Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory

Updating employees when Active Directory user accounts are modified

In One Identity Manager, modifications to employee properties are forwarded to the associated user accounts and subsequently provisioned in Active Directory. In certain circumstances, it may be necessary to forward user account modifications in Active Directory to employee properties in One Identity Manager.

Example

During testing, user accounts from Active Directory are only read into One Identity Manager and employees are created from them. User account administration (creating, modifying, and deleting) is to be done later through One Identity Manager. While testing is still in progress, user accounts continue to be modified in Active Directory, which can lead to drift between user account properties and employee properties. For this reason, user account modifications loaded during resynchronization should temporarily be forwarded to the employees that have already been created. This ensures that no data is lost when user account administration is switched over to One Identity Manager.

To update employees when user accounts are modified

  • In the Designer, set the TargetSystem | ADS | PersonUpdate configuration parameter.

Modifications to user accounts are loaded into One Identity Manager during synchronization. These modifications are forwarded to the associated employees through subsequent scripting and processing.

NOTE: When making changes to user accounts, the employees are only updated for user accounts with the Unmanaged manage level and that are linked to an employee.

NOTE: Only the employee created by the modified user account is updated. The data source from which the employee was created is shown in the Import data source property. If other user accounts are assigned to the employee, changes to these user accounts do not cause the employee to be updated.

User account properties are mapped to employee properties using the VI_PersonUpdate_ADSAccount script. Contact properties are mapped to employee properties using the ADS_PersonUpdate_ADSContact script. To adjust the mapping more easily, the scripts can be overwritten.

To customize the mapping, create a copy of the respective script and start the script code as follows:

Public Overrides Function ADS_PersonUpdate_ADSAccount(ByVal UID_Account As String, OldAccountDN As String, ProcID As String)

This redefines the script and overwrites the original. The process does not have to be changed in this case.
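The following Python model is added here as an illustration and is not code from One Identity Manager or from this guide. It applies the conditions stated in the notes above (the PersonUpdate configuration parameter is set, the account has the Unmanaged manage level, the account is linked to an employee, and that employee was created from this very account) to constructed sample data, so you can see which employees are updated and which are left alone. Representing the Import data source property as the UID of the creating user account, and the two-field property mapping, are assumptions that stand in for the PersonUpdate script.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Employee:
    uid: str
    import_data_source: str    # assumption: UID of the user account the employee was created from
    last_name: str
    department: str

@dataclass
class ADSAccount:
    uid: str
    uid_person: Optional[str]  # linked employee, or None if the account is not linked
    manage_level: str          # "Unmanaged" or "Full managed"
    sn: str                    # Active Directory surname attribute
    department: str

def employee_may_be_updated(acc: ADSAccount, emp: Optional[Employee], person_update: bool) -> bool:
    """Gates from the notes above: parameter set, Unmanaged, linked, and created by this account."""
    if not person_update or emp is None or acc.uid_person != emp.uid:
        return False
    if acc.manage_level != "Unmanaged":
        return False
    # Only the employee that this very account created is updated (Import data source).
    return emp.import_data_source == acc.uid

def forward_account_changes(accounts: List[ADSAccount], employees: Dict[str, Employee],
                            person_update: bool = True) -> List[str]:
    """Model of the step after synchronization; returns UIDs of the employees that were updated."""
    updated = []
    for acc in accounts:
        emp = employees.get(acc.uid_person) if acc.uid_person else None
        if employee_may_be_updated(acc, emp, person_update):
            # Stand-in for the property mapping that the PersonUpdate script performs.
            emp.last_name, emp.department = acc.sn, acc.department
            updated.append(emp.uid)
    return updated

def demo() -> Dict[str, Employee]:
    # Constructed sample data: employee E1 was created from account A1; A2 is a second linked account.
    employees = {"E1": Employee("E1", "A1", "Smith", "Sales")}
    accounts = [
        ADSAccount("A1", "E1", "Unmanaged", "Smith-Jones", "Marketing"),  # creator: forwarded
        ADSAccount("A2", "E1", "Unmanaged", "Other", "Finance"),          # not the creator: ignored
        ADSAccount("A3", None, "Unmanaged", "Nobody", "IT"),              # not linked: ignored
    ]
    forward_account_changes(accounts, employees)
    return employees
```

Running demo() shows only the changes from A1 reaching E1; the second linked account A2 does not overwrite the employee, which is the behavior the second note describes.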

Automatic creation of departments and locations based on user account information

You can create new departments and locations in One Identity Manager based on the department and location data of user accounts. Furthermore, these departments and locations are assigned to the employees of the user accounts as primary department and primary location. Through these assignments, the employees can obtain their company resources if One Identity Manager is configured accordingly.

Prerequisites for using this method

Employees must be created automatically when user accounts are added or modified. At least one of the following configuration parameters must be activated and the corresponding method implemented.

Table 48: Configuration parameters for automatic employee assignment

  TargetSystem | ADS | PersonAutoDefault
    Effect when set: Automatic employee assignment for user accounts added to the database outside synchronization, based on the given mode.

  TargetSystem | ADS | PersonAutoFullsync
    Effect when set: Automatic employee assignment for user accounts created or updated in the database as a result of synchronization, based on the given mode.

  TargetSystem | ADS | PersonUpdate
    Effect when set: Ongoing update of employee objects from linked user accounts.

To implement this method

  • In the Designer, set the TargetSystem | ADS | AutoCreateDepartment configuration parameter to generate departments from the user account information.
  • In the Designer, set the TargetSystem | ADS | AutoCreateLocality configuration parameter to generate locations from the user account information.

Disabling Active Directory user accounts

The way you disable user accounts depends on how they are managed.

Scenario:
  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled according to the account definition settings. For user accounts with other manage levels, configure the required behavior using the template in the ADSAccount.AccountDisabled column.

Scenario:
  • The user accounts are linked to employees. No account definition is applied.

User accounts that are not managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter:

  • If the configuration parameter is set, the employee’s user accounts are disabled when the employee is permanently or temporarily disabled.

  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To disable the user account when the configuration parameter is disabled

  1. In the Manager, select the Active Directory | User accounts category.

  2. Select the user account in the result list.

  3. Select the Change master data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.

Scenario:
  • User accounts not linked to employees.

To disable a user account that is no longer linked to an employee

  1. In the Manager, select the Active Directory | User accounts category.

  2. Select the user account in the result list.

  3. Select the Change master data task.

  4. On the General tab, set the Account is disabled option.

  5. Save the changes.

For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Deleting and restoring Active Directory user accounts

Objects in Active Directory, such as user accounts, are issued with a unique identification number that is also linked to entitlements. For domains with a functional level below Windows Server 2008 R2, when user accounts are deleted in Active Directory, the ID and the associated authorizations are irreversibly lost. This makes it difficult to restore user accounts. For domains with the functional level Windows Server 2008 R2 and above, user accounts can be deleted using the recycle bin. This moves the user accounts to the recycle bin, from where they can be restored within a defined period without loss of IDs or entitlements.

When you configure the synchronization project you define whether, when adding an Active Directory object, the system should first check if the object is in the Active Directory recycling bin and can be restored.

One Identity Manager uses various methods for deleting user accounts.

Deleting without an Active Directory recycle bin

This method can be applied to all domains that:

  • Have a functional level below Windows Server 2008 R2 and therefore no recycling bin is available.

    - OR-

  • Have a functional level from Windows Server 2008 R2 and above but the recycling bin is not activated.

After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and finally deleted from the One Identity Manager database and the Active Directory depending on the deferred deletion setting.

Deleting with the Active Directory recycle bin

This method is used for domains from the functional level Windows Server 2008 R2, in which the recycling bin is activated.

After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and is finally deleted from the One Identity Manager database once the deferred deletion time has expired. In Active Directory, the user account is moved into the recycling bin and is finally deleted from Active Directory once the deferred deletion time has expired. The retention time for objects in the recycling bin is entered in the domain in the Retention period property.

NOTE: When you delete a user account, an Active Directory SID entry is created in One Identity Manager.

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the assignment of an account definition is removed, the user account that was created from this account definition is deleted.

To delete a user account

  1. Select the Active Directory | User accounts category.
  2. Select the user account in the result list.
  3. Delete the user account.
  4. Confirm the security prompt with Yes.

To restore a user account

  1. Select the Active Directory | User accounts category.
  2. Select the user account in the result list.
  3. Click Undo delete in the result list toolbar.

When a user account is deleted, the configuration parameters that define how user directories are handled are taken into account.

  • Check the configuration parameters and modify them as necessary to suit your requirements.

    Table 49: Configuration parameters for deleting user accounts

    QER | Person | User | DeleteOptions
      Effect when set: This configuration parameter controls the behavior when users are deleted.

    QER | Person | User | DeleteOptions | FolderAnonymPre
      Effect when set: If the delete options specify that a directory or a share should not be deleted, it is renamed and the given prefix is applied.

    QER | Person | User | DeleteOptions | HomeDir
      Effect when set: Deletes the user home directory.

    QER | Person | User | DeleteOptions | HomeShare
      Effect when set: Deletes the user home share.

    QER | Person | User | DeleteOptions | ProfileDir
      Effect when set: Deletes the user profile directory.

    QER | Person | User | DeleteOptions | ProfileShare
      Effect when set: Deletes the user profile share.

    QER | Person | User | DeleteOptions | TerminalHomeDir
      Effect when set: Deletes the user terminal home directory.

    QER | Person | User | DeleteOptions | TerminalHomeShare
      Effect when set: Deletes the user terminal home share.

    QER | Person | User | DeleteOptions | TerminalProfileDir
      Effect when set: Deletes the user terminal profile directory.

    QER | Person | User | DeleteOptions | TerminalProfileShare
      Effect when set: Deletes the user terminal profile share.

Configuring deferred deletion

By default, user accounts are finally deleted from the database after 30 days. Until then, the user accounts are disabled, and you can re-enable them until deferred deletion is run. After deferred deletion has run, the user accounts are deleted from the database and can no longer be restored. In the Designer, you can set an alternative delay on the ADSAccount table.
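The following Python model is added as an illustration and is not taken from One Identity Manager. It walks through the lifecycle described in this section: deleting marks and disables the account, Undo delete is possible only until deferred deletion has run (30 days by default), and what happens in Active Directory afterwards depends on the domain functional level and whether the recycle bin is activated, which in turn decides whether the ID can still be recovered within the retention period. The LEVELS list, the 180-day sample retention value and the state fields are assumptions made for this model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LEVELS = ["2003", "2008", "2008 R2", "2012", "2012 R2", "2016"]  # AD domain functional levels (assumption)
DEFAULT_DEFERRED_DAYS = 30  # default deferred deletion on the ADSAccount table

@dataclass
class Domain:
    functional_level: str
    recycle_bin_enabled: bool
    retention_days: int = 180  # "Retention period" property; 180 is a constructed sample value

@dataclass
class AccountState:
    disabled: bool = False
    marked_on: Optional[date] = None   # date the account was marked for deletion
    in_db: bool = True                 # still present in the One Identity Manager database
    in_ad: str = "active"              # "active" | "recycle_bin" | "gone"
    final_on: Optional[date] = None    # date deferred deletion removed it from the database

def uses_recycle_bin(domain: Domain) -> bool:
    """Recycle-bin deletion needs functional level 2008 R2 or above AND the feature activated."""
    return LEVELS.index(domain.functional_level) >= LEVELS.index("2008 R2") and domain.recycle_bin_enabled

def delete_account(state: AccountState, today: date) -> None:
    """After the security prompt: mark the account for deletion and lock (disable) it."""
    state.marked_on, state.disabled = today, True

def undo_delete(state: AccountState) -> bool:
    """Undo delete works only while deferred deletion has not run yet."""
    if state.marked_on is None or not state.in_db or state.final_on is not None:
        return False
    state.marked_on, state.disabled = None, False
    return True

def run_deferred_deletion(state: AccountState, domain: Domain, today: date, delay_days: int = DEFAULT_DEFERRED_DAYS) -> bool:
    """Final deletion once the delay has expired; the AD outcome depends on the recycle bin."""
    if state.marked_on is None or today < state.marked_on + timedelta(days=delay_days):
        return False
    state.in_db, state.final_on = False, today
    state.in_ad = "recycle_bin" if uses_recycle_bin(domain) else "gone"
    return True

def restorable_in_ad(state: AccountState, domain: Domain, today: date) -> bool:
    """Without a recycle bin the ID is lost; with one, restore is possible within the retention period."""
    if state.in_ad != "recycle_bin":
        return False
    return today <= state.final_on + timedelta(days=domain.retention_days)
```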
