Tchater maintenant avec le support

Obtenir une aide instantanée
Terminer l’enregistrement

Se connecter

Demander les tarifs

Contacter le service des ventes

Active Roles 8.2 - Administration Guide

Parcourir le contenu

Introduction Getting started with Active Roles

Starting the Active Roles Console Restricting access to the Active Roles Console Minimum required permissions for the Active Roles service account

Configuring rule-based administrative views

Administering Managed Units

Creating a Managed Unit Modifying Managed Unit properties Modifying permission settings on a Managed Unit Modifying policy settings on a Managed Unit Displaying members of a Managed Unit Adding membership rules to a Managed Unit Modifying membership rules of a Managed Unit Removing membership rules from a Managed Unit Including a member to a Managed Unit Excluding a member from a Managed Unit Adding group members to a Managed Unit Removing group members from a Managed Unit Copying a Managed Unit Exporting and importing a Managed Unit Renaming a Managed Unit Deleting a Managed Unit

Scenario: Implementing role-based administration across multiple OUs

Creating the Managed Unit Adding users to the Managed Unit Preparing the Access Template Applying the Access Template

Configuring role-based administration

Access Template management tasks

Using predefined Access Templates Creating an Access Template Applying Access Templates

Applying an Access Template directly Applying Access Templates on a securable object Applying Access Templates on a user or group

Managing Access Template links Synchronizing permissions to Active Directory Adding, modifying, or removing Access Template permissions

Adding permissions to an Access Template Modifying permissions in an Access Template Removing permissions from an Access Template

Managing nested Access Templates Copying an Access Template Exporting and importing Access Templates Renaming an Access Template Deleting an Access Template

Access Rule management tasks

Prerequisites for using Access Rules

Configuring the Administration Service to support Kerberos authentication

Enabling claim support

Domain controller requirements for claims-based authorization Client computer

Managing Windows claims

Managing claim types Enabling and disabling claim types

Managing and applying Access Rules

Creating or modifying an Access Rule Configuring a conditional expression for an Access Rule Applying an Access Rule to Access Template links

Deploying an Access Rule

Prerequisites of deploying an Access Rule Enabling claim support Creating a claim type Creating the Access Rule Applying the Access Rule

Configuring rule-based autoprovisioning and deprovisioning

Configuring Provisioning Policy Objects

User Logon Name Generation

Configuring a User Logon Name Generation policy Example: Using a uniqueness number in a User Logon Name Generation policy

Creating and configuring a User Logon Name Generation Policy Object for a Uniqueness number policy

Example: Using multiple rules with a User Logon Name Generation Policy Object

Configuring a User Logon Name Generation Policy Object with multiple rules

E-mail Alias Generation

Configuring an E-mail Alias Generation policy

Configuring a custom generation rule

Scenario: Generating e-mail alias based on user names

Creating and configuring the Policy Object Applying the Policy Object

Exchange Mailbox AutoProvisioning

Configuring an Exchange Mailbox AutoProvisioning policy Example: Load balancing a mailbox store

Creating and configuring the Exchange Mailbox AutoProvisioning Policy Object

Default creation options for Exchange mailboxes

Group Membership AutoProvisioning

Configuring a Group Membership AutoProvisioning policy Example: Adding users to a specified group

Creating and configuring a Group Membership AutoProvisioning Policy Object to add users to a specified group

Home Folder AutoProvisioning

Configuring a Home Folder AutoProvisioning policy

Connect <Drive Letter> to <Network Path> Enforce this home folder setting in Active Directory Apply this home folder setting when user account is created Apply this home folder setting when user account is renamed Create or rename home folder on file server as needed Copy user permissions on home folder from parent folder Set user as home folder owner Set user permissions on home folder

Using the built-in policy for home folder provisioning Configuring the Home Folder Location Restriction policy Scenario: Creating and assigning home folders

Verifying the Home Folder Location Restriction policy Creating and Configuring the Policy Object

Property Generation and Validation

Configuring a Property Generation and Validation policy Example: Using a Mask entry type to control phone number format

Creating and configuring a Property Generation and Validation Policy Object with a Mask entry type

Example: Using regular expressions to control telephone number format

Creating and configuring a Property Generation and Validation Policy Object with a regular expression

Script Execution

Configuring a Script Execution policy

Creating a script module Importing a script module Exporting a script module Editing a script module

Enabling debugging for a script

Example: Restricting the group scope in a Script Execution policy

Configuring the script module to restrict the group scope Creating and applying the Script Execution Policy Object to restrict the group scope

O365 and Azure Tenant Selection

Configuring an O365 and Azure Tenant Selection policy Applying a new policy

AutoProvisioning in SaaS products

Creating a provisioning policy for Starling Connect

Configuring Deprovisioning Policy Objects

User Account Deprovisioning

Configuring a User Account Deprovisioning policy

Configuring a property update rule Configuring a custom rule to build the Initiator ID

Scenario 1: Disabling and renaming the user account upon deprovisioning

Creating and configuring the Policy Object Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned user accounts

Creating and configuring the Managed Unit Configuring the Policy Object Applying the Policy Object

Group Membership Removal

Configuring a Group Membership Removal policy Scenario: Removing deprovisioned users from all groups

Creating and configuring the Group Membership Removal Policy Object Applying the Policy Object

User Account Relocation

Configuring a User Account Relocation policy Scenario: Organizational Unit for deprovisioned user accounts

Creating and configuring the Policy Object Applying the Policy Object

Exchange Mailbox Deprovisioning

Configuring an Exchange Mailbox Deprovisioning policy Scenario: Hide mailbox and forward email to manager

Creating and configuring the Exchange Mailbox Deprovisioning Policy Object Applying the Policy Object

Home Folder Deprovisioning

Configuring a Home Folder Deprovisioning policy Scenario: Removing access to home folder

Creating and configuring the Policy Object Applying the Policy Object

User Account Permanent Deletion

Configuring a User Account Permanent Deletion policy Scenario: Deleting deprovisioned user accounts

Creating and configuring the Policy Object Applying the Policy Object

Office 365 Licenses Retention

Configuring a Microsoft 365 license retention policy

Group Object Deprovisioning

Configuring a Group Object Deprovisioning policy Scenario 1: Disabling and renaming the group upon deprovisioning

Configuring the Group Object Deprovisioning Policy Object Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned groups

Creating and configuring the Managed Unit for the Group Object Deprovisioning policy Configuring the Policy Object for Group Object Deprovisioning

Group Object Relocation

Configuring a Group Object Relocation policy Scenario: Organizational Unit for deprovisioned groups

Configuring the Group Object Relocation Policy Object Applying the Policy Object

Group Object Permanent Deletion

Configuring a Group Object Permanent Deletion policy Scenario: Deleting deprovisioned groups

Creating and configuring the Policy Object Applying the Policy Object

Script Execution

Configuring a Script Execution policy

Creating a script module Importing a script module Exporting a script module Editing a script module

Enabling debugging for a script

Example: Restricting the group scope in a Script Execution policy

Configuring the script module to restrict the group scope Creating and applying the Script Execution Policy Object to restrict the group scope

Notification Distribution

Configuring email settings Configuring a Notification Distribution policy Scenario: Sending deprovisioning notification

Creating the email configuration Creating, configuring, and applying the Policy Object

Report Distribution

Configuring a Report Distribution policy Scenario: Sending deprovisioning report

Creating the email configuration Creating, configuring, and applying the Policy Object

Configuring entry types

Configuring a Text entry type Configuring an <Object> Property entry type Configuring a Parent OU Property entry type Configuring a Parent Domain Property entry type Configuring a Mask entry type Configuring a Uniqueness Number entry type Configuring a Date and Time entry type Configuring an Initiator ID entry type Configuring an Initiator Property entry type

Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects

Adding policies to a Policy Object Modifying policies in a Policy Object Removing policies from a Policy Object Blocking all policies in a Policy Object Managing Policy Object links

Linking Policy Objects to directory objects

Adding Policy Objects for Managed Units or containers Adding Policy Objects for individual directory objects

Removing Policy Object links Viewing or modifying Policy Object links

Viewing or modifying inheritance options for Policy Objects

Including or excluding objects in the policy scope

Managing linked Policy Objects on a directory object

Managing advanced Policy Object link settings

Copying a Policy Object Renaming a Policy Object Exporting and importing Policy Objects Removing a Policy Object

Checking for policy compliance Deprovisioning users or groups

Delegating the Deprovision task

Restoring deprovisioned users or groups

Viewing or modifying the Undo Deprovisioning policy options Delegating the task to undo deprovisioning Using the Undo Deprovisioning command

Configuring policy extensions

Creating and managing custom policy types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting policy types Importing policy types Configuring a policy of a custom type Deleting a Policy Type object

Using rule-based and role-based tools for granular administration

Example: Configuring high granularity by hiding a specific Azure group

Configuring a Managed Unit to hide specific Microsoft 365 groups Configuring an Access Template to hide Microsoft 365 Groups Enabling or disabling the granular access to Microsoft 365 Groups

Example: Configuring high granularity by hiding specific Azure users

Configuring a Managed Unit to hide specific Azure users Configuring an Access Template to hide Azure users Enabling or disabling the granular access to Azure users

Example: Configuring high granularity by showing only specific Azure users

Configuring a Managed Unit for specific Azure users Configuring Access Templates to read specific Azure users Enabling or disabling the granular access to specific Azure users

About workflow processes Workflow processing overview

About workflow start conditions

Workflow activities overview

Approval activity

Approvers and escalation Request for information Customization Notification

Workflow notification recipients Notification delivery Workflow notification message Web Interface address Email server for workflow notifications

Notification activity

Workflow notification recipients Workflow notification message Web Interface address Email server for workflow notifications

Script activity

Notification – Script activity Error handling – Script activity

If-Else activity

If-Else branch conditions Error handling – If-Else activity

Stop/Break activity Add Report Section activity Search activity

Search scenario Object type Search scope Search options Search for inactive accounts Search filter Notification Error handling – Search activity "Run as" options Additional settings – Search activity Stop Search activity

CRUD activities

Create activity Update activity Add to group activity Remove from group activity Move activity Deprovision activity Undo deprovision activity Delete activity Activity target Notification Error handling – CRUD activities "Run as" options Additional settings – CRUD activities

Save Object Properties activity

Retrieving saved properties

Modify Requested Changes activity

Configuring a workflow

Creating a workflow definition for a workflow Configuring workflow start conditions

Operation conditions Initiator conditions Filtering conditions

Configuring filtering conditions Configuring script-based conditions "Run as" options Enforce approval

Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity

Configuring approvers Configuring escalation Configuring request for additional information Configuring request for review Customizing the header of the approval task page Customizing approval action buttons

Configuring a Notification activity

Events, recipients, messages Active Roles Web Interface URL in Notifications Email server settings

Configuring a Script activity Configuring an If-Else activity

Configuring error handling Configuring conditions for an If-Else branch

Configuring a script-based condition

Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity

Configuring Scope and filter settings

Configuring a search filter

Configuring a notification for a Search activity Configuring error handling for a Search activity Configuring “Run as” options for a Search activity Configuring additional settings for a Search activity

Configuring CRUD activities

Configuring a Create activity Configuring an Update activity Configuring an “Add to group” activity Configuring a Remove from group activity Configuring a Move activity Configuring a Deprovision activity Configuring an Undo deprovision activity Configuring a Delete activity Configuring a notification for a CRUD activity Configuring error handling for a CRUD activity Configuring “Run as” options for a CRUD activity Configuring additional settings for a CRUD activity

Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script

Approval workflow

How the Approval workflow works

Approve action Reject action Multiple approvers Multiple tasks

Creating and configuring an approval workflow

Creating a workflow definition for a workflow Specifying workflow start conditions for an Approval workflow Specifying approvers for an approval workflow Configuring notifications for an approval workflow

Approval workflow notification recipients Approval workflow notification delivery Approval workflow notification message template

Email-based approval

Integration with Microsoft Outlook

Software and configuration requirements for Microsoft Outlook integration

Integration with non-Outlook email clients

Software and configuration requirements for non-Outlook integration

Email transport via Exchange Web Services

Configuration settings for email transport Configuring the use of Exchange Web Services

Automation workflow

Automation workflow options and start conditions

Run the workflow on a schedule

Server to run the workflow

Allow the workflow to be run on demand “Run as” options for an automation workflow

Enforce approval

Additional settings for an automation workflow Parameters for an automation workflow Initialization script for an automation workflow

Using automation workflows

Creating an automation workflow definition Configuring start conditions for an automation workflow Adding activities to an automation workflow Running an automation workflow on demand Viewing the run history of an automation workflow Stopping a running automation workflow Blocking an automation workflow from running Unblocking an automation workflow to run Delegating automation workflow tasks

Allowing access to workflow containers Delegating full control of automation workflows Delegating the task of running automation workflows Delegating the task of viewing the run history of automation workflows

Sample Azure Hybrid Migration

Managing remote mailboxes

Microsoft 365 automation workflow

Creating a Microsoft 365 automation workflow Sample Office 365 workflow scripts Creating Office 365 shared mailboxes Enabling Azure Roles

About the Azure BackSync workflow

Configuring the Azure BackSync workflow

Activity extensions

Design elements for activity extension

Activity type deployment Activity type usage Policy Type objects

Creating and managing custom activity types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting activity types Importing activity types Configuring an activity of a custom type Deleting a Policy Type object

Temporal Group Memberships

Using temporal group memberships

Adding temporal members Viewing temporal members Rescheduling temporal group memberships Removing temporal members

Design overview of Group Family How Group Family works

Cross-domain Group Family

Group Family policy options Creating a Group Family

Starting the New Group Family Wizard Naming the Group Family Grouping options Location of managed objects Selection of managed objects Group-by properties

About multi-valued group-by properties

Capture existing groups manually Group naming rule

Group-by Property entry type Separate rule for each naming property

Group type and scope Location of groups Exchange-related settings Group Family scheduling

Administering Group Family

Controlled groups General tab Controlled groups tab

Group creation-related rules

Groupings tab Schedule tab Action Summary tab

Action summary log

Departmental Group Family

Cross-domain membership Dynamic groups policy options Converting a basic group to a dynamic group Displaying the members of a dynamic group Adding a membership rule to a dynamic group Removing a membership rule from a dynamic group Converting a dynamic group to a basic group Modifying, renaming, or deleting a dynamic group Automatically moving users between groups

Creating the groups Configuring the membership rules

Active Roles Reporting

Collector to prepare data for reports

Starting the Active Roles Collector wizard Collecting data from the network Processing gathered events Importing events from an earlier database version Deploying reports to the Report Server

Working with reports

Configuring the data source Generating and viewing a report Contents of the Active Roles Report Pack

Active Directory Assessment/Domains Active Directory Assessment/Users/Account Information Active Directory Assessment/Users/Exchange Active Directory Assessment/Users/Obsolete Accounts Active Directory Assessment/Users/Miscellaneous Information Active Directory Assessment/Groups Active Directory Assessment/Group Membership Active Directory Assessment/Organizational Units Active Directory Assessment/Other Directory Objects Active Directory Assessment/Potential Issues Active Roles Tracking Log/Active Directory Management Active Roles Tracking Log/Dashboard Active Roles Tracking Log/Active Roles Events Active Roles Tracking Log/Active Roles Configuration Changes Active Roles Tracking Log/Active Roles Workflow Administrative Roles Managed Units Policy Objects Policy Compliance

Management History

Management History configuration

Change-tracking policy Change Tracking log configuration Replication of Management History data

Replication is not yet configured Replication is already configured Re-configuring replication of Management History data

Centralized Management History storage

Importing Management History data

Viewing change history

Workflow activity report sections

“Approval” activity report section “Script” activity report section “Stop/Break” activity report section “Add Report Section” activity report section “Create” activity report section “Update” activity report section “Add to group” activity report section “Remove from group” activity report section “Move” activity report section “Deprovision” activity report section “Undo deprovision” activity report section “Delete” activity report section

Policy report items

Policy report sections

Active Roles internal policy report items

Active Roles internal policy report sections

Examining user activity

Entitlement profile

About entitlement profile specifiers

Entitlement type Entitlement rules Resource display About entitlement profile build process

Entitlement profile configuration

Creating entitlement profile specifiers Changing entitlement profile specifiers Predefined specifiers

Viewing entitlement profile

Authorizing access to entitlement profile

Finding and listing deleted objects

Searching the Deleted Objects container Searching for objects deleted from a certain OU or MU

Restoring a deleted object Delegating operations on deleted objects Applying policy or workflow rules

AD LDS data management

Managing AD LDS objects

Adding an AD LDS user to the directory Adding an AD LDS group to the directory Adding or removing members from an AD LDS group Disabling or enabling an AD LDS user account Setting or modifying the password of an AD LDS user Adding an Organizational Unit to the directory Adding an AD LDS proxy object (user proxy)

Configuring Active Roles for AD LDS

Configuring Managed Units to include AD LDS objects Viewing or setting permissions on AD LDS objects Viewing or setting policies on AD LDS objects

One Identity Starling Join and configuration through Active Roles

Prerequisites to configure One Identity Starling Configuring Active Roles to join One Identity Starling Disconnecting One Identity Starling from Active Roles

Managing One Identity Starling Connect

Viewing Starling Connect settings in Active Roles Configuration Center Create Provisioning policy for Starling Connect Provision a new SaaS user using the Web Interface Provision an existing Active Roles user for SaaS products Update the SaaS product user properties Delete the SaaS product user Deprovision an existing Active Roles user for SaaS products Notifications for Starling operations SCIM attribute mapping with Active Directory

Configuring linked mailboxes with Exchange Resource Forest Management

Prerequisites of configuring linked mailboxes

Registering the resource and account forests in Active Roles Applying the ERFM Mailbox Management policy to an OU Configuring the ERFM Mailbox Management scheduled task Changing the location of the shadow accounts Configuring the synchronized, back synchronized or substituted properties of linked mailboxes

Creating a linked mailbox for a new user Creating a linked mailbox for an existing user with no mailbox Modifying the Exchange properties of a linked mailbox Configuring a user with a linked mailbox for managing mail-enabled groups Converting a user mailbox to a linked mailbox Converting a linked mailbox to a user mailbox Deprovisioning a user with a linked mailbox Undo deprovisioning for a user with a linked mailbox (re-provisioning) Deleting a user with a linked mailbox

Configuring remote mailboxes for on-premises users

Assigning a remote mailbox to an on-premises user Verifying that a remote mailbox is assigned to an on-premises user

Migrating Active Roles configuration with the Configuration Transfer Wizard

Configuration Transfer Wizard components

Configuration Collection wizard Configuration Deployment wizard ARSconfig command-line tool

Installing Configuration Transfer Wizard

Configuration Transfer Wizard requirements Installing Configuration Transfer Wizard

Using the Configuration Transfer Wizard

General considerations for using Configuration Transfer Wizard

Dangling links during configuration transfer

Using the Configuration Collection Wizard and the Configuration Deployment Wizard Using the ARSconfig command-line tool

ARSconfig syntax ARSconfig parameters Example: Transferring an Active Roles configuration Example: Rolling back the configuration changes

Managing Skype for Business Server with Active Roles

About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management

Single forest topology for Skype for Business Server User Management Resource forest topology for Skype for Business Server User Management Central forest topology for Skype for Business Server User Management

User Management policy for Skype for Business Server User Management

Skype for Business Server User Management policy settings

Connecting to Skype for Business Server SIP user name generation rule SIP domain restriction rule Pool restriction rule Telephony restriction rule

Master Account Management policy for Skype for Business Server User Management

Master Account Management policy settings for Skype for Business Server User Management

Skype for Business Server forest mode Container for new Skype for Business Server shadow accounts Default description for new Skype for Business Server shadow accounts Shadow account reference attribute Synchronized Skype for Business Server properties Skype for Business Server Back-synchronized Skype for Business Server properties

Master Account Management policy actions for Skype for Business User Management Scheduled Skype for Business Server synchronization

Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature

Prerequisites of deploying the Skype for Business Server User Management feature

Deployment conditions of Skype for Business Server

Deploying Skype for Business Server User Management in a single forest Deploying Skype for Business Server User Management in a multi-forest environment

Active Roles deployment prerequisites for Skype for Business Server User Management

Logging in as an Active Roles Admin Registering domains with Active Roles

Configuring Skype for Business Server User Management in a single-forest environment Configuring Skype for Business Server User Management in a multi-forest environment

Applying the Master Account Management policy Applying the User Management policy

Upgrading the Skype for Business Server configuration from an earlier version

Managing Skype for Business Server users

Enabling or disabling users for Skype for Business Server

Adding and enabling a new Skype for Business Server user Disabling or re-enabling a user account for Skype for Business Server Removing a user account from Skype for Business Server

Managing Skype for Business Server user properties

Viewing or changing Skype for Business Server user properties Moving a user to another server or pool in Skype for Business Server

Exchanging provisioning information with Active Roles SPML Provider

Key SPML Provider features SPML Provider usage scenarios Basic SPML Provider concepts and definitions How SPML Provider works Configuring Active Roles SPML Provider

Configuring SPML Provider settings in the SPML.Config file

Sample SPML Provider configuration file

Extending the SPML Provider schema

Using Active Roles SPML Provider

SPML Provider operation modes Active Roles controls supported by SPML Provider

Sending controls to the Active Roles Administration Service Specifying controls to return to the SPML Provider client Sample SPML requests

Supported SPML Provider operations SPML Provider samples of use

SPML Provider configuration settings in the sample.config file Core SPML Provider operation samples

Sample SPML Provider request to modify shared mailbox user permissions

SPML Provider capability samples

Troubleshooting SPML Provider

Cannot remove the specified item because it was not found in the specified Collection Some of the specified attributes for the object class are not defined in the schema

Monitoring Active Roles with Management Pack for SCOM

Management Pack for SCOM features

Management Pack for SCOM monitoring views

Getting started with Management Pack for SCOM Monitoring Active Roles Administration Service with Management Pack for SCOM

General response - Script General response - Alert Replication monitoring - Script Replication monitoring - Alert Monitoring connection to configuration database Monitoring of Dynamic Group-related operations Monitoring of Group Family-related operations Internal error - Alert Critical error on startup - Alert License system failure - Alert

Monitoring Active Roles Web Interface

Availability - Script Availability - Alert

Monitoring performance with Management Pack for SCOM

AD changes processed/sec Changes queue length (AD + Database) Connected clients Database changes processed/sec LDAP operations in progress LDAP operations/sec Private bytes Queued post-processing policies Requests in progress Requests/sec Script module average execution time Script modules executing

Configuring Active Roles for AWS Managed Microsoft AD

Supported AWS Managed Microsoft AD deployment configuration Deployment requirements for AWS Managed Microsoft AD support Main steps of configuring Active Roles for AWS Managed Microsoft AD

Creating the AWS Managed Microsoft AD instance Creating the EC2 instance for Active Roles Joining the EC2 instance to AWS Managed Microsoft AD Creating the RDS instance for the Active Roles SQL Server Verifying connectivity between the EC2 and RDS instances Installing and configuring Active Roles on the EC2 instance

Azure AD, Microsoft 365, and Exchange Online Management

Azure tenant types and environment types supported by Active Roles

Azure object management in non-federated Azure tenants Azure object management in Federated and Synchronized Identity Azure tenants

Using Active Roles to manage Azure AD objects

Configuring Active Roles to manage Azure AD using the Active Roles Configuration Center

Configuring a new Azure tenant and consenting Active Roles as an Azure application Importing an Azure tenant and consenting Active Roles as an Azure application Viewing or modifying the Azure tenant type Enabling OneDrive in an Azure tenant

Prerequisites of enabling OneDrive in an Azure tenant

Checking and adding the Sites.FullControl.All permission for Active Roles

Configuring OneDrive for an Azure tenant

Removing an Azure tenant

Viewing the Azure Health status for Azure tenants and applications Viewing the Azure Licenses Report of an Azure tenant Viewing the Office 365 Roles Report of an Azure tenant Active Roles configuration steps to manage hybrid AD objects

Assigning licenses to hybrid Active Directory users using a workflow Configuring the Azure - Default Rules to Generate Properties policy

Configuring Active Roles to synchronize existing Azure AD objects Changes to Azure M365 Policies in Active Roles after 7.4.1

Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning

How the M365 and Azure Tenant Selection policy works Configuring an M365 and Azure Tenant Selection policy Applying a new M365 and Azure Tenant Selection policy

Changes to Active Roles policies for cloud-only Azure objects

Managing the configuration of Active Roles

Connecting to the Administration Service

Delegating control to users for accessing Active Roles Console

Managed domains

Adding or removing a managed domain

Using unmanaged domains

Configuring an unmanaged domain

Evaluating product usage

Viewing product usage statistics

Delegating access to the managed object statistics

Scheduled task to count managed objects Managed scope to control product usage Voluntary thresholds for the managed object count Installation label

Creating and using virtual attributes

Scenario: Implementing a Birthday attribute

Examining client sessions Monitoring performance Customizing the Console

Other Properties tab in the Properties dialog Other Properties page in object creation wizard Customizing object display names

Using Configuration Center

Configuration Center design elements Configuring a local or remote Active Roles instance Running Configuration Center

Prerequisites for running the Configuration Center

Tasks you can perform in Configuration Center

Initial configuration tasks

Configuring the Administration Service Configuring the Web Interface

Administration Service management tasks Web Interface management tasks

Identify Web Interface sites Create a Web Interface site Modify a Web Interface site Delete a Web Interface site Export a Web Interface site’s configuration object to a file Configuring the Web Interface for secure communication Configuring federated authentication

Starling Join configuration task Active Roles Console access management Logging management tasks Solution Intelligence

Enabling or disabling Solution Intelligence

Configuring gMSA as an Active Roles Service account

Configuring the Active Roles Service account to use a gMSA Changing the Active Roles Service account to use a gMSA

Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer

Using Log Viewer

SQL Server replication

SQL Server replication model overview

Replication group management Data synchronization and conflict resolution

SQL Server-related permissions Configuring SQL Server Configuring replication About replication groups

Creating a replication group Adding members to a replication group Removing members from a replication group

Removing Subscribers from a replication group Removing the Publisher from a replication group

Monitoring replication Always On Availability Groups

Configuring AlwaysOn Availability Groups in Active Roles

Using database mirroring

Role switching Database mirroring setup in Active Roles

Viewing replication settings

Replication Agent schedule

Identifying replication-related problems Viewing database connection settings Modifying database connection settings Changing the service account Changing the SQL Server Agent logon account Modifying Replication Agent credentials

Windows authentication SQL Server authentication

Moving the Publisher role

Demoting the Publisher Promoting an SQL Server to Publisher

Recovering replication if the Publisher is not available

Removing Subscribers if the Publisher is not available Promoting an SQL Server to Publisher

Troubleshooting replication failures

Replication Agent malfunction Replication Agent authentication problems SQL Server identification problems

Using regular expressions

Examples of regular expressions Order of precedence

Administrative Template

Active Roles snap-in settings Administration Service auto-connect settings

'Allowed Servers for Auto-connect' setting 'Disallowed Servers for Auto-connect' setting 'Additional Servers for Auto-connect' setting

Loading the Administrative Template

Configuring federated authentication

Federated authentication settings and identity providers

Configuring Windows authentication Configuring WS-Federation authentication Configuring SAML 2.0 authentication

Examples of configuring SAML identity providers

Configuring Duo for federated authentication Configuring Google for federated authentication Configuring Microsoft Entra ID for federated authentication Configuring Okta for federated authentication Configuring OneLogin for federated authentication Configuring PingOne for federated authentication

Communication ports and URLs used by Active Roles

Ports and URLs used by Active Roles Administration Service Ports used by Active Roles client components to access the Active Roles Administration Service Access to Active Roles Web Interface

Integrating Active Roles with other products and services

Active Roles integration with other One Identity and Quest products Active Roles integration with Duo Active Roles integration with Okta

Configuring the Active Roles application in Okta Configuring Okta in the Active Roles Configuration Center

Active Roles Language Pack

Supported languages Localization limitations Modifying the language of Active Roles components in the Windows registry Modifying the language of the Web Interface

Active Roles Diagnostic Tools

Using the System Checker Using the Log Viewer tool Using the Directory Changes Monitor command-line interface

Active Roles Add-on Manager

Using the Add-on Manager command-line interface Creating an add-on

“Undo deprovision” activity report section

Management History > Viewing change history > Workflow activity report sections > “Undo deprovision” activity report section

The body of the report section identifies the object the activity restored from the deprovisioned state (activity target object), and provides the following information:

The type of the object (such as user, group or computer)
Name: <name of the object>
Operation ID: <number>
Requested: <date and time that the task was created>
Status: <indicates if the operation is complete or pending>

You can click the Operation ID number to examine in detail the operation of restoring the deprovisioned object. This displays a change history report containing information about all workflow activities and policy actions that Active Roles performed during that operation.

“Delete” activity report section

Management History > Viewing change history > Workflow activity report sections > “Delete” activity report section

The body of the report section identifies the object deleted by the activity (activity target object), and provides the following information:

The type of the object (such as user or group)
Name: <name of the object>
Operation ID: <number>
Requested: <date and time that the task was created>
Status: <indicates if the operation is complete or pending>

You can click the Operation ID number to examine in detail the operation of deleting the object. This displays a change history report containing information about all workflow activities and policy actions that Active Roles performed during that operation.

Policy report items

Management History > Viewing change history > Policy report items

This topic lists the Change History report items specific to the polices that are applied by using Policy Objects in Active Roles. When running a given policy, Active Roles adds a report section to describe the actions performed by that policy. The report section identifies the policy category and the Policy Object containing the policy, and informs about success or failure of the policy action.

The following tables list the possible report items, one table per section. The items in each section describe the results of the actions that were taken in accordance with the respective policy. Report items also inform about success or failure of the policy action. In the event of a failure, the report item includes an error description.

Not all the listed items must necessarily be present in a report. An actual report only includes the report items corresponding to the policies that Active Roles performed when processing the operation request.

Policy report sections

Management History > Viewing change history > Policy report items > Policy report sections

User Logon Name Generation policy

Table 26: User Logon Name Generation policy
Report Item (Success)	Report Item (Failure)
The user logon name (pre-Windows 2000) is set to value.	Not applicable

E-mail Alias Generation policy

Table 27: E-mail Alias Generation policy
Report Item (Success)	Report Item (Failure)
The e-mail alias is set to alias.	Not applicable
Property Alias (mailNickName) is removed from the operation request as no Exchange tasks were requested.	Not applicable

Exchange Mailbox AutoProvisioning policy

Table 28: Exchange Mailbox AutoProvisioning policy
Report Item (Success)	Report Item (Failure)
The mailbox database is set to database name.	Not applicable
The option to create the mailbox is selected by default.	Not applicable
The option to create the mailbox is not selected by default.	Not applicable
Changing the option to create the mailbox is allowed.	Not applicable
Changing the option to create the mailbox is not allowed.	Not applicable

Group Membership AutoProvisioning policy

Table 29: Group Membership AutoProvisioning policy
Report Item (Success)	Report Item (Failure)
The object is added to the following groups. List: Group names	Unable to add the object to the following groups. List: Group names and error description
The object is not added to the following groups as it is already a member of those groups. List: Group names	Not applicable
The object is removed from the following groups. List: Group names	Unable to remove the object from the following groups. List: Group names and error description
The object is not removed from the following groups as it is not a member of those groups. List: Group names	Not applicable

Home Folder AutoProvisioning policy

Table 30: Home Folder AutoProvisioning policy
Report Item (Success)	Report Item (Failure)
The home folder is mapped to letter letter and connected to path UNC path in Active Directory.	Not applicable
Home folder name is to be created on the file server.	Not applicable
Home folder name is created on the file server.	Unable to create home folder {0} on the file server. Details: Error description
User permissions on the home folder are set by copying permissions from the parent folder.	Unable to set user permissions on home folder name on the file server. Details: Error description
The home folder user is set as the owner of the home folder.	Unable to set user permissions on home folder name on the file server. Details: Error description
User permission option Grant Change Access is applied to the home folder.	Unable to set user permissions on home folder name on the file server. Details: Error description
User permission option Grant Full Access is applied to the home folder.	Unable to set user permissions on home folder name on the file server. Details: Error description
Home folder name is to be renamed to name on the file server.	Not applicable
Home folder name is renamed to name on the file server.	Unable to rename home folder name to name on the file server. Details: Error description
Home share name is to be created on the file server.	Not applicable
Home share name is created on the file server.	Unable to create home share name on the file server. Details: Error description
The user limit is set to allow no more than name users to connect to the home share at a time.	Not applicable
The user limit is set to allow the maximum number of users to connect to the home share at a time.	Not applicable

Property Generation and Validation policy

Table 31: Property Generation and Validation policy
Report Item (Success)	Report Item (Failure)
Property name is set to value.	Not applicable
Property name is removed (cleared).	Not applicable

Running policy script <name>

Table 32: Policy script <name>
Report Item (Success)	Report Item (Failure)
Policy script <name> completed successfully.	Error message returned by the policy Details: Error description The default error message reads as follows: The Script Execution policy encountered an error when running the script name. Details: Error description

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité Cookie Preference Center