A user’s entitlement profile can be accessed from the Active Roles console or Web Interface, allowing you to quickly examine resources to which the user is entitled:
This opens the Entitlement Profile page that lists the user’s resources grouped in expandable blocks by resource type. Each block may be a section that represents a single resource, or it may comprise a number of sections each of which represents a single resource. The grouping of sections occurs for resources of the same type. For example, the security groups in which the user has membership may be grouped together in a single block, with each group being represented by a separate section.
Initially, each block or section displays only a heading that includes the following items:
To view resource details, click the heading of a block or section.
Out of the box, Active Roles is configured so that a user’s entitlement profile displays the user’s entitlements to the resources listed in the table that follows. Active Roles administrators can configure the entitlement profile to display information about additional resources. If a user is not entitled to any resources of a particular type, then the user’s entitlement profile does not contain the sections specific to that resource type. For example, if a user does not have an Exchange mailbox, then the user’s entitlement profile does not contain information about the user’s mailbox.
Resource Type |
Resource Name |
Resource Details |
Exchange Mailbox |
E-mail address of mailbox |
|
Home Folder |
Path and name of home folder |
|
Unix-enabled Account |
User principal name |
|
Enabled for Office Communications Server |
Live communications address |
|
Member of Security Group |
Group name |
|
Access to SharePoint Site |
Group name |
|
Owner of Security Group |
Group name |
|
Owner of Distribution List |
Group display name |
|
Owner of Resource Exchange Mailbox |
Mailbox display name |
|
Owner of Exchange Contact |
Contact display name |
|
Owner of Computer |
Computer name |
|
Owner of Resource (default) |
Managed object’s name |
|
By default, permission to view the entitlement profile is given to Active Roles Admin, the administrative account or group specified during Active Roles installation. Other users or groups can also be permitted to view the entitlement profile. A dedicated Access Template is provided for this purpose so that you can allow the use of the Entitlement Profile command by designated users or user groups.
To permit particular users or groups to view the entitlement profile of the users held in a certain container, such as an organizational unit or a Managed Unit, apply the Access Template as follows.
To authorize access to the entitlement profile
After you complete these steps, the users and groups you selected in Step 4 are authorized to view the entitlement profile of the users held in the container you selected in Step 1, as well as in any sub-container of that container.
Active Roles builds on Active Directory Recycle Bin, a feature of Active Directory Domain Services introduced in Microsoft Windows Server 2008 R2, to facilitate the restoration of deleted objects. When Recycle Bin is enabled, Active Roles makes it easy to undo accidental deletions, reducing the time, costs, and user impact associated with the recovery of deleted objects in Active Directory.
The use of Active Roles in conjunction with Active Directory Recycle Bin helps minimize directory service downtime caused by accidental deletions of directory data. Recycle Bin provides the ability to restore deleted objects without using backups or restarting domain controllers and a user interface featured by Active Roles expedites locating and recovering deleted objects from Recycle Bin. Flexible and powerful mechanisms provided by Active Roles for administrative tasks delegation, enforcement of policy rules and approvals, and change tracking ensure tight control of the recovery processes.
To undo deletions, Active Roles relies on the ability of Active Directory Recycle Bin to preserve all attributes, including the link-valued attributes, of the deleted objects. This makes it possible to restore deleted objects to the same state they were in immediately before deletion. For example, restored user accounts regain all group memberships that they had at the time of deletion.
Active Roles can be used to restore deleted objects in any managed domain that has Active Directory Recycle Bin enabled. This requires the forest functional level of Windows Server 2008 R2, so all the forest domain controllers must be running Windows Server 2008 R2. In a forest that meets these requirements, an administrator can enable Recycle Bin by using the Active Directory module for Windows PowerShell in Windows Server 2008 R2. For more information about Active Directory Recycle Bin, see What’s New in AD DS: Active Directory Recycle Bin (http://go.microsoft.com/fwlink/?LinkId=141392).
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy