Chatta subito con l'assistenza

Ottieni assistenza in tempo reale
Completa la registrazione

Accedi

Richiedi prezzo

Contatta il supporto vendite

Active Roles 8.1.1 - Administration Guide

Table of Contents

About Active Roles

Active Roles main features Technical overview

Presentation components

Active Roles Console (MMC Interface) Web Interface Custom interfaces Active Roles ADSI Provider Reporting

Service components

Data processing component Configuration database Audit trail

Network data sources Security and administration elements

Access Templates for role-based administration Policy Objects to enforce corporate rules Managed Units to provide administrative views

Active Directory security management

Management of native security

Customization using ADSI Provider and script policies

Custom applications and user interfaces Custom script policies

Dynamic groups Workflows Operation in multi-forest environments

Examples of use

Distributing administration Integrating with other systems Managing multi-forest Active Directory design Simplifying Active Directory structure Handling organizational changes User account management

Getting started

Starting the Active Roles Console

Delegating control to users for accessing Active Roles Console Getting and using help

User interface overview

Console tree Details pane Advanced pane

Active Roles security and links Active Roles policy Native security Member Of and Members

Customizable Web Interface

Key features Different interfaces for different roles Role-based management of computer resources

Controlled objects

Using Managed Units Setting up filter

Steps for sorting and filtering lists in the details pane

Finding objects

Steps for searching for a user, contact, or group Steps for searching for a computer Steps for searching for an Organizational Unit Steps for using advanced search options Steps for building a custom search LDAP syntax

Search filter format Operators Wildcards Special characters

Displaying members of a Managed Unit

Steps for displaying members of a Managed Unit

Active Roles security and links Active Roles policy Native security Member Of and Members

Customizable Web Interface

Key features Different interfaces for different roles Role-based management of computer resources

Controlled objects

Using Managed Units Setting up filter

Steps for sorting and filtering lists in the details pane

Getting policy-related information Performing Batch operations

Performing bulk operation Performing bulk users password reset operation

Active Roles service account minimum permissions

Rule-based administrative views

About Managed Units

How Managed Units work

Administering Managed Units

Creating a Managed Unit

Steps for creating a Managed Unit Steps for modifying Managed Unit properties Steps for modifying permission settings on a Managed Unit Steps for modifying policy settings on a Managed Unit

Displaying members of a Managed Unit

Steps for displaying members of a Managed Unit

Adding or removing members from a Managed Unit

Steps for adding membership rules to a Managed Unit Steps for removing membership rules from a Managed Unit Steps for including a member to a Managed Unit Steps for excluding a member from a Managed Unit Steps for adding group members to a Managed Unit Steps for removing group members from a Managed Unit

Copying a Managed Unit

Steps for copying a Managed Unit

Exporting and importing a Managed Unit Renaming a Managed Unit

Steps for renaming a Managed Unit

Deleting a Managed Unit

Steps for deleting a Managed Unit

Scenario: Implementing role-based administration across multiple OUs

Step 1: Creating the Managed Unit Step 2: Adding users to the Managed Unit Step 3: Preparing the Access Template Step 4: Applying the Access Template

Deployment considerations

Managed Unit membership rules Delegation of Managed Units

Working with federated authentication

Configuring federated authentication settings Examples of configuring identity providers

Role-based administration

Access Templates as administrative roles

How Access Templates work Security synchronization

Access Template management tasks

Using predefined Access Templates Creating an Access Template

Add Permission Entries wizard Full Control access Object access Object property access Creating or deleting child object permissions Steps for creating an Access Template

Applying Access Templates

Applying an Access Template directly Applying Access Templates on a securable object Applying Access Templates on a user or group

Managing Access Template links

Steps for managing Access Template links

Synchronizing permissions to Active Directory

Steps for synchronizing permissions to Active Directory Managing Active Directory permission entries

Adding, modifying, or removing permissions

Steps for adding permissions to an Access Template Steps for modifying permissions in an Access Template Steps for removing permissions from an Access Template

Nesting Access Templates

Steps for managing nested Access Templates

Copying an Access Template

Steps for copying an Access Template

Exporting and importing Access Templates Renaming an Access Template

Steps for renaming an Access Template

Deleting an Access Template

Steps for deleting an Access Template

Examples of use

Scenario 1: Implementing a helpdesk

Step 1: Preparing a helpdesk Access Template Step 2: Creating a helpdesk group Step 3: Applying the Help Desk Access Template

Scenario 2: Implementing Self-Administration

Step 1: Preparing a self-administration Access Template Step 2: Applying the Self Administration Access Template

Deployment considerations

Delegating Organizational Unit administration duties Delegation of group administration Delegation in a functional vs. hosted environment

Delegation in a functional environment Delegation in a hosted environment

Windows claims-based access rules

Understanding access rules

Conditional Access Template links Prerequisites for using Access Rules

Configuring the Administration Service to support Kerberos authentication

Managing Windows claims

Enabling claim support

Domain controller Client computer

Claim Type management overview

Source attribute setting Claim type identifier setting Display name setting Description setting User or computer claim issuance setting Protection from accidental deletion Suggested values setting

Steps for managing Claim Types

Enabling and disabling Claim Types

Populating claim source attributes

Managing and applying Access Rules

Conditional expression editor Applying an Access Rule Steps for managing and applying Access Rules

Create or modify an Access Rule Configure a conditional expression for an Access Rule Apply an Access Rule to Access Template links

Deploying an Access Rule

Step 1: Prerequisites Step 2: Enable claim support Step 3: Create claim type Step 4: Create Access Rule Step 5: Apply Access Rule

Rule-based autoprovisioning and deprovisioning

Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks

Creating a Policy Object

Steps for creating a Policy Object

Adding, modifying, or removing policies

Steps for adding policies to Policy Objects Steps for modifying policies in a Policy Object Steps for removing policies from Policy Object

Applying Policy Objects

Adding Managed Units or containers to policy scope Adding Policy Objects to policy list for directory object Steps for applying a Policy Object

Managing policy scope

Steps for managing Policy Object links Steps for excluding an object from policy scope

Copying a Policy Object

Steps for copying a Policy Object

Renaming a Policy Object

Steps for renaming a Policy Object

Exporting and importing Policy Objects Deleting a Policy Object

Steps for deleting a Policy Object

Policy configuration tasks

Property Generation and Validation

How this policy works How to configure a Property Generation and Validation policy

Entry type: Text Entry type: <Object> Property Entry type: Parent OU Property Entry type: Parent Domain Property Entry type: Mask Configuring a Property Generation and Validation policy Steps for configuring entries Scenario 1: Using mask to control phone number format

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Using regular expressions to control phone number format

Step 1: Configuring the Policy Object Step 2: Applying the Policy Object

User Logon Name Generation

How this policy works How to configure a User Logon Name Generation policy

Configuring a logon name generation rule Entry type: Uniqueness Number

Steps for configuring a User Logon Name Generation policy Scenario 1: Using uniqueness number

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Using multiple rules

Step 1: Configuring the Policy Object Step 2: Applying the Policy Object

Group Membership AutoProvisioning

How the Group Membership AutoProvisioning policy works How to configure a Group Membership AutoProvisioning policy Configuring a Group Membership AutoProvisioning policy Scenario: Adding users to a specified group

Configuring the Group Membership AutoProvisioning Policy Object Step 2: Applying the Policy Object

Exchange Mailbox AutoProvisioning

How the Exchange Mailbox AutoProvisioning policy works How to configure an Exchange Mailbox AutoProvisioning policy Configuring an Exchange Mailbox AutoProvisioning policy Scenario: Mailbox store load balancing

Creating and configuring the Exchange Mailbox AutoProvisioning Policy Object Step 2: Applying the Policy Object

Default creation options for Exchange mailboxes

AutoProvisioning in SaaS products

How the AutoProvisioning in SaaS products policy works Create Provisioning policy for Starling Connect

OneDrive Provisioning

How this policy works Creating provisioning policy for OneDrive

Home Folder AutoProvisioning

How this policy works

Creating home folders and shares when creating user accounts Renaming home folders when renaming user accounts Option to prevent operation on file server

How to configure a Home Folder AutoProvisioning policy

Connect <Drive Letter> to <Network Path> Enforce this home folder setting in Active Directory Apply this home folder setting when user account is created Apply this home folder setting when user account is renamed Create or rename home folder on file server as needed Copy user permissions on home folder from parent folder Set user as home folder owner Set user permissions on home folder

Steps for configuring a Home Folder AutoProvisioning policy Using the built-in policy for home folder provisioning Configuring the Home Folder Location Restriction policy Scenario: Creating and assigning home folders

Step 1: Verifying the Home Folder Location Restriction policy Step 2: Creating and Configuring the Policy Object Step 3: Applying the Policy Object

Script Execution

How this policy works How to configure Script Execution policy

Importing a script Creating a script Editing a script Configuring a policy to execute a script

Steps for configuring a Script Execution policy Scenario: Restricting group scope

Step 1: Preparing the script module Step 2: Creating and configuring the Policy Object Step 3: Applying the Policy Object

Microsoft 365 and Azure Tenant Selection

How this policy works Configuring an O365 and Azure Tenant Selection policy Applying a new policy

E-mail Alias Generation

How the E-Mail Alias Generation policy works Configuring an E-mail Alias Generation policy

Configuring a custom generation rule

Configuring an E-mail Alias Generation policy Scenario: Generating e-mail alias based on user names

Creating and configuring the Policy Object Step 2: Applying the Policy Object

User Account Deprovisioning

How this policy works How to configure a User Account Deprovisioning policy

Configuring a property update rule Entry type: Date and Time Entry type: Initiator ID Configuring a custom rule to build the Initiator ID

Steps for configuring a User Account Deprovisioning policy Scenario 1: Disabling and renaming the user account upon deprovisioning

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned user accounts

Step 1: Creating and configuring the Managed Unit Step 2: Configuring the Policy Object Step 3: Applying the Policy Object

Office 365 Licenses Retention

How this policy works How to configure Office 365 License Retention policy Steps for configuring an Office 365 License Retention policy Report on deprovisioning results

Group Membership Removal

How the Group Membership Removal policy works How to configure a Group Membership Removal policy Configuring a Group Membership Removal policy Scenario: Removing deprovisioned users from all groups

Creating and configuring the Group Membership Removal Policy Object Step 2: Applying the Policy Object

Exchange Mailbox Deprovisioning

How the Exchange Mailbox Deprovisioning policy works How to configure an Exchange Mailbox Deprovisioning policy Configuring an Exchange Mailbox Deprovisioning policy Scenario: Hide mailbox and forward email to manager

Creating and configuring the Exchange Mailbox Deprovisioning Policy Object Step 2: Applying the Policy Object

Home Folder Deprovisioning

How this policy works How to configure a Home Folder Deprovisioning policy Steps for configuring a Home Folder Deprovisioning policy Scenario: Removing access to home folder

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

User Account Relocation

How this policy works How to configure a User Account Relocation policy Steps for configuring a User Account Relocation policy Scenario: Organizational Unit for deprovisioned user accounts

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

User Account Permanent Deletion

How this policy works How to configure a User Account Permanent Deletion policy Steps for configuring a User Account Permanent Deletion policy Scenario: Deleting deprovisioned user accounts

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Group Object Deprovisioning

How the Group Object Deprovisioning policy works How to configure a Group Object Deprovisioning policy Configuring a Group Object Deprovisioning policy Scenario 1: Disabling and renaming the group upon deprovisioning

Configuring the Group Object Deprovisioning Policy Object Step 2: Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned groups

Creating and configuring the Managed Unit for the Group Object Deprovisioning policy Configuring the Policy Object for Group Object Deprovisioning Step 3: Applying the Policy Object

Group Object Relocation

How the Group Object Relocation policy works How to configure a Group Object Relocation policy Configuring a Group Object Relocation policy Scenario: Organizational Unit for deprovisioned groups

Configuring the Group Object Relocation Policy Object Step 2: Applying the Policy Object

Group Object Permanent Deletion

How the Group Object Permanent Deletion policy works How to configure a Group Object Permanent Deletion policy Configuring a Group Object Permanent Deletion policy Scenario: Deleting deprovisioned groups

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Notification Distribution

How this policy works How to configure a Notification Distribution policy Configuring email settings Steps for configuring a Notification Distribution policy Scenario: Sending deprovisioning notification

Step 1: Creating the email configuration Step 2: Creating, configuring, and applying the Policy Object

Report Distribution

How this policy works How to configure a Report Distribution policy Steps for configuring a Report Distribution policy Scenario: Sending deprovisioning report

Step 1: Creating the email configuration Step 2: Creating, configuring, and applying the Policy Object

Deployment considerations Checking for policy compliance

Steps to check for policy compliance

Deprovisioning users or groups

Default deprovisioning options Delegating the Deprovision task Using the Deprovision command Report on deprovisioning results

Report contents

Report section: User Account Deprovisioning Report section: Group Membership Removal Report section: Exchange Mailbox Deprovisioning Report section: Home Folder Deprovisioning Report section: User Account Relocation Report section: User Account Permanent Deletion Report section: Group Object Deprovisioning Report section: Group Object Relocation Report section: Group Object Permanent Deletion Report section: Notification Distribution Report section: Report Distribution

Restoring deprovisioned users or groups

Policy options to undo user deprovisioning Delegating the task to undo deprovisioning Using the Undo Deprovisioning command Report on results of undo deprovisioning

Report contents

Report section: Undo User Account Deprovisioning Report section: Undo Group Membership Removal Report section: Undo Exchange Mailbox Deprovisioning Report section: Undo Home Folder Deprovisioning Report section: Undo User Account Relocation Report section: Undo User Account Permanent Deletion Report section: Undo Group Object Deprovisioning Report section: Undo Group Object Relocation Report section: Undo Group Object Permanent Deletion

Container Deletion Prevention policy

Protecting objects from accidental deletion

Picture management rules Policy extensions

Design elements

Policy type deployment Policy type usage Policy Type objects

Creating and managing custom policy types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting policy types Importing policy types Configuring a policy of a custom type Deleting a Policy Type object

Using rule-based and role-based tools for granular administration

Example: Configuring high granularity by hiding a specific Azure group

Configuring a Managed Unit to hide specific Microsoft 365 groups Configuring an Access Template to hide Microsoft 365 Groups Enabling or disabling the granular access to Microsoft 365 Groups

Example: Configuring high granularity by hiding specific Azure users

Configuring a Managed Unit to hide specific Azure users Configuring an Access Template to hide Azure users Enabling or disabling the granular access to Azure users

Example: Configuring high granularity by showing only specific Azure users

Configuring a Managed Unit for specific Azure users Configuring Access Templates to read specific Azure users Enabling or disabling the granular access to specific Azure users

Key workflow features and definitions

Workflow Workflow definition Workflow start conditions Workflow instance Workflow activity Workflow Designer Workflow engine Email notifications

About workflow processes Workflow processing overview

About workflow start conditions

Workflow activities overview

Approval activity

Approvers and escalation Request for information Customization Notification

Workflow notification recipients Notification delivery Workflow notification message Web Interface address Email server for workflow notifications

Notification activity

Workflow notification recipients Workflow notification message Web Interface address Email server for workflow notifications

Script activity

Notification – Script activity Error handling – Script activity

If-Else activity

If-Else branch conditions Error handling – If-Else activity

Stop/Break activity Add Report Section activity Search activity

Search scenario Object type Search scope Search options Search for inactive accounts Search filter Notification Error handling – Search activity "Run as" options Additional settings – Search activity Stop Search activity

CRUD activities

Create activity Update activity Add to group activity Remove from group activity Move activity Deprovision activity Undo deprovision activity Delete activity Activity target Notification Error handling – CRUD activities "Run as" options Additional settings – CRUD activities

Save Object Properties activity

Retrieving saved properties

Modify Requested Changes activity

Configuring a workflow

Creating a workflow definition for a workflow Configuring workflow start conditions

Operation conditions Initiator conditions Filtering conditions

Configuring filtering conditions Configuring script-based conditions "Run as" options Enforce approval

Configuring workflow parameters Adding activities to a workflow Configure an Approval activity

Configure approvers Configure escalation Configure request for additional information Configure request for review Customize the header of the approval task page Customize approval action buttons

Configuring a Notification activity

Events, recipients, messages Active Roles Web Interface URL in Notifications Email server settings

Configuring a Script activity Configuring an If-Else activity

Configuring error handling Configuring conditions for an If-Else branch

Configuring a script-based condition

Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity

Configuring Scope and filter settings

Configuring a search filter

Configuring a notification for a Search activity Configuring error handling for a Search activity Configuring “Run as” options for a Search activity Configuring additional settings for a Search activity

Configuring CRUD activities

Configuring a Create activity Configuring an Update activity Configuring an “Add to group” activity Configuring a Remove from group activity Configuring a Move activity Configuring a Deprovision activity Configuring an Undo deprovision activity Configuring a Delete activity Configuring a notification for a CRUD activity Configuring error handling for a CRUD activity Configuring “Run as” options for a CRUD activity Configuring additional settings for a CRUD activity

Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script

Approval workflow

Definition of terms – Approval workflow How the Approval workflow works

Approve action Reject action Multiple approvers Multiple tasks

Creating and configuring an approval workflow

Creating a workflow definition for a workflow Specifying workflow start conditions for an Approval workflow Specifying approvers for an approval workflow Configuring notifications for an approval workflow

Approval workflow notification recipients Approval workflow notification delivery Approval workflow notification message template

Email-based approval

Integration with Microsoft Outlook

Software and configuration requirements for Microsoft Outlook integration

Integration with non-Outlook email clients

Software and configuration requirements for non-Outlook integration

Email transport via Exchange Web Services

Configuration settings for email transport Configuring the use of Exchange Web Services

Automation workflow

Automation workflow options and start conditions

Run the workflow on a schedule

Server to run the workflow

Allow the workflow to be run on demand “Run as” options for an automation workflow

Enforce approval

Additional settings for an automation workflow Parameters for an automation workflow Initialization script for an automation workflow

Using automation workflows

Creating an automation workflow definition Configuring start conditions for an automation workflow Adding activities to an automation workflow Running an automation workflow on demand Viewing the run history of an automation workflow Stopping a running automation workflow Disabling an automation workflow from running Re-enabling an automation workflow to run Delegating automation workflow tasks

Allowing access to workflow containers Delegating full control of automation workflows Delegating the task of running automation workflows Delegating the task of viewing the run history of automation workflows

Sample Azure Hybrid Migration

Managing remote mailboxes

Microsoft 365 automation workflow

Creating a Microsoft 365 automation workflow Sample Office 365 workflow scripts Creating Office 365 shared mailboxes Enabling Azure Roles

Activity extensions

Design elements for activity extension

Activity type deployment Activity type usage Policy Type objects

Creating and managing custom activity types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting activity types Importing activity types Configuring an activity of a custom type Deleting a Policy Type object

Temporal Group Memberships

Using temporal group memberships

Adding temporal members Viewing temporal members Rescheduling temporal group memberships Removing temporal members

Design overview of Group Family How Group Family works

Cross-domain Group Family

Group Family policy options Creating a Group Family

Start the New Group Family Wizard Name the Group Family Grouping options Location of managed objects Selection of managed objects Group-by properties

About multi-valued group-by properties

Capture existing groups manually Group naming rule

Group-by Property entry type Separate rule for each naming property

Group type and scope Location of groups Exchange-related settings Group Family scheduling Steps for creating a Group Family

Administering Group Family

Controlled groups General tab Controlled groups tab

Group creation-related rules

Groupings tab Schedule tab Action Summary tab

Action summary log

Steps for administering a Group Family

Departmental Group Family

Cross-domain membership Dynamic groups policy options Converting a basic group to a dynamic group Displaying the members of a dynamic group Adding a membership rule to a dynamic group Removing a membership rule from a dynamic group Converting a dynamic group to a basic group Modifying, renaming, or deleting a dynamic group Automatically moving users between groups

Creating the groups Configuring the membership rules

Active Roles Reporting

Collector to prepare data for reports

Starting the Active Roles Collector wizard Collecting data from the network

Steps for collecting data from the network

Processing gathered events

Steps for processing gathered events

Importing events from an earlier database version Deploying reports to the Report Server

Working with reports

Configuring the data source Generating and viewing a report Contents of the Active Roles Report Pack

Active Directory Assessment/Domains Active Directory Assessment/Users/Account Information Active Directory Assessment/Users/Exchange Active Directory Assessment/Users/Obsolete Accounts Active Directory Assessment/Users/Miscellaneous Information Active Directory Assessment/Groups Active Directory Assessment/Group Membership Active Directory Assessment/Organizational Units Active Directory Assessment/Other Directory Objects Active Directory Assessment/Potential Issues Active Roles Tracking Log/Active Directory Management Active Roles Tracking Log/Dashboard Active Roles Tracking Log/Active Roles Events Active Roles Tracking Log/Active Roles Configuration Changes Active Roles Tracking Log/Active Roles Workflow Administrative Roles Managed Units Policy Objects Policy Compliance

Management History

Management History considerations and best practices Management History configuration

Change-tracking policy Change Tracking log configuration Replication of Management History data

Replication is not yet configured Replication is already configured Re-configuring replication of Management History data

Centralized Management History storage

Importing data to the new Management History database

Viewing change history

Workflow activity report sections

“Approval” activity report section “Script” activity report section “Stop/Break” activity report section “Add Report Section” activity report section “Create” activity report section “Update” activity report section “Add to group” activity report section “Remove from group” activity report section “Move” activity report section “Deprovision” activity report section “Undo deprovision” activity report section “Delete” activity report section

Policy report items

Policy report sections

Active Roles internal policy report items

Active Roles internal policy report sections

Examining user activity

Entitlement profile

About entitlement profile specifiers

Entitlement type Entitlement rules Resource display About entitlement profile build process

Entitlement profile configuration

Creating entitlement profile specifiers Changing entitlement profile specifiers Predefined specifiers

Viewing entitlement profile

Authorizing access to entitlement profile

Finding and listing deleted objects

Searching the Deleted Objects container Searching for objects deleted from a certain OU or MU

Restoring a deleted object Delegating operations on deleted objects Applying policy or workflow rules

AD LDS data management

Managing AD LDS objects

Adding an AD LDS user to the directory Adding an AD LDS group to the directory Adding or removing members from an AD LDS group Disabling or enabling an AD LDS user account Setting or modifying the password of an AD LDS user Adding an Organizational Unit to the directory Adding an AD LDS proxy object (user proxy)

Configuring Active Roles for AD LDS

Configuring Managed Units to include AD LDS objects Viewing or setting permissions on AD LDS objects Viewing or setting policies on AD LDS objects

One Identity Starling Join and configuration through Active Roles

Prerequisites to configure One Identity Starling Configuring Active Roles to join One Identity Starling Disconnecting One Identity Starling from Active Roles

Managing One Identity Starling Connect

Viewing Starling Connect settings in Active Roles Configuration Center Create Provisioning policy for Starling Connect Provision a new SaaS user using the Web Interface Provision an existing Active Roles user for SaaS products Update the SaaS product user properties Delete the SaaS product user Deprovision an existing Active Roles user for SaaS products Notifications for Starling operations SCIM attribute mapping with Active Directory

Configuring linked mailboxes with Exchange Resource Forest Management

Prerequisites of configuring linked mailboxes

Registering the resource and account forests in Active Roles Applying the ERFM Mailbox Management policy to an OU Configuring the ERFM Mailbox Management scheduled task Changing the location of the shadow accounts Configuring the synchronized, back synchronized or substituted properties of linked mailboxes

Creating a linked mailbox for a new user Creating a linked mailbox for an existing user with no mailbox Modifying the Exchange properties of a linked mailbox Configuring a user with a linked mailbox for managing mail-enabled groups Converting a user mailbox to a linked mailbox Converting a linked mailbox to a user mailbox Deprovisioning a user with a linked mailbox Undo deprovisioning for a user with a linked mailbox (re-provisioning) Deleting a user with a linked mailbox

Configuring remote mailboxes for on-premises users

Assigning a remote mailbox to an on-premises user Verifying that a remote mailbox is assigned to an on-premises user Viewing or modifying the Exchange Online properties of a remote mailbox

Configuring the mail flow settings of an Exchange Online mailbox Configuring the delegation settings of an Exchange Online mailbox Configuring the general email address settings of an Exchange Online mailbox Configuring the mailbox features of an Exchange Online mailbox Configuring the mailbox settings of an Exchange Online mailbox

Deleting or changing the remote mailbox of an on-premises user

Azure AD, Microsoft 365, and Exchange Online Management

Configuring Active Roles to manage Hybrid AD objects

Configuring Active Roles to manage Azure AD using the GUI

Configuring a new Azure tenant and consenting Active Roles as an Azure application Importing an Azure tenant and consenting Active Roles as an Azure application Performing Azure Tenant association Viewing or modifying the Azure tenant type Enabling OneDrive in an Azure tenant

Prerequisites of enabling OneDrive in an Azure tenant

Checking and adding the Sites.FullControl.All permission for Active Roles

Configuring OneDrive for an Azure tenant

Removing an Azure tenant Viewing the Azure Health status for Azure tenants and applications Viewing the Azure Licenses Report of an Azure tenant Viewing the Office 365 Roles Report of an Azure tenant

Adding an Azure AD tenant using Management Shell Add an Azure AD application using Management Shell Active Roles configuration steps to manage Hybrid AD objects

Configuring the Azure - Default Rules to Generate Properties policy

Active Roles configuration to synchronize existing Azure AD objects to Active Roles

Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles automatically using the Active Roles Synchronization Service Console Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles manually

Configuring Sync Workflow to back synchronize AD contacts

Changes to Azure M365 Policies in Active Roles after 7.4.1

Managing Hybrid AD users

Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user

Configuring the mail flow settings of an Exchange Online mailbox Configuring the delegation settings of an Exchange Online mailbox Configuring the general email address settings of an Exchange Online mailbox Configuring the mailbox features of an Exchange Online mailbox Configuring the mailbox settings of an Exchange Online mailbox

Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names

Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning

How the M365 and Azure Tenant Selection policy works Configuring an M365 and Azure Tenant Selection policy Applying a new M365 and Azure Tenant Selection policy

Microsoft 365 roles management for hybrid environment users

Assigning Microsoft 365 roles to existing hybrid users Modifying Microsoft 365 roles assigned to hybrid users

Managing Microsoft 365 contacts

Create a new Microsoft 365 contact View or modify the Microsoft 365 contact properties View the change history of an Microsoft 365 contact Delete an Microsoft 365 contact

Managing Hybrid AD groups

Creating an Azure AD group with the Web Interface Viewing or modifying Azure AD group properties with the Web Interface Adding or removing members from an Azure AD group with Web Interface Viewing the change history for an Azure AD group with the Web Interface Deleting an Azure AD group with the Web Interface Creating a new Azure AD group with the Management Shell Updating the Azure AD group properties with the Management Shell Adding or removing members from an Azure AD group with the Management Shell Deleting an Azure AD group with the Management Shell

Managing Microsoft 365 Groups

Configuring M365 Groups with the Web Interface

Creating an M365 Group with the Web Interface Modifying an M365 Group with the Web Interface Adding or removing owners from an M365 Group with the Web Interface Adding or removing members from an M365 Group with the Web Interface Viewing the members of a dynamic M365 Group with the Web Interface Viewing the change history of an M365 Group in the Web Interface Deleting an M365 Group with the Web Interface

Microsoft 365 Group management tasks using Management Shell interface

Create a new Microsoft 365 Group Update the Microsoft 365 Group properties Delete an Microsoft 365 group Adding members to an Microsoft 365 Group with the Management Shell Get a member from Microsoft 365 Group Get group from Microsoft 365 Group Removing members from an Microsoft 365 Group with the Management Shell

Scheduling an Azure object synchronization task

Managing cloud-only distribution groups

Creating a new distribution group Viewing or modifying the properties of a distribution group Viewing or modifying the members of a distribution group Renaming a distribution group Viewing or modifying the message approval settings of a distribution group Viewing or modifying the delivery management of a distribution group Viewing or modifying delegates of a distribution group Viewing the change history of a distribution group Deleting a distribution group

Managing cloud-only dynamic distribution groups

Creating a new dynamic distribution group Viewing or modifying the properties of a dynamic distribution group Viewing or modifying the members of a dynamic distribution group Viewing or modifying the message approval settings of a dynamic distribution group Viewing or modifying the delivery management of a dynamic distribution group Viewing or modifying delegates of a dynamic distribution group Viewing or modifying the Azure membership of a dynamic distribution group Viewing the change history of a dynamic distribution group Deleting a dynamic distribution group

Managing Azure security groups

Creating an Azure security group with the Web Interface Modifying an Azure security group with the Web Interface Adding or removing owners from an Azure security group with the Web Interface Adding or removing members from an Azure security group with the Web Interface Viewing the members of a dynamic Azure security group with the Web Interface Viewing the change history of an Azure security group in the Web Interface Deleting an Azure security group with the Web Interface

Managing cloud-only Azure users

Viewing cloud-only Azure user Creating a new cloud-only Azure user Viewing or modifying the properties of a cloud-only Azure user Configuring Microsoft OneDrive for cloud-only Azure users Disabling a cloud-only Azure user Enabling a cloud-only Azure user Viewing and modifying Exchange Online properties Resetting password for a cloud-only Azure user Renaming a cloud-only Azure user Viewing Azure membership Viewing Change History and User Activity Deleting an Azure user account

Managing cloud-only Azure guest users

Inviting an Azure guest user Viewing Azure guest users Disabling or Enabling an Azure guest user Revoking the session of an Azure guest user Resending the invitation to an Azure guest user Renaming an Azure guest user Viewing and updating the properties of an Azure guest user

Configuring the Identity settings of an Azure guest user Configuring the Settings of an Azure guest user Configuring the Job Info settings of an Azure guest user Configuring the Contact Info settings of an Azure guest user Configuring the Licenses settings of an Azure guest user Configuring the O365 Admin Roles settings of an Azure guest user

Viewing or updating the Exchange Online properties of an Azure guest user

Configuring the mail flow settings of an Exchange Online mailbox Configuring the delegation settings of an Exchange Online mailbox Configuring the general email address settings of an Exchange Online mailbox Configuring the mailbox features of an Exchange Online mailbox Configuring the mailbox settings of an Exchange Online mailbox

Resetting the password of an Azure guest user Deleting an Azure guest user Configuring the O365 Group membership of an Azure guest user Viewing the change history of an Azure guest user

Managing cloud-only Azure contacts

View cloud-only Azure contacts Create new cloud-only Azure contacts View or modify Azure contacts properties Renaming Azure cloud contacts Viewing and modifying Exchange Online properties Viewing the change history of cloud-only Azure contacts Deleting an Azure contact

Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes

Creating a new room mailbox Viewing or modifying a room mailbox Deleting a room mailbox

Managing cloud-only shared mailboxes

Creating a new shared mailbox Viewing or modifying the general properties of a shared mailbox Viewing or modifying the contact settings of a shared mailbox Viewing or modifying the organization settings of a shared mailbox Viewing or modifying the email settings of a shared mailbox Viewing or modifying the auto-reply settings of a shared mailbox Viewing or modifying the protocol settings of a shared mailbox Viewing or modifying the advanced email settings of a shared mailbox Viewing or modifying the policy settings of a shared mailbox Configuring the distribution group membership of a shared mailbox Viewing the change history of a shared mailbox Deleting a shared mailbox

Modern Authentication

Working with Modern Authentication

Managing the configuration of Active Roles

Connecting to the Administration Service

Delegating control to users for accessing Active Roles Console

Managed domains

Adding or removing a managed domain

Using unmanaged domains

Configuring an unmanaged domain

Evaluating product usage

Viewing product usage statistics

Delegating access to the managed object statistics

Scheduled task to count managed objects Managed scope to control product usage Voluntary thresholds for the managed object count Installation label

Creating and using virtual attributes

Scenario: Implementing a Birthday attribute

Examining client sessions Monitoring performance Customizing the Console

Other Properties tab in the Properties dialog Other Properties page in object creation wizard Customizing object display names

Using Configuration Center

Configuration Center design elements Configuring a local or remote Active Roles instance Running Configuration Center

Prerequisites for running the Configuration Center

Tasks you can perform in Configuration Center

Initial configuration tasks

Configuring the Administration Service Configuring the Web Interface

Administration Service management tasks

Viewing the core Administration Service settings Changing the core Administration Service settings Importing configuration data Importing Management History data Viewing the state of the Administration Service Starting, stopping or restarting the Administration Service

Web Interface management tasks

Identify Web Interface sites Create a Web Interface site Modify a Web Interface site Delete a Web Interface site Export a Web Interface site’s configuration object to a file Configure Web Interface for secure communication Disabling secure communication for Web Interface sites Configuring federated authentication

Starling Join configuration task Active Roles Console access management Logging management tasks Solution Intelligence

Enabling or disabling Solution Intelligence

Configuring gMSA as an Active Roles Service account

Configuring the Active Roles Service account to use a gMSA Changing the Active Roles Service account to use a gMSA

Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer

Using Log Viewer

SQL Server replication

SQL Server replication terminology SQL Server replication model overview

Replication group management Data synchronization and conflict resolution

SQL Server-related permissions Configuring SQL Server Configuring replication About replication groups

Creating a replication group Adding members to a replication group Removing members from a replication group

Removing Subscribers from a replication gorup Removing the Publisher from a replication group

Monitoring replication Always On Availability Groups

Configuring AlwaysOn Availability Groups in Active Roles

Using database mirroring

Role switching Database mirroring setup in Active Roles

Viewing replication settings

Replication Agent schedule

Identifying replication-related problems Viewing database connection settings Modifying database connection settings Changing the service account Changing the SQL Server Agent logon account Modifying Replication Agent credentials

Windows authentication SQL Server authentication

Moving the Publisher role

Demoting the Publisher Promoting an SQL Server to Publisher

Recovering replication if the Publisher is not available

Removing Subscribers if the Publisher is not available Promoting an SQL Server to Publisher

Troubleshooting replication failures

Replication Agent malfunction Replication Agent authentication problems SQL Server identification problems

Using regular expressions

Examples of regular expressions Order of precedence

Administrative Template

Active Roles snap-in settings Administration Service auto-connect settings

'Allowed Servers for Auto-connect' setting 'Disallowed Servers for Auto-connect' setting 'Additional Servers for Auto-connect' setting

Loading the Administrative Template

Communication ports

Access to the managed environment Access to Active Roles Administration Service Access to Active Roles Web Interface

Active Roles and supported Azure environments

Azure object management supported in various Azure environments Azure object management in a Non-Federated environment Azure object management in Federated and Synchronized Identity environments

Integrating Active Roles with other products and services

Active Roles integration with other One Identity and Quest products Active Roles integration with Duo Active Roles integration with Okta

Configuring the Active Roles application in Okta Configuring Okta in the Active Roles Configuration Center

Active Roles Language Pack

Supported languages Localization limitations Modifying the language of Active Roles components in the Windows registry Modifying the language of the Web Interface

Active Roles Diagnostic Tools

Using System Checker Using the Log Viewer tool Using the Directory Changes Monitor command-line interface

Active Roles Add-on Manager

Using the Add-on Manager command-line interface Creating an add-on

Display name setting

Role-based administration > Windows claims-based access rules > Managing Windows claims > Display name setting

The display name of the claim type object is used to represent the claim type as a choice throughout the user interface. Thus, when you configure a conditional expression for an access rule, the condition builder allows you to select a claim type from a list where each list item is the display name of a certain claim type object. For this reason, each claim type object must be given a unique display name. The display name accepts alphanumeric characters as valid data.

Description setting

Role-based administration > Windows claims-based access rules > Managing Windows claims > Description setting

You can use the description of the claim type object to specify a short comment about the claim type. Comments typically include purpose, department usage, or business justification.

User or computer claim issuance setting

Role-based administration > Windows claims-based access rules > Managing Windows claims > User or computer claim issuance setting

You have the option to choose whether claims of the given claim type can be issued for user or computer object class, or both. With the option to issue claims for the user object class, the claim type causes domain controllers (DCs) to issue user claims based on the attribute of the authenticating user. With the option to issue claims for the computer object class, the claim type causes DCs to issue device claims based the attribute of the computer of the authenticating user. You can configure a claim type to issue both user and device claims. When you create a conditional expression for an access rule, and choose the claim type to evaluate, the condition builder allows you to distinguish between user and device claims of the same claim type.

Protection from accidental deletion

Role-based administration > Windows claims-based access rules > Managing Windows claims > Protection from accidental deletion

By default, claim type objects are protected from accidental deletion. This option prohibits all users, including domain and enterprise administrators, from deleting the claim type object. Protection is achieved by adding an explicit permission entry to the claim type object that denies everyone the right to delete the object. When you create a claim type object, the option to protect the object from accidental deletion is selected by default. As a best practice, it is advisable to leave this option selected.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione

© ALL RIGHTS RESERVED. Feedback Termini di utilizzo Privacy Cookie Preference Center