Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Active Roles On Demand Hosted - User Guide

Table of Contents

Introduction Getting Started

Starting the Active Roles console

MMC interface access management Getting and using help

User Interface overview

Console_tree Details_pane Advanced_pane

Active Roles Security, Links Active Roles Policy Native Security Member Of, Members

View mode

Controlled_objects

Using Managed Units Setting up filter

Steps for sorting and filtering lists in the details pane

Finding objects

Steps for searching for a user, contact, or group Steps for searching for a computer Steps for searching for an Organizational Unit Steps for using advanced search options Steps for building a custom search LDAP syntax

Search filter format Operators Wildcards Special characters

Getting policy-related information

One Identity Starling Two-factor Authentication for Active Roles

Pre-requisites to configure One Identity Starling Logging in to MMC interface through 2FA authentication

User or Service Account Management

About user accounts User account management tasks

Creating a user account

Steps for creating a user account Steps for finding a user account

Finding a user account

Steps for finding a user account

Copying a user account

Steps for copying a user account

Modifying user account properties

Steps for modifying user account properties

Renaming a user account

Steps for renaming a user account

Disabling and enabling a user account

Steps for disabling a user account Steps for enabling a disabled user account

Resetting user password

Steps for resetting a user password

Adding user accounts to groups

Steps for adding a user account to a group

Removing a user account from groups

Steps for removing a user account from a group

Changing a user’s primary group

Steps for changing a user’s primary group

Performing Exchange tasks on a user account

Steps for performing Exchange tasks

Moving user accounts

Steps for moving a user account

Exporting and importing user accounts Deleting user accounts

Steps for deleting a user account

Deprovisioning a user account

Steps for deprovisioning a user account

Restoring a deprovisioned user account

Steps for restoring a deprovisioned user account

Managing user certificates

Steps for managing user certificates

Management of group Managed Service Accounts

gMSA management tasks

Creating_a_gMSA Managing_properties_of_a Searching_for_gMSA_in_th Disabling_or_re_enabling

Group Management

About groups Group management tasks

Creating a group

Steps for creating a group

Finding a group

Steps for finding a group Steps for finding groups in which a user is a member

Copying a group

Steps for copying a group

Modifying group properties

Steps for modifying group properties

Changing group type and group scope

Steps for changing group scope Steps for converting a group to another group type

Renaming a group

Steps for renaming a group

Assigning a manager over a group

Steps for assigning a manager over a group

Adding members to a group

Steps for adding a member to a group

Removing members from a group

Steps for removing a member from a group

Performing Exchange tasks on a group

Steps for performing Exchange tasks

Moving groups

Steps for moving a group

Exporting and importing groups Deleting groups

Steps for deleting a group

Deprovisioning groups

Steps for deprovisioning a group

Restoring deprovisioned groups

Steps for restoring a deprovisioned group

Administering query-based distribution groups

Steps for creating a query-based distribution group

Administering dynamic (rule-based) groups

Using temporal group memberships

Adding temporal members Viewing temporal members Rescheduling temporal group memberships Removing temporal members

Computer Account Management

About computer accounts Computer account management tasks

Creating a computer account

Steps for creating a computer account

Finding a computer account

Steps for finding a computer account

Modifying computer account properties

Steps for modifying computer account properties

Disabling and enabling a computer account

Steps for disabling a computer account Steps for enabling a disabled computer account

Resetting a computer account Adding computer accounts to groups

Steps for adding a computer account to a group

Removing a computer account from groups

Steps for removing a computer account from a group

Moving computer accounts

Steps for moving a computer account

Exporting and importing computer accounts Deleting computer accounts

Steps for deleting a computer account

Managing a remote computer Using Remote Desktop Connection Viewing BitLocker recovery passwords

Steps for viewing BitLocker recovery passwords

Organizational Unit Management

About Organizational Units Organizational Unit management tasks

Creating an Organizational Unit

Steps for creating an Organizational Unit

Finding an Organizational Unit

Steps for finding an Organizational Unit

Modifying Organizational Unit properties

Steps for modifying Organizational Unit properties

Renaming an Organizational Unit

Steps for renaming an Organizational Unit

Moving an Organizational Unit

Steps for moving an Organizational Unit

Deleting an Organizational Unit

Steps for deleting an Organizational Unit

Management of Contacts

About contacts Contact management tasks

Creating a contact

Steps for creating a contact

Finding a contact Modifying contact properties Renaming a contact Adding and removing contacts from groups Performing Exchange tasks on a contact

Steps for performing Exchange tasks

Moving contacts Exporting and importing contacts Deleting contacts

Management of Exchange Recipients

Creating an Exchange mailbox

Steps for creating a user mailbox Steps for creating a room or equipment Mailbox Steps for creating a linked mailbox Steps for creating a shared mailbox

Performing Exchange tasks

Exchange tasks on user accounts

Steps for performing Exchange tasks on a user account Move Mailbox task in Exchange 2013 or later

Exchange tasks on groups

Steps for performing exchange tasks on groups

Exchange tasks on contacts

Steps for performing Exchange tasks on contacts

Managing Exchange-related properties

Exchange General tab Exchange Advanced tab E-mail Addresses tab Mail Flow Settings tab Mailbox Settings tab Mailbox Features tab Calendar Settings tab Resource Information tab

Resource_Policy Resource_Information Resource_In_Policy_Reque Resource_Out_of_Policy_R

Master Account tab Mailbox Sharing tab

Managing Unified Messaging users

Enable a user for Unified Messaging View or change the properties of a UM-enabled user Reset Unified Messaging PIN for a UM-enabled user Disable Unified Messaging for a user

LDAP syntax

Search filters enable you to define search criteria and provide more efficient and effective searches. The search filters are represented by Unicode strings.

The Active Roles console supports the standard LDAP search filters as defined in RFC2254.

The following table lists some examples of standard LDAP search filters.

Table 5: LDAP search filters
Search filter	Description
`(objectClass=*)`	All objects
`(&(objectCategory=person)(objectClass=user)(!cn=andy))`	All user objects but "andy"
`(sn=sm*)`	All objects with a surname that starts with "sm"
`(&(objectCategory=person)(objectClass=contact)(\|(sn=Smith)(sn=Johnson)))`	All contacts with a surname equal to "Smith" or "Johnson"

Search filter format

Search filters use one of the following formats:

<filter>=(<attribute><operator><value>)

(<operator><filter1><filter2>)

In this example, <attribute> stands for the LDAP display name of the attribute by which you want to search.

Operators

The following table lists some frequently used search filter operators.

Table 6: Operators
Logical Operator	Description
=	Equal to
~=	Approximately equal to
<=	Lexicographically less than or equal to
>=	Lexicographically greater than or equal to
&	AND
\|	OR
!	NOT

Wildcards

You can also add wildcards and conditions to a search filter. The following examples show substrings that can be used to search the directory.

Get all entries:

(objectClass=*)

Get entries containing “bob” somewhere in the common name:

(cn=*bob*)

Get entries with a common name greater than or equal to “bob”:

(cn>='bob')

Get all users with an e-mail attribute:

(&(objectClass=user)(mail=*))

Get all user entries with an e-mail attribute and a surname equal to “smith”:

(&(sn=smith)(objectClass=user)(mail=*))

Get all user entries with a common name that starts with “andy”, “steve”, or “margaret”:

(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))

Get all entries without an e-mail attribute:

(!(mail=*))

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Active Roles On Demand Hosted - User Guide

LDAP syntax

Search filter format

Operators

Wildcards