
Active Roles 8.2 - Feature Guide


About E-Mail Alias Generation

E-mail Alias Generation policies automate the assignment of the email alias when designating a user as mailbox-enabled on Microsoft Exchange Server. By default, Microsoft Exchange Server provides the following recipient email address format: <email-alias>@<domain-name>.

You can use predefined rules to generate email aliases, or configure custom rules. For example, you can configure a policy to compose the email alias of the first initial followed by the last name of the user. Custom rules provide for the addition of an incremental numeric value to ensure uniqueness of the alias. You can also specify whether the alias can be modified by the operator who creates or updates the user account.

When making a user mailbox-enabled, Active Roles relies on this policy to assign a certain email alias to the user account. The policy generates the alias based on user properties, such as the pre-Windows 2000 user logon name, first name, initials, and last name. A custom rule can be configured to use other properties.

A custom rule can also be configured to add a so-called uniqueness number. A uniqueness number is a numeric value that the policy includes in the alias and increments in the event of an alias naming conflict. For example, the policy can automatically change the generated alias from John.Smith to John1.Smith if a mailbox with the alias John.Smith already exists. If the alias John1.Smith is also in use, the new alias will be changed to John2.Smith, and so on.

The policy configuration provides the option to allow or disallow manual edits of policy-generated aliases. Permission to modify a policy-generated alias can be restricted to the case where the alias is in use by another mailbox.

Some specific features of the policy behavior are as follows:

  • With a rule that does not use a uniqueness number, Active Roles simply attempts to assign the generated alias to the user account. The operation may fail if the generated alias is not unique, that is, the alias is already assigned to a different user account. If the policy allows manual edits of policy-generated aliases, the alias can be corrected by the operator who creates the user account.

  • With a custom rule that uses a uniqueness number, Active Roles adds a button at the client side, next to the Alias field on the user creation and modification forms.

    To generate an alias, the client user (operator) must click that button. The same applies if the generated alias is already in use: clicking Generate increases the uniqueness number by one, thereby allowing the alias to be made unique.

  • With a custom rule configured to include user properties that are normally not displayed on the user creation forms, an extra page is added to the New Object - User Wizard in the Active Roles Console, making it possible to specify the user properties required to generate the alias.

  • The policy defines a list of characters that are unacceptable in e-mail aliases. Space characters and the following characters are not accepted:

    @ * + | = \ ; : ? [ ] , < > /

  • The policy denies processing of operation requests that assign the empty value to the e-mail alias.

  • When checking user accounts for Active Roles policy compliance, Active Roles detects, and reports on, the aliases that are not set up as prescribed by the alias generation policy.

For more information on configuring this Policy Object, see Configuring an E-Mail Alias Generation policy in the Active Roles Administration Guide.
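The following Python sketch is an added example, not Active Roles code. It models the rules described above: the unacceptable-character list, denial of the empty value, and the uniqueness number in the John.Smith, John1.Smith, John2.Smith pattern. The function names and the case-insensitive comparison are assumptions made for the illustration.

```python
# Added model of the alias rules described above; not Active Roles code.
FORBIDDEN = set("@*+|=\\;:?[],<>/")  # the policy's list; whitespace is checked separately


class AliasError(ValueError):
    """Raised when an alias would be rejected by the modeled policy."""


def validate_alias(alias):
    """Deny the empty value and any alias with unacceptable characters."""
    if not alias:
        raise AliasError("empty alias is denied")
    bad = sorted({c for c in alias if c.isspace() or c in FORBIDDEN})
    if bad:
        raise AliasError(f"unacceptable characters in {alias!r}: {bad}")
    return alias


def generate_alias(first, last, in_use, uniqueness_number=True, max_tries=1000):
    """Build <first>[N].<last>; N is omitted for the first attempt."""
    # Assumption: aliases are compared case-insensitively.
    taken = {a.lower() for a in in_use}
    for n in range(max_tries):
        candidate = validate_alias(f"{first}{n or ''}.{last}")
        if candidate.lower() not in taken:
            return candidate
        if not uniqueness_number:
            # Rule without a uniqueness number: the operation simply fails.
            raise AliasError(f"alias {candidate!r} is already in use")
    raise AliasError("no unique alias found")


def audit_aliases(aliases):
    """Compliance-style report: alias -> reason, for aliases breaking the rules."""
    report = {}
    for alias in aliases:
        try:
            validate_alias(alias)
        except AliasError as exc:
            report[alias] = str(exc)
    return report


if __name__ == "__main__":
    existing = ["John.Smith", "John1.Smith"]  # constructed sample data
    print(generate_alias("John", "Smith", existing))
    print(audit_aliases(["John.Smith", "j smith", "ops@corp", ""]))
```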

About Exchange Mailbox AutoProvisioning

Exchange Mailbox AutoProvisioning policies automate the selection of a mailbox store or database when designating a user as mailbox-enabled, or creating a mailbox on Microsoft Exchange Server.

When configuring the policy, you can:

  • Specify Exchange Servers and mailbox stores or databases where mailbox creation is allowed.

  • Specify rules to distribute mailboxes among multiple stores.

For example, you can configure a policy to automatically choose a store that holds the least number of mailboxes.

When making a user mailbox-enabled or creating a mailbox, Active Roles relies on this policy to select the mailbox store or database. The policy defines a single store, or a set of stores, in which creation of mailboxes is allowed. Some specific features of the policy behavior are as follows:

  • If the policy specifies a single store, mailboxes are created in that store. A different store cannot be selected by the operator who creates or updates the user account.

  • If the policy specifies multiple stores, the store is selected either automatically (by Active Roles) or manually (by the operator who creates or updates the user account), depending on policy options.

In case of multiple stores, the policy provides these options to govern the selection of a store:

  • Manually: Allows the operator to select a store from the list defined by the policy.

  • By using the round-robin method: Redirects mailbox creation requests sequentially across the stores, selecting the first store for the first request, the second store for the second request and so on. After the last store is reached, the next request is passed to the first store in the sequence.

  • Containing the least number of mailboxes: Forwards mailbox creation requests to the store that holds the fewest mailboxes.

For more information on configuring this Policy Object, see Configuring an Exchange Mailbox AutoProvisioning policy in the Active Roles Administration Guide.
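The selection options above can be modeled as follows. This is an added Python example, not Active Roles code; the class name, the store names, and the tie-break (the first store in policy order wins) are assumptions.

```python
class MailboxStorePolicy:
    """Added model of the store-selection options described above."""

    MODES = ("manual", "round-robin", "least-mailboxes")

    def __init__(self, stores, mode="round-robin"):
        if not stores:
            raise ValueError("the policy must allow at least one store")
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.stores = list(stores)
        self.mode = mode
        self._requests = 0  # number of round-robin requests served so far

    def select(self, operator_choice=None, mailbox_counts=None):
        # Single store: mailboxes always go there; the operator cannot override.
        if len(self.stores) == 1:
            return self.stores[0]
        if self.mode == "manual":
            # The operator may pick only from the list defined by the policy.
            if operator_choice not in self.stores:
                raise PermissionError(f"{operator_choice!r} is not allowed by the policy")
            return operator_choice
        if self.mode == "round-robin":
            # Wraps back to the first store after the last one is reached.
            store = self.stores[self._requests % len(self.stores)]
            self._requests += 1
            return store
        # least-mailboxes: every allowed store must have a known count.
        # Assumption: ties go to the store listed first in the policy.
        if mailbox_counts is None:
            raise ValueError("mailbox_counts is required in least-mailboxes mode")
        return min(self.stores, key=lambda s: mailbox_counts[s])


if __name__ == "__main__":
    rr = MailboxStorePolicy(["DB1", "DB2", "DB3"])  # constructed store names
    print([rr.select() for _ in range(4)])
    least = MailboxStorePolicy(["DB1", "DB2", "DB3"], mode="least-mailboxes")
    print(least.select(mailbox_counts={"DB1": 120, "DB2": 45, "DB3": 45}))
```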

About Group Membership AutoProvisioning

Group Membership AutoProvisioning policies help you to automate adding or removing the specified objects (such as user objects) to or from the specified groups.

In case of cloud-only Azure objects, you can use the Group Membership Autoprovisioning policy to automatically assign (or unassign) Azure users and Azure guest users to (or from) the specified O365 group(s) in the same Azure tenant.

To set up a policy, select the type of objects you want to provision, select the affected group(s), and then configure the policy rules. Once set up, the policy adds (or removes) directory objects to (or from) the selected groups depending on whether the provisioned objects meet the specified rules.

To help you get started with configuring policy-based administration in your organization, Active Roles includes a set of built-in Policy Objects that offer provisioning and deprovisioning rules for the most typical administrative use cases. To find the built-in Policy Objects, navigate to the following node of the Active Roles Console:

Configuration > Policies > Administration > Builtin

NOTE: Active Roles does not automatically check for changes in directory objects, containers or groups specified for provisioning in the configured Policy Objects. This means that if any changes are made in any directory resources in use in a policy, you must update the impacted policies manually. For example, if a directory group used by a Group Membership AutoProvisioning Policy Group is deleted, the Policy Group must be updated manually to reflect the changes.

A Group Membership AutoProvisioning policy performs provisioning tasks such as adding or removing users from groups. A policy can be configured to define a list of groups and conditions so that a user account is automatically added to, or removed from, those groups depending on whether the properties of the user account meet the policy conditions.

Active Roles automatically checks users against conditions, and adds or removes users from specified groups based on the check results. Although the capabilities of this policy are similar to those provided by Dynamic Groups, a Group Membership AutoProvisioning policy gives the administrator extra flexibility and control over group memberships.

Whereas the Dynamic Groups feature delivers a rules-based mechanism for managing a group membership list as a whole, a Group Membership AutoProvisioning policy allows the administrator to define membership rules on a per-user basis. This policy automates the process of adding particular users to particular groups without affecting the other members of those groups.

For more information on configuring this Policy Object, see Configuring a Group Membership AutoProvisioning policy in the Active Roles Administration Guide.

About Home Folder AutoProvisioning

Home Folder AutoProvisioning policies automate the creation or renaming of user home folders and home shares when creating or renaming user accounts via Active Roles.

With this policy, you can:

  • Specify the server on which to create home folders and home shares.

  • Define how to set permissions for new home folders and shares.

  • Specify naming conventions for new home folders and home shares.

  • Limit the number of concurrent connections to home shares.

For example, using the Home Folder AutoProvisioning policy, you can define a corporate rule so that every time a user account is created with Active Roles, the system also creates a folder on a network file share and assigns it as the user’s home folder.

For more information on configuring this Policy Object, see Configuring a Home Folder AutoProvisioning policy in the Active Roles Administration Guide.

When running a Home Folder AutoProvisioning policy, Active Roles performs various actions depending on whether a user is created, copied, or renamed.

Creating home folders and shares for new user accounts

When Active Roles creates a user account (whether from scratch or by copying an existing account), the policy can cause Active Roles to create a home folder and, optionally, a home share for the account using the path specified in the policy. The name of the home share is composed of the user name, and the prefix and suffix specified in the policy.

The policy provides the option to enable creation of home folders with paths and names that differ from the path and name prescribed by the policy. For example, a Property Generation and Validation policy can be configured to generate the Home Drive and Home Directory properties on user accounts. When making changes to those properties, Active Roles verifies that the specified home folder exists, and creates the home folder if necessary.

A special policy is implemented in Active Roles that restricts the folders on the network file shares in which home folders can be created. The Policy Object containing that policy is located in the Configuration/Policies/Administration/Builtin container. The name of the Policy Object is Built-in Policy - Home Folder Location Restriction. You can access it by using the Active Roles Console. The policy settings include a list of the folders on the network file shares in which creation of home folders is allowed. For instructions on how to view or modify that list, see Configuring the Home Folder Location Restriction policy in the Active Roles Administration Guide.
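A location restriction of this kind comes down to an allowlist check on the requested Home Directory path. The Python sketch below is an added example, not Active Roles code; the server and share names are constructed, and it assumes that a home folder must sit strictly below an allowed folder. It normalizes the path first so that `..` segments, mixed case, and look-alike sibling folders do not pass the check.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample allowlist (hypothetical servers and shares).
ALLOWED_ROOTS = [r"\\fs01\home$\users", "//FS02/Profiles/Staff/"]


def _normalize(path):
    """Resolve '.', '..' and '/', then lower-case, as Windows would compare."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed_home_folder(requested, allowed_roots=ALLOWED_ROOTS):
    """True only if `requested` is a UNC path strictly below an allowed folder."""
    req = _normalize(requested)
    if not req.startswith("\\\\"):
        return False  # local or relative path, not a network file share
    for root in allowed_roots:
        prefix = _normalize(root).rstrip("\\") + "\\"
        # Comparing against root + separator stops "users-archive" from
        # matching the allowed folder "users".
        if req.startswith(prefix):
            return True
    return False


def audit_home_directories(users, allowed_roots=ALLOWED_ROOTS):
    """Return {account: homeDirectory} for values outside the allowed folders."""
    return {name: path for name, path in users.items()
            if not is_allowed_home_folder(path, allowed_roots)}


if __name__ == "__main__":
    sample = {  # constructed accounts and paths
        "jdoe": r"\\FS01\Home$\Users\jdoe",
        "svc": r"\\fs01\home$\users\..\admin\svc",
        "old": r"\\fs01\home$\users-archive\old",
        "tmp": r"C:\Temp\tmp",
    }
    print(audit_home_directories(sample))
```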

Renaming home folders for renamed user accounts

When Active Roles modifies the user logon name (pre-Windows 2000) of a user account, the policy can rename the home folder and, optionally, re-create the home share for that user account. The name of the new home share is set up in accordance with the naming convention specified in the policy.

The policy renames the existing home folder based on the new user logon name (pre-Windows 2000). However, if the home folder is in use, Active Roles cannot rename the folder. In this case, Active Roles creates a new home folder with the new name and does not affect the existing home folder.

Preventing disk operations on the file server

By default, Active Roles attempts to create or rename a (non-local) home folder on the file server when the Home Directory property is set or modified on a user account in Active Directory. If the creation or renaming of the home folder fails (for example, because the file server is inaccessible), then the creation or modification of the user account fails as well. To prevent such an error, a Home Folder AutoProvisioning policy can be configured so that Active Roles applies the changes to the Home Drive and Home Directory properties in Active Directory without attempting an operation on the file server. This policy option enables the use of a tool other than Active Roles for creating home folders on the file server.

Active Roles comes with a preconfigured Policy Object that allows the creation or renaming of home folders when setting home folder properties on user accounts in Active Directory. The Policy Object is located in the Configuration/Policies/Administration/Builtin container in the Active Roles Console tree. The name of the Policy Object is Built-in Policy - Default Rules to Provision Home Folders. If you want to prevent Active Roles from attempting to create or rename home folders, you can modify the policy in the built-in Policy Object or configure and apply another Home Folder AutoProvisioning policy with the respective option turned off.
