サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Applying the Policy Object

You can apply the Policy Object by using the Enforce Policy page in the New Provisioning Policy Object Wizard, or you can complete the wizard and then use the Enforce Policy command on the domain, OU, or Managed Unit where you want to apply the policy.

For more information on how to apply a Policy Object, see Applying Policy Objects and Managing policy scope.

Group Object Deprovisioning

Group object deprovisioning policy specifies the changes to make to the group object in Active Directory in order to prevent the use of the group. It is intended to perform the following tasks when deprovisioning a group:

  • Hide the group from the Global Address List (GAL) to prevent access to the group from Exchange Server client applications such as Microsoft Outlook.

  • Change the type of the group from Security to Distribution to revoke access rights from the group.

  • Rename the group, to distinguish deprovisioned groups by name.

  • Remove members from the group to revoke user access to resources controlled by the group. This task has the option to specify the members that should not be removed from the group.

In addition, the policy can be configured to change or clear any other properties of a group, such as the pre-Windows 2000 name, e-mail addresses, or description.

How the Group Object Deprovisioning policy works

When processing a request to deprovision a group, Active Roles uses this policy to modify the group object in Active Directory, so that once the group has been deprovisioned, it cannot be used.

A policy can also be configured to update individual properties of groups. Depending on the policy configuration, each policy-based update results in the following:

  • Certain portions of group information, such as information about group members, are removed from the directory.

  • Certain properties of groups are changed or cleared.

A policy can be configured so that new property values include:

  • Properties of the group being deprovisioned, retrieved from the directory prior to starting the process of the group deprovisioning.

  • Properties of the user who originated the deprovisioning request.

  • Date and time when the group was deprovisioned.

Thus, when deprovisioning a group, Active Roles modifies the group object in Active Directory as determined by the Group Object Deprovisioning policy that is in effect.

Configuring a Group Object Deprovisioning policy

You can configure a new Group Object Deprovisioning policy with the Active Roles Console.

To configure a Group Object Deprovisioning policy

  1. On the Policy to Configure page, select Group Object Deprovisioning, then click Next.

    Figure 71: Disable Group

  2. On the Disable Group page, select the options you want the policy to apply when deprovisioning a group. You can select any combination of these options to prevent the use of the group:

    • Change the group type from Security to Distribution: Revokes access rights from deprovisioned groups. This option is applicable only to security groups.

    • Hide the group from the Global Address List (GAL): Prevents access to deprovisioned groups from Exchange Server client applications. This option is applicable to distribution groups or mail-enabled security groups.

    • Rename the group to: Changes the name of the group.

  3. If you selected Rename the group to, specify how you want the policy to update the group name when deprovisioning a group. To do so, click Configure and complete the Configure Value dialog by using the procedure outlined later in this topic. For more information, see Configuring a property update rule.

  4. Click Next.

    Figure 72: Remove members

  5. On the Remove Members page, do one of the following:

    • Click Do not remove members from the group for the policy not to make changes to the membership list of the group.

    • Click Remove all members, with optional exceptions for the policy to remove the members from the group.

  6. If you selected Remove all members, with optional exceptions, specify whether you want the policy not to remove certain objects from deprovisioned groups. Do the following:

    • Select the Keep these objects in the group check box and set up the list of the objects you want the policy not to remove from deprovisioned groups.

    • Leave the check box cleared if you want the policy to remove all members from deprovisioned groups.

  7. Click Next.

    Figure 73: Change Properties

  8. On this page, you can set up a list of group properties you want the policy to update. Each entry in the list includes the following information:

    • Property: When deprovisioning a group, Active Roles will update this property of the group object in Active Directory.

    • LDAP Display Name: Uniquely identifies the property to be updated.

    • Value to Assign: After the deprovisioning operation is completed, the property has the value defined by the rule specified.

    Specify how you want the policy to update properties of the group object when deprovisioning a group:

    • Click Add, then add property rules by completing the Select Object Property dialog.

    • Use View/Edit to modify existing rules.

    • Use Remove to delete existing rules.

  9. Click Next.

  10. On the Enforce Policy page, you can specify objects to which this Policy Object is to be applied:

    • Click Add, and use the Select Objects dialog to locate and select the objects you want.

  11. Click Next, then click Finish.

To complete the Configure Value dialog

  1. Click Add.

  2. Configure an entry to include in the value. For more information, see Configuring entries.

  3. In the Configure Value dialog, add more entries, delete or edit existing ones, then click OK.

To complete the Select Object Property dialog

  1. From the Object property list, select an object property, then click OK. The Add Value dialog appears.

    If you select multiple properties, the Add Value dialog is not displayed. The properties you have selected are added to the list on the Change Properties page, with the update rule configured to clear those properties, that is, to assign them the empty value.

    Figure 74: Add value

  2. In the Add Value dialog, do one of the following:

    • Select Clear value if you want the update rule to assign the empty value to the property.

    • Select Configure value if you want the update rule to assign a certain, non-empty value to the property. Then, click Configure and complete the Configure Value dialog.

  3. When you are done configuring a value, click OK to close the Add Value dialog. The property name along with the property update rule is added to the wizard page. If necessary, you can modify the update rule by clicking View/Edit beneath the list of properties. This displays a dialog, similar to the Add Value dialog, allowing you to choose a different update option or set up a different value for the ‘property’ must be condition.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択