under the control of that policy.

The scheduled task object is located in the following container in the Active Roles Console:

Configuration/Server Configuration/Scheduled Tasks/Builtin/Skype for Business - Master Account Management

The task is scheduled to run on a daily basis, and normally you do not need to modify its settings. The operation of the task affects only the user accounts that are in the scope of the Built-in Policy - Skype for Business - Master Account Management Policy Object (or a copy of that Policy Object). When run, the task performs the following actions on each of those user accounts:

  • If the user account does not have a shadow account that is enabled for Skype for Business Server, it skips that user account.

  • If the user account has a shadow account that is enabled for Skype for Business Server but does not store a reference to that shadow account, it creates the reference to the shadow account on that user account.

    This action enables the Skype for Business Server User Management feature to administer existing Skype for Business Server users.

  • If the user account has a shadow account that is enabled for Skype for Business Server and stores a reference to the shadow account, then it copies the synchronized properties from the master account to the shadow account, and copies the back-synchronized properties from the shadow account to the master account.

    This action ensures that the shadow account properties are updated with the latest changes to the master account properties (and the opposite is also true).

Access Templates for Skype for Business Server

Skype for Business Server User Management provides a number of Access Templates (ATs) allowing you to delegate the tasks of managing Skype for Business Server users in Active Roles. You can find these ATs in the following container when using Active Roles Console:

Configuration/Access Templates/Skype for Business Server

Table 90: Skype for Business Server User Management Access Templates

Access Template

Description

Skype for Business Server - User Full Control

Gives permission to perform the following tasks by using Active Roles:

  • Add and enable new Skype for Business Server users.

  • View existing Skype for Business Server users.

  • View or change the SIP address.

  • View or change the telephony option and related settings.

  • View or change the user policy assignments in Skype for Business Server.

  • Temporarily disable or re-enable users for Skype for Business Server.

  • Move users to another server or pool in Skype for Business Server.

  • Remove users from Skype for Business Server.

Skype for Business Server - User Telephony

Gives permission to perform the following tasks by using Active Roles:

  • View existing Skype for Business Server users.

  • View the SIP address.

  • View or change the telephony option and related settings.

  • View the user policy assignments in Skype for Business Server.

Skype for Business Server - User Disable/Re-enable

Gives permission to perform the following tasks by using Active Roles:

  • View existing Skype for Business Server users.

  • View the SIP address.

  • View the telephony option and related settings.

  • View the user policy assignments in Skype for Business Server.

  • Temporarily disable or re-enable users for Skype for Business Server.

Skype for Business Server - User Policies

Gives permission to perform the following tasks by using Active Roles:

  • View existing Skype for Business Server users.

  • View the SIP address.

  • View the telephony option and related settings.

  • View or change the user policy assignments in Skype for Business Server.

When applying ATs for Skype for Business Server User Management, consider your Active Directory topology, and apply only the ATs applicable to your forest configuration.

Table 91: Applying Access Templates for Skype for Business Server User Management

Topology option

Where to apply Access Templates

Single forest topology for Skype for Business Server User Management

Apply ATs to Active Directory domains and containers to which the Built-in Policy - Skype for Business - User Management Policy Object (or a copy of that Policy Object) is applied, to allow access to user accounts of Skype for Business Server users managed by Active Roles.

Resource forest topology for Skype for Business Server User Management

Apply ATs to Active Directory domains and containers in external forests to which the Built-in Policy - Skype for Business - Master Account Management Policy Object (or a copy of that Policy Object) is applied, to allow access to master accounts of Skype for Business Server users managed by Active Roles.

You do not need to apply these Access Templates in the Skype for Business Server forest.

Central forest topology for Skype for Business Server User Management

Apply ATs to:

  • Active Directory domains and containers in external forests to which the Built-in Policy - Skype for Business - Master Account Management Policy Object (or a copy of that Policy Object) is applied, to allow access to master accounts of Skype for Business Server users managed by Active Roles.

  • Active Directory domains and containers in the Skype for Business Server forest to which the Built-in Policy - Skype for Business - User Management Policy Object (or a copy of that Policy Object) is applied, to allow access to login-enabled user accounts of Skype for Business Server users managed by Active Roles in the Skype for Business Server forest.

Configuring the Skype for Business Server User Management feature

This section describes the prerequisites and procedure of deploying the Skype for Business User Management feature in your environment.

This section describes the prerequisites and procedure of deploying the Skype for Business User Management feature in your environment.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen