Provisioning Policy Objects allow configuration and application of the following policies.
This policy generates a user logon name (pre-Windows 2000) for a user account being created. You can configure it to:
By combining these options, you can ensure uniqueness of the user logon name (pre-Windows 2000), which is a schema requirement in Active Directory.
This policy ensures that newly created user accounts have the appropriate e-mail aliases set up. You can configure it to generate aliases based on:
The policy provides the ability to make each alias unique by adding a uniqueness number to the alias.
This policy ensures that user mailboxes are created in appropriate mailbox stores or databases. You can configure it to:
The policy makes it possible to distribute mailboxes by using the round-robin method or by selecting a store or database with the least number of mailboxes.
This policy ensures that user accounts belong to appropriate groups. You can configure it to:
You can select groups and set up criteria. The policy adds a user account to, or removes it from, the selected groups depending on whether the user account meets the specified criteria. The policy can also be applied to directory objects other than user accounts.
This policy performs provisioning actions needed to assign home folders and home shares to user accounts. You can configure it to:
You can specify the server on which to create home folders and shares, determine naming conventions for home folders and shares, and configure access rights to the newly created home folders and shares.
This policy generates and validates directory data, such as user properties. You can configure it to:
You can specify how you want the policy to generate directory data by default and what validation criteria must be applied to ensure compliance of directory data with your corporate standards.
This policy runs a script upon requests to perform certain operations, such as creation or updating of user accounts. You can use scripts to:
You can link a custom script to an administrative operation and have the script receive control when the operation is requested or after the operation is completed.
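The uniqueness number described for logon names and e-mail aliases above can be modelled offline as follows. This is an added example, not Active Roles code: the naming rule (first initial plus last name), the function name and the sample names are assumptions, while the 20-character limit and the disallowed characters are the Active Directory constraints on a user's pre-Windows 2000 logon name.

```python
import re

# Characters Active Directory rejects in sAMAccountName: " / \ [ ] : ; | = , + * ? < >
# Whitespace is stripped as well (a choice made for this example).
_INVALID = re.compile(r'["/\\\[\]:;|=,+*?<>\s]')
MAX_LEN = 20  # length limit for a user's pre-Windows 2000 logon name


def generate_logon_name(first, last, existing, max_tries=99):
    """Return a logon name that is not in `existing` (compared case-insensitively).

    Hypothetical rule: first initial + last name. On a collision a uniqueness
    number is appended and the base is shortened so the result fits MAX_LEN.
    """
    taken = {name.lower() for name in existing}
    # Drop disallowed characters; the name must not end with a period either.
    base = _INVALID.sub("", first[:1] + last).rstrip(".")
    if not base:
        raise ValueError("no usable characters in the supplied name")

    candidate = base[:MAX_LEN]
    if candidate.lower() not in taken:
        return candidate

    for n in range(1, max_tries + 1):
        suffix = str(n)
        # Truncate the base first, otherwise the suffix would be cut off.
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if candidate.lower() not in taken:
            return candidate
    raise RuntimeError("uniqueness numbers exhausted; widen the naming rule")


if __name__ == "__main__":
    # Constructed sample data: names already present in the directory.
    print(generate_logon_name("John", "Smith", ["jsmith", "JSMITH1"]))
```

The comparison is case-insensitive because Active Directory treats `JSmith` and `jsmith` as the same logon name; a case-sensitive check would report a name as free when it is not.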
Deprovisioning Policy Objects allow configuration and application of the following policies.
When deprovisioning a user, this policy modifies the user account so that the user cannot log on. You can configure this policy to:
You can also select account properties and configure this policy to update them when processing a deprovisioning request.
When deprovisioning a user, this policy removes the user account from groups. You can configure this policy to remove the account from security groups, mail-enabled groups, or both. In this policy, both distribution groups and mail-enabled security groups are collectively referred to as mail-enabled groups. You can also select the groups from which you want this policy not to remove the user account, or configure the policy not to remove the user account from any security groups or mail-enabled groups.
When deprovisioning a user, this policy moves the user account to a different location. You can select the organizational unit to which you want the policy to move the account. You can also configure the policy not to move the user accounts upon user deprovisioning.
When deprovisioning a user, this policy makes changes needed to deprovision Microsoft Exchange resources for that user. You can configure this policy to:
When deprovisioning a user, this policy makes changes needed to prevent the user from accessing his or her home folder. You can configure this policy to:
When deprovisioning a user, this policy schedules the user account for deletion. You can specify the number of days (retention period) before the account is deleted. Another option is to delete the deprovisioned user accounts immediately to Active Directory Recycle Bin. It is also possible to configure this policy so that the deprovisioned user accounts are not deleted automatically.
When deprovisioning a group, this policy makes changes to the group object in Active Directory in order to prevent the use of the group. You can configure this policy to:
When deprovisioning a group, this policy moves the group object to a different container in Active Directory. You can select the organizational unit to which you want the policy to move the group object.
When deprovisioning a group, this policy schedules the group object for deletion in Active Directory. You can specify the number of days (retention period) before the group is deleted. Another option is to delete the deprovisioned groups immediately to Active Directory Recycle Bin. It is also possible to configure this policy so that the deprovisioned groups are not deleted automatically.
In the course of a deprovisioning operation, this policy sends a notification message to the e-mail recipients you specify. You can customize both the message subject and message body.
Upon completion of a deprovisioning operation, this policy sends a report to the e-mail recipients you specify. The report includes a list of actions taken during the deprovisioning operation and the details of the deprovisioning activity. You can customize the subject of the e-mail message containing the report. You can also configure this policy to send the report only if any errors occurred in the course of a deprovisioning operation.
In the course of a deprovisioning operation, this policy runs the script you specify. By using a script, you can implement custom deprovisioning actions.
A Policy Object is a collection of administrative policies that specify the business rules to be enforced. A Policy Object includes stored policy procedures and specifications of events that activate each procedure.
A Policy Object associates specific events with its policy procedures, which can be built-in procedures or custom scripts. This provides an easy way to define policy constraints, implement sophisticated validation criteria, synchronize different data sources, and perform a number of administrative tasks as a single batch.
Active Roles enforces business rules by linking Policy Objects to:
By choosing where to link a Policy Object you determine the policy scope. For example, if you link a Policy Object to a container, all objects in the container and its sub-containers are normally subject to the Policy Object.
You can link different Policy Objects to different containers to establish container-specific policies. You might need to do so when each organizational unit uses a dedicated Exchange server to store mailboxes or a file server to store home folders.
You can also link a Policy Object to a leaf object, such as a user object. As an example, consider a policy that prohibits changes to group memberships when copying a certain user object.
Policy Objects define the behavior of the system when directory objects are created, modified, moved, or deleted within the policy scope. Policies are enforced regardless of the administrative rights of the user performing a management task. It is important to understand that even those who have administrator rights to Active Roles itself must abide by administrative policies once they are enforced.
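To review which Policy Objects a given object falls under, the scope rule described above (a link on a container covers the container and its sub-containers, a link on a leaf covers that object only) can be modelled as below. This is an added example, not Active Roles code or its API: the function names, distinguished names and Policy Object names are constructed, and only the inheritance described on this page is modelled.

```python
def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def effective_policy_objects(dn, links):
    """Policy Objects in whose scope `dn` falls, nearest link first.

    `links` maps the DN of a container or leaf object to the names of the
    Policy Objects linked there (hypothetical data structure).
    """
    # Normalise link targets so case and spacing differences do not hide a link.
    norm = {",".join(split_dn(k)).lower(): v for k, v in links.items()}
    rdns = split_dn(dn)
    result = []
    for i in range(len(rdns)):      # the object itself, then each ancestor
        scope = ",".join(rdns[i:]).lower()
        for name in norm.get(scope, []):
            if name not in result:
                result.append(name)
    return result


# Constructed sample links: domain-wide, per-OU and a single protected user.
LINKS = {
    "DC=example,DC=com": ["Corporate Naming Rules"],
    "ou=Sales, dc=example, dc=com": ["Sales Mailbox Store", "Sales Home Folders"],
    "CN=Smith\\, John,OU=Staff,OU=Sales,DC=example,DC=com": ["Protect Group Memberships"],
}
```

Splitting the DN on every comma would break `CN=Smith\, John` into two components and silently miss the link on that user, which is why the parser tracks escapes.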
This section guides you through the Active Roles console to manage Policy Objects. The following topics are covered:
© 2021 One Identity LLC. ALL RIGHTS RESERVED.