Active Roles 7.2 - Evaluator Guide

Use the Active Roles Web Interface

Create a user account and add it to groups

To create a user account and add it to groups

  1. Connect to the Web Interface for Administrators: Open your Web browser and navigate to http://localhost/ARWebAdmin.
  2. In the Search box on the header of the Web Interface page, type the name of the OU where you want to create the user, and then press Enter.
  3. In the list of search results, click the name of the OU.
  4. In the right pane of the Web Interface page, click New User.
  5. Type in the First Name, Last Name, and User logon name boxes. Click Next.
  6. Click the Generate button (beneath the Confirm password box) to generate a password. Click Finish (or Next, if Microsoft Exchange Server is deployed in your test domain).
  7. If Microsoft Exchange Server is deployed in your test domain, you can create a mailbox for the new user. To do this, select the Create an Exchange mailbox check box. Click Finish.
  8. Close the property page that appears.
  9. In the Search box on the header of the Web Interface page, type the name of the user account you have created.
  10. In the list of search results, select the check box next to the name of the user account.
  11. In the right pane of the Web page, click Member Of.
  12. On the Member Of page that appears, click the Add button.
  13. On the Select Object page that appears, choose the groups to which you want to add the user account:
    1. Specify search criteria and press Enter to build a list of groups.
    2. Choose the desired groups by selecting the check box next to the name of the group in the list.
    3. When finished, click OK.

    For example, you can type group names separated by a semicolon in the Search box at the top of the Select Object page, and then press Enter.

  14. To remove the user account from groups, on the Member Of page, select the check box next to the name of the group and then click the Remove button.

Find a user and reset the user’s password

To find a user account and then reset its password

  1. Connect to the Web Interface for Help Desk: Open your Web browser and navigate to http://localhost/ARWebHelpDesk.
  2. In the Search box on the header of the Web Interface page, type the name of the user you want to find, and then press Enter.
  3. In the list of search results, select the check box next to the name of the user account.
  4. In the right pane of the Web Interface page, click Reset Password.
  5. On the Reset Password page that appears, click the Generate button.

    The new password is displayed in the Password box.

  6. Click the Finish button to apply your changes.

Perform self-administration

Active Roles makes it possible to authorize users to administer their own accounts in Active Directory. Specifically, users may be permitted to modify personal information in their accounts. An administrator can use the Active Roles console to delegate this task.

To delegate self-administration

  1. In the console tree, select the domain or OU where you want to delegate the self-administration task.
  2. Right-click the selection and click Delegate Control.
  3. In the Active Roles Security dialog box, click Add.
  4. Follow the steps in the Delegation of Control Wizard.
  5. On the Users or Groups page, click Add, use the Select Objects dialog box to select the Self object, and then click Next.
  6. On the Access Templates page, expand User Self-management, and select the check box next to Self - Account Management. Click Next.
  7. Click Next two times, and then click Finish.
  8. In the Active Roles Security window, click OK.

Once you have delegated the self-administration task, you can check how users can perform self-administration in the Active Roles Web Interface.

To perform self-administration

  1. Log on to your server as any user defined in your test domain.
  2. Connect to the Web Interface for Self-Administration: Open your Web browser and navigate to http://localhost/ARWebSelfService.
  3. On the Web Interface Home page, click User Profile Editor.
  4. On the User Profile Editor page that appears, use the General, Address, Telephones, and Picture tabs to view or change your personal information.
  5. When finished, click the Save button.

Delegating administration

The examples in this section demonstrate how to delegate administration using Active Roles.

Assign the Help Desk role for an OU

When you assign the Help Desk role to a group for a given OU, you authorize the members of that group to reset user passwords, unlock user accounts, and view all properties of user accounts in that OU and its child OUs. The members of the group to which you have assigned an administrative role are referred to as delegated administrators.

To assign the Help Desk role for an OU

  1. In the Active Roles console, right-click the OU, and then click Delegate Control.
  2. In the Active Roles Security window, click Add.
  3. Follow the steps in the Delegation of Control wizard.
  4. On the Users or Groups page, click Add.
  5. Select the group to which you want to assign the Help Desk role and click OK.
  6. Click Next.
  7. On the Access Templates page, expand Active Directory, select the check box next to Users – Help Desk, and then click Next.
  8. Click Next, click Next, and then click Finish.
  9. In the Active Roles Security window, click OK.

To enable the delegated administrators to browse OUs in the domain, you must grant them the Read All Properties permission on the OU objects at the domain level.

To grant the Read All Properties permission

  1. Select the domain and use the Delegation of Control wizard as described in the previous procedure.
  2. On the Access Templates page, expand Active Directory, and select the check box next to OUs – Read All Properties.

Test the delegated administrator’s rights

The delegated administrator can use the Active Roles console to perform administrative tasks. Use the following steps to verify the rights of a delegated administrator using the Active Roles console (MMC Interface).

To verify delegation using the Active Roles console

  1. Open the Active Roles console and connect to the Administration Service as the delegated administrator:
    1. Right-click the console tree root, and then click Connect.
    2. In the Connect to Administration Service dialog box, click Options.
    3. In the Connect as area, click The following user and specify the user logon name and password of the delegated administrator.
  2. In the console tree, select the OU for which the delegated administrator is assigned the Help Desk role.
  3. Verify that you can reset passwords and unlock accounts: Right-click a user account in the details pane, and click Reset Password.
  4. Verify that you can view user properties: Right-click a user account in the details pane, and click Properties.

The delegated administrator can also use the Web Interface to perform administrative tasks. Take the following steps to verify the rights of a delegated administrator using the Active Roles Web Interface.

To verify delegation using the Web Interface

  1. Log on to your computer with the delegated administrator’s user name and password.
  2. Connect to the Web Interface for Help Desk: Open your Web browser and navigate to http://localhost/ARWebHelpDesk.
  3. In the Search box on the header of the Web Interface page, type the name of the OU for which the delegated administrator is assigned the Help Desk role, and then press Enter.
  4. In the list of search results, click the name of the OU to display a list of objects held in that OU.
  5. In the list of objects, select the check box next to the name of a user account.
  6. Verify that you can reset the user’s password and unlock the user account:
    1. In the right pane of the Web Interface page, click Reset Password.
    2. On the Reset Password page that appears, specify a new password, clear the Account is locked out check box if the check box is selected, and then click Finish.

    If the user account is not locked out, the Account is locked out check box is unavailable.
