Chat now with support
Chat with Support

Active Roles 7.2 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning Home Folder AutoProvisioning Script Execution User Account Deprovisioning Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Configuring replication Using AlwaysOn Availability Groups Using database mirroring Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
Using regular expressions Administrative Template Communication ports

Configuring the Home Folder Location Restriction policy

When creating home folders, Active Roles operates in the security context of the service account under which the Administration Service is running, so the service account must have sufficient rights to create home folders. Normally, the service account has administrative rights on an entire file server, which enables Active Roles to create home folders in any folder on any network file share that exists on that server. The Home Folder Location Restriction is used to restrict to a certain list the network file shares and folders in which Active Roles is authorized to create home folders.

The Home Folder Location Restriction policy determines the folders on the network file shares in which Active Roles is allowed to create home folders, and prevents Active Roles from creating home folders in other locations. The restrictions imposed by this policy do not apply if the home folder creation operation is performed by an Active Roles Admin role holder (normally, these are the users that have membership in the Administrators local group on the computer running the Active Roles Administration Service). Thus, when an Active Roles Admin role holder creates a user account, and a certain policy is in effect to facilitate home folder provisioning, the home folder is created regardless of the Home Folder Location Restriction policy settings.

By default, no network file shares and folders are listed in the policy. This means that Active Roles cannot create a home folder unless the user management operation that involves creation of the home folder is performed by the Active Roles Admin role holder. In order to allow delegated administrators to create home folders, you have to configure the policy so that it lists the folders on the network file shares in which creation of home folders is allowed. You can do this by using the Active Roles console as follows.

To configure the Home Folder Location Restriction policy

  1. In the console tree, expand Configuration | Policies | Administration, and select Builtin under Administration.
  2. In the details pane, double-click Built-in Policy - Home Folder Location Restriction.
  3. On the Policies tab, double-click the list item under Policy Description.
  4. On the Allowed Locations tab, view or modify the list of folders on the network file shares where creation of home folders is allowed.

When adding a folder to the list, specify the UNC name of the folder. If you specify the name in the form \\<Server>\<Share>, home folders can be created in any folder on the network file share specified. If you specify the name in the form \\<Server>\<Share>\<PathtoFolder>, home folders can be created in any sub-folder of the folder.

Scenario: Creating and assigning home folders

In this scenario, you configure a policy to create home folders when creating user accounts. The policy assigns home folders to newly created accounts and grants the users change access to their home folders.

To implement this scenario, you must perform the following actions:

  1. Verify that the network file share on which you want the policy to create home folders is listed in the Home Folder Location Restriction policy.
  2. Create and configure a Policy Object that defines the appropriate policy.
  3. Apply the Policy Object to a domain, OU, or Managed Unit.

As a result, when creating a user account in the container you selected in Step 3, Active Roles creates the user home folder and assigns that folder to the user account.

The following sub-sections elaborate on the steps to implement this scenario.

Step 1: Verifying the Home Folder Location Restriction policy

Rule-based AutoProvisioning and Deprovisioning > Policy configuration tasks > Home Folder AutoProvisioning > Step 1: Verifying the Home Folder Location Restriction policy
Step 1: Verifying the Home Folder Location Restriction policy

The network file share to hold home folders must be listed in the Home Folder Location Restriction policy. Use the Configuring the Home Folder Location Restriction policy instructions to verify that the policy allows creation of home folders on the network file share.

Step 2: Creating and Configuring the Policy Object

Step 2: Creating and Configuring the Policy Object

You can create and configure the Policy Object you need by using the New Provisioning Policy Object wizard. For information about the wizard, see Creating a Policy Object in the Policy Object management tasks section earlier in this chapter.

To configure the policy, click Home Folder AutoProvisioning on the Policy to Configure page of the wizard. Then, click Next.

On the Home Folder Management page, set up the following options:

  • In the Connect box, select the drive letter to assign to the home folder (for example, Z:).
  • In the To box, type the path in the form \\server\share\%username% where \\server\share is a valid UNC path to a network file share. For example, if you have a network file share set up on the server comp, with the share name set to home, you might specify the following path: \\comp\home\%username%
  • Select the Apply this home folder setting when user account is created check box.

As a result, the Home Folder Management page should look as shown in the following figure.

Figure 61: Policy Object:Home folder management

Click Next and follow the steps in the wizard to create the Policy Object.

Related Documents