Chatta subito con l'assistenza
Chat con il supporto

Active Roles 8.2 - Feature Guide

Introduction About Active Roles
Main Active Roles features Technical overview of Active Roles
About presentation components Overview of service components About network data sources About security and administration elements About Active Directory security management Customization using ADSI Provider and script policies About dynamic groups About workflows Operation in multi-forest environments
Examples of use
Administrative rules and roles
About Managed Units About Access Templates About Access Rules About rule-based autoprovisioning and deprovisioning
Configuring and administering Active Roles Overview of Active Roles Synchronization Service Support for AWS Managed Microsoft AD FIPS compliance LSA protection support STIG compliance

About Exchange Resource Forest Management

The Exchange Resource Forest Management (ERFM) feature of Active Roles allows you to automate mailbox provisioning for on-premises users in environments where the mailboxes and the user accounts are managed in different Active Directory (AD) forests. Such multi-forest environments are based on the resource forest model, and mailboxes provisioned in such environments are called linked mailboxes.

Multi-forest AD deployments have higher administrative and support costs. However, they offer the highest level of security isolation between AD objects and the Exchange service. As such, One Identity recommends configuring the resource forest model for use with Active Roles in organizations that:

  • Aim for an extra layer of data security.

  • Frequently experience organizational changes (for example, buying companies, or consolidating and breaking off branch companies, departments and other business units).

  • Abide by certain legal or regulatory requirements.

AD deployments following the resource forest model use two types of AD forests:

  • Account forests: These AD forests store the user objects. Organizations can use one or more account forests in the resource forest model.

  • Resource forest: This AD forest contains the Exchange server and stores the mailboxes of the user objects.

With ERFM, you can automate the provisioning, synchronization and deprovisioning of linked mailboxes in the resource forest for user accounts in the account forest(s).

  • During provisioning, Active Roles can automatically create linked mailboxes for new users (if you select to create a mailbox for the user), or create linked mailboxes for existing users without a mailbox.

    In both cases, Active Roles creates a disabled shadow user account in the resource forest for the user, then links it to the user account of the user in the account forest (also known as the master account).

    NOTE: By default, the shadow user account has the same name as the master user account in the account forest. However, if a shadow account with the same name already exists (for example, because Active Roles has already created a linked mailbox for a user in a different account forest), Active Roles uses a different shadow account name to maintain uniqueness.

  • Once a linked mailbox is created, Active Roles automatically synchronizes the properties of the master user accounts with their shadow accounts, whenever you modify them.

  • Finally, if the master user account is deprovisioned, Active Roles automatically deprovisions its shadow account as well, provided that you applied mailbox deprovisioning policies to the container that holds the shadow accounts in the resource forest.

    NOTE: Like other AD objects, you can un-deprovision master user accounts as well. However, their shadow accounts are un-deprovisioned automatically only if the container of the deprovisioned master accounts has the ERFM - Mailbox Management built-in policy applied on them.

Getting started

For more information on the prerequisites and configuration of ERFM and linked mailboxes, see Configuring linked mailboxes with Exchange Resource Forest Management in the Active Roles Administration Guide.

About Skype for Business Server User Management

To provision Skype for Business Server user accounts in single-forest and multi-forest Active Directory (AD) environments, Active Roles offers the Skype for Business User Management feature.

The Skype for Business Server User Management feature provides built-in Active Roles policies that synchronize user account information between Active Roles and Skype for Business Server, allowing you to perform Skype for Business Server user management tasks via the Active Roles Web Interface.

Skype for Business Server User Management lets you use Active Roles to:

  • Add and enable new Skype for Business users.

  • View or change Skype for Business Server user properties and policy assignments.

  • Move Skype for Business Server users from one Skype for Business Server pool to another.

  • Disable or re-enable user accounts for Skype for Business Server.

  • Remove users from Skype for Business Server.

To perform these administration tasks, the feature adds the following elements to Active Roles:

  • Built-in Policy Objects that enable Active Roles to perform user management tasks on Skype for Business Server, either in a single-forest or a multi-forest AD environment.

  • Additional commands and pages in the Active Roles Web Interface for managing Skype for Business Server users.

  • Access Templates (ATs) to delegate Skype for Business Server user management tasks.

The Skype for Business Server User Management policy allows you to control the following factors of creating and managing Skype for Business Server users:

  • SIP user name generation rules. When adding and enabling a new Skype for Business Server user, Active Roles can generate a SIP user name based on other properties of the user account.

  • SIP domain selection rules. When configuring the SIP address for a Skype for Business Server user, Active Roles can restrict the list of selectable SIP domains and suggest which SIP domain to select by default.

  • Telephony selection rules. When configuring telephony for a Skype for Business Server user, Active Roles can restrict the list of selectable telephony options and can suggest default options to select.

  • Pool selection rules. When adding and enabling a new Skype for Business Server user, Active Roles can restrict the list of selectable registrar pools and suggest which pool to select by default. This rule also applies to selecting the destination pool when moving a Skype for Business Server user from one pool to another.

Skype for Business Server User Management provides a number of ATs allowing you to delegate the following tasks in Active Roles:

  • Add and enable new Skype for Business Server users.

  • View existing Skype for Business Server users.

  • View or change the SIP address for Skype for Business Server users.

  • View or change the telephony option and related settings for Skype for Business Server users.

  • View or change Skype for Business Server user policy assignments.

  • Disable or re-enable user accounts for Skype for Business Server.

  • Move users from one Skype for Business Server pool to another.

  • Remove users from Skype for Business Server.

Getting started

For more information on the prerequisites and configuration of Skype for Business Server User Management, see Skype for Business Server Solution in the Active Roles Administration Guide.

Active Directory topologies supported by Skype for Business Server User Management

Skype for Business Server User Management supports the following Active Directory Domain Services (AD DS) topologies.

Single forest with single tree or multiple trees

In a single forest topology, the login-enabled user accounts managed by Active Roles are stored in the same Active Directory forest in which Skype for Business Server is deployed.

Skype for Business Server user management tasks have two main steps in a single-forest configuration:

  1. First, Active Roles makes changes to the attributes of the configured user account.

  2. Then, based on the attribute changes, the Skype for Business Server User Management policy requests the Skype for Business Server remote shell to update the user account accordingly.

For example, when creating a new Skype for Business Server user, Active Roles sets a virtual attribute on that user account directing the policy to invoke the remote shell command for enabling the new user for Skype for Business Server. When making changes to an existing Skype for Business Server user, Active Roles populates the attributes of the user account with the desired changes, causing the policy to apply those changes via the remote shell.

Multiple forests in a resource forest topology

In a resource forest topology, the servers running Skype for Business Server are hosted in a separate Skype for Business Server forest that does not host any login-enabled user accounts. Instead, the user accounts are stored in a user forest (or forests) where no Skype for Business Server instances are hosted.

  1. When creating a Skype for Business Server account for a user from an external forest, Active Roles:

  2. Creates an inactive user account (known as the "shadow account") in the Skype for Business Server forest.

  3. Links the associated user account in the user forest ("master account") with the inactive shadow account.

  4. Activates the shadow account for Skype for Business Server.

The policies of the Skype for Business Server User Management feature then work as follows:

The Master Account Management policy ensures that the attributes of the shadow account are synchronized with the attributes of the master account, so that you can administer Skype for Business Server user properties on the master account via Active Roles.

The User Management policy detects the attribute changes replicated from the master account to the shadow account in the Skype for Business Server forest, and translates them to remote shell commands on Skype for Business Server, similarly to how synchronization is performed in a single-forest configuration.

Multiple forests in a central forest topology

In a central forest topology, the servers running Skype for Business Server are hosted in a separate Skype for Business Server forest. However, unlike in a resource forest topology, this forest can also host login-enabled accounts. Outside the Skype for Business Server forest, user forests host login-enabled user accounts, but no servers running Skype for Business Server.

In this forest configuration, the Skype for Business Server User Management policy is applied to login-enabled user accounts in the Skype for Business Server forest. As a result, Active Roles can enable and administer those user accounts for Skype for Business Server in the same way as in case of using a single-forest configuration.

When creating a Skype for Business Server account for a user from an external forest, Active Roles performs the following actions:

  1. Creates a contact in the Skype for Business Server forest.

  2. Links the user account in the user forest (that is, the "master account") and the contact in the Skype for Business Server forest (that is, the "shadow account").

  3. Activates the contact for Skype for Business Server.

  4. The Master Account Management policy then ensures that the attributes of the contact are synchronized with the attributes of the user account, so that Skype for Business Server user properties can be administered on the user account via Active Roles.

  5. In the Skype for Business Server forest, the User Management policy detects the attribute changes replicated from the user account to the contact, and translates them to remote shell commands on Skype for Business Server, similarly to how synchronization is performed in a single-forest configuration.

Overview of Active Roles Synchronization Service

Identity information can be stored in various data systems, such as directories, databases, or even formatted text files. However, managing and synchronizing such identity information among several different data systems have several challenges:

  • The synchronization process can require considerable time and effort.

  • Performing data synchronization tasks manually is error-prone and can lead to duplicate information or incompatible data formats.

Active Roles Synchronization Service helps you avoid these problems by automating the process of identity data synchronization among various data systems used in your enterprise environment.

Synchronization Service increases the efficiency of identity data management by allowing you to automate the creation, deprovisioning, and update operations between the data systems you use. For example, when an employee joins or leaves the organization, the identity information managed by Synchronization Service is automatically updated in the managed data systems, reducing administrative workload and getting the new users up and running faster.

Synchronization Service also supports scripting capabilities, providing a flexible way to automate administrative tasks and integrate the administration of managed data systems with other business processes. By automating conventional tasks, Synchronization Service helps your organization to concentrate on strategic issues, such as planning the directory, increasing enterprise security, and supporting business-critical applications.

For more information on the main features of Synchronization Service, see the following sections.

Getting started

For more information on how to install, configure and use Synchronization Service, see the Active Roles Synchronization Service Administration Guide.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione