Chat now with support
Chat mit Support

Identity Manager 9.3 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

General main data of Active Directory user accounts

Table 30: Configuration parameters for setting up user accounts
Configuration parameter Meaning

TargetSystem | ADS | Accounts | TransferJPegPhoto

Specifies whether changes to the identity's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when an identity's main data is changed.

Enter the following general main data.

Table 31: General main data of a user account
Property Description

Identity

Identity that uses this user account.

  • An identity is already entered if the user account was generated by an account definition.

  • If you are using automatic identity assignment, an associated identity is found and added to the user account when you save the user account.

  • If you create the user account manually, you can select an identity in the drop-down.

    The drop-down displays activated and deactivated identities by default. If you do not want to see any deactivated identities, set the QER | Person| HideDeactivatedIdentities configuration parameter.

NOTE: If you assign a deactivated identity to a user account, it might be locked or deleted depending on the configuration.

You can create a new identity for a user account with an identity of type Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity, or Service identity. To do this, click next to the input field and enter the required identity main data. Which login data is required depends on the selected identity type.

No link to an identity required

Specifies whether the user account is intentionally not assigned an identity. The option is automatically set if a user account is included in the exclusion list for automatic identity assignment or a corresponding attestation is carried out. You can set the option manually. Enable the option if the user account does not need to be linked with an identity (for example, if several identities use the user account).

If attestation approves these user accounts, these user accounts will not be submitted for attestation in the future. In the Web Portal, user accounts that are not linked to an identity can be filtered according to various criteria.

Not linked to an identity

Indicates why the No link to an identity required option is enabled for this user account. Possible values:

  • By administrator: The option was set manually by the administrator.

  • By attestation: The user account was attested.

  • By exclusion criterion: The user account is not associated with an identity due to an exclusion criterion. For example, the user account is included in the exclude list for automatic identity assignment (configuration parameter PersonExcludeList).

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account main data and to specify a manage level for the user account. One Identity Manager finds the IT operating data of the assigned identity and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

NOTE: Use the user account's Remove account definition task to reset the user account to Linked status. This removes the account definition from both the user account and the identity. The user account remains but is not managed by the account definition anymore. The task only removes account definitions that are directly assigned (XOrigin=1).

Manage level

Manage level of the user account. Select a manage level from the drop-down. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the drop-down.

First name

The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Middle name

User's middle name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Initials

The user’s initials. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Title

The user’s academic title. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Name

User account identifier. The identifier is made up of the user’s first and last names.

Distinguished name

User account's distinguished name. The distinguished name is formatted from the user account's identifier and the container and cannot be changed.

Domain

Domain in which the user account is created.

Container

Container in which to create the user account. If you have assigned an account definition, the container is determined from the company IT data for the assigned identity depending on the manage level of the user account. When the container is selected, the defined name for the user is created using a formatting rule.

Primary group

User account's primary group. Synchronization with the Active Directory environment assigns the user account to the Domain Users group by default. Only groups that are assigned to the user account are available as primary groups.

Login name (pre Win2000)

Login name for the previous version of Active Directory. If you assigned an account definition, the login name (pre Win2000) is made up of the identity’s central user account depending on the manage level of the user account.

User login name

User account login name. User login names that are formatted like this correspond to the User Principal Name (UPN) in Active Directory.

If you have already established the container and entered the login name (pre Win2000), the user login name is created following the formatting rule as shown:

<login name (pre Win2000)>@<AD domain name>

Email address

User account email address. If you assigned an account definition, the email address is made up of the identity’s default email address depending on the manage level of the user account.

Additional email addresses

Other email addresses for the user account.

Account expiry date

Account expiry date. Specifying an expiry data for the account has the effect that the login for this user account is locked as soon as the given date is exceeded. If you assigned an account definition, the identity’s last day of work it is automatically taken as the expiry date depending on the manage level. Any existing account expiry date is overwritten in this case.

Structural object class

Structural object class representing the object type. Possible values:

  • USER: Default object class for user accounts.

  • INETORGPERSON : Object class used by other LDAP and X.500 directory services for mapping user accounts.

  • POSIXACCOUNT: Object class for user accounts with additional POSIX (Portable Operating System Interface) properties.

Risk index (calculated)

Maximum risk index value of all assigned groups. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for the inheritance of groups by the user account. Groups can be selectively inherited by user accounts. To do this, groups and user accounts or contacts are divided into categories. Select one or more categories from the drop-down.

Description

Text field for additional explanation.

Identity type

User account's identity type Permitted values are:

  • Primary identity: Identity's default user account.

  • Organizational identity: Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.

  • Personalized administrator identity: User account with administrative permissions, used by one identity.

  • Sponsored identity: User account to use for a specific purpose. Training, for example.

  • Shared identity: User account with administrative permissions, used by several identities. Assign all identities that use this user account.

  • Service identity: Service account.

Privileged user account.

Specifies whether this is a privileged user account.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked identity. If the option is set, the user account inherits groups through hierarchical roles, in which the identity is a member, or through IT Shop requests.

  • If you add an identity with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an identity has requested group membership in the IT Shop and the request is granted approval, the identity's user account only inherits the group if the option is set.

Preferred user account

Preferred user account when an identity has several user accounts in Active Directory.

User account is disabled

Specifies whether the user account is disabled. If a user account is not required for a period of time, you can temporarily disable the user account by using the <User account is deactivated> option.

Account locked

Specifies whether the user account is locked. Depending on the configuration, the user account in the Active Directory environment is locked after multiple incorrect password attempts. You can lock the user account again in the Manager using the Unlock user account task.

If the user account is linked to an identity, the user account is unlocked when a new central password is set for the identity. This behavior is controlled by the TargetSystem | ADS | Accounts | UnlockByCentralPassword configuration parameter. For more information about an identity’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

Protected from accidental deletion

Specifies whether to protect the user account against accidental deletion. If the option is set, the permissions for deleting the user account are removed in Active Directory. The user account cannot be deleted or moved.

Related topics

Password data for Active Directory user accounts

Enter the password data for the system user ID.

NOTE: One Identity Manager password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.

NOTE: The TargetSystem | ADS | Accounts | NotRequirePassword configuration parameter specifies whether a password is required when creating new Active Directory user accounts in One Identity Manager. If the configuration parameter is not set, entry of a password that meets the defined password guidelines is requested when a new Active Directory user account is created. If the configuration parameter is set, it is not necessary to specify a password when creating new Active Directory user accounts. In the Designer, you can edit the configuration parameter as required.

Table 32: User account password data

Property

Description

Password

Password for the user account. The identity’s central password can be mapped to the user account password. For more information about an identity’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

If you use a random generated initial password for the user accounts, it is automatically entered when a user account is created.

The password is deleted from the database after publishing to the target system.

Password confirmation

Reconfirm password.

Password last changed

Date of last password change. The date is read in from the Active Directory system and cannot be changed.

Password never expires

Specifies whether the password expires. This option is usually used for service accounts. It overwrites the maximum lifetime of a password and the Change password at next logon option.

Cannot change password

Specifies whether the password can be changed. This option is normally set for user accounts that are used by several users.

Change password at next login

Specifies whether the user must change their password the next time they log in.

TIP: To enable this option every time new user accounts are created, set the TargetSystem | ADS | Accounts | UserMustChangePassword configuration parameter.

Save passwords with reversible encryption

Details for encrypting the password. By default, passwords that are saved in Active Directory are encrypted. When you use this option, passwords are saved in plain text and can be restored again.

SmartCard required to log on

Data required for logging in with a SmartCard. Set this option to save public and private keys, passwords, and other personal information for this Active Directory user account. For the user to be able to log in to the network, the user’s computer must be equipped with a smart card reader and the user must have a personal identification number (PIN).

Account trusted for delegation purposes

Data required for delegation. Set this option so that a user can delegate the responsibility for administration and management of a partial domain to another Active Directory user account or another group.

Cannot delegate account

Data required for delegation. Set this option when this user account may not be assigned for delegation purposes from another user account.

Account uses DES encryption

Data required for encryption. Set this option if you would like to enable Data Encryption Standard (DES) support.

Kerberos preauthentication not required

Specifies whether Kerberos pre-authentication is required. Set this option when the user account uses a different implementation of the Kerberos protocol.

Related topics

Active Directory user account home directory and profile directory

Enter the data for the user's home and profile directories. When you enter a profile directory, a new user profile is created through One Identity Manager Service that is loaded over the network when the user logs on.

NOTE: If the QER | Person | User | ConnectHomeDir configuration parameter is set, some of the following data for the home directory is formed automatically. In the Designer, you can set the configuration parameter as required.

Table 33: Main data for a user directory
Property Description

Home server

Home server. You can select the home server depending on the number of home directories per home server that already exist (according to the database). If you assigned an account definition, the home server is determined from the current IT operating data for the assigned identity depending on the manage level.

Home share

The share that is stored under the user’s home directory on the home server. Default is HOMES.

Home directory path

Name of the home directory for the user under the home share. By default, the login name (pre Windows 2000) is used to format the home directory path.

Home shared as

Home directory share. This share is formatted using the default home directory path.

Home drive

The drive to be connected when the user logs in. The default domain home drive is used.

Home directory

The user's home directory. The given home directory is automatically added and shared by the One Identity Manager Service.

Size home directory [MB]

Size of the home directory in MB. Find the size of the home directory by running the schedule supplied by default. In the Designer, configure and enable the Load size of home folders for user accounts schedule.

Maximum home storage space [MB]

Maximum size for the home directory on the home server in MB.

Profile server

Profile server. If you assigned an account definition, the profile server is determined from the current IT operating data for the assigned identity depending on the manage level.

Profile share

The share that is stored under the user’s profile directory on the profile server. Default is PROFILES.

Profile shared as

Profile directory share.

Profile directory path

Name of the profile directory for the user under the profile share. By default, the login name (pre Windows 2000) is used to format the profile directory path.

Login script

Name of the login script. If the script is in a subdirectory of the login script path (normally Winnt\Sysvol\domain\scripts), you need enter the subdirectory as well. The given login script is run when the user logs in.

Related topics

Login credentials for Active Directory user accounts

Enter the following login credentials.

Table 34: Credentials
Property Description

Last login

Date of last login. The date is read in from the Active Directory system and cannot be changed manually.

Login workstation

Workstation on which the user can log in. A user can log in on all workstations by default.

Select the button next to the input field to activate it and add workstations. Use the button to remove workstations from the list.

Login times

Times and days on which the user is allowed to be logged in. By default, login is permitted at all hours and every day of the week. If a user is logged in, the login is disconnected at the end of the valid login period.

The calendar shows a 7-day week, each box represents one hour. The configured login times are shown in color, respectively. If a box is filled, login is allowed. If the box is empty, login is denied.

To specify login times

  • Select a time period with the mouse or keyboard.

  • Select Assign to enable login in the selected period.

  • Select Remove to deny login in the selected period.

  • Select Reverse to invert the selected period.

  • Use the arrow keys to reset or repeat a selection.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen