Chat now with support
Chat with Support

Active Roles 8.1.3 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring the Policy Object

You can configure the Policy Object you need by modifying the Policy Object that implements Scenario 1: Using mask to control phone number format.

Display the Properties dialog for that Policy Object and go to the Policies tab. Then, select the policy from the list, and click View/Edit to display the Property Generation and Validation Policy Properties dialog.

The Policy Rule tab in the Property Generation and Validation Policy Properties dialog looks similar to the Configure Policy Rule page in the wizard you used to configure the policy. You can use that tab to modify the policy rules.

First, modify the rule to remove the mask entry. On the Policy Rule tab, in the upper box, clear the ‘Telephone Number’ must be <value> check box.

Next, choose to configure a rule based on regular expressions. On the Policy Rule tab, in the upper box, select the ‘Telephone Number’ must match regular expression <value> check box. To access this check box, you need to scroll down the list of check boxes.

Finally, specify the regular expressions that define the policy in question. The regular expressions you need are as follows:

^\+([0-9]+ )+[0-9]+$

^\+([0-9]+ )+x[0-9]+$

The following table briefly describes the elements that are used in the two above syntax. For more information about regular expressions, see Using regular expressions.

Table 6: Regular expressions

This Element

Indicates

^

The beginning of the input string to validate.

\+

The escape sequence to represent the plus character (+).

([0-9]+ )+

Concatenation of one or more substrings, with each substring consisting of one or more digit characters followed by a space character.

[0-9]+

One or more digit characters.

x[0-9]+

A lowercase "x" followed by one or more digit characters.

$

The end of the input string to validate.

Thus, the policy must be configured to only allow the telephone numbers that match ^\+([0-9]+ )+[0-9]+$ (telephone numbers without extensions) or ^\+([0-9]+ )+x[0-9]+$ (telephone numbers that include extensions). Proceed with configuring the policy as follows:

  1. On the Policy Rule tab, in the lower box, click the link labeled <click to add value>.

  2. In the Add Value dialog, enter ^\+([0-9]+ )+[0-9]+$, and click OK.

  3. On the Policy Rule tab, in the lower box, click <click to add value>.

  4. In the Add Value dialog, enter ^\+([0-9]+ )+x[0-9]+$, and click OK.

  5. Click OK to close the Property Generation and Validation Policy Properties dialog.

Applying the Policy Object

You can apply the Policy Object without closing its Properties dialog. Go to the Scope tab and do the following:

  1. On the Scope tab, click the Scope button to display the Active Roles Policy Scope window for the Policy Object you are managing.

  2. Click Add and select the domain, OU, or Managed Unit where you want to apply the policy to.

    You can also use the Remove button to remove items where you want the policy to no longer be applied.

  3. Click OK to close the Active Roles Policy Scope window.

  4. Click OK to close the Properties dialog for the Policy Object.

For more information on how to apply a Policy Object, see Applying Policy Objects and Managing policy scope.

User Logon Name Generation

Policies in this category are intended to automate the assignment of the pre-Windows 2000 user logon name when creating or modifying a user account, with flexible options to ensure uniqueness of the policy-generated name.

The ability to generate a unique name is essential. If Active Roles attempts to assign a policy-generated name when there is an existing user account with the same pre-Windows 2000 user logon name, a naming conflict will occur. Active Directory does not support multiple accounts with the same pre-Windows 2000 user logon name. A policy can be configured to generate a series of names in order to prevent naming conflicts with existing accounts.

When configuring a policy of this category, you can define multiple rules so that the policy applies them successively, attempting to generate a unique name in the event of a naming conflict. You can also configure a rule to include an incremental numeric value to ensure uniqueness of the policy-generated name. You also have the option to allow policy-generated names to be modified by operators who create or update user accounts.

How the User Logon Name Generation policy works

When creating a user account, Active Roles relies on this policy to assign a certain pre-Windows 2000 user logon name to the user account. The policy generates the name based on properties of the user account being created. A policy may include one or more rules that construct the name value as a concatenation of entries that are similar to those you encounter when using a Property Generation and Validation policy.

A special entry—uniqueness number—is provided to help make the policy-generated name unique. A uniqueness number entry represents a numeric value the policy will increment in the event of a naming conflict. For example, a policy may provide the option to change the new name from JSmith to J1Smith if there is an existing user account with the pre-Windows 2000 user logon name set to JSmith. If the name J1Smith is also in use, the new name can be changed to J2Smith, and so on.

The policy configuration provides the option to allow or disallow manual edits of policy-generated names. Permission to modify a policy-generated name can be restricted to the case where the name is in use by another account.

Some specific features of the policy behavior are as follows:

  • With a single rule that does not use a uniqueness number, Active Roles simply attempts to assign the generated name to the user account. The operation may fail if the generated name is not unique, that is, the same pre-Windows 2000 user logon name is already assigned to a different user account. If the policy allows manual edits of policy-generated names, the name can be corrected by the operator who creates the user account.

  • With multiple rules or with a rule that uses a uniqueness number, Active Roles adds a button at the client side, next to the User logon name (pre-Windows 2000) field on the user creation and modification forms.

  • To generate a name, the client user (operator) must click that button, which is also the case where the generated name is in use. Clicking the Generate button applies a subsequent rule or increases the uniqueness number by one, thereby allowing the name to be made unique.

  • The policy defines a list of characters that are unacceptable in pre-Windows 2000 user logon names. The following characters are not allowed: " / \ [ ] : ; | = , + * ? < >

  • The policy causes Active Roles to deny processing of operation requests that assign the empty value to the pre-Windows 2000 user logon name.

  • When checking user accounts for policy compliance, Active Roles detects, and reports of, the pre-Windows 2000 user logon names that are set up not as prescribed by the user logon name generation policy.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating