This scenario describes how to configure the following policy to monitor deprovisioning operations in all domains registered with Active Roles (managed domains):
To implement this scenario, you must perform the following actions:
As a result, upon completion of a deprovisioning operation in any managed domain, the administrator receives a report in the event of any error during that operation. The message subject includes the name of the object that has been deprovisioned.
The following two sections elaborate on the steps to implement this scenario.
You can use the instructions in the previous section to create the e-mail configuration (see Scenario: Sending deprovisioning notification). When prompted to specify a name for the new configuration, type Deprovisioning Report Distribution.
You can create, configure, and apply the Policy Object you need by using the New Deprovisioning Policy Object wizard. For information about the wizard, see Creating a Policy Object in the Policy Object management tasks section earlier in this document.
To configure the policy, click Report Distribution on the Select Policy Type page of the wizard. Then, click Next.
On the Report Recipients and Message page, click the button next to the Report recipients box to display the Deprovisioning Report Recipients dialog box. In that dialog box, type the administrator’s e-mail address, such as administrator@mydomain.com, and then click OK.
Then, customize the message subject as necessary. For example, you might enter the following subject: Deprovisioning of %<objectClass> ’%<name>’ Completed with Errors. Verify that the Send out the report only if any errors occur check box is selected and then click Next to display the Outgoing Mail Server page.
From the list in the Outgoing mail server (SMTP) box, select Deprovisioning Report Distribution—the e-mail configuration you have created in Step 1, and then click Next to display the Enforce Policy page.
On the Enforce Policy page, click the Add button and select the Active Directory folder to add to the list. Click Next, and then click Finish to close the wizard.
You can also use the Enforce Policy command on the Active Directory folder in the console tree to apply the policy to that folder. For more information on how to apply a Policy Object, see Applying Policy Objects and Managing policy scope earlier in this chapter.
Active Roles enforces policies by applying Policy Objects to promote data integrity throughout the directory. This is done by generating and validating the data entered into the directory. Each Policy Object is basically a container that holds one or more policy entries (also referred to as policies). There are several types of policy entries that can be configured within a Policy Object. The two major ones are Property Generation and Validation, and Script Execution. Property Generation and Validation policy entries provide a point-and-click interface for creating basic rules for attribute population. Script Execution policy entries enable the use of scripting for a broad range of custom actions that could supplement, extend, or replace the policy types included with Active Roles out of the box.
Just as with Group Policy Objects in Active Directory, the location that Active Roles’ Policy Objects are linked to is critical:
From here the best way to apply policies is at the top level of the directory tree they will affect. Usually however policies are only needed to affect certain Organizational Units within the tree. In this case, a Managed Unit is the most effective way to apply the policies. Include the desired Organizational Units explicitly into a Managed Unit, and then link the Policy Object to that Managed Unit.
A policy consists of three major components. These are:
Typically, a single Policy Object should include all the entries for a specific set of policies. It is not efficient to create one entry per Policy Object since this defeats the purpose of having separation between the Policy Object and policy entries.
A policy cannot be filtered for specific sets of administrators. Once applied to a given object or container, a policy will be in effect for every administrator under every condition. This is unless a Script Execution policy is included as a policy entry that utilizes the IEDSEffectivePolicyRequest interface to override the policies determined by other policy entries. This interface is documented in Active Roles SDK.
Script Execution polices are policy entries that utilize scripts written in a scripting language such as Microsoft Windows PowerShell or VBScript. Policy scripts use event handles that are executed before or after every action that can happen in the directory. See the following table for a list of these handlers:
Basically, when an action happens, Active Roles looks to see if there are any Policy Objects applied that hold Script Execution policies. If so, the policy script is checked to see if it has an event handler for the specific action being performed. The object being acted upon is passed into the event handler for further actions. These event handlers are normally run in the security context of the service account, so even if a user does not have rights to perform the actions outlined in the policy script, it will still execute correctly. If any errors occur during the execution of a policy script, the errors can be found in the Active Roles event log for post-action handlers and are displayed to the client for pre-action handlers.
Policy scripts are typically written in a scripting language such as Windows PowerShell or VBScript. Many examples of scripts based on Windows PowerShell and VBScript, along with instructions on how to use the Active Roles ADSI Provider both for policy scripts and for standalone scripts, can be found in Active Roles SDK.
It is also important to note that policy scripts can pick up and take action upon directory changes made natively as well. To turn on this behavior, you should choose the option that directs in the policy script to handle directory changes reported by the directory synchronization function (select the check box Handle changes from DirSync control on the Script Module tab in the Properties dialog box for the policy entry), and use the IEDSRequestParameters interface in a post-action event handler. More on this topic can be found in the Active Roles SDK documentation.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy