Converse agora com nosso suporte
Chat com o suporte

Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Setting up Active Directory synchronization Basic data for managing an Active Directory environment
Account definitions for Active Directory user accounts Password policies for Active Directory user accounts Initial password for new Active Directory user accounts Email notifications about login data User account names Target system managers Editing a server
Active Directory domains Active Directory user accounts
Linking user accounts to employees Supported user account types Entering master data for Active Directory user accounts Additional tasks for managing Active Directory user accounts Automatic assignment of employees to Active Directory user accounts Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Disabling Active Directory user accounts Deleting and restoring Active Directory user accounts
Active Directory contacts Active Directory groups
Entering master data for Active Directory groups Validity of group memberships Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers Additional tasks for managing Active Directory groups Deleting Active Directory groups Default solutions for requesting Active Directory groups and group memberships
Active Directory security IDs Active Directory container structures Active Directory computers Active Directory printers Active Directory locations Reports about Active Directory objects Configuration parameters for managing an Active Directory environment Default project template for Active Directory

Overview of all assignments

The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Examples
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
  • If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
  • Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 3: Toolbar of the Overview of all assignments report.

Table 76: Meaning of icons in the report toolbar

Icon

Meaning

Show the legend with the meaning of the report control elements

Saves the current report view as a graphic.

Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Configuration parameters for managing an Active Directory environment

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 77: Configuration parameters
Configuration parameter Description
QER | ITShop | GroupAutoPublish

Preprocessor relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to this parameter require the database to be recompiled.

QER | ITShop | GroupAutoPublish | ADSGroupExcludeList

This configuration parameter contains a list of all groups for which automatic IT Shop assignment should not take place. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

TargetSystem | ADS

Preprocessor relevant configuration parameter for controlling the database model components for the administration of the target system Active Directory. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

TargetSystem | ADS | Accounts

This configuration parameter permits configuration of user account data.

TargetSystem | ADS | Accounts | InitialRandomPassword

This configuration parameter specifies whether a random generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | ADS | Accounts | InitialRandomPassword | SendTo

This configuration parameter specifies to which employee the email with the random generated password should be sent (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter TargetSystem | ADS | DefaultAddress.

TargetSystem | ADS | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

This configuration parameter contains the name of the mail template sent to provide users with the login data for their user accounts. The Employee - new user account created mail template is used.

TargetSystem | ADS | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

This configuration parameter contains the name of the mail template sent to provide users with information about their initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | ADS | Accounts | MailTemplateDefaultValues

This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | ADS | Accounts | NotRequirePassword

This configuration parameter defines if the No password required option is enabled in the Active Directory environment when a new user account is created.

TargetSystem | ADS | Accounts | PrivilegedAccount This configuration parameter allows configuration of settings for privileged Active Directory user accounts.

TargetSystem | ADS | Accounts |
PrivilegedAccount | SAMAccountName_Postfix

This configuration parameter contains the postfix for formatting login names for privileged user accounts.

TargetSystem | ADS | Accounts | PrivilegedAccount |
SAMAccountName_Prefix

This configuration parameter contains the prefix for formatting login names for privileged user accounts.

TargetSystem | ADS | Accounts | ProfileFixedString

 This configuration parameter contains a fixed character string that is appended to the user profile's default profile path.

TargetSystem | ADS | Accounts | TransferJPegPhoto

This configuration parameter specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | ADS | Accounts | TransferSIDHistory

This configuration parameter specifies whether the history of an SID is loaded from the target system.

TargetSystem | ADS | Accounts | TSProfileFixedString

This configuration parameter contains a fixed character string, which is appended to the user profile's default profile path on a terminal server.

TargetSystem | ADS | Accounts | UnlockByCentralPassword

This configuration parameter specifies whether the employee’s Active Directory user account is also blocked by synchronizing the central password.

TargetSystem | ADS | Accounts | UserMustChangePassword

This configuration parameter defines if the Change password at next login option is enabled when a new user account is created.

TargetSystem | ADS | AuthenticationDomains

This configuration parameter contains a pipe (|) delimited list of domains to be used by the manual Active Directory authentication module to authenticate users. The list is processed in the given order. This list should only contain domains to be synchronized.

Example:

MyDomain|MyOtherDomain

For detailed information about the One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

TargetSystem | ADS | AutoCreateDepartment

This configuration parameter specifies whether departments are automatically created when user accounts are modified or synchronized.

TargetSystem | ADS | AutoCreateLocality

This configuration parameter specifies whether locations are automatically created when user accounts are modified or synchronized.

TargetSystem | ADS | AutoCreateHardwaretype

This configuration parameter specifies whether corresponding device types are created automatically in the database for imported printer objects.

TargetSystem | ADS | AutoCreateServers

This configuration parameter specifies whether entries for missing home servers and profile servers are created automatically when user accounts are synchronized.

TargetSystem | ADS | AutoCreateServers | PreferredLanguage

This configuration parameter contains the referred language for automatically created servers.

TargetSystem | ADS | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

TargetSystem | ADS | HardwareInGroupFromOrg

The configuration parameter specifies whether computers are added to groups on the basis of group assignment to roles.

TargetSystem | ADS | MaxFullsyncDuration

This configuration parameter contains the maximum runtime for synchronization. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.

TargetSystem | ADS | MembershipAssignCheck

When assigning group memberships in the One Identity Manager database, this configuration parameter specifies whether permissibility of the membership is verified at the time of saving.

Disable this configuration parameter if several trusted domains with access across memberships are managed in the database.

TargetSystem | ADS | MemberShipRestriction

General configuration parameter for restricting membership in Active Directory.

TargetSystem | ADS | MemberShipRestriction | Container

This configuration parameter contains the number of Active Directory objects allowed per container before warning email is sent.

TargetSystem | ADS | MemberShipRestriction | Group

This configuration parameter contains the number of Active Directory objects allowed per group before warning email is sent.

TargetSystem | ADS | MemberShipRestriction | MailNotification

This configuration parameter contain the default email address for sending warnings by email.

TargetSystem | ADS | PersonAutoDefault

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | ADS | PersonAutoDisabledAccounts

This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. User accounts do not obtain an account definition.

TargetSystem | ADS | PersonAutoFullSync

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.

TargetSystem | ADS | PersonExcludeList

List of all user accounts for which automatic employee assignment should not take place. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | ADS | PersonUpdate

This configuration parameter specifies whether employees are updated if their user accounts are changed. This configuration parameter is set to allow ongoing update of employee objects from associated user accounts.

TargetSystem | ADS | ReplicateImmediately

This configuration parameter is used to speed up synchronization of modifications between two domain controllers. When set, the accumulated modifications in Active Directory are immediately replicated between domain controllers.

TargetSystem | ADS | VerifyUpdates

This configuration parameter specifies whether modified properties are checked by updating. If this parameter is set, the objects in the target system are verified after every update.

Default project template for Active Directory

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The template uses mappings for the following schema types.

Table 78: Mapping Active Directory schema types to tables in the One Identity Manager schema
Schema type in Active Directory Table in the One Identity Manager Schema
builtInDomain ADSContainer
computer ADSMachine
contact ADSContact
container ADSContainer
domainDNS ADSDomain
forest (virtual schema type) ADSForest
group ADSGroup
inetOrgPerson ADSAccount
msDS-PasswordSettings ADSPolicy
organizationalUnit ADSContainer
printQueue ADSPrinter

serverInSite

ADSMachineInADSSite

site

ADSSite

trustedDomain DomainTrustsDomain
user ADSAccount
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação