The delegation model based on the Active Roles Access Templates is fully applicable to the administrative tasks specific to deleted objects. A new Access Template called All Objects - View or Restore Deleted Objects makes it easy to delegate the following operations to selected users:
When applied to the Deleted Objects container, the Access Template gives the delegated users the right to view and restore any deleted object. With the Access Template applied to an Organizational Unit (OU) or a Managed Unit (MU), the delegated users are given the right to view and restore only those deleted objects that were located in that OU or MU at the time of deletion.
To delegate the operation of restoring deleted objects
Although it is possible to delegate the operation of restoring deleted objects in any managed domain, Organizational Unit or Managed Unit, a deleted object cannot be restored by using Active Roles unless the object belongs to a managed domain that has Active Directory Recycle Bin enabled. For instructions on how to enable Recycle Bin, see “Active Directory Recycle Bin Step-by-Step Guide” in Microsoft’s documentation for Windows Server 2008 R2.
In addition to the delegation of administrative tasks, Active Roles provides the ability to establish policy-based control over the process of restoring deleted objects. Policy rules can be used to perform additional verifications or custom script-based actions upon the restoration of deleted objects. Workflow rules can be applied so as to require approval for the restore operation or notify of the restore operation completion via e-mail.
The policy or workflow rules to control the process of restoring or otherwise managing deleted objects can be defined on:
For example, an administrator could create a workflow to require approval for the restoration of any user account that was deleted from a certain Organizational Unit (OU). The workflow definition would contain an appropriate approval rule, and have that OU specified as the target container in the workflow start conditions.
Policy rules are defined by configuring and applying Policy Objects.
To apply a Policy Object to the Deleted Objects container
For more information and instructions on configuring and applying Policy Objects, see Applying Policy Objects earlier in this document.
Workflow rules are defined by configuring workflow definitions and specifying the appropriate workflow start conditions.
To apply a workflow to the Deleted Objects container
To select a workflow, expand Configuration | Policies | Workflow, and then click the workflow definition object under Workflow in the console tree.
This displays the Workflow Options and Start Conditions page.
This will cause the workflow to start upon a request to restore a deleted object of the type specified.
You could select a container other than Deleted Objects. If you do so, the workflow starts only upon the restoration of an object that was deleted from the container you have selected.
For more information about workflows, see the Workflows chapter earlier in this document.
Active Roles provides the ability to manage directory data in Microsoft Active Directory Lightweight Directory Services (AD LDS), an independent mode of Active Directory formerly known as Active Directory Application Mode (ADAM).
A running copy of the AD LDS directory service is referred to as a service instance (or, simply, instance). To use Active Roles for managing data hosted by the AD LDS directory service, you first need to register the instance that holds the data to manage.
Once an instance has been registered, the Active Roles client interfaces—Console, Web Interface and ADSI Provider—can be used to access, view and modify directory data in the application and configuration partitions found on the instance. The instances registered with Active Roles are referred to as managed AD LDS instances.
To register an AD LDS instance with Active Roles
In Server, type the fully qualified DNS name (for example, server.company.com) of the computer on which the instance is running. In LDAP port, type the number of the Lightweight Directory Access Protocol (LDAP) communication port in use by the instance (the default communication port for LDAP is 389). You can also click Select to locate and select the AD LDS instance you want to register.
If you want each Administration Service to connect to the instance in the security context of its own service account, click The service account information the Administration Service uses to log on. With this option, different Administration Services may have different levels of access to the instance (the service account of one Service may have administrative rights on the instance while the service account of another Service may not). As a result, switching from one Administration Service to another may cause Active Roles to lose access to the instance.
If you want each Administration Service to connect to the instance using the same user account, click The Windows user account information specified below and type in the user name, password, and domain name. In this way, you specify a so-called override account, thereby causing the access rights of Active Roles on the instance to be determined by the access rights of that user account (rather than by those of the service account of the Administration Service).
The override account you specify in Step 5 must, at a minimum, be a member of the following groups in the AD LDS instance:
If you choose not to specify an override account, you should add the service account to these groups.
To allow Active Roles full access to the AD LDS instance, add the service account or, if specified, the override account to the following group:
If you add the account to the Administrators group, you don’t need to add it to the Instances or Readers group.
Use the AD LDS ADSI Edit console to add the account to the appropriate groups prior to registering the instance with Active Roles.
After an AD LDS instance is registered, you can view or change its registration settings by using the Properties command on the object representing that instance in the Managed AD LDS Instances (ADAM) container. Thus, you can make changes to the choices that were made in Step 5 of the above procedure.
If you no longer want to manage an AD LDS instance with Active Roles, you can unregister the instance by using the Delete command on the object representing that instance in the Managed AD LDS Instances (ADAM) container. Unregistering an instance only removes the registration information from Active Roles, without making any changes to the directory data within that instance.