Active Roles 7.3.1 - Synchronization Service Administrator Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported out of the box
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Sample queries to modify SQL Server data Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft Office 365 Working with Microsoft Azure Active Directory
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Deleting a password sync rule

Deleting a password sync rule

To delete a password sync rule

  1. In the Synchronization Service Administration Console, open the Password Sync tab.
  2. Locate the rule you want to delete, and then click Delete this rule below the rule.

Modifying settings of a password sync rule

Modifying settings of a password sync rule

You can modify the following settings of an existing password sync rule:

  • Specify how many times you want the Synchronization Service to retry the password synchronization operation in the case of a password synchronization failure.
  • Specify a PowerShell script to transform a source Active Directory user password into an object password in the target connected system.
  • Specify rules to modify the attributes of the target connected system objects on which Synchronization Service changes passwords.

To modify the settings of a password sync rule

  1. In the Synchronization Service Administration Console, open the Password Sync tab.
  2. Click the Password sync settings link below the password sync rule you want to modify.
  3. In the dialog box that opens, use the following tabs:
    • Password Sync Retry Options. Use this tab to specify how many times you want Synchronization Service to retry the password synchronization operation in the event of a password synchronization failure. You can select one of the following options:
    • Unlimited number of times. Causes Synchronization Service to retry the password synchronization operation until it succeeds.
      • This maximum number of times. Specify the maximum number of times you want Synchronization Service to retry the password synchronization operation.
      • Password Transformation Script. Use this tab to type a PowerShell script that transforms source Active Directory user passwords into object passwords for the target connected system. Use this tab if you want the object passwords in the source and target connected systems to be different. If you do not want to transform passwords, leave the text box blank.
    • Rules to Modify Object Attributes. Use this tab to specify rules for modifying attribute values on the target connected system objects. These rules will only apply to the objects on which Synchronization Service modifies passwords in the target connected system.
  4. When you are finished, click OK to save your changes.

Fine-tuning automated password synchronization

Fine-tuning automated password synchronization

This section provides information about the optional tasks related to configuring the automated password synchronization from an Active Directory domain to connected data systems.

In this section:

Configuring Capture Agent

Configuring Capture Agent

Capture Agent has a number of parameters you can modify. After you install the agent, each of these parameters is assigned a default value, as described in the following table:

 

Table 106: Capture Agent parameters

Parameter

Description

Default value

Maximum connection point validity for Capture Agent Service

Determines the period of time (in hours) during which a connection between Capture Agent and Synchronization Service remains valid.

24 hours

Interval between connection retries

Determines the time interval (in minutes) during which Capture Agent tries to reconnect to Synchronization Service.

10 minutes

Maximum duration of a connection attempt

Determines the period of time (in days) during which Capture Agent tries to connect to Synchronization Service to send the information about changed user passwords.

During this period Capture Agent stores the user passwords to be synchronized in an encrypted file.

7 days

Certificate to encrypt Capture Agent traffic

Specifies a certificate for encrypting the password sync data transferred between Capture Agent and Synchronization Service.

For more information, see Specifying a custom certificate for encrypting password sync traffic.

By default, a built-in certificate is used.

Connection Point 1

Define the Synchronization Service instances to which Capture Agent provides information about changed user passwords.

If none of these parameters is set, Capture Agent looks for available instances of the Synchronization Service in the following container:

CN=Active Roles Sync Service,CN=One Identity,CN=System,DC=<domain name>

Connection Point 2

Connection Point 3

Connection Point 4

Connection Point 5

Connection Point 6

Connection Point 7

You can modify the default values of these parameters by using Group Policy and the Administrative Template supplied with the Synchronization Service. The next steps assume that all the domain controllers where the Capture Agent is installed are held within organizational units.

Complete these steps to modify the default Capture Agent settings:

Related Documents