Active Roles 7.5 - Administration Guide

Examples of regular expressions

The following table includes some examples of regular expressions and matches.


Table 114: Examples of regular expressions



Does not match


Austin and Boston



Austin and Boston




Boston or Austin



South Boston or North Boston Harbor


Boston and Galveston



Seattle and Seaside and Oceanside

Seoul or Sidney



Dallas or Lockhart


Etoile and Wylie



Etoile and Wylie and Beeville



Etoile and Beeville



Addison and Caddo



Highland Village and Lake Dallas


Order of precedence

Once you have constructed a regular expression, it is evaluated much like an arithmetic expression. It is evaluated from left to right and follows an order of precedence.

The following table shows the order of precedence for the various regular expression operators, starting with the highest:

Table 115: Order of precedence





(), []

Parentheses and Brackets

*, +, ?, {n}, {n,}, {n,m}


^, $, \anymetacharacter

Anchors and Sequences
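
The grouping implied by the precedence table, as an added example (not from the Active Roles documentation or product code): a small Python parser, covering only the operators listed above, that shows which part of a pattern each quantifier applies to. It assumes conventional regular-expression semantics, and the `accepted` helper uses Python's `re` module rather than Active Roles' own matcher; all function names and sample strings are constructed for illustration.

```python
import re

# Quantifier tokens from the second row of the table: *, +, ?, {n}, {n,}, {n,m}
QUANT = re.compile(r"[*+?]|\{\d+(?:,\d*)?\}")

def parse(pattern):
    """Return nested tuples showing how a pattern groups under the precedence table."""
    tree, pos = _sequence(pattern, 0)
    if pos != len(pattern):
        raise ValueError(f"unmatched ')' at offset {pos}")
    return tree

def _sequence(p, i):
    # Lowest row of the table: anchors and sequences (items written side by side).
    items = []
    while i < len(p) and p[i] != ")":
        atom, i = _atom(p, i)
        m = QUANT.match(p, i)
        if m:  # a quantifier outranks sequencing: it wraps only the atom just before it
            atom, i = ("repeat", m.group(), atom), m.end()
        items.append(atom)
    return ("seq", *items), i

def _atom(p, i):
    c = p[i]
    if c == "(":  # highest row: a parenthesised group is resolved first, as one unit
        inner, i = _sequence(p, i + 1)
        if i >= len(p):
            raise ValueError("missing ')'")
        return ("group", inner), i + 1
    if c == "[":  # a bracket expression is also a single unit
        end = p.index("]", i + 2)  # raises ValueError if the bracket is never closed
        return ("class", p[i:end + 1]), end + 1
    if c == "\\" and i + 1 < len(p):
        return ("escaped", p[i + 1]), i + 2
    if c in "*+?\\":
        raise ValueError(f"nothing to repeat or escape at offset {i}")
    return (("anchor" if c in "^$" else "char"), c), i + 1

def accepted(pattern, candidates):
    """Constructed check: which candidate strings the whole pattern accepts."""
    return [s for s in candidates if re.fullmatch(pattern, s)]

# Constructed sample values (not from the product documentation).
SAMPLES = ["ab", "abb", "abab"]
```

Comparing `parse("ab+")` with `parse("(ab)+")`, and the strings each accepts from `SAMPLES`, shows why a validation pattern needs explicit parentheses when a quantifier is meant to cover more than one character.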



Appendix B: Administrative Template

The Active Roles Administrative Template allows you to control the behavior and appearance of the Active Roles console by using Group Policy (see Active Roles snap-in settings).

This Administrative Template also provides a number of policy settings allowing you to limit the list of Active Roles’ Administration Service instances for auto-connect (see Administration Service auto-connect settings later in this document).

Active Roles snap-in settings

With the Active Roles Snap-in policy settings you can:

  • Cause the console to hide some portions of the user interface.
  • Specify default settings for some user interface elements.
  • Specify settings to register extension snap-ins with the Active Roles console.

The Administrative Template provides the following policy settings to control the behavior and appearance of the Active Roles console:

Table 116: Policy settings to control the behavior and appearance of

Policy Setting


Hide Exchange management

Removes all user interface elements (commands, wizards, and dialog boxes) intended to manage Exchange recipients. If you enable this policy, users cannot perform any Exchange tasks or manage any Exchange recipient settings with the Active Roles console. If you disable this policy or do not configure it, users with appropriate permissions can use the Active Roles console to perform Exchange tasks and manage Exchange recipient settings.

Set default view mode

Specifies the view mode in which the Active Roles console starts. If you enable this policy, you can select the view mode from a list. When started, the Active Roles console switches to the view mode you selected. By default, users are allowed to change the view mode by using the Mode command on the View menu. If you want to enforce the view mode, select the User is not allowed to change view mode policy option. This option ensures that the console user cannot change the view mode you selected.

Hide Configuration node

Removes the Configuration node from the console tree when the Active Roles console is in Advanced view mode. If you enable this policy, in Advanced view mode, all objects and containers related to the Active Roles configuration are not displayed. The Managed Units node and its contents are displayed as well as all advanced Active Directory objects and containers.

Disable 'Remember password' option

Clears and disables the Remember password check box in the Connect to Administration Service dialog box. If you enable this policy, the Connect as: The following user option in the Active Roles console requires the user to enter the password every time that option is used, rather than encrypting and storing the password once it has been entered. Note that saving passwords may introduce a potential security risk.

Disable 'Connect as' options

Disables the Connect as options in the Connect to Administration Service dialog box, including the Remember password check box. If you enable this policy, the console users are only allowed to connect to the Administration Service under their logon accounts. With this policy, the Current user option is selected under Connect as, and cannot be changed.

Set controlled objects to be marked by default

Specifies whether to use a special icon for visual indication of the objects to which Access Templates or Policy Objects are applied (linked). If you enable this policy, you can choose the category of object to be marked with a special icon by default. Users can modify this setting using the Mark Controlled Objects command on the View menu.

In addition, the Administrative Template provides policies that allow you to register extension snap-ins with the Active Roles console. These policies are located in the folder named Extension Snap-ins. Each policy in that folder is used to register one of the following:

Table 117: Policies for registering extension snap-ins with the Active Roles console

Policy Setting


Namespace extensions

Allows you to register extension snap-ins to extend the namespace of the Active Roles console.

Context menu extensions

Allows you to register extension snap-ins to extend a context menu in the Active Roles console.

Toolbar extensions

Allows you to register extension snap-ins to extend the toolbar of the Active Roles console.

Property sheet extensions

Allows you to register extension snap-ins to extend property sheets in the Active Roles console.

Task pad extensions

Allows you to register extension snap-ins to extend a task pad in the Active Roles console.

View extensions

Allows you to register extension snap-ins to add user interface elements to an existing view or to create new views in the Active Roles console.

When configuring a policy from the Extension Snap-ins folder, you are prompted to specify the name and the value of the item to be added.

The name parameter determines the type of the node you want to extend. Each type is identified with a GUID. For example, if you want to extend user objects, the GUID is {D842D417-3A24-48e8-A97B-9A0C7B02FB17}. For information on other node types, refer to the Active Roles SDK.

The value parameter determines the extension snap-ins to be added. Each snap-in is identified with a GUID. You add multiple snap-ins by entering their GUIDs separated by semicolons. For example, value might look as follows:


The entry "Description" is optional and may contain any text describing the extension snap-in, enclosed in double quotation marks.
