Active Roles 8.2 - Administration Guide

Adding an AD LDS user to the directory

To enable the creation of users in AD LDS, the administrator should first import the optional definitions of user object classes that are provided with AD LDS. These definitions are provided in importable .ldf files (ms-User.ldf, ms-InetOrgPerson.ldf, ms-UserProxy.ldf), which can be found on the computer running the AD LDS instance. Alternatively, the software designers can extend the AD LDS schema with their custom definitions of AD LDS user object classes. Details on how to extend the AD LDS schema can be found in Microsoft’s documentation that comes with AD LDS.

To add an AD LDS user to the directory

  1. In the Console tree, under AD LDS (ADAM), right-click the container to which you want to add the user, and then select New > User to start the wizard that will help you perform the user creation task.

  2. Follow the instructions on the wizard pages to set values for user properties.

  3. If you want to set values for additional properties (those for which the wizard pages do not provide data entries), click Edit Attributes on the completion page of the wizard.

  4. After setting any additional properties for the new user, click Finish on the completion page of the wizard.

By default, an AD LDS user is enabled when the user is created. However, if you assign a new AD LDS user an inappropriate password or leave the password blank, the newly created AD LDS user account may be disabled. This is because an AD LDS instance running on Windows Server 2003 automatically enforces any local or domain password policies that exist: if you create a new AD LDS user and assign that user a password that does not meet the requirements of the password policy that is in effect, the newly created user account will be disabled. Before you can enable the user account, you must set a password for it that meets the password policy restrictions. The instructions on how to set the password for an AD LDS user and how to enable an AD LDS user are given later in this section.

Adding an AD LDS group to the directory

AD LDS provides default groups, which reside in the Roles container of each directory partition in AD LDS. You can create additional AD LDS groups as necessary. New groups can be created in any container.

To add an AD LDS group to the directory

  1. In the console tree, under AD LDS (ADAM), right-click the container to which you want to add the group, and then select New > Group to start the wizard that will help you perform the group creation task.

  2. Follow the instructions on the wizard pages to set values for group properties.

  3. If you want to set values for additional properties (those for which the wizard pages do not provide data entries), click Edit Attributes on the completion page of the wizard.

  4. After setting any additional properties for the new group, click Finish on the completion page of the wizard.

You can add both AD LDS users and Windows users to the AD LDS groups that you create. For instructions, see the sub-section that follows.

Adding or removing members from an AD LDS group

When adding members to an AD LDS group, you can add security principals that reside in AD LDS instances or in Active Directory domains. Examples of security principals are AD LDS users, and Active Directory domain users and groups.

To add or remove members to or from an AD LDS group

  1. In the Console tree, under AD LDS (ADAM), locate and select the container that holds the group.

  2. In the details pane, right-click the group, and click Properties.

  3. On the Members tab in the Properties dialog, click Add.

  4. Use the Select Objects dialog to locate and select the security principals that you want to add to the group. When finished, click OK.

  5. On the Members tab, select the group members that you want to remove from the group, and then click Remove.

  6. After making the changes that you want to the group, click OK to close the Properties dialog.

When using the Select Objects dialog to locate a security principal, you first need to specify the AD LDS directory partition or Active Directory domain in which the security principal resides: click Browse and select the appropriate partition or domain.

It is only possible to select security principals that reside in managed AD LDS instances or Active Directory domains; that is, you can select security principals from only the instances and domains that are registered with Active Roles.

Disabling or enabling an AD LDS user account

You can disable the account of an AD LDS user in order to prevent the user from logging on to the AD LDS instance with that account.

To disable or enable an AD LDS user account

  1. In the Console tree, under AD LDS (ADAM), locate and select the container that holds the user account.

  2. In the details pane, right-click the user account, and do one of the following to change the status of the account:

    • If the user account is enabled, click Disable Account.

    • If the user account is disabled, click Enable Account.

If the AD LDS user whose account you want to disable is currently logged on to the AD LDS instance, that user must log off for the new setting to take effect.

Normally, an AD LDS user is enabled when the user is created. However, if the password of a new AD LDS user does not meet the requirements of the password policy that is in effect, the newly created user account will be disabled. Before you can enable the user account, you must set a password for it that meets the password policy restrictions. For more information, see Setting or modifying the password of an AD LDS user.
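
To review which accounts ended up disabled, for example after a password was rejected by the policy at creation time, you can list them directly from the AD LDS instance. The following is an added example and not part of the Active Roles guide: it uses the Microsoft ActiveDirectory PowerShell module against the instance itself rather than going through Active Roles, and the host, port and partition DN are hypothetical values to replace with your own.

```powershell
# Added example: hypothetical endpoint and partition, replace with your own.
Import-Module ActiveDirectory

$Server    = 'localhost:50000'            # assumed AD LDS host:port
$Partition = 'CN=App,DC=example,DC=com'   # assumed directory partition

function Get-AdLdsDisabledUser {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$SearchBase
    )
    # AD LDS records account state in msDS-UserAccountDisabled,
    # not in userAccountControl as Active Directory domains do.
    $filter = '(&(objectClass=user)(msDS-UserAccountDisabled=TRUE))'
    $props  = 'msDS-UserAccountDisabled', 'pwdLastSet', 'whenCreated'

    Get-ADObject -Server $Server -SearchBase $SearchBase -LDAPFilter $filter -Properties $props |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                WhenCreated       = $_.whenCreated
                # pwdLastSet of 0 (or absent) means no password has been stored yet
                PasswordNeverSet  = (-not $_.pwdLastSet)
            }
        }
}

# Disabled accounts that never received a password are listed first.
Get-AdLdsDisabledUser -Server $Server -SearchBase $Partition |
    Sort-Object PasswordNeverSet, WhenCreated -Descending |
    Format-Table -AutoSize
```

Accounts reported with PasswordNeverSet set to True are the ones that need a policy-compliant password before they can be enabled; the remaining entries were disabled for some other reason, such as an administrator using Disable Account.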
