Chat now with support
Chat with Support

Active Roles 7.2.1 - Evaluator Guide

Introduction Test lab setup Managing users and groups Delegating administration Using Managed Units Using Active Roles policies Managing Exchange recipients Managing permissions in Active Directory Using dynamic groups Delegating computer resource management Using audit trail and reporting Using Active Roes replication Customizing the Web Interface

Using Managed Units

Using Managed Units

The examples in this section demonstrate how to configure Managed Units, and allow you to see how Managed Units work.

Managed Unit (MU) is a collection of objects (administrative view), created for the purposes of distribution of administration, enforcement of business rules, and management of complex network environments. Managed Units provide the capability to separate the management framework from the Active Directory design. By using Managed Units, directory objects can be grouped into administrative views regardless of object location in Active Directory.

Create a Managed Unit

Using Managed Units > Create a Managed Unit

Consider an example in which the AD design is based on geographic locations, with domains named after cities or regions and OUs named for corporate departments or groups. Managed Units could be designed to manage specific departments or groups that are divided across multiple geographic locations.

In this example, each AD domain has a Human Resources (HR) OU and a Sales OU. The Active Roles design has an HR MU and a Sales MU. The HR MU enables administrators to configure the policies and security restrictions for all HR users in one place, while the Sales MU provides the same kind of capability for all Sales users.

MUs are defined by membership rules—criteria that Active Roles uses to evaluate which objects belong to specific MU.

In your test domain, create three OUs named PHX Sales, BST Sales, and SEA Sales. Then, perform the following steps to create the Sales MU.

To create Managed Unit

  1. Start the Active Roles console and connect to the Administration Service.
  2. Ensure that the console is in Advanced View mode: On the View menu, click Mode, and then select the Advanced Mode option.
  3. In the console tree, expand Configuration, right-click Managed Units, and select New | Managed Unit.

    The New Object - Managed Unit wizard starts.

  1. In the Name box, type the name of the Managed Unit - Sales MU. Click Next.
  2. Click Add.
  3. In the list of rule types, click Include by Query. Click OK.
  4. From the Find list, select Organizational Units.
  5. Click Browse next to the In box, and select your test domain.
  6. In the Name box, type *Sales*
  7. Optionally, click Preview Rule.

    The window displays a list of all the Sales OUs found.

  1. Click Add Rule.
  2. In the wizard, click Next, click Next, and then click Finish.

This procedure ensures that all OUs with names containing ‘Sales’ are included in the Sales MU. If you only want the MU to include the OUs with specific names, such as ‘PHX Sales OU’, ‘BST Sales OU’ and ‘SEA Sales OU’, use explicit inclusion. To create the Sales MU using explicit inclusion, modify the above procedure as follows:

  1. In Step 6, select Include Explicitly from the list of rule types.
  2. In the Select Objects window, specify the OU names (separated by semicolons), and then click OK.
  3. Follow the steps in the wizard to complete the creation of the MU.

Assign the Full Control role for an MU

Using Managed Units > Assign the Full Control role for an MU

Active Roles ensures that security restrictions specified on an MU are applied to all objects held in that MU. When an MU holds a container, all child objects in that container inherit the security restrictions defined at the MU level. This inheritance continues down the directory tree within all containers held in a given MU.

When you assign the Full Control role to a group for a given MU, you authorize the members of that group to perform all administrative tasks in that MU. The members of the group to which you have assigned an administrative role are referred to as delegated administrators.

To assign the Full Control role for an MU

  1. In the Active Roles console, right-click the Sales MU, and then click Delegate Control.
  2. In the Active Roles Security window, click Add.
  3. Follow the steps in the Delegation of Control wizard.
  4. On the Users or Groups page, click Add.
  5. Select the group to which you want to assign the Full Control role and click OK.
  6. Click Next.
  7. On the Access Templates page, expand Active Directory, select the check box next to All Objects – Full Control, and then click Next.
  8. Click Next, click Next, and then click Finish.
  9. In the Active Roles Security window, click OK.

When assigned the Full Control role for an MU, the delegated administrator is authorized to view the MU and manage all objects in it. In the Active Roles console, the MU appears under Managed Units in the console tree.

Test the delegated administrator’s rights

Using Managed Units > Test the delegated administrator’s rights

Delegated administrators can use the Active Roles console to perform administrative tasks within the MU. Take the following steps to verify the rights of the delegated administrator using the Active Roles console.

To verify delegation using the Active Roles console

  1. Start the Active Roles console and connect to the Administrative Server as the delegated administrator:
    1. Right-click the console tree root, and then click Connect.
    2. In the Connect to Administration Service dialog box, click Options.
    3. In the Connect as area, click The following user and specify the user logon name and password of the delegated administrator.
  2. In the console tree, expand Managed Units | Sales MU, and select an OU.
  3. Verify that you can administer objects in the OU: Right-click an object in the details pane and use commands on the shortcut menu.
  4. Verify that you can create new objects: In the console tree, under Sales MU, right-click an OU, point to New, and select the type of the object to create.

Delegated administrators can also use the Web Interface to perform administrative tasks. Take the following steps to verify the rights of the delegated administrator using the Active Roles Web Interface.

To verify delegation using the Web Interface

  1. Log on to your computer with the user name and password of the delegated administrator.
  2. Connect to the Web Interface for Administrators: Open your Web browser and navigate to http://localhost/ARWebAdmin.
  3. On the Web Interface Home page, click Directory Management.
  4. On the Views tab in the left pane of the Web Interface page, click Managed Units.
  5. In the list of Managed Units, click Sales to display a list of OUs held in the Sales Managed Unit.
  6. In the list of OUs, click the name of an OU to display a list of objects held in that OU.
  7. Verify that you can create new objects in the OU and administer the OU using commands in the right pane of the Web Interface page.
  8. Verify that you can administer objects held in the OU: Select the check box next to the name of an object in the list and then use commands in the upper part of the right pane.
Related Documents