Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory

Assigning Active Directory account policies to Active Directory user accounts and Active Directory groups

If several account policies are assigned to one user account, the effective account policy is determined by specific rules. If no special account policy applies, the domain settings apply. For the rules used to calculate the effective policy, refer to the Active Directory documentation on fine-grained password policies for Windows Server.
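The resolution rules that the paragraph above defers to the Active Directory documentation, written out as an added example (this is not One Identity Manager code). It applies the Windows Server fine-grained password policy (PSO) precedence rules: a PSO linked directly to the user beats any PSO linked to one of the user's groups (nested groups count), the lowest msDS-PasswordSettingsPrecedence wins among the candidates, ties go to the lowest objectGUID (compared here as a Python UUID, an assumption about byte order), and with no PSO at all the domain default applies. All DNs, GUIDs and memberships are constructed sample data.

```python
"""Resultant account policy (PSO) resolution for an Active Directory user.

Added example, not One Identity Manager code. Rules implemented:
  1. PSOs linked directly to the user win over PSOs linked to groups.
  2. Among candidates, the lowest msDS-PasswordSettingsPrecedence wins.
  3. On a tie, the lowest objectGUID wins (UUID comparison, an assumption).
  4. If no PSO applies, the domain default policy applies.
All DNs, GUIDs and memberships below are constructed sample data.
"""
from dataclasses import dataclass
import uuid


@dataclass(frozen=True)
class AccountPolicy:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence (lower wins)
    guid: uuid.UUID          # objectGUID, used only as the tie-breaker
    applies_to: frozenset    # DNs in msDS-PSOAppliesTo (users and/or groups)


def effective_groups(user_dn, group_members):
    """Transitive group membership of user_dn.
    group_members maps group DN -> set of member DNs (users or groups)."""
    groups, stack = set(), [user_dn]
    while stack:
        member = stack.pop()
        for group_dn, members in group_members.items():
            if member in members and group_dn not in groups:
                groups.add(group_dn)
                stack.append(group_dn)   # the group may itself be nested
    return groups


def rank(policy):
    """Sort key: lower precedence value first, then lower GUID."""
    return (policy.precedence, policy.guid)


def resultant_policy(user_dn, policies, group_members):
    """Return (scope, policy): scope is 'user', 'group' or 'domain';
    policy is None when the domain default applies."""
    direct = [p for p in policies if user_dn in p.applies_to]
    if direct:
        return "user", min(direct, key=rank)
    groups = effective_groups(user_dn, group_members)
    via_group = [p for p in policies if p.applies_to & groups]
    if via_group:
        return "group", min(via_group, key=rank)
    return "domain", None


# Constructed sample directory: Admins is nested in Staff.
BASE = "DC=example,DC=com"
ALICE = f"CN=alice,OU=Users,{BASE}"
BOB = f"CN=bob,OU=Users,{BASE}"
CAROL = f"CN=carol,OU=Users,{BASE}"
ADMINS = f"CN=Admins,OU=Groups,{BASE}"
STAFF = f"CN=Staff,OU=Groups,{BASE}"
GROUPS = {ADMINS: {ALICE}, STAFF: {BOB, ADMINS}}

POLICIES = [
    # Directly linked to alice: wins despite its worse precedence value.
    AccountPolicy("PSO-Alice", 100, uuid.UUID(int=1), frozenset({ALICE})),
    AccountPolicy("PSO-Admins", 10, uuid.UUID(int=2), frozenset({ADMINS})),
    # Two PSOs on Staff with equal precedence: the lower GUID wins.
    AccountPolicy("PSO-Staff-A", 20, uuid.UUID(int=9), frozenset({STAFF})),
    AccountPolicy("PSO-Staff-B", 20, uuid.UUID(int=5), frozenset({STAFF})),
]

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        scope, pso = resultant_policy(user, POLICIES, GROUPS)
        print(user, "->", scope, pso.name if pso else "domain default")
```

In a live domain the same answer comes from `Get-ADUserResultantPasswordPolicy` in the ActiveDirectory PowerShell module; the function above is useful for checking what One Identity Manager's assignments will produce before they are synchronized.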

To specify account policies for a user account

  1. Select the Active Directory | Account policies category.
  2. Select the account policy in the result list.
  3. Select the Assign user accounts task.
  4. In Add assignments pane, assign user accounts.

    TIP: In the Remove assignments pane, you can remove assigned user accounts.

    To remove an assignment

    • Select the user account and double-click it.
  5. Save the changes.

To specify account policies for a group

  1. Select the Active Directory | Account policies category.
  2. Select the account policy in the result list.
  3. Select the Assign groups task.
  4. In the Add assignments pane, assign groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click it.
  5. Save the changes.

How to edit a synchronization project

Synchronization projects in which a domain is already used as a base object can also be opened in the Manager. In this mode you can, for example, check the configuration or view the synchronization log. The Synchronization Editor is not started with its full functionality: certain functions, such as running a synchronization or a simulation and starting the target system browser, are not available.

NOTE: The Manager is locked for editing while the Synchronization Editor is open. To edit objects in the Manager, close the Synchronization Editor.

To open an existing synchronization project in the Synchronization Editor

  1. Select the Active Directory | Domains category.
  2. Select the domain in the result list. Select the Change master data task.
  3. Select the Edit synchronization project task.

Monitoring the number of memberships in Active Directory groups and Active Directory containers

Table 31: Effective configuration parameters
Configuration parameter | Meaning

TargetSystem | ADS | MemberShipRestriction | Container

This configuration parameter contains the number of Active Directory objects allowed per container before a warning email is sent.

TargetSystem | ADS | MemberShipRestriction | Group

This configuration parameter contains the number of Active Directory objects allowed per group before a warning email is sent.

TargetSystem | ADS | MemberShipRestriction | MailNotification

This configuration parameter contains the default email address to which warnings are sent.

The following tables are monitored to limit the number of members in groups and containers:

  • The ADSAccountInADSGroup and ADSAccount tables are monitored with respect to the number of user account memberships in a group and the number of user accounts in a container.
  • The ADSContactInADSGroup and ADSContact tables are monitored with respect to the number of contact memberships in a group and the number of contacts in a container.
  • The ADSGroupInADSGroup and ADSGroup tables are monitored with respect to the number of group memberships in a group and the number of groups in a container.
  • The ADSMachineInADSGroup and ADSMachine tables are monitored with respect to the number of computer memberships in a group and the number of computers in a container.

NOTE: The primary groups of Active Directory objects are not taken into account when membership per group is calculated.

Thresholds are set using configuration parameters. If the values in the parameters are exceeded, a warning message is sent to a defined mail address. The warning is only generated the first time the threshold is exceeded. This prevents warnings being sent to the given address each time the threshold is exceeded, which could otherwise happen during synchronization, for example.

Example of monitoring

The threshold value for the number of objects in a Members group is limited to ten members (TargetSystem | ADS | MemberShipRestriction | Group=10). The Members group currently contains ten user accounts. When an 11th user account is added, a warning is generated and sent by email to the given address. When further user accounts are added, however, no more warning emails are sent.
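The monitoring behaviour described above, as an added example (not One Identity Manager code): counts per group and per container are compared with the TargetSystem | ADS | MemberShipRestriction | Group and | Container thresholds, primary-group links are not counted, and a warning is produced only the first time a threshold is exceeded. Sending mail is replaced by collecting the warning text in an outbox; the "already warned" set is never reset, which is an assumption about the product. All DNs and the address are constructed sample data.

```python
"""Membership-threshold monitor for Active Directory groups and containers.

Added example, not One Identity Manager code. It models the behaviour
described in the text: Group/Container thresholds, primary groups ignored,
one warning per group or container (the warned set is never reset, an
assumption). Mail sending is replaced by an in-memory outbox.
All DNs and addresses are constructed sample data.
"""
from collections import defaultdict


class MembershipMonitor:
    def __init__(self, group_limit, container_limit, mail_to):
        # group_limit, container_limit and mail_to stand for the
        # ...|Group, ...|Container and ...|MailNotification parameters.
        self.group_limit = group_limit
        self.container_limit = container_limit
        self.mail_to = mail_to
        self.group_members = defaultdict(set)      # group DN -> member DNs
        self.container_objects = defaultdict(set)  # container DN -> object DNs
        self.warned = set()                        # (scope, dn) already reported
        self.outbox = []                           # warning mails "sent"

    def add_object(self, object_dn):
        """An object is created in a container (the parent part of its DN)."""
        container = object_dn.split(",", 1)[1]
        self.container_objects[container].add(object_dn)
        return self._check("container", container,
                           len(self.container_objects[container]),
                           self.container_limit)

    def add_membership(self, object_dn, group_dn, primary=False):
        """An object is added to a group; primary-group links are not counted."""
        if primary:
            return None
        self.group_members[group_dn].add(object_dn)
        return self._check("group", group_dn,
                           len(self.group_members[group_dn]), self.group_limit)

    def _check(self, scope, dn, count, limit):
        """Return the warning text on the first crossing only, else None."""
        if count <= limit or (scope, dn) in self.warned:
            return None
        self.warned.add((scope, dn))
        warning = (f"To: {self.mail_to}\n"
                   f"Warning: {scope} {dn} has {count} objects, "
                   f"threshold is {limit}")
        self.outbox.append(warning)
        return warning


def demo():
    """The scenario from the text: Group=10, the 11th member warns once."""
    monitor = MembershipMonitor(group_limit=10, container_limit=3,
                                mail_to="idm-alerts@example.com")
    group = "CN=Members,OU=Groups,DC=example,DC=com"
    results = []
    for i in range(1, 13):
        user = f"CN=user{i},OU=Users,DC=example,DC=com"
        results.append(monitor.add_membership(user, group))
    # A primary-group link never counts, however full the group already is.
    monitor.add_membership("CN=user13,OU=Users,DC=example,DC=com",
                           group, primary=True)
    return monitor, results


if __name__ == "__main__":
    monitor, results = demo()
    for i, r in enumerate(results, start=1):
        print(f"member {i}: {'warning sent' if r else 'no warning'}")
    print(len(monitor.outbox), "mail(s) in outbox")
```

`results[10]` (the 11th member) is the only non-None entry and `monitor.outbox` holds exactly one mail, matching the example above: members 12 and 13 add no further warnings.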

Active Directory user accounts

You manage Active Directory user accounts in One Identity Manager. A user account is a security principal in Active Directory, which means that it can log in to the domain. A user receives access to network resources through group memberships and access permissions.

The managed service accounts introduced in Windows Server 2008 R2 and the group managed service accounts introduced with Windows Server 2012 are not supported in One Identity Manager.
