User accounts, contacts, groups, computers, and container structures of an Active Directory domain are mapped in One Identity Manager. These objects are imported into the One Identity Manager database during synchronization. You cannot display or edit their properties in the Manager.
Detailed information about this topic
The target system for the synchronization with an Active Directory directory is the domain. Domains are added as base objects for the synchronization in One Identity Manager. They are used for to configure process provisioning, automatic assignment of identities to user accounts and contacts, and for passing down Active Directory user groups to user accounts and contacts.
NOTE: The Synchronization Editor sets up the domains in the One Identity Manager database.
To edit main data of an Active Directory domain
-
In the Manager, select the Active Directory > Domains category.
-
Select the domain in the result list.
-
Select the Change main data task.
-
Edit the domain's main data.
- Save the changes.
Related topics
Enter the following general main data.
Table 22: Domain main data
Domain |
NetBIOS domain name. This corresponds to the pre-Windows 2000 domain names. The domain name cannot be changed later. |
Parent domain |
Parent domain for mapping a hierarchical domain structure. The full name and the defined name are automatically updated through templates. |
Domain subtype |
Active Directory functional level. There are several features available in Active Directory at functional level. Refer to the documentation for the appropriate Windows to find out which functional levels are supported by the domain controller's Windows Server operating system to be implemented. Following functional levels are supported in One Identity Manager:
|
Display name |
Name used to display the domain in the user interface. This is preset with the domain NetBIOS name; however, the display name can be changed. |
Account definition (initial) |
Initial account definition for creating user accounts. This account definition is used if automatic assignment of identities to user accounts is used for this domain and if user accounts are to be created that are already managed (Linked configured). The account definition's default manage level is applied.
User accounts are only linked to the identity (Linked) if no account definition is given. This is the case on initial synchronization, for example. |
Contact definition (initial) |
Initial account definition for creating contacts. These account definitions are used if automatic assignment of identities to contacts is used for this domain, resulting in administered user accounts (Linked configured state). The account definition's default manage level is applied.
Contacts are only linked to the identity (Linked state) if no account definition is given. This is the case on initial synchronization, for example. |
Target system managers |
Application role in which target system managers are specified for the domain. Target system managers only edit the objects from domains that are assigned to them. Therefore, each domain can have a different target system manager assigned to it.
Select the One Identity Manager application role whose members are responsible for administration of this domain. Use the button to add a new application role. |
Synchronized by |
Type of synchronization through which the data is synchronized between the domain and One Identity Manager. You can no longer change the synchronization type once objects for these domains are present in One Identity Manager.
If you create a domain with the Synchronization Editor, One Identity Manager is used.
Table 23: Permitted values
One Identity Manager |
Active Directory connector |
Active Directory connector |
No synchronization |
none |
none |
NOTE: If you select No synchronization, you can define custom processes to exchange data between One Identity Manager and the target system. |
Description |
Text field for additional explanation. |
Related topics
When you set up a user account, globally defined account policies and data are applicable for issuing passwords. You can enter these setting against the domain. Account policies apply when user accounts are newly added.
For domains from the functional level Windows Server 2008 R2 and above, it is possible to define multiple policies. You can also define password policies in One Identity Manager that you can apply to the user account passwords.
NOTE: password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.
Enter the following data for global account policies.
Table 24: Account policies for domains
Minimum password length |
Minimum length of the password. Use this option to specify that a password has to be complex.
NOTE: If, during synchronization, a more restrictive value for an Active Directory domain's global account policy is found than the one on the password policy, this value is the one that will be applied to the domain's password policy.
If this password policy is used for other domains the value also applies to these domains. |
Minimum password lifetime |
Minimum age of the password. Enter the length of time a password has to be used before the user is allowed to change it. |
Max. password age |
Maximum age of the password. Enter the length of time a password can be used before it expires. |
Max. errors |
Maximum number of errors. Set the number of invalid passwords. If the user has reached this number the user account is blocked. |
Password history |
Enter the number of passwords to be saved. For example, if you enter the value 5, the last 5 passwords for the user are saved.
NOTE: If, during synchronization, a more restrictive value for an Active Directory domain's global account policy is found than the one on the password policy, this value is the one that will be applied to the domain's password policy.
If this password policy is used for other domains the value also applies to these domains. |
Lock duration [min] |
Lock duration in minutes. Enter the time period the account should be locked for before it is automatically reset. |
Reset account [min] |
Duration in minutes of account reset. Enter the time period that can elapse between two invalid attempts to enter a password before a user account is locked. |
Related topics