User accounts, contacts, groups, computers, and container structures of an Active Directory domain are mapped in One Identity Manager. These objects are imported into the One Identity Manager database during synchronization. You cannot display or edit their properties in the Manager.
Managing Active Directory environments
Architecture overview
One Identity Manager users for managing Active Directory
Configuration parameters for managing Active Directory environments
Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain
Managing Active Directory user accounts and identities
Users and permissions for synchronizing with Active Directory
Communications ports and firewall configuration
Setting up the Active Directory synchronization server
Adjusting the synchronization configuration for Active Directory environments
System requirements for the Active Directory synchronization server
Installing One Identity Manager Service with an Active Directory connector
Creating a synchronization project for initial synchronization of an Active Directory domain
Information required to set up a synchronization project
Creating an initial synchronization project for Active Directory domains
Configuring the synchronization log
Configuring synchronization in Active Directory domains
Configuring synchronization of several Active Directory domains
Supporting POSIX extensions
Changing system connection settings of Active Directory domains
Updating schemas
Speeding up synchronization with revision filtering
Configuring the provisioning of memberships
Configuring single object synchronization
Accelerating provisioning and single object synchronization
Running synchronization
Starting synchronization
Deactivating synchronization
Displaying synchronization results
Synchronizing single objects
Tasks following synchronization
Post-processing outstanding objects
Adding custom tables to the target system synchronization
Managing Active Directory user accounts and Active Directory contacts through account definitions
Troubleshooting
Ignoring data error in synchronization
Pausing handling of target system specific processes (Offline mode)
Account definitions for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups
Creating account definitions
Editing account definitions
Main data for account definitions
Editing manage levels
Creating manage levels
Assigning manage levels to account definitions
Main data for manage levels
Creating mapping rules for IT operating data
Entering IT operating data
Modify IT operating data
Assigning account definitions to identities
Assigning identities automatically to Active Directory user accounts
Assigning account definitions to departments, cost centers, and locations
Assigning account definitions to business roles
Assigning account definitions to all identities
Assigning account definitions directly to identities
Assigning account definitions to system roles
Adding account definitions in the IT Shop
Assigning account definitions to Active Directory domains
Deleting account definitions
Editing search criteria for automatic identity assignment
Finding identities and directly assigning them to user accounts
Changing manage levels for Active Directory user accounts
Changing manage levels for Active Directory contacts
Supported user account types
Default user accounts
Administrative user accounts
Updating identities when Active Directory user account are modified
Automatic creation of departments and locations based on user account information
Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Providing an administrative user account for one identity
Providing an administrative user account for multiple identities
Privileged user accounts
Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers
Login credentials for Active Directory user accounts
Prerequisites for indirect assignment of Active Directory groups
Assigning Active Directory groups to departments, cost centers and locations
Assigning Active Directory groups to business roles
Adding Active Directory groups to system roles
Adding Active Directory groups to the IT Shop
Adding Active Directory groups automatically to the IT Shop
Assigning Active Directory user accounts directly to Active Directory groups
Assigning Active Directory groups directly to Active Directory user accounts
Assigning Active Directory contacts directly to Active Directory groups
Active Directory Assign groups directly to Active Directory Contacts
Assigning Active Directory computers directly to Active Directory groups
Assigning Active Directory groups directly to Active Directory computers
Effectiveness of membership in Active Directory user groups
Active Directory group inheritance based on categories
Overview of all assignments
Password policies for Active Directory user accounts
Mapping Active Directory objects in One Identity Manager
Predefined password policies
Using password policies
Creating password policies
Using password policies
General main data of password policies
Policy settings
Character classes for passwords
Custom scripts for password requirements
Editing the excluded list for passwords
Verifying passwords
Testing password generation
Initial password for new Active Directory user accounts
Email notifications about login data
Active Directory domains
Handling of Active Directory objects in the Web Portal
Basic data for managing an Active Directory environment
General main data for Active Directory domains
Global account policies for Active Directory domains
Active Directory specific main data for Active Directory domains
Defining categories for the inheritance of Active Directory groups
Displaying information about the Active Directory forest
Entering and testing trusted Active Directory domains
Active Directory account policies for Active Directory domains
Active Directory container structures
Creating and editing Active Directory account policies
General main data for an Active Directory account policy
Guidelines for Active Directory account guidelines
Assigning Active Directory account policies to Active Directory user account and Active Directory groups
Editing the synchronization project for an Active Directory domain
Monitoring the number of memberships in Active Directory groups and Active Directory containers
Creating and editing Active Directory containers
Main data for Active Directory containers
Deleting Active Directory containers
Moving an Active Directory container
Displaying the Active Directory container overview
Active Directory user accounts
Creating and editing Active Directory user accounts
General main data of Active Directory user accounts
Password data for Active Directory user accounts
Active Directory user account home directory and profile directory
Login credentials for Active Directory user accounts
Dial-in access using Remote Access Service (RAS) for Active Directory user accounts
Terminal server connection data for Active Directory user accounts
Extension data for Active Directory user accounts
Further data for identifying Active Directory user accounts
Contact information for Active Directory user accounts
POSIX properties for Active Directory user accounts
Assigning Active Directory account policies to Active Directory user accounts
Assigning secretaries to Active Directory user accounts
Assigning extended properties to Active Directory user accounts
Disabling Active Directory user accounts
Deleting and restoring Active Directory user accounts
Active Directory contacts
Procedure for deleting Active Directory user account in One Identity Manager
Handling of user directories when deleting Active Directory user accounts
Unlocking Active Directory user accounts
Moving Active Directory user accounts
Displaying the Active Directory user account overview
Displaying Azure Active Directory user accounts for Active Directory user accounts
Creating and editing Active Directory contacts
General main data for Active Directory contacts
Contact data for Active Directory contacts
Further data for identifying Active Directory contact
Extension data for Active Directory contacts
POSIX properties for Active Directory contacts
Assigning secretaries to Active Directory contacts
Assigning extended properties to Active Directory contacts
Deleting and restoring Active Directory contacts
Moving Active Directory contacts
Displaying the Active Directory contact overview
Active Directory groups
Creating and editing Active Directory groups
General main data of Active Directory groups
Extension data for Active Directory groups
POSIX properties for Active Directory groups
Validity of group memberships
Adding Active Directory groups to Active Directory groups
Assigning Active Directory account policies to Active Directory groups
Assigning secretaries to Active Directory groups
Assigning extended properties to Active Directory groups
Deleting Active Directory groups
Moving Active Directory groups
Displaying the Active Directory group overview
Displaying Azure Active Directory groups for Active Directory groups
Active Directory computers
Main data for Active Directory computers
Performing computer diagnostics
Moving an Active Directory computer
Displaying the Active Directory computer overview
Active Directory security IDs
Active Directory printers
Active Directory sites
Reports about Active Directory objects
User account names
Target system managers for Active Directory
Job server for Active Directory-specific process handling
Configuration parameters for managing an Active Directory environment
Default project template for Active Directory
Processing methods of Active Directory system objects
Active Directory connector settings
Mapping Active Directory objects in One Identity Manager
Active Directory domains
The target system for the synchronization with an Active Directory directory is the domain. Domains are added as base objects for the synchronization in One Identity Manager. They are used for to configure process provisioning, automatic assignment of identities to user accounts and contacts, and for passing down Active Directory user groups to user accounts and contacts.
NOTE: The Synchronization Editor sets up the domains in the One Identity Manager database.
To edit main data of an Active Directory domain
-
In the Manager, select the Active Directory > Domains category.
-
Select the domain in the result list.
-
Select the Change main data task.
-
Edit the domain's main data.
- Save the changes.
Related topics
- General main data for Active Directory domains
- Global account policies for Active Directory domains
- Active Directory specific main data for Active Directory domains
- Defining categories for the inheritance of Active Directory groups
- Displaying information about the Active Directory forest
- Entering and testing trusted Active Directory domains
- Active Directory account policies for Active Directory domains
- Editing the synchronization project for an Active Directory domain
- Monitoring the number of memberships in Active Directory groups and Active Directory containers
- Synchronizing single objects
General main data for Active Directory domains
Enter the following general main data.
|
Property |
Description | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Domain |
NetBIOS domain name. This corresponds to the pre-Windows 2000 domain names. The domain name cannot be changed later. | |||||||||
|
Parent domain |
Parent domain for mapping a hierarchical domain structure. The full name and the defined name are automatically updated through templates. | |||||||||
|
Domain subtype |
Active Directory functional level. There are several features available in Active Directory at functional level. Refer to the documentation for the appropriate Windows to find out which functional levels are supported by the domain controller's Windows Server operating system to be implemented. Following functional levels are supported in One Identity Manager:
| |||||||||
|
Display name |
Name used to display the domain in the user interface. This is preset with the domain NetBIOS name; however, the display name can be changed. | |||||||||
|
Account definition (initial) |
Initial account definition for creating user accounts. This account definition is used if automatic assignment of identities to user accounts is used for this User accounts are only linked to the identity (Linked) if no account definition is given. This is the case on initial synchronization, for example. | |||||||||
| Contact definition (initial) |
Initial account definition for creating contacts. These account definitions are used if automatic assignment of identities to contacts is used for this domain, resulting in administered user accounts (Linked configured state). The account definition's default manage level is applied. Contacts are only linked to the identity (Linked state) if no account definition is given. This is the case on initial synchronization, for example. | |||||||||
|
Target system managers |
Application role in which target system managers are specified for the domain. Target system managers only edit the objects from domains that are assigned to them. Therefore, each domain can have a different target system manager assigned to it. Select the One Identity Manager application role whose members are responsible for administration of this domain. Use the | |||||||||
|
Synchronized by |
Type of synchronization through which the data is synchronized between the domain and One Identity Manager. You can no longer change the synchronization type once objects for these domains are present in One Identity Manager. If you create a domain with the Synchronization Editor, One Identity Manager is used.
NOTE: If you select No synchronization, you can define custom processes to exchange data between One Identity Manager and the target system. | |||||||||
|
Description |
Text field for additional explanation. |
button to add a new application role.Related topics
Global account policies for Active Directory domains
When you set up a user account, globally defined account policies and data are applicable for issuing passwords. You can enter these setting against the domain. Account policies apply when user accounts are newly added.
For domains from the functional level Windows Server 2008 R2 and above, it is possible to define multiple policies. You can also define password policies in One Identity Manager that you can apply to the user account passwords.
NOTE: password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.
Enter the following data for global account policies.
| Property | Description |
|---|---|
|
Minimum password length |
Minimum length of the password. Use this option to specify that a password has to be complex. NOTE: If, during synchronization, a more restrictive value for an Active Directory domain's global account policy is found than the one on the password policy, this value is the one that will be applied to the domain's password policy. If this password policy is used for other domains the value also applies to these domains. |
|
Minimum password lifetime |
Minimum age of the password. Enter the length of time a password has to be used before the user is allowed to change it. |
|
Max. password age |
Maximum age of the password. Enter the length of time a password can be used before it expires. |
|
Max. errors |
Maximum number of errors. Set the number of invalid passwords. If the user has reached this number the user account is blocked. |
|
Password history |
Enter the number of passwords to be saved. For example, if you enter the value 5, the last 5 passwords for the user are saved. NOTE: If, during synchronization, a more restrictive value for an Active Directory domain's global account policy is found than the one on the password policy, this value is the one that will be applied to the domain's password policy. If this password policy is used for other domains the value also applies to these domains. |
|
Lock duration [min] |
Lock duration in minutes. Enter the time period the account should be locked for before it is automatically reset. |
|
Reset account [min] |
Duration in minutes of account reset. Enter the time period that can elapse between two invalid attempts to enter a password before a user account is locked. |