
Active Roles 8.1.1 - Administration Guide


Report section: Undo Group Object Deprovisioning

Table 48: Undo Group Object Deprovisioning

| Report Item (Success) | Report Item (Failure) |
|---|---|
| The group is changed back to the Security group type. | Failed to change the group back to the Security group type. |
| The group is restored in the Global Address List (GAL). | Failed to restore the group in the Global Address List (GAL). |
| The group name is restored. Old name: <name>; Restored name: <name> | Failed to restore the group name. Current name: <name>; Failed to set this name: <name> |
| The membership list of the group is restored. Details: list of the members added to the group | Failed to restore the membership list of the group. Details: list of the members added to the group; list of the members that are not added to the group due to an error |
| Group properties are restored. List: <Group properties, new property values> | Failed to restore group properties. List: <Group properties, error description> |

Report section: Undo Group Object Relocation

Table 49: Undo Group Object Relocation

| Report Item (Success) | Report Item (Failure) |
|---|---|
| No changes to undo. | N/A |
| The group is moved to its original location. Former location: <name of container>; Restored original location: <name of container> | Failed to move the group to its original location. Current location: <name of container>; Failed to move to this location: <name of container> |

Report section: Undo Group Object Permanent Deletion

Table 50: Undo Group Object Permanent Deletion

| Report Item (Success) | Report Item (Failure) |
|---|---|
| No changes to undo. | N/A |
| Scheduled deletion of the group is canceled. | Failed to cancel scheduled deletion of the group. The group is going to be deleted on this date: <date> |

Container Deletion Prevention policy

A bulk deletion may occur in a situation where an administrator selects and deletes a container object, such as an Organizational Unit, that has subordinate objects. Although bulk deletions are rare, they are disruptive events that you can guard against by using a new policy: Container Deletion Prevention.

One of the most common bulk deletions is a container deletion, which occurs when Active Roles is used to delete a container object that holds other (subordinate) objects. By default, a container deletion has the following characteristics:

  • First, Active Roles builds a list of all the objects found in the container (subordinate objects), and then starts deleting the listed objects one by one.

  • Then, for every object in the list, Active Roles performs an access check to determine if the user or process that requested the deletion has sufficient rights to delete the object. If the access check allows the deletion, then the object is deleted; otherwise, Active Roles does not delete the object, and proceeds to deletion of a subsequent object in the list.

  • Finally, once all the subordinate objects are deleted, Active Roles deletes the container itself. If any of the subordinate objects are not deleted, the container is not deleted either.

As a result of this behavior, an administrator who has full control over an Organizational Unit in Active Roles can accidentally delete the entire Organizational Unit, with all its contents, in a single operation. To prevent this, Active Roles provides a policy that denies deletion of non-empty containers.

The Container Deletion Prevention policy defines a configurable list of object type names as specified by the Active Directory schema (for example, the Organizational Unit object type). When an Active Roles client requests the deletion of a particular container, the Administration Service evaluates the request to determine whether the type of the container is in the list defined by the policy. If the container type is in the list and the container holds any objects, the Administration Service denies the request, preventing the deletion of the container. In this case, the client prompts you to delete all objects held in the container before attempting to delete the container itself.
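The following Python model is an added illustration, not Active Roles code or its API: it simulates the default container deletion sequence described above (subordinates one by one after an access check, container last) next to the policy check, on a constructed toy directory. The class and function names are assumptions.

```python
from dataclasses import dataclass, field
# Constructed toy directory model; not Active Roles' own data model or API.
@dataclass
class DirObject:
    name: str
    object_type: str  # schema class name, e.g. "organizationalUnit"
    children: list = field(default_factory=list)

class ContainerDeletionPrevention:
    # The policy as the guide describes it: a list of container types to protect.
    def __init__(self, protected_types):
        self.protected_types = set(protected_types)
    def denies(self, container):
        # Deny only when the type is listed AND the container holds objects.
        return container.object_type in self.protected_types and bool(container.children)

def delete_container(obj, can_delete, policy=None, report=None):
    """Subordinates first (each after its own access check), container last and
    only if all of them went; with a policy, a protected non-empty container is refused."""
    if report is None:
        report = []
    if policy is not None and policy.denies(obj):
        report.append(f"denied {obj.name}: non-empty {obj.object_type} is protected")
        return False, report
    all_deleted = True
    for child in list(obj.children):      # iterate a copy: we remove while looping
        if child.children:                # nested container: same rules apply
            ok, _ = delete_container(child, can_delete, policy, report)
        elif can_delete(child):
            report.append(f"deleted {child.name}")
            ok = True
        else:
            report.append(f"skipped {child.name}: access check failed")
            ok = False
        if ok:
            obj.children.remove(child)
        else:
            all_deleted = False
    if all_deleted:
        report.append(f"deleted {obj.name}")
        return True, report
    report.append(f"kept {obj.name}: not all subordinates were deleted")
    return False, report

def sample_ou():
    # Constructed sample: an OU holding two users and a nested OU.
    return DirObject("OU=Sales", "organizationalUnit", [
        DirObject("CN=Alice", "user"), DirObject("CN=Bob", "user"),
        DirObject("OU=Interns", "organizationalUnit", [DirObject("CN=Carol", "user")])])
```

Running `delete_container(sample_ou(), lambda o: True)` with no policy removes the whole OU in one request, while the same call with `ContainerDeletionPrevention(["organizationalUnit"])` is refused before any subordinate is touched.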

To configure a Container Deletion Prevention policy

  1. In the Console tree, select Configuration > Policies > Administration > Builtin.

  2. In the details pane, double-click Built-in Policy - Container Deletion Prevention.

  3. On the Policies tab, select the policy from the list and then click View/Edit.

  4. On the Types of Containers tab, click Add and use the Select Object Type dialog to select the type (or types) of container you want to protect, and then click OK.

    For example, you can select the Organizational Unit object type to prevent deletion of non-empty Organizational Units.

  5. Click OK to close the dialogs you opened.

The built-in Policy Object you have configured using the above instructions prevents deletion of non-empty containers in any managed domain.

You may want Active Roles to allow deletion of non-empty containers outside a certain scope (such as a particular domain, Organizational Unit, or Managed Unit) while still prohibiting it for the non-empty containers that fall within that scope. In this scenario, create and configure a copy of the built-in Policy Object and apply that copy to the scope in question. Then block the effect of the built-in Policy Object by selecting the Disable all policies included in this Policy Object check box on the Policies tab of the Policy Object's properties dialog.

If you only need to allow deletion of non-empty containers within a certain scope, then you can simply block the effect of the built-in Policy Object on the object representing the scope in question. Thus, if you want to allow deletion of Organizational Units that fall within a certain Managed Unit, you can use the Enforce Policy command on that Managed Unit to display the dialog for managing policy settings and then select the Blocked check box next to the name of the built-in Policy Object.
