Chat now with support
Chat with Support

We are currently experiencing a OneLogin Outage within the US region, please consult https://www.onelogin.com/status for further details.

Active Roles 8.1.3 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Set user as home folder owner

Upon creation or renaming of a home folder for a particular user account, this option ensures that the user account is set as the owner of the home folder.

An owner of a folder is authorized to make any changes to permission settings on the folder. For example, an owner can authorize other persons to access the folder.

Set user permissions on home folder

Upon creation or renaming of a home folder for a particular user account, this option ensures that the user account has the specified access rights on the home folder.

With the Grant Full Access setting, the user account is authorized to perform any operation on the folder and its contents except for making changes to permission settings. With the Grant Change Access setting, the user account is authorized to view and modify the contents of the folder.

When finished, click Next to display the Home Share Management page. This page lets you configure policy options for creating home shares.

Figure 50: Home share management

To have the policy create home shares, select the Create home share when home folder is created or renamed check box.

When you configure the policy to create home shares, you can specify the prefix and suffix for the home share names.

Specifying a prefix and suffix allows you to establish a naming convention for home shares. Suppose you want home shares to be displayed at the top of the list of shares. To do so, you can use an underscore as the prefix.

You may also assign a suffix to distinguish home shares created by the policy. For example, to distinguish the home shares of users from the Sales department, you could use the suffix _s. Then, when you create a user account with the pre-Windows 2000 logon name set to JohnB, the policy will map the user’s home folder to the selected drive and specify \\Server\_JohnB_s as the path to the home folder. The policy will also create the share _JohnB_s that points to the folder \\Server\Home\JohnB.

Optionally, in the Description box, you can type a comment about the home share. The users will see it when viewing share properties.

You can also limit the number of users that can connect to the share at one time. Click Maximum allowed or Allow this number of users. With the latter option, specify a number in the box next to the option.

Using the built-in policy for home folder provisioning

If you want to configure Active Roles so that setting or changing home folder related properties on any user account in any managed domain does not result in an attempt to create or rename a folder on a file server, then you can use the Active Roles Console to modify the built-in Policy Object:

  1. In the Console tree, select Configuration > Policies > Administration > Builtin.

  2. In the Details pane, double-click Built-in Policy - Default Rules to Provision Home Folders.

  3. On the Policies tab, select the policy from the list and then click View/Edit.

  4. On the Home Folder tab, clear the Create or rename home folder on file server as needed check box.

  5. Click OK to close the dialogs you opened.

If you have any other Policy Objects containing policies of the Home Folder AutoProvisioning category, then you need to configure them as appropriate: Select or clear the Create or rename home folder on file server as needed check box in each of those policies depending on whether or not Active Roles should attempt creation or renaming of home folders for user accounts that fall within the scope of the respective Policy Object.

Another scenario may require Active Roles to create or rename home folders for user accounts that are outside a certain scope (such as a certain domain, Organizational Unit, or Managed Unit), whereas creation or renaming of home folders should not be attempted on user accounts that fall within that particular scope. In this scenario, ensure that the Create or rename home folder on file server as needed option is selected in the built-in Policy Object. Then, create and configure a Policy Object containing a policy of the Home Folder AutoProvisioning category with the Create or rename home folder on file server as needed option cleared, and apply that Policy Object to the scope in question.

Configuring the Home Folder Location Restriction policy

When creating home folders, Active Roles operates in the security context of the service account under which the Administration Service is running, so the service account must have sufficient rights to create home folders. Normally, the service account has administrative rights on an entire file server, which enables Active Roles to create home folders in any folder on any network file share that exists on that server. The Home Folder Location Restriction is used to restrict to a certain list the network file shares and folders in which Active Roles is authorized to create home folders.

The Home Folder Location Restriction policy determines the folders on the network file shares in which Active Roles is allowed to create home folders, and prevents Active Roles from creating home folders in other locations. The restrictions imposed by this policy do not apply if the home folder creation operation is performed by an Active Roles Admin role holder (normally, these are the users that have membership in the Administrators local group on the computer running the Active Roles Administration Service). Thus, when an Active Roles Admin role holder creates a user account, and a certain policy is in effect to facilitate home folder provisioning, the home folder is created regardless of the Home Folder Location Restriction policy settings.

By default, no network file shares and folders are listed in the policy. This means that Active Roles cannot create a home folder unless the user management operation that involves creation of the home folder is performed by the Active Roles Admin role holder. In order to allow delegated administrators to create home folders, you have to configure the policy so that it lists the folders on the network file shares in which creation of home folders is allowed. You can do this by using the Active Roles Console as follows.

To configure the Home Folder Location Restriction policy

  1. In the Console tree, expand Configuration > Policies > Administration, and select Builtin under Administration.

  2. In the Details pane, double-click Built-in Policy - Home Folder Location Restriction.

  3. On the Policies tab, double-click the list item under Policy Description.

  4. On the Allowed Locations tab, view or modify the list of folders on the network file shares where creation of home folders is allowed.

    When adding a folder to the list, specify the UNC name of the folder. If you specify the name in the form \\<Server>\<Share>, home folders can be created in any folder on the network file share specified. If you specify the name in the form \\<Server>\<Share>\<PathtoFolder>, home folders can be created in any sub-folder of the folder.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating