Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Setting up Active Directory synchronization Basic data for managing an Active Directory environment
Account definitions for Active Directory user accounts Password policies for Active Directory user accounts Initial password for new Active Directory user accounts Email notifications about login data User account names Target system managers Editing a server
Active Directory domains Active Directory user accounts
Linking user accounts to employees Supported user account types Entering master data for Active Directory user accounts Additional tasks for managing Active Directory user accounts Automatic assignment of employees to Active Directory user accounts Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Disabling Active Directory user accounts Deleting and restoring Active Directory user accounts
Active Directory contacts Active Directory groups
Entering master data for Active Directory groups Validity of group memberships Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers Additional tasks for managing Active Directory groups Deleting Active Directory groups Default solutions for requesting Active Directory groups and group memberships
Active Directory security IDs Active Directory container structures Active Directory computers Active Directory printers Active Directory locations Reports about Active Directory objects Configuration parameters for managing an Active Directory environment Default project template for Active Directory

Home and profile directory access permissions

Table 20: Configuration parameters for setting up user directories
Configuration parameter Meaning
QER | Person | User | AccessRights This configuration parameter allows configuration of access permissions to user directories.

NOTE: To assign permissions to directories and files, it is sometimes necessary to define user account names such as Administrators, Everyone, or Domain Users in specific languages. The default language for the user accounts names is English.

To grant access permissions to a home directory

  • In the Designer, set the QER | Person | User | AccessRights | HomeDir configuration parameter and its configuration subparameters, and enter the access permissions in the configuration parameters.

    Granting access permissions to the home directory is done by through One Identity Manager Service.

Table 21: Configuration parameters for home directory access permissions
Configuration parameter Effect when set

QER | Person | User | AccessRights | HomeDir

Configuration of access permissions of the user’s home directory. To set the permissions, the configuration parameter and subparameters must be set.

QER | Person | User | AccessRights | HomeDir | EveryOne

Everyone has permissions to access a user’s home directory. Default: -r-w-x

QER | Person | User | AccessRights | HomeDir | User

Defines the user’s home directory permissions. Default: +r+w-x

To grant access permission for the profile directory

  • In the Designer, set the QER | Person | User | AccessRights | ProfileDir configuration parameter and its configuration subparameters, and enter the access permissions in the configuration parameters.

    Granting access permissions to the profile directory is done by through One Identity Manager Service.

Table 22: Configuration parameters for profile directory access permissions
Configuration parameter Effect when set

QER | Person | User | AccessRights | ProfileDir

Configuration of access permissions for a user’s profile. To set the permissions, the configuration parameter and subparameters must be set.

QER | Person | User | AccessRights | ProfileDir | EveryOne

Everyone has permission to access a user’s profile directory. Default: -r-w-x

QER | Person | User | AccessRights | ProfileDir | User

Defines the user’s profile directory permissions. Default: +r+w-x

To grant access permissions to the home directory on a terminal server

  • In the Designer, set the QER | Person | User | AccessRights | TerminalHomeDir and its configuration subparameters, and enter the access permissions in the configuration parameters.

    Granting access permissions to the home directory is done by through One Identity Manager Service.

Table 23: Configuration parameters for access permissions to the home directory on a terminal server
Configuration parameter Effect when set

QER | Person | User | AccessRights | TerminalHomeDir

Configuration of access permissions for an Active Directory user account’s terminal server home directory. To set the permissions, the configuration parameter and subparameters need to be set.

QER | Person | User | AccessRights | TerminalHomeDir | EveryOne

Everyone has permission to access a user’s terminal server home directory. Default: -r-w-x

QER | Person | User | AccessRights | TerminalHomeDir | User

Defines the user’s terminal server home directory permissions. Default: +r+w-x

To grant access permissions to the profile directory on a terminal server

  • In the Designer, set the QER | Person | User | AccessRights | TerminalProfileDir configuration parameter and its configuration subparameters, and enter the access permissions in the configuration parameters.

    Granting access permissions to the profile directory is done by through One Identity Manager Service.

Table 24: Configuration parameters for access permissions to the profile directory on a terminal server
Configuration parameter Effect when set

QER | Person | User | AccessRights | TerminalProfileDir

Configuration of access permissions for an Active Directory user account’s terminal server profile directory. To set permissions, the configuration parameter and subparameters need to be set.

QER | Person | User | AccessRights | TerminalProfileDir | EveryOne

Everyone has permissions to access a user’s terminal server profile directory. Default: -r-w-x

QER | Person | User | AccessRights | TerminalProfileDir | User

Terminal server profile directory permissions. Default: +r+w-x

Related topics

Active Directory domains

NOTE: The Synchronization Editor sets up the domains in the One Identity Manager database.

To edit master data for an Active Directory domain

  1. Select the Active Directory | Domains category.
  2. Select the domain in the result list.
  3. Select the Change master data task.
  4. Edit the domain's master data.
  5. Save the changes.

General master data for Active Directory domains

Enter the following data on the General tab.

Table 25: Domain master data

Property

Description

Domain

NetBIOS domain name. This corresponds to the pre-Windows 2000 domain names. The domain name cannot be changed later.

Parent domain

Parent domain for mapping a hierarchical domain structure. The full name and the defined name are automatically updated through templates.

Domain subtype

Active Directory functional level. There are several features available in Active Directory at functional level. Refer to the documentation for the appropriate Windows to find out which functional levels are supported by the domain controller's Windows Server operating system to be implemented. Following functional levels are supported in One Identity Manager:

  • Windows Server 2000 (Win2000)
  • Windows Server 2003 native (Win2003 native)
  • Windows Server 2003 mixed (Win2003 mixed)
  • Windows Server 2008 (Win2008)
  • Windows Server 2008 R2 (Win2008 R2)
  • Windows Server 2012 (Win2012)
  • Windows Server 2012 R2 (Win2012 R2)
  • Windows Server 2016 (Win2016)

Display name

The display name is used to display the domain in the user interface. This is preset with the domain NetBIOS name; however, the display name can be changed.

Account definition (initial)

Initial account definition for creating user accounts. This account definition is used if automatic assignment of employees to user accounts is used for this domain and if user accounts are to be created that are already managed (Linked configured). The account definition's default manage level is applied.

User accounts are only linked to the employee (Linked state) if no account definition is given. This is the case on initial synchronization, for example.

Contact definition (initial)

Initial account definition for creating contacts. These account definitions are used if automatic assignment of employees to contacts is used for this domain, resulting in administered user accounts (Linked configured state). The account definition's default manage level is applied.

Contacts are only linked to the employee (Linked state) if no account definition is given. This is the case on initial synchronization, for example.

Target system managers

Application role in which target system managers are specified for the domain. Target system managers only edit the objects from domains that are assigned to them. Therefore, each domain can have a different target system manager assigned to it.

Select the One Identity Manager application role whose members are responsible for administration of this domain. Use the button to add a new application role.

Synchronized by

Type of synchronization through which the data is synchronized between the domain and One Identity Manager. You can no longer change the synchronization type once objects for these domains are present in One Identity Manager.

If you create a domain with the Synchronization Editor, One Identity Manager is used.

Table 26: Permitted values
Value Synchronization by Provisioned by

One Identity Manager

Active Directory connector

Active Directory connector

No synchronization

none

none

NOTE: If you select No synchronization, you can define custom processes to exchange data between One Identity Manager and the target system.

Description

Text field for additional explanation.

Related topics

Global account policies for an Active Directory domain

When you set up a user account, globally defined account policies and data are applicable for issuing passwords. You can enter these setting against the domain. Account policies apply when user accounts are newly added.

Enter the following master data on the Account policies tab.

Table 27: Account policies for domains
Property Description

Minimum password length

Minimum length of the password. Use this option to specify that a password has to be complex.

Minimum password lifetime

Minimum age of the password. Enter the length of time a password has to be used before the user is allowed to change it.

Max. password age

Maximum age of the password. Enter the length of time a password can be used before it expires.

Max. errors

Maximum number of errors. Set the number of invalid passwords. If the user has reached this number the user account is blocked.

Password history

  • Enter the number of passwords to be saved. For example, if you enter the value 5, the last 5 passwords for the user are saved.

    • Block duration [min]

    Block duration in minutes. Enter the time period the account should be locked for before it is automatically reset.

    Reset account [min]

    Duration in minutes of account reset. Enter the time period that can elapse between two invalid attempts to enter a password before a user account is locked.

    For domains from the functional level Windows Server 2008 R2 and above, it is possible to define multiple policies. You can also define password policies in One Identity Manager that you can apply to the user account passwords.

    NOTE: One Identity Manager password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.
    Related topics
    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating