지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Administrative Template

The Active Roles Administrative Template allows you to control the behavior and appearance of the Active Roles Console by using Group Policy. For more information, see Active Roles snap-in settings.

This Administrative Template also provides a number of policy settings allowing you to limit the list of Active Roles’s Administration Service instances for auto-connect. For more information, see Administration Service auto-connect settings.

Active Roles snap-in settings

With the Active Roles Snap-in policy settings you can:

  • Hide some areas of the user interface with the Console.

  • Specify default settings for some user interface elements.

  • Specify settings to register extension snap-ins with the Active Roles Console.

The Administrative Template provides the following policy settings to control the behavior and appearance of the Active Roles Console:

Table 124: Policy settings to control the behavior and appearance of the Active Roles Console

Policy Setting

Explanation

Hide Exchange management

Removes all user interface elements (commands, wizards, and dialog boxes) intended to manage Exchange recipients. If you enable this policy, users cannot perform any Exchange tasks and manage any Exchange recipient settings with the Active Roles Console. If you disable this policy or do not configure it, users with appropriate permissions can use the Active Roles Console to perform Exchange tasks and manage Exchange recipient settings.

Set default view mode

Specifies view mode in which the Active Roles Console will start. If you enable this policy, you can select view mode from a list. When started, the Active Roles Console will switch to the view mode you have selected. By default, users are allowed to change view mode by using the Mode command on the View menu. If you want to enforce a view mode, select the User is not allowed to change view mode policy option. This option ensures that the Console user cannot change the view mode that you have selected.

Hide Configuration node

Removes the Configuration node from the Console tree when the Active Roles Console is in Advanced view mode. If you enable this policy, in Advanced view mode, all objects and containers related to the Active Roles configuration are not displayed. The Managed Units node and its contents are displayed as well as all advanced Active Directory objects and containers.

Disable Remember password option

Clears and disables the Remember password check box in the Connect to Administration Service dialog. If you enable this policy, the Connect as: The following user option in the Active Roles Console requires the user to enter their password every time when using that option, rather than encrypting and storing the password once it has been entered.

NOTE: Saving passwords may introduce a potential security risk.

Disable Connect as options

Disables the Connect as options in the Connect to Administration Service dialog, including the Remember password check box. If you enable this policy, the Console users are only allowed to connect to the Administration Service under their logon accounts. With this policy, the Current user option is selected under Connect as, and cannot be changed.

Set controlled objects to be marked by default

Specifies whether to use a special icon for visual indication of the objects to which Access Templates or Policy Objects are applied (linked). If you enable this policy, you can choose the category of object to be marked with a special icon by default. Users can modify this setting using the Mark Controlled Objects command on the View menu.

In addition, the Administrative Template provides for policies allowing you to register extension snap-ins with the Active Roles Console. These policies are located in the folder named Extension Snap-ins. Each policy in that folder is used to register one of the following:

Table 125: Policies allowing to register extension snap-ins with Active Roles Console

Policy Setting

Explanation

Namespace extensions

Allows you to register extension snap-ins to extend the namespace of the Active Roles Console.

Context menu extensions

Allows you to register extension snap-ins to extend a context menu in the Active Roles Console.

Toolbar extensions

Allows you to register extension snap-ins to extend the toolbar of the Active Roles Console.

Property sheet extensions

Allows you to register extension snap-ins to extend property sheets in the Active Roles Console.

Task pad extensions

Allows you to register extension snap-ins to extend a task pad in the Active Roles Console.

View extensions

Allows you to register extension snap-ins to add user interface elements to an existing view or to create new views in the Active Roles Console.

When configuring a policy from the Extension Snap-ins folder, you are prompted to specify the name and the value of the item to be added.

The name parameter determines the type of the node you want to extend. Each type is identified with a GUID. For example, if you want to extend user objects, the GUID is {D842D417-3A24-48e8-A97B-9A0C7B02FB17}.

The value parameter determines the extension snap-ins to be added. Each snap-in is identified with a GUID. You add multiple snap-ins by entering their GUIDs separated by semicolons. For example, value might look as follows:

{AD0269D8-27B9-4892-B027-9B01C8A011A1}"Description";{71B71FD3-0C9B-473a-B77B-12FD456FFFCB}"Description"

The entry "Description" is optional and may contain any text describing the extension snap-in, enclosed in double quotation marks.

Administration Service auto-connect settings

The Administrative Template provides the following settings that allow you to limit the list of Active Roles’s Administration Service instances for auto-connect:

When applied to a computer running an Active Roles client application, such as the Active Roles Console, Web Interface or ADSI Provider, these settings make it possible to restrict auto-connection of the client application to a predefined set of computers running the Administration Service, with inclusions or exclusions of certain computers from the pool of the Administration Service instances to auto-connect.

You can enable all these settings or only some of these settings. For example, if you only want to allow the client application to auto-connect to specific instances of the Administration Service (and only to those instances), then you could only enable and configure the Allowed Servers for Auto-connect setting. If you only want to prevent the client application from auto-connecting to particular instances of the Administration Service, you could only enable and configure the Disallowed Servers for Auto-connect setting. If you want the client application to auto-connect to a server identified by a computer alias, enable the Additional Servers for Auto-connect setting and add the computer alias to that setting.

The following rules apply when two or more settings are enabled. If the name of a given computer is listed in both the Allowed Servers for Auto-connect and Disallowed Servers for Auto-connect settings, then the client application is allowed to auto-connect to the Administration Service on that computer. If the name or alias of a particular computer is listed in the Additional Servers for Auto-connect setting, then the client application auto-connects to the Administration Service on that computer regardless of the Allowed Servers for Auto-connect and Disallowed Servers for Auto-connect settings.

'Allowed Servers for Auto-connect' setting

When applied to a computer running an Active Roles client application, such as the Active Roles Console, Web Interface or ADSI Provider, this setting determines the instances of the Active Roles Administration Service to which the client application is allowed to auto-connect. This setting only affects the Administration Service instances that are published by Active Roles for auto-discovery. To have the client application connect to the Administration Service on a computer whose name or alias is not published for Administration Service auto-discovery, use the Additional Servers for Auto-connect setting.

If you enable this setting, you can specify a list of computer names identifying the computers running the Administration Service to which the client application is allowed to auto-connect. In a computer name, you may use an asterisk wildcard character (*) to represent any string of characters. If a given computer is listed in this setting, then the client application is allowed to auto-connect to the Administration Service on that computer. If a given computer is not listed in this setting, then the client application is not allowed to auto-connect to the Administration Service on that computer unless the name or alias of that computer is listed in the Additional Servers for Auto-connect setting.

If this setting is disabled or not configured, the client application auto-connects to any available Administration Service that is published by Active Roles for auto-discovery. However, you can use the Disallowed Servers for Auto-connect setting to prevent the client application from auto-connecting to certain published instances of the Administration Service.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택