
Active Roles 8.2 - Installation Guide


Support for remote Exchange Management Shell

When performing Exchange recipient management tasks on Exchange Server, Active Roles uses remote Exchange Management Shell to communicate with Exchange Server, so you do not need to install the Exchange management tools on the computer running the Administration Service.

Prerequisites

To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:

Remote Shell also requires the following:

  • TCP port 80 must be open between the computer running the Administration Service and the remote Exchange server.

  • The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.

  • Windows PowerShell script initialization must be enabled on the computer running the Administration Service. To enable script initialization for signed scripts, run the Set-ExecutionPolicy RemoteSigned command in an elevated Windows PowerShell window.
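The three requirements above can be checked and applied from a single PowerShell session. The following is an added example and is not part of the Active Roles documentation; the host names EXCH01.example.com and the account EXAMPLE\svc-activeroles are placeholders, and the end-to-end check at the end assumes the standard Exchange remote PowerShell endpoint (/PowerShell/ over HTTP with Kerberos), which is what remote Exchange Management Shell uses.

```powershell
# Added example, not from the Active Roles documentation.
# Placeholders: EXCH01.example.com (Exchange server),
# EXAMPLE\svc-activeroles (service or override account).

# --- 1. On the computer running the Administration Service --------------

# Remote Exchange Management Shell runs over WinRM on HTTP, so confirm that
# TCP 80 to the Exchange server is reachable before anything else.
$probe = Test-NetConnection -ComputerName 'EXCH01.example.com' -Port 80
if (-not $probe.TcpTestSucceeded) {
    throw 'TCP 80 to EXCH01.example.com is blocked; remote Shell cannot connect.'
}

# Allow signed scripts to run (execute from an elevated window).
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -List     # LocalMachine should now read RemoteSigned

# --- 2. In an Exchange Management Shell session on the Exchange side ----

# Enable the account the Administration Service connects as for remote Shell.
Set-User -Identity 'EXAMPLE\svc-activeroles' -RemotePowerShellEnabled $true

# Verify: RemotePowerShellEnabled must show True.
Get-User -Identity 'EXAMPLE\svc-activeroles' |
    Select-Object Name, RemotePowerShellEnabled

# --- 3. Back on the Administration Service host: end-to-end check -------

# Open a remote Exchange session as the service account, run a read-only
# cmdlet, and tear the session down again. If this works, the port, the
# execution policy and the account flag are all in place.
$cred = Get-Credential -UserName 'EXAMPLE\svc-activeroles' -Message 'Service account'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://EXCH01.example.com/PowerShell/' `
    -Authentication Kerberos -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock {
        Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
    }
}
finally {
    Remove-PSSession -Session $session
}
```

Step 3 is the useful one operationally: a failure there with a clear WinRM or access-denied error tells you which of the three prerequisites is still missing, whereas the Administration Service itself only reports that Exchange management failed.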

Access to managed AD LDS instances

Active Roles access to Active Directory Lightweight Directory Services (AD LDS) instances is limited by the access rights of the service account, or the override account, if specified. For all managed AD LDS instances with no override account specified, you should configure the service account to have permissions you want Active Roles to have in those instances. If you use an override account when registering an AD LDS instance with Active Roles, ensure that the override account (rather than the service account) has these permissions for that instance.

To control access to directory data, AD LDS provides four default, role-based groups: Administrators, Instances, Readers, and Users. These groups reside in the configuration partition and in each application partition, but not in the schema partition. To register an AD LDS instance with Active Roles, the service account or, if specified, the override account must, at a minimum, be a member of the following groups:

  • Instances (CN=Instances,CN=Roles) in the configuration partition.

  • Readers (CN=Readers,CN=Roles) in the configuration partition and in each application partition.

To allow Active Roles full access to the AD LDS instance, add the account to the following group:

  • Administrators (CN=Administrators,CN=Roles) in the configuration partition.

NOTE: If you add the account to the Administrators group, you do not need to add it to the Instances or Readers group.
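Because the role groups exist separately in the configuration partition and in every application partition, it is easy to grant Readers in one partition and forget another. The following is an added example, not part of the Active Roles documentation, that audits the account's membership in the Roles groups of every partition of an AD LDS instance. It assumes the RSAT ActiveDirectory module, an instance at the placeholder address ldshost.example.com:50000, and that AD LDS records Windows accounts in group membership as foreign security principals named by their SID.

```powershell
# Added example, not from the Active Roles documentation.
# Placeholders: ldshost.example.com:50000 (AD LDS instance),
# EXAMPLE\svc-activeroles (service or override account).
param(
    [string]$LdsServer = 'ldshost.example.com:50000',
    [string]$Account   = 'EXAMPLE\svc-activeroles'
)

Import-Module ActiveDirectory

# AD LDS stores Windows principals as foreign security principals named by
# SID (assumption stated in the lead-in), so resolve the SID once and match on it.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$rootDse  = Get-ADRootDSE -Server $LdsServer
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Every naming context except the schema partition carries a CN=Roles container.
$results = foreach ($nc in ($rootDse.namingContexts | Where-Object { $_ -ne $schemaNc })) {
    $groups = Get-ADObject -Server $LdsServer -SearchBase "CN=Roles,$nc" `
                -SearchScope OneLevel -Filter 'objectClass -eq "group"' `
                -Properties member
    foreach ($g in $groups) {
        [pscustomobject]@{
            Partition = $nc
            Group     = $g.Name
            IsMember  = [bool]($g.member | Where-Object { $_ -match [regex]::Escape($sid) })
        }
    }
}

$results | Format-Table Partition, Group, IsMember -AutoSize

# Evaluate against the requirements: Administrators in the configuration
# partition is sufficient on its own; otherwise Instances in the configuration
# partition plus Readers in the configuration and every application partition.
$isConfigAdmin = [bool]($results | Where-Object {
    $_.Partition -eq $configNc -and $_.Group -eq 'Administrators' -and $_.IsMember })
$isInstances   = [bool]($results | Where-Object {
    $_.Partition -eq $configNc -and $_.Group -eq 'Instances' -and $_.IsMember })
$readersMissing = @($results | Where-Object { $_.Group -eq 'Readers' -and -not $_.IsMember })

if ($isConfigAdmin) {
    "Full access: $Account is in Administrators of the configuration partition."
}
elseif ($isInstances -and $readersMissing.Count -eq 0) {
    "Minimum met: Instances in configuration plus Readers in every partition."
}
else {
    Write-Warning "$Account does not meet the minimum membership for registration."
    $readersMissing | ForEach-Object { Write-Warning "Missing Readers in $($_.Partition)" }
}
```

Run it before registering the instance and again after any application partition is added to the instance, since a new partition comes with its own empty Readers group.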

Access to file servers

To enable Active Roles to perform the provisioning and deprovisioning tasks related to user home folders and home shares, the service account (or the override account, if specified) must belong to the Server Operators or Administrators group on each file server that hosts the user home folders to be administered by Active Roles.

Active Roles provides the following policy categories to automate the management of user home folders and home shares:

  • Home Folder AutoProvisioning: Performs the provisioning actions needed to assign home folders and home shares to user accounts, including the creation of home folders for newly created user accounts and renaming home folders upon renaming of user accounts. Specifies the server on which to create home folders and shares, and configures access rights to the newly created home folders and shares.
  • Home Folder Deprovisioning: Makes the changes needed to prevent deprovisioned users from accessing their home folders, including the removal of the user’s permissions on the home folder, changing the ownership of the home folder, and deleting the home folder when the user account is deleted.

The service account or override account must be configured so that it has sufficient rights to perform the operations provided for by those policies: create, modify (including the ability to change permission settings and ownership), and delete folders and shares on the designated file servers.

You can give the required permissions to the service account or override account by adding that account to the appropriate administrative group (Administrators or Server Operators) on each file server on which you plan to have Active Roles manage user home folders.
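With many file servers it helps to confirm the membership centrally rather than server by server. The following is an added example, not part of the Active Roles documentation, that checks the local Administrators group on each file server; the server names and the account are placeholders, and it assumes WinRM access to the servers and PowerShell 5.1 or later on them (for Get-LocalGroupMember).

```powershell
# Added example, not from the Active Roles documentation.
# Placeholders: file server names and EXAMPLE\svc-activeroles.
$account     = 'EXAMPLE\svc-activeroles'
$fileServers = 'FS01.example.com', 'FS02.example.com'

Invoke-Command -ComputerName $fileServers -ArgumentList $account -ScriptBlock {
    param($acct)
    # Direct members of the local Administrators group. Membership that comes
    # through a nested domain group is not expanded here, so a False result
    # means "not a direct member", not necessarily "no rights".
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        IsDirectAdmin = [bool]($admins | Where-Object { $_.Name -eq $acct })
    }
} | Sort-Object Server | Format-Table Server, IsDirectAdmin -AutoSize
```

If the home folders are hosted on a domain controller, there is no local Administrators group to query; check membership in the domain's Server Operators or Administrators group with Get-ADGroupMember instead. The script verifies group membership only; it does not confirm that the share and NTFS permissions on the home folder root allow the folder creation, permission changes and deletions the policies perform.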

Access to BitLocker recovery information

Viewing BitLocker recovery passwords in Active Roles requires domain administrator rights for the account that the Active Roles Administration Service uses to access the domain. Ensure that the service account or, if specified, the override account is a member of the Domain Admins group in each managed domain where you want to use Active Roles for viewing BitLocker recovery passwords.

With the domain administrator rights given to the Active Roles Administration Service, Active Roles allows delegated administrators to locate and view BitLocker recovery passwords held in the Active Directory domain. To view BitLocker recovery passwords, the delegated administrator must be granted the appropriate permissions in Active Roles. The Computer Objects - View BitLocker Recovery Keys Access Template provides sufficient permissions to view BitLocker recovery passwords.

In addition, viewing BitLocker recovery passwords in a given domain requires the following:

  • The domain must be configured to store BitLocker recovery information. For more information, see Backing Up BitLocker and TPM Recovery Information to AD DS in the Microsoft BitLocker Drive Encryption documentation.

  • The computers protected by BitLocker must be joined to the domain.

  • BitLocker Drive Encryption must be enabled on the computers.

The BitLocker recovery information is displayed on the BitLocker Recovery tab in the Properties dialog of the computer object, in the Active Roles Console. It is also possible to perform domain-wide searches for BitLocker recovery passwords.
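The two server-side prerequisites that are easiest to get wrong are the Domain Admins membership and whether the domain is actually receiving recovery information from clients. The following is an added example, not part of the Active Roles documentation, that checks both for one domain without reading any recovery password; the domain name and account are placeholders, and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the Active Roles documentation.
# Placeholders: example.com (managed domain), svc-activeroles (sAMAccountName
# of the service or override account).
Import-Module ActiveDirectory

$domain  = 'example.com'
$account = 'svc-activeroles'

# 1. Domain Admins membership, resolved recursively so that membership
#    through a nested group counts.
$inDomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
    Where-Object { $_.SamAccountName -eq $account }
[pscustomobject]@{
    Domain      = $domain
    Account     = $account
    DomainAdmin = [bool]$inDomainAdmins
}

# 2. Is recovery information being stored? Recovery objects are
#    msFVE-RecoveryInformation children of computer objects. Only the DN is
#    fetched here; the recovery password attribute is never requested.
$recoveryObjects = Get-ADObject -Server $domain `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)'

# The parent of each recovery object is the computer it belongs to. The
# recovery object's CN contains no commas, so splitting on the first comma
# yields the computer DN.
$perComputer = $recoveryObjects |
    ForEach-Object { ($_.DistinguishedName -split ',', 2)[1] } |
    Group-Object | Sort-Object Count -Descending

"Recovery objects in ${domain}: $($recoveryObjects.Count) across $($perComputer.Count) computers"
$perComputer |
    Select-Object @{ n = 'Computer'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

A count of zero with BitLocker in use means the backup-to-AD DS policy is not in effect or the computers were encrypted before the policy applied, and Active Roles will have nothing to display regardless of the rights it holds. The per-computer count is also a useful sanity check: a machine with several recovery objects has been re-encrypted or re-keyed, which is normal, but the most recent object is the one that matters.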
