サポートと今すぐチャット

オンラインヘルプの参照
登録の完了

サインイン

価格設定をリクエスト

営業担当に連絡

Active Roles 8.1.5 - Administration Guide

コンテンツのナビゲーション

Introduction Getting started with Active Roles

Starting the Active Roles Console Restricting access to the Active Roles Console Minimum required permissions of the Active Roles service account

Configuring rule-based administrative views

Administering Managed Units

Creating a Managed Unit Modifying Managed Unit properties Modifying permission settings on a Managed Unit Modifying policy settings on a Managed Unit Displaying members of a Managed Unit Adding membership rules to a Managed Unit Modifying membership rules of a Managed Unit Removing membership rules from a Managed Unit Including a member to a Managed Unit Excluding a member from a Managed Unit Adding group members to a Managed Unit Removing group members from a Managed Unit Copying a Managed Unit Exporting and importing a Managed Unit Renaming a Managed Unit Deleting a Managed Unit

Scenario: Implementing role-based administration across multiple OUs

Creating the Managed Unit Adding users to the Managed Unit Preparing the Access Template Applying the Access Template

Configuring role-based administration

Access Template management tasks

Using predefined Access Templates Creating an Access Template Applying Access Templates

Applying an Access Template directly Applying Access Templates on a securable object Applying Access Templates on a user or group

Managing Access Template links Synchronizing permissions to Active Directory Adding, modifying, or removing Access Template permissions

Adding permissions to an Access Template Modifying permissions in an Access Template Removing permissions from an Access Template

Managing nested Access Templates Copying an Access Template Exporting and importing Access Templates Renaming an Access Template Deleting an Access Template

Access Rule management tasks

Prerequisites for using Access Rules

Configuring the Administration Service to support Kerberos authentication

Enabling claim support

Domain controller requirements for claims-based authorization Client computer

Managing Windows claims

Managing claim types Enabling and disabling claim types

Managing and applying Access Rules

Creating or modifying an Access Rule Configuring a conditional expression for an Access Rule Applying an Access Rule to Access Template links

Deploying an Access Rule

Prerequisites of deploying an Access Rule Enabling claim support Creating a claim type Creating the Access Rule Applying the Access Rule

Rule-based autoprovisioning and deprovisioning

Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks

Creating a Policy Object Adding policies to a Policy Object Modifying policies in a Policy Object Removing policies from a Policy Object Blocking all policies in a Policy Object Applying Policy Objects

Adding Managed Units or containers to policy scope Adding Policy Objects to policy list for directory object

Managing policy scope

Managing Policy Object links Excluding an object from a policy scope

Copying a Policy Object Renaming a Policy Object Exporting and importing Policy Objects Deleting a Policy Object

Policy configuration tasks

Property Generation and Validation

How the Property Generation and Validation policy works Configuring a Property Generation and Validation policy

Entry type: Text Entry type: <Object> Property Entry type: Parent OU Property Entry type: Parent Domain Property Entry type: Mask Configuring entries

Scenario 1: Using mask to control phone number format

Creating and configuring the Policy Object Applying the Policy Object

Scenario 2: Using regular expressions to control phone number format

Configuring the Policy Object Applying the Policy Object

User Logon Name Generation

How the User Logon Name Generation policy works Configuring a User Logon Name Generation policy

Configuring a logon name generation rule Entry type: Uniqueness Number

Scenario 1: Using uniqueness number

Creating and configuring the Policy Object Applying the Policy Object

Scenario 2: Using multiple rules

Configuring the Policy Object Applying the Policy Object

Group Membership AutoProvisioning

How the Group Membership AutoProvisioning policy works Configuring a Group Membership AutoProvisioning policy Scenario: Adding users to a specified group

Configuring the Group Membership AutoProvisioning Policy Object Applying the Policy Object

Exchange Mailbox AutoProvisioning

How the Exchange Mailbox AutoProvisioning policy works Configuring an Exchange Mailbox AutoProvisioning policy Scenario: Mailbox store load balancing

Creating and configuring the Exchange Mailbox AutoProvisioning Policy Object Applying the Policy Object

Default creation options for Exchange mailboxes

AutoProvisioning in SaaS products

How the AutoProvisioning in SaaS products policy works Creating a provisioning policy for Starling Connect

OneDrive Provisioning

How the OneDrive Provisioning policy works Creating a provisioning policy for OneDrive

Home Folder AutoProvisioning

How the Home Folder AutoProvisioning policy works

Creating home folders and shares when creating user accounts Renaming home folders when renaming user accounts Option to prevent operation on file server

Configuring a Home Folder AutoProvisioning policy

Connect <Drive Letter> to <Network Path> Enforce this home folder setting in Active Directory Apply this home folder setting when user account is created Apply this home folder setting when user account is renamed Create or rename home folder on file server as needed Copy user permissions on home folder from parent folder Set user as home folder owner Set user permissions on home folder

Using the built-in policy for home folder provisioning Configuring the Home Folder Location Restriction policy Scenario: Creating and assigning home folders

Verifying the Home Folder Location Restriction policy Creating and Configuring the Policy Object Applying the Policy Object

Script Execution

How the Script Execution policy works Configuring a Script Execution policy

Importing a script Creating a script Editing a script

Scenario: Restricting group scope

Preparing the script module Creating and configuring the Policy Object Applying the Policy Object

Microsoft 365 and Azure Tenant Selection

How the Microsoft 365 and Azure Tenant Selection policy works Configuring an O365 and Azure Tenant Selection policy Applying a new policy

E-mail Alias Generation

How the E-Mail Alias Generation policy works Configuring an E-mail Alias Generation policy

Configuring a custom generation rule

Scenario: Generating e-mail alias based on user names

Creating and configuring the Policy Object Applying the Policy Object

User Account Deprovisioning

How the User Account Deprovisioning policy works Configuring a User Account Deprovisioning policy

Configuring a property update rule Entry type: Date and Time Entry type: Initiator ID Configuring a custom rule to build the Initiator ID

Scenario 1: Disabling and renaming the user account upon deprovisioning

Creating and configuring the Policy Object Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned user accounts

Creating and configuring the Managed Unit Configuring the Policy Object Applying the Policy Object

Office 365 Licenses Retention

How the Microsoft 365 Licenses Retention policy works Configuring a Microsoft 365 license retention policy Report on deprovisioning results

Group Membership Removal

How the Group Membership Removal policy works Configuring a Group Membership Removal policy Scenario: Removing deprovisioned users from all groups

Creating and configuring the Group Membership Removal Policy Object Applying the Policy Object

Exchange Mailbox Deprovisioning

How the Exchange Mailbox Deprovisioning policy works Configuring an Exchange Mailbox Deprovisioning policy Scenario: Hide mailbox and forward email to manager

Creating and configuring the Exchange Mailbox Deprovisioning Policy Object Applying the Policy Object

Home Folder Deprovisioning

How the Home Folder Deprovisioning policy works Configuring a Home Folder Deprovisioning policy Scenario: Removing access to home folder

Creating and configuring the Policy Object Applying the Policy Object

User Account Relocation

How the User Account Relocation policy works Configuring a User Account Relocation policy Scenario: Organizational Unit for deprovisioned user accounts

Creating and configuring the Policy Object Applying the Policy Object

User Account Permanent Deletion

How the User Account Permanent Deletion policy works Configuring a User Account Permanent Deletion policy Scenario: Deleting deprovisioned user accounts

Creating and configuring the Policy Object Applying the Policy Object

Group Object Deprovisioning

How the Group Object Deprovisioning policy works Configuring a Group Object Deprovisioning policy Scenario 1: Disabling and renaming the group upon deprovisioning

Configuring the Group Object Deprovisioning Policy Object Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned groups

Creating and configuring the Managed Unit for the Group Object Deprovisioning policy Configuring the Policy Object for Group Object Deprovisioning Applying the Policy Object

Group Object Relocation

How the Group Object Relocation policy works Configuring a Group Object Relocation policy Scenario: Organizational Unit for deprovisioned groups

Configuring the Group Object Relocation Policy Object Applying the Policy Object

Group Object Permanent Deletion

How the Group Object Permanent Deletion policy works Configuring a Group Object Permanent Deletion policy Scenario: Deleting deprovisioned groups

Creating and configuring the Policy Object Applying the Policy Object

Notification Distribution

How the Notification Distribution policy works Configuring email settings Configuring a Notification Distribution policy Scenario: Sending deprovisioning notification

Creating the email configuration Creating, configuring, and applying the Policy Object

Report Distribution

How the Report Distribution policy works Configuring a Report Distribution policy Scenario: Sending deprovisioning report

Creating the email configuration Creating, configuring, and applying the Policy Object

Deployment considerations Checking for policy compliance Deprovisioning users or groups

Default deprovisioning options Delegating the Deprovision task Using the Deprovision command Report on deprovisioning results

Report contents

Report section: User Account Deprovisioning Report section: Group Membership Removal Report section: Exchange Mailbox Deprovisioning Report section: Home Folder Deprovisioning Report section: User Account Relocation Report section: User Account Permanent Deletion Report section: Group Object Deprovisioning Report section: Group Object Relocation Report section: Group Object Permanent Deletion Report section: Notification Distribution Report section: Report Distribution

Restoring deprovisioned users or groups

Policy options to undo user deprovisioning Delegating the task to undo deprovisioning Using the Undo Deprovisioning command Report on results of undo deprovisioning

Report contents

Report section: Undo User Account Deprovisioning Report section: Undo Group Membership Removal Report section: Undo Exchange Mailbox Deprovisioning Report section: Undo Home Folder Deprovisioning Report section: Undo User Account Relocation Report section: Undo User Account Permanent Deletion Report section: Undo Group Object Deprovisioning Report section: Undo Group Object Relocation Report section: Undo Group Object Permanent Deletion

Container Deletion Prevention policy

Protecting objects from accidental deletion

Picture management rules Policy extensions

Design elements

Policy type deployment Policy type usage Policy Type objects

Creating and managing custom policy types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting policy types Importing policy types Configuring a policy of a custom type Deleting a Policy Type object

Using rule-based and role-based tools for granular administration

Example: Configuring high granularity by hiding a specific Azure group

Configuring a Managed Unit to hide specific Microsoft 365 groups Configuring an Access Template to hide Microsoft 365 Groups Enabling or disabling the granular access to Microsoft 365 Groups

Example: Configuring high granularity by hiding specific Azure users

Configuring a Managed Unit to hide specific Azure users Configuring an Access Template to hide Azure users Enabling or disabling the granular access to Azure users

Example: Configuring high granularity by showing only specific Azure users

Configuring a Managed Unit for specific Azure users Configuring Access Templates to read specific Azure users Enabling or disabling the granular access to specific Azure users

Key workflow features and definitions

Workflow Workflow definition Workflow start conditions Workflow instance Workflow activity Workflow Designer Workflow engine Email notifications

About workflow processes Workflow processing overview

About workflow start conditions

Workflow activities overview

Approval activity

Approvers and escalation Request for information Customization Notification

Workflow notification recipients Notification delivery Workflow notification message Web Interface address Email server for workflow notifications

Notification activity

Workflow notification recipients Workflow notification message Web Interface address Email server for workflow notifications

Script activity

Notification – Script activity Error handling – Script activity

If-Else activity

If-Else branch conditions Error handling – If-Else activity

Stop/Break activity Add Report Section activity Search activity

Search scenario Object type Search scope Search options Search for inactive accounts Search filter Notification Error handling – Search activity "Run as" options Additional settings – Search activity Stop Search activity

CRUD activities

Create activity Update activity Add to group activity Remove from group activity Move activity Deprovision activity Undo deprovision activity Delete activity Activity target Notification Error handling – CRUD activities "Run as" options Additional settings – CRUD activities

Save Object Properties activity

Retrieving saved properties

Modify Requested Changes activity

Configuring a workflow

Creating a workflow definition for a workflow Configuring workflow start conditions

Operation conditions Initiator conditions Filtering conditions

Configuring filtering conditions Configuring script-based conditions "Run as" options Enforce approval

Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity

Configuring approvers Configuring escalation Configuring request for additional information Configuring request for review Customizing the header of the approval task page Customizing approval action buttons

Configuring a Notification activity

Events, recipients, messages Active Roles Web Interface URL in Notifications Email server settings

Configuring a Script activity Configuring an If-Else activity

Configuring error handling Configuring conditions for an If-Else branch

Configuring a script-based condition

Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity

Configuring Scope and filter settings

Configuring a search filter

Configuring a notification for a Search activity Configuring error handling for a Search activity Configuring “Run as” options for a Search activity Configuring additional settings for a Search activity

Configuring CRUD activities

Configuring a Create activity Configuring an Update activity Configuring an “Add to group” activity Configuring a Remove from group activity Configuring a Move activity Configuring a Deprovision activity Configuring an Undo deprovision activity Configuring a Delete activity Configuring a notification for a CRUD activity Configuring error handling for a CRUD activity Configuring “Run as” options for a CRUD activity Configuring additional settings for a CRUD activity

Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script

Approval workflow

Definition of terms – Approval workflow How the Approval workflow works

Approve action Reject action Multiple approvers Multiple tasks

Creating and configuring an approval workflow

Creating a workflow definition for a workflow Specifying workflow start conditions for an Approval workflow Specifying approvers for an approval workflow Configuring notifications for an approval workflow

Approval workflow notification recipients Approval workflow notification delivery Approval workflow notification message template

Email-based approval

Integration with Microsoft Outlook

Software and configuration requirements for Microsoft Outlook integration

Integration with non-Outlook email clients

Software and configuration requirements for non-Outlook integration

Email transport via Exchange Web Services

Configuration settings for email transport Configuring the use of Exchange Web Services

Automation workflow

Automation workflow options and start conditions

Run the workflow on a schedule

Server to run the workflow

Allow the workflow to be run on demand “Run as” options for an automation workflow

Enforce approval

Additional settings for an automation workflow Parameters for an automation workflow Initialization script for an automation workflow

Using automation workflows

Creating an automation workflow definition Configuring start conditions for an automation workflow Adding activities to an automation workflow Running an automation workflow on demand Viewing the run history of an automation workflow Stopping a running automation workflow Blocking an automation workflow from running Unblocking an automation workflow to run Delegating automation workflow tasks

Allowing access to workflow containers Delegating full control of automation workflows Delegating the task of running automation workflows Delegating the task of viewing the run history of automation workflows

Sample Azure Hybrid Migration

Managing remote mailboxes

Microsoft 365 automation workflow

Creating a Microsoft 365 automation workflow Sample Office 365 workflow scripts Creating Office 365 shared mailboxes Enabling Azure Roles

Activity extensions

Design elements for activity extension

Activity type deployment Activity type usage Policy Type objects

Creating and managing custom activity types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting activity types Importing activity types Configuring an activity of a custom type Deleting a Policy Type object

Temporal Group Memberships

Using temporal group memberships

Adding temporal members Viewing temporal members Rescheduling temporal group memberships Removing temporal members

Design overview of Group Family How Group Family works

Cross-domain Group Family

Group Family policy options Creating a Group Family

Starting the New Group Family Wizard Naming the Group Family Grouping options Location of managed objects Selection of managed objects Group-by properties

About multi-valued group-by properties

Capture existing groups manually Group naming rule

Group-by Property entry type Separate rule for each naming property

Group type and scope Location of groups Exchange-related settings Group Family scheduling

Administering Group Family

Controlled groups General tab Controlled groups tab

Group creation-related rules

Groupings tab Schedule tab Action Summary tab

Action summary log

Departmental Group Family

Cross-domain membership Dynamic groups policy options Converting a basic group to a dynamic group Displaying the members of a dynamic group Adding a membership rule to a dynamic group Removing a membership rule from a dynamic group Converting a dynamic group to a basic group Modifying, renaming, or deleting a dynamic group Automatically moving users between groups

Creating the groups Configuring the membership rules

Active Roles Reporting

Collector to prepare data for reports

Starting the Active Roles Collector wizard Collecting data from the network Processing gathered events Importing events from an earlier database version Deploying reports to the Report Server

Working with reports

Configuring the data source Generating and viewing a report Contents of the Active Roles Report Pack

Active Directory Assessment/Domains Active Directory Assessment/Users/Account Information Active Directory Assessment/Users/Exchange Active Directory Assessment/Users/Obsolete Accounts Active Directory Assessment/Users/Miscellaneous Information Active Directory Assessment/Groups Active Directory Assessment/Group Membership Active Directory Assessment/Organizational Units Active Directory Assessment/Other Directory Objects Active Directory Assessment/Potential Issues Active Roles Tracking Log/Active Directory Management Active Roles Tracking Log/Dashboard Active Roles Tracking Log/Active Roles Events Active Roles Tracking Log/Active Roles Configuration Changes Active Roles Tracking Log/Active Roles Workflow Administrative Roles Managed Units Policy Objects Policy Compliance

Management History

Management History considerations and best practices Management History configuration

Change-tracking policy Change Tracking log configuration Replication of Management History data

Replication is not yet configured Replication is already configured Re-configuring replication of Management History data

Centralized Management History storage

Importing data to the new Management History database

Viewing change history

Workflow activity report sections

“Approval” activity report section “Script” activity report section “Stop/Break” activity report section “Add Report Section” activity report section “Create” activity report section “Update” activity report section “Add to group” activity report section “Remove from group” activity report section “Move” activity report section “Deprovision” activity report section “Undo deprovision” activity report section “Delete” activity report section

Policy report items

Policy report sections

Active Roles internal policy report items

Active Roles internal policy report sections

Examining user activity

Entitlement profile

About entitlement profile specifiers

Entitlement type Entitlement rules Resource display About entitlement profile build process

Entitlement profile configuration

Creating entitlement profile specifiers Changing entitlement profile specifiers Predefined specifiers

Viewing entitlement profile

Authorizing access to entitlement profile

Finding and listing deleted objects

Searching the Deleted Objects container Searching for objects deleted from a certain OU or MU

Restoring a deleted object Delegating operations on deleted objects Applying policy or workflow rules

AD LDS data management

Managing AD LDS objects

Adding an AD LDS user to the directory Adding an AD LDS group to the directory Adding or removing members from an AD LDS group Disabling or enabling an AD LDS user account Setting or modifying the password of an AD LDS user Adding an Organizational Unit to the directory Adding an AD LDS proxy object (user proxy)

Configuring Active Roles for AD LDS

Configuring Managed Units to include AD LDS objects Viewing or setting permissions on AD LDS objects Viewing or setting policies on AD LDS objects

One Identity Starling Join and configuration through Active Roles

Prerequisites to configure One Identity Starling Configuring Active Roles to join One Identity Starling Disconnecting One Identity Starling from Active Roles

Managing One Identity Starling Connect

Viewing Starling Connect settings in Active Roles Configuration Center Create Provisioning policy for Starling Connect Provision a new SaaS user using the Web Interface Provision an existing Active Roles user for SaaS products Update the SaaS product user properties Delete the SaaS product user Deprovision an existing Active Roles user for SaaS products Notifications for Starling operations SCIM attribute mapping with Active Directory

Configuring linked mailboxes with Exchange Resource Forest Management

Prerequisites of configuring linked mailboxes

Registering the resource and account forests in Active Roles Applying the ERFM Mailbox Management policy to an OU Configuring the ERFM Mailbox Management scheduled task Changing the location of the shadow accounts Configuring the synchronized, back synchronized or substituted properties of linked mailboxes

Creating a linked mailbox for a new user Creating a linked mailbox for an existing user with no mailbox Modifying the Exchange properties of a linked mailbox Configuring a user with a linked mailbox for managing mail-enabled groups Converting a user mailbox to a linked mailbox Converting a linked mailbox to a user mailbox Deprovisioning a user with a linked mailbox Undo deprovisioning for a user with a linked mailbox (re-provisioning) Deleting a user with a linked mailbox

Configuring remote mailboxes for on-premises users

Assigning a remote mailbox to an on-premises user Verifying that a remote mailbox is assigned to an on-premises user

Migrating Active Roles configuration with the Configuration Transfer Wizard

Configuration Transfer Wizard components

Configuration Collection wizard Configuration Deployment wizard ARSconfig command-line tool

Installing Configuration Transfer Wizard

Configuration Transfer Wizard requirements Installing Configuration Transfer Wizard

Using the Configuration Transfer Wizard

General considerations for using Configuration Transfer Wizard

Dangling links during configuration transfer

Using the Configuration Collection Wizard and the Configuration Deployment Wizard Using the ARSconfig command-line tool

ARSconfig syntax ARSconfig parameters Example: Transferring an Active Roles configuration Example: Rolling back the configuration changes

Managing Skype for Business Server with Active Roles

About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management

Single forest topology for Skype for Business Server User Management Resource forest topology for Skype for Business Server User Management Central forest topology for Skype for Business Server User Management

User Management policy for Skype for Business Server User Management

Skype for Business Server User Management policy settings

Connecting to Skype for Business Server SIP user name generation rule SIP domain restriction rule Pool restriction rule Telephony restriction rule

Master Account Management policy for Skype for Business Server User Management

Master Account Management policy settings for Skype for Business Server User Management

Skype for Business Server forest mode Container for new Skype for Business Server shadow accounts Default description for new Skype for Business Server shadow accounts Shadow account reference attribute Synchronized Skype for Business Server properties Skype for Business Server Back-synchronized Skype for Business Server properties

Master Account Management policy actions for Skype for Business User Management Scheduled Skype for Business Server synchronization

Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature

Prerequisites of deploying the Skype for Business Server User Management feature

Deployment conditions of Skype for Business Server

Deploying Skype for Business Server User Management in a single forest Deploying Skype for Business Server User Management in a multi-forest environment

Active Roles deployment prerequisites for Skype for Business Server User Management

Logging in as an Active Roles Admin Registering domains with Active Roles

Configuring Skype for Business Server User Management in a single-forest environment Configuring Skype for Business Server User Management in a multi-forest environment

Applying the Master Account Management policy Applying the User Management policy

Upgrading the Skype for Business Server configuration from an earlier version

Managing Skype for Business Server users

Enabling or disabling users for Skype for Business Server

Adding and enabling a new Skype for Business Server user Disabling or re-enabling a user account for Skype for Business Server Removing a user account from Skype for Business Server

Managing Skype for Business Server user properties

Viewing or changing Skype for Business Server user properties Moving a user to another server or pool in Skype for Business Server

Exchanging provisioning information with Active Roles SPML Provider

Key SPML Provider features SPML Provider usage scenarios Basic SPML Provider concepts and definitions How SPML Provider works Configuring Active Roles SPML Provider

Configuring SPML Provider settings in the SPML.Config file

Sample SPML Provider configuration file

Extending the SPML Provider schema

Using Active Roles SPML Provider

SPML Provider operation modes Active Roles controls supported by SPML Provider

Sending controls to the Active Roles Administration Service Specifying controls to return to the SPML Provider client Sample SPML requests

Supported SPML Provider operations SPML Provider samples of use

SPML Provider configuration settings in the sample.config file Core SPML Provider operation samples

Sample SPML Provider request to modify shared mailbox user permissions

SPML Provider capability samples

Active Roles SPML Provider terminology Troubleshooting SPML Provider

Cannot remove the specified item because it was not found in the specified Collection Some of the specified attributes for the object class are not defined in the schema

Monitoring Active Roles with Management Pack for SCOM

Management Pack for SCOM features

Management Pack for SCOM monitoring views

Getting started with Management Pack for SCOM Monitoring Active Roles Administration Service with Management Pack for SCOM

General response - Script General response - Alert Replication monitoring - Script Replication monitoring - Alert Monitoring connection to configuration database Monitoring of Dynamic Group-related operations Monitoring of Group Family-related operations Internal error - Alert Critical error on startup - Alert License system failure - Alert

Monitoring Active Roles Web Interface

Availability - Script Availability - Alert

Monitoring performance with Management Pack for SCOM

AD changes processed/sec Changes queue length (AD + Database) Connected clients Database changes processed/sec LDAP operations in progress LDAP operations/sec Private bytes Queued post-processing policies Requests in progress Requests/sec Script module average execution time Script modules executing

Configuring Active Roles for AWS Managed Microsoft AD

Supported AWS Managed Microsoft AD deployment configuration Deployment requirements for AWS Managed Microsoft AD support Main steps of configuring Active Roles for AWS Managed Microsoft AD

Creating the AWS Managed Microsoft AD instance Creating the EC2 instance for Active Roles Joining the EC2 instance to AWS Managed Microsoft AD Creating the RDS instance for the Active Roles SQL Server Verifying connectivity between the EC2 and RDS instances Installing and configuring Active Roles on the EC2 instance

Azure AD, Microsoft 365, and Exchange Online Management

Configuring Active Roles to manage Hybrid AD objects

Configuring Active Roles to manage Azure AD using the GUI

Configuring a new Azure tenant and consenting Active Roles as an Azure application Importing an Azure tenant and consenting Active Roles as an Azure application Viewing or modifying the Azure tenant type Enabling OneDrive in an Azure tenant

Prerequisites of enabling OneDrive in an Azure tenant

Checking and adding the Sites.FullControl.All permission for Active Roles

Configuring OneDrive for an Azure tenant

Removing an Azure tenant Viewing the Azure Health status for Azure tenants and applications Viewing the Azure Licenses Report of an Azure tenant Viewing the Office 365 Roles Report of an Azure tenant

Adding an Azure AD tenant using Management Shell Adding an Azure AD application using Management Shell Active Roles configuration steps to manage hybrid AD objects

Configuring the Azure - Default Rules to Generate Properties policy

Active Roles configuration to synchronize existing Azure AD objects to Active Roles

Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles automatically using the Active Roles Synchronization Service Console Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles manually

Configuring Sync Workflow to back synchronize AD contacts

Changes to Azure M365 Policies in Active Roles after 7.4.1

Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning

How the M365 and Azure Tenant Selection policy works Configuring an M365 and Azure Tenant Selection policy Applying a new M365 and Azure Tenant Selection policy

Changes to Active Roles policies for cloud-only Azure objects

Managing the configuration of Active Roles

Connecting to the Administration Service

Delegating control to users for accessing Active Roles Console

Managed domains

Adding or removing a managed domain

Using unmanaged domains

Configuring an unmanaged domain

Evaluating product usage

Viewing product usage statistics

Delegating access to the managed object statistics

Scheduled task to count managed objects Managed scope to control product usage Voluntary thresholds for the managed object count Installation label

Creating and using virtual attributes

Scenario: Implementing a Birthday attribute

Examining client sessions Monitoring performance Customizing the Console

Other Properties tab in the Properties dialog Other Properties page in object creation wizard Customizing object display names

Using Configuration Center

Configuration Center design elements Configuring a local or remote Active Roles instance Running Configuration Center

Prerequisites for running the Configuration Center

Tasks you can perform in Configuration Center

Initial configuration tasks

Configuring the Administration Service Configuring the Web Interface

Administration Service management tasks

Viewing the core Administration Service settings Changing the core Administration Service settings Importing configuration data Importing Management History data Viewing the state of the Administration Service Starting, stopping or restarting the Administration Service

Web Interface management tasks

Identify Web Interface sites Create a Web Interface site Modify a Web Interface site Delete a Web Interface site Export a Web Interface site’s configuration object to a file Configure Web Interface for secure communication Disabling secure communication for Web Interface sites Configuring federated authentication

Starling Join configuration task Active Roles Console access management Logging management tasks Solution Intelligence

Enabling or disabling Solution Intelligence

Configuring gMSA as an Active Roles Service account

Configuring the Active Roles Service account to use a gMSA Changing the Active Roles Service account to use a gMSA

Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer

Using Log Viewer

SQL Server replication

SQL Server replication terminology SQL Server replication model overview

Replication group management Data synchronization and conflict resolution

SQL Server-related permissions Configuring SQL Server Configuring replication About replication groups

Creating a replication group Adding members to a replication group Removing members from a replication group

Removing Subscribers from a replication gorup Removing the Publisher from a replication group

Monitoring replication Always On Availability Groups

Configuring AlwaysOn Availability Groups in Active Roles

Using database mirroring

Role switching Database mirroring setup in Active Roles

Viewing replication settings

Replication Agent schedule

Identifying replication-related problems Viewing database connection settings Modifying database connection settings Changing the service account Changing the SQL Server Agent logon account Modifying Replication Agent credentials

Windows authentication SQL Server authentication

Moving the Publisher role

Demoting the Publisher Promoting an SQL Server to Publisher

Recovering replication if the Publisher is not available

Removing Subscribers if the Publisher is not available Promoting an SQL Server to Publisher

Troubleshooting replication failures

Replication Agent malfunction Replication Agent authentication problems SQL Server identification problems

Using regular expressions

Examples of regular expressions Order of precedence

Administrative Template

Active Roles snap-in settings Administration Service auto-connect settings

'Allowed Servers for Auto-connect' setting 'Disallowed Servers for Auto-connect' setting 'Additional Servers for Auto-connect' setting

Loading the Administrative Template

Configuring federated authentication

Configuring federated authentication settings Examples of configuring identity providers

Communication ports

Access to the managed environment Access to Active Roles Administration Service Access to Active Roles Web Interface

Active Roles and supported Azure environments

Azure object management supported in various Azure environments Azure object management in a Non-Federated environment Azure object management in Federated and Synchronized Identity environments

Integrating Active Roles with other products and services

Active Roles integration with other One Identity and Quest products Active Roles integration with Duo Active Roles integration with Okta

Configuring the Active Roles application in Okta Configuring Okta in the Active Roles Configuration Center

Active Roles Language Pack

Supported languages Localization limitations Modifying the language of Active Roles components in the Windows registry Modifying the language of the Web Interface

Active Roles Diagnostic Tools

Using the System Checker Using the Log Viewer tool Using the Directory Changes Monitor command-line interface

Active Roles Add-on Manager

Using the Add-on Manager command-line interface Creating an add-on

Report section: User Account Deprovisioning

Rule-based autoprovisioning and deprovisioning > Deprovisioning users or groups > Report on deprovisioning results > Report section: User Account Deprovisioning

Table 18: User Account Deprovisioning
Report item (Success)	Report item (Failure)
The user account is disabled.	Failed to disable the user account.
The user password is reset to a random value.	Failed to reset the user password.
The user logon name is changed to a random value.	Failed to change the user logon name.
The user logon name (pre-Windows 2000) is changed to a random value.	Failed to change the user logon name (pre-Windows 2000).
The user name is changed. Original name: <name>. New name: <name>.	Failed to change the user name. Current name: <name>. Failed to set this name: <name>.
User properties are changed. List: User properties, old and new property values.	Failed to change user properties. List: User properties, error description.

Report section: Group Membership Removal

Rule-based autoprovisioning and deprovisioning > Deprovisioning users or groups > Report on deprovisioning results > Report section: Group Membership Removal

Table 19: Group Membership Removal
Report item (Success)	Report item (Failure)
In accordance with policy, the user is not removed from security groups, except for Dynamic Groups and groups controlled by Group Family. Details: Security groups to which the user belongs.	Not applicable
The user is removed from all security groups. Details: Security groups from which the user is removed	Failed to remove the user from some security groups. Details: Security groups from which the user is removed. Security groups from which the user is not removed due to an error.
In accordance with policy, the user is retained in some security groups. Details: Security groups from which the user is removed. Security groups from which the user is not removed in accord with policy.	Failed to remove the user from some security groups. Details: Security groups from which the user is removed. Security groups from which the user is not removed in accord with policy. Security groups from which the user is not removed due to an error.
In accordance with policy, the user is not removed from distribution groups or mail-enabled security groups, except for Dynamic Groups and groups controlled by Group Family. Details: Distribution groups and mail-enabled security groups to which the user belongs.	Not applicable
The user is removed from all distribution groups and mail-enabled security groups. Details: Distribution groups and mail-enabled security groups from which the user is removed.	Failed to remove the user from some distribution groups or mail-enabled security groups. Details: Distribution groups and mail-enabled security groups from which the user is removed. Distribution groups or mail-enabled security groups from which the user is not removed due to an error.
In accordance with policy, the user is retained in some distribution groups or mail-enabled security groups. Details: Distribution groups and mail-enabled security groups from which the user is removed. Distribution groups or mail-enabled security groups from which the user is not removed in accord with policy.	Failed to remove the user from some distribution groups or mail-enabled security groups. Details: Distribution groups and mail-enabled security groups from which the user is removed. Distribution groups or mail-enabled security groups from which the user is not removed in accord with policy. Distribution groups or mail-enabled security groups from which the user is not removed due to an error.

Report section: Exchange Mailbox Deprovisioning

Rule-based autoprovisioning and deprovisioning > Deprovisioning users or groups > Report on deprovisioning results > Report section: Exchange Mailbox Deprovisioning

Table 20: Exchange Mailbox Deprovisioning
Report item (Success)	Report item (Failure)
Mailbox deprovisioning is skipped because the user does not have an Exchange mailbox.	Not applicable
The user mailbox is removed (hidden) from the Global Address List (GAL).	Failed to remove (hide) the user mailbox from the Global Address List (GAL).
The user mailbox is configured to suppress non-delivery reports (NDR).	Failed to configure the user mailbox to suppress non-delivery reports (NDR).
The manager of the user is provided with full access to the user mailbox. Manager name: <name>	Failed to provide the manager of the user with access to the user mailbox. Manager name: <name>
N/A	Failed to provide the user’s manager with access to the user mailbox. Reason: The user’s manager is not specified in the directory.
The required users and groups are provided with full access to the user mailbox. List: Users and groups	Failed to provide the required users or groups with access to the user mailbox. List: Users and groups
Forwarding messages to alternate recipients is disallowed on the user mailbox.	Failed to disallow forwarding messages to alternate recipients on the user mailbox.
The user mailbox is configured to forward incoming messages to the user’s manager.	Failed to configure the user mailbox to forward incoming messages to the user’s manager.
The user mailbox is configured to forward incoming messages to the user’s manager, with the option to leave message copies in the mailbox.	Failed to configure the user mailbox to forward incoming messages to the user’s manager.
Failed to configure the user mailbox to forward incoming messages to the user’s manager. Reason: the user’s manager is not specified in the directory.	Not applicable
Automatic replies turned on.	Failed to turn on automatic replies.

Report section: Home Folder Deprovisioning

Rule-based autoprovisioning and deprovisioning > Deprovisioning users or groups > Report on deprovisioning results > Report section: Home Folder Deprovisioning

Table 21: Home Folder Deprovisioning
Report item (Success)	Report item (Failure)
Home folder deprovisioning is skipped because the user does not have a home folder.	N/A
The user’s rights on the home folder are removed.	Failed to remove the user’s rights on the home folder.
The manager of the user is provided with read-only access to the user home folder. Manager name: <name>.	Failed to provide the manager of the user with read-only access to the user home folder. Manager name: <name>.
Not applicable	Failed to provide the user’s manager with read-only access to the user home folder. Reason: The user’s manager is not specified in the directory.
In accordance with the policy, the user home folder will be deleted when the user account is deleted. Home folder name: <name>.	Not applicable
The required users and groups are provided with read-only access to the user home folder. List: Users and groups	Failed to provide the required users or groups with read-only access to the user home folder. List: Users and groups
The new owner is assigned to the user home folder. Owner name: <name>.	Failed to assign the new owner to the user home folder. Failed to set this owner name: <name>.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択

© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約プライバシー Cookie Preference Center