Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Active Roles 8.2 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Monitoring connection to configuration database

This category includes the event-based processing rules to monitor health of the connection to the configuration database:

  • Connection to database has been lost: Administration Service has lost connection to the configuration database, and is attempting to re-establish the connection.

  • Connection to database has been restored: Administration Service restored connection to the configuration database.

The following sub-sections elaborate on each of these processing rules.

Connection to database has been lost - Alert

This rule generates an alert indicating that the Administration Service has lost a connection to the configuration database, and is making attempts to restore the connection. For details, refer to the alert description generated by this rule. Losing the connection to the database does not affect the directory management functions of the Administration Service. All operations related to Active Directory management continue to work as expected.

As long as there is no connection to the database, the following Administration Service functions will not be available:

  • Collecting data related to change history and user activity.

  • Retrieving and updating configuration data.

  • Retrieving changes to configuration data made by other Administration Service instances (both directly and via replication).

  • Retrieving and updating virtual attributes stored in the configuration database.

Connection to database has been restored - Alert

This rule generates an alert indicating that the Administration Service has restored the connection to the configuration database. For details, refer to the alert description generated by this rule. Once the connection has been restored, all Administration Service functions that require access to the database will be restored.

Monitoring of Dynamic Group-related operations

This category includes the event-based processing rules to monitor the background activities of Active Roles related to Dynamic Groups:

  • Rebuilding has been started: Administration Service has been forced to re-calculate (rebuild) the membership list of a Dynamic Group.

  • Failed to add object to Dynamic Group: Administration Service failed to add an object to a Dynamic Group.

  • Failed to remove object from Dynamic Group: Administration Service failed to remove an object from a Dynamic Group.

  • Failed to process membership rule: Administration Service failed to apply a query-based membership rule when updating the membership list of a Dynamic Group.

  • Failed to update membership list: Administration Service failed to update the membership list of a Dynamic Group in accordance with the membership rules.

  • Failed to update membership list of nested group: Administration Service failed to update the membership list of an additional (nested) group generated to accommodate extra members of a Dynamic Group.

  • Failed to update membership rule upon deletion of object: When updating a Dynamic Group, Administration Service failed to delete or update a membership rule of a Dynamic Group upon deletion of an object.

  • Failed to look up object when updating: When updating a Dynamic Group, Administration Service failed to locate an object that is referred to by a certain membership rule. The object may have been deleted.

  • Failed to retrieve information from domain: Administration Service failed to retrieve information about Dynamic Groups from a certain domain.

  • Membership rule domain unavailable: When updating a Dynamic Group, Administration Service failed to apply a membership rule because the rule applies to a domain unavailable on the network.

  • Membership rule failed: When updating a Dynamic Group, Administration Service failed to apply one of the membership rules, which prevented all rules from being applied and stopped changes to the members list of the Dynamic Group.

The following sub-sections provide more details about these processing rules.

Dynamic Group - Rebuilding has been started - Alert

This rule generates an alert indicating that an administrator has forced Active Roles to re-calculate (rebuild) the membership list of a Dynamic Group. For details, refer to the alert description generated by this rule.

You can start rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Failed to add object to Dynamic Group - Alert

This rule generates an alert indicating that the Administration Service failed to add an object to a Dynamic Group due to a certain problem. The object is missing from the Dynamic Group until after the problem has been resolved. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Failed to remove object from Dynamic Group - Alert

This rule generates an alert indicating that the Administration Service failed to remove an object from a Dynamic Group due to a certain problem. The object remains in the Dynamic Group until after the problem has been resolved. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Dynamic Group - Failed to process membership rule - Alert

This rule generates an alert indicating that the Administration Service failed to apply a query-based membership rule when updating the membership list of a Dynamic Group. The failed rule is not taken into account, so the membership list may not comply with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console. Check membership rules by using the Membership Rules tab in that dialog.

Dynamic Group - Failed to update membership list - Alert

This rule generates an alert indicating that the Administration Service failed to update the membership list of a Dynamic Group in accordance with the membership rules. The membership list may not be compliant with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Dynamic Group - Failed to update membership list of nested group - Alert

This rule generates an alert indicating that the Administration Service failed to update the membership list of an additional (nested) group generated to accommodate extra members of a Dynamic Group. The membership list of the nested group may not be compliant with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Dynamic Group - Failed to update membership rule upon deletion of object - Alert

This rule generates an alert indicating that the Administration Service failed to delete or update a membership rule of a Dynamic Group when deleting a certain object. The membership rule could be one of the following:

  • Implicit inclusion or exclusion of that object from the Dynamic Group.

  • Query with a filter referring to that object.

  • Inclusion or exclusion of the members of the group represented by that object.

For details, refer to the alert description generated by this rule.

To resolve the issue, delete or update membership rules with the Properties > Membership Rules tab of the Dynamic Group in the Active Roles Console. Then, force rebuilding of the Dynamic Group from the Members tab in that dialog.

Dynamic Group - Failed to look up object when updating - Alert

This rule generates an alert indicating that the Administration Service failed to locate an object when updating the membership list of a Dynamic Group in accordance with the membership rules. The object may have been deleted. The object could be referred to by:

  • A membership rule to explicitly include or exclude that object from the Dynamic Group.

  • A query-based membership rule (the object may represent the base of a search or be a member of the search result set).

  • A membership rule to include or exclude the members of a certain group (the object may represent the domain of that group).

  • A directory synchronization (DirSync) query (this may be one of the objects returned by that query).

For details, refer to the alert description generated by this rule.

The membership rules referring to that object are inoperative and are not taken into account when updating the Dynamic Group, so the membership list may not be compliant with the membership rules.

To prevent issues with the membership list of the Dynamic Group, check membership rules by using the Properties > Membership Rules tab of the Dynamic Group in the Active Roles Console. Then, force rebuilding of the Dynamic Group from the Members tab in that dialog.

Dynamic Group - Failed to retrieve information from domain - Alert

This rule generates an alert indicating that the Administration Service failed to retrieve information about Dynamic Groups from a certain domain. The Dynamic Groups contained in that domain are inoperative until after the problem has been resolved. For details, refer to the alert description generated by this rule.

Dynamic Group - Membership rule domain unavailable - Alert

This rule generates an alert indicating that Active Roles failed to update the members list of the Dynamic Group in accordance with one of the membership rules. The failed membership rule applies to a domain that is currently unavailable. The membership rule is disregarded, so the members list of the Dynamic Group may not be compliant with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, ensure that the domain is available on the network, then update the Dynamic Group by clicking Properties > Members > Rebuild in the dialog of the group in the Active Roles Console. Alternatively, wait for Active Roles to update the Dynamic Group on a schedule.

Dynamic Group - Membership rule failed - Alert

This rule generates an alert indicating that Active Roles failed to update the members list of the Dynamic Group in accordance with one of the membership rules. As one of the membership rules failed, no membership rules are applied until the issue is resolved, so the members list of this Dynamic Group remains unchanged. For details, refer to the alert description generated by this rule.

To solve the problem, try to force update the Dynamic Group by clicking Properties > Members > Rebuild in the dialog of the group in the Active Roles Console. Check the membership rules on the Membership Rules tab in that dialog.

Monitoring of Group Family-related operations

This category includes the event-based processing rules to monitor the background activities of Active Roles related to Group Families:

  • Cannot find configuration storage group: Administration Service failed to run a Group Family due to the following problem:

    The Group Family configuration storage group cannot be found.

  • Failed to retrieve configuration data: Administration Service failed to run a Group Family due to the following problem:

    Group Family configuration data cannot be retrieved from the Group Family configuration storage group.

  • Incorrect configuration data: Administration Service failed to run a Group Family due to the following problem:

    Incorrect configuration data was encountered in the Group Family configuration storage group.

  • Failed to retrieve configuration data for controlled group: Administration Service encountered an error when running a Group Family, failed to retrieve configuration data for a controlled group. Changes to the controlled group may not be applied until a subsequent run of the Group Family.

  • Failed to retrieve data from container: Administration Service encountered an error when running a Group Family, failed to search a certain container within the Group Family scope. Until a subsequent run, Group Family does not consider information about objects held in that container.

  • Failed to update configuration data: Administration Service encountered an error when running a Group Family, failed to update data in the Group Family configuration storage group. Information about controlled groups may be incorrect until a subsequent run of the Group Family.

  • Failed to update configuration data for controlled group: Administration Service encountered an error when running a Group Family, failed to update configuration data for a controlled group. The controlled group is not linked with the Group Family until a subsequent run of the Group Family.

  • Cannot find controlled group: Administration Service encountered an error when running a Group Family, failed to find a controlled group. Changes to the controlled group, if any, are not applied until a subsequent run of the Group Family.

  • Failed to create controlled group: Administration Service encountered an error when running a Group Family, failed to create a controlled group. Administration Service will attempt to create that controlled group during a subsequent run of the Group Family.

  • Failed to update membership list of controlled group: Administration Service encountered an error when running a Group Family, failed to update membership data for a controlled group. The membership list of the controlled group may be incorrect until a subsequent run of the Group Family.

  • Failed to create run task: Administration Service failed to create a task to run a Group Family. The Group Family is inoperative until the task is created.

  • Failed to modify run task: Administration Service failed to update a task to run a Group Family. The Group Family runs in accordance with the earlier schedule settings of that task.

  • Failed to delete run task: Administration Service failed to delete a task to run a Group Family. The Group Family continues to run in accordance with the schedule settings of that task.

  • Run task has been started manually: A task to run a Group Family was started manually.

  • Group Family run has been completed: Administration Service has completed a run of a Group Family.

The following sub-sections provide more information about these alerts.

Group Family - Cannot find configuration storage group - Alert

This rule generates an alert indicating that the Administration Service failed to run a Group Family due to the following problem:

The Group Family configuration storage group cannot be found. The Administration Service cannot run the Group Family until the problem is resolved.

The configuration storage group may have been either inaccessible or deleted. For details, refer to the alert description generated by this rule.

Group Family - Failed to retrieve configuration data - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Group Family configuration data cannot be retrieved from the configuration storage group. The Administration Service cannot run the Group Family until the problem is resolved.

For details, refer to the alert description generated by this rule.

Group Family - Incorrect configuration data - Alert

This rule generates an alert indicating that the Administration Service failed to run a Group Family due to the following problem:

Incorrect configuration data was encountered in the Group Family configuration storage group. The configuration storage group may have been corrupted. The run of the Group Family has been canceled.

For details, refer to the alert description generated by this rule.

Group Family - Failed to retrieve configuration data for controlled group - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Failed to retrieve configuration data for a certain group that is under the control of the Group Family (controlled group). Changes to the controlled group may not be applied until a subsequent run of the Group Family.

For details, refer to the alert description generated by this rule.

Group Family - Failed to retrieve data from container - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Failed to search a certain container within the Group Family scope. The groupings that were calculated during this run of the Group Family may not take into account information about some objects held in that container.

For details, refer to the alert description generated by this rule.

During a subsequent run of the Group Family, the Administration Service will attempt to search the entire Group Family scope, including the failed container to recalculate the Group Family groupings.

Group Family - Failed to update configuration data - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Failed to update configuration data in the Group Family configuration storage group. The Active Roles Console may display incorrect information about results of the Group Family run and about groups that are under the control of the Group Family (controlled groups).

For details, refer to the alert description generated by this rule.

During a subsequent run of the Group Family, the Administration Service will attempt to update configuration data in the configuration storage group.

Group Family - Failed to update configuration data for controlled group - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Failed to update configuration data for a certain group that is under the control of the Group Family (controlled group). The group is removed from the control of the Group Family.

For details, refer to the alert description generated by this rule.

During a subsequent run of the Group Family, the Administration Service will attempt to locate the failed group and put it under the control of the Group Family.

Group Family - Cannot find controlled group - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Cannot find a certain group that is under the control of the Group Family (controlled group). Some changes to the controlled group may not be applied.

For details, refer to the alert description generated by this rule.

During a subsequent run of the Group Family, the Administration Service will attempt to locate the controlled group and apply the changes, if any, to that group.

Group Family - Failed to create controlled group - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Failed to create a certain group to be put under the control of the Group Family (controlled group).

For details, refer to the alert description generated by this rule.

During a subsequent run of the Group Family, the Administration Service will attempt to create the controlled group and apply the changes, if any, to that group.

Group Family - Failed to update membership list of controlled group - Alert

This rule generates an alert indicating that the Administration Service encountered the following problem when running a Group Family:

Failed to update the membership list of a certain group that is under the control of the Group Family (controlled group). Some changes to the membership list of the controlled group may not be applied.

For details, refer to the alert description generated by this rule.

During a subsequent run of the Group Family, the Administration Service will attempt to locate the controlled group and apply the changes, if any, to the membership list of that group.

Group Family - Failed to create run task - Alert

This rule generates an alert indicating that the Administration Service failed to create a task to run a Group Family. The Group Family is inoperative until the task is created.

For details, refer to the alert description generated by this rule.

Group Family - Failed to modify run task - Alert

This rule generates an alert indicating that the Administration Service failed to update a task to run a Group Family. The Group Family continues to run in accordance with the earlier schedule settings of that task.

For details, refer to the alert description generated by this rule.

To solve the problem, try to adjust the schedule settings via the Properties > Schedule tab of the Group Family configuration storage group in the Active Roles Console.

Group Family - Failed to delete run task - Alert

This rule generates an alert indicating that the Administration Service failed to delete a task to run a Group Family while the configuration storage group of that Group Family was successfully deleted. The Group Family continues to run in accordance with the schedule settings of that task, which may cause an error situation. For details, refer to the alert description generated by this rule.

To solve the problem, delete the run task manually by switching the Active Roles Console into Raw view mode, then deleting the appropriate task from the following container:

Configuration/Server Configuration/Scheduled Tasks/Group Family

Group Family - Run task has been started manually - Alert

This rule generates an alert indicating that an administrator has forced Active Roles to run a Group Family. For details, refer to the alert description generated by this rule.

To solve the problem, start the run task for a Group Family by using the Force Run command on the configuration storage group of that Group Family in the Active Roles Console.

Group Family run has been completed - Alert

This rule generates an alert indicating that the Administration Service has completed the run task for a Group Family. For task results, refer to the alert description generated by this rule.

The alert description also includes the name of the Group Family configuration storage group, so you can use the Properties dialog box for that group to examine task results in more detail.

Internal error - Alert

This rule generates an alert when a fatal error occurs at Administration Service run time. Normally, the alert indicates that Administration Service stopped.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation