
Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory


Assigning extended properties to Active Directory contacts

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas, that cannot be mapped directly in One Identity Manager.

To assign extended properties for a contact

  1. Select the Active Directory | Contacts category.
  2. Select the contact in the result list.
  3. Select the Assign extended properties task.
  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .
  5. Save the changes.

For detailed information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

Deleting and restoring Active Directory contacts

One Identity Manager uses various methods to delete contacts. For more information, see Deleting and restoring Active Directory user accounts.

NOTE: As long as an account definition for an employee is valid, the employee retains the contact that was created by it. If the account definition assignment is removed, the contact created through this account definition is deleted.

To delete a contact

  1. Select the Active Directory | Contacts category.
  2. Select the contact in the result list.
  3. Delete the contact.
  4. Confirm the security prompt with Yes.

To restore a contact

  1. Select the Active Directory | Contacts category.
  2. Select the contact in the result list.
  3. Click Undo delete in the result list toolbar.

Configuring deferred deletion

By default, Active Directory contacts are permanently deleted from the database after 30 days. During this period, you have the option to reactivate the contacts. Once the deferred deletion period has expired, a contact can no longer be restored. In the Designer, you can set an alternative delay on the ADSContact table.

Active Directory groups

Read the documentation for your Active Directory for an explanation of group concepts under Windows Server.

In Active Directory, contacts, computers, and groups can be collected into groups, through which access to resources can be regulated not only within a domain but also across domains.

We distinguish between two group types:

  • Security groups

    Authorizations are issued through security groups. User accounts, computers, and other groups are added to security groups, which makes administration easier. Security groups are also used for email distribution groups.

  • Distribution groups

    Distribution groups can be used as email-enabled distribution groups. Distribution groups do not have any security.

In addition, a group scope is defined for each group type. Permitted group scopes are:

  • Universal

    Groups within this scope are described as universal groups. Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts and groups from all domains in one domain structure.

  • Local domain

    Groups in this scope are described as groups of the local domain. Local groups are used when authorizations are issued within the same domain. Members of a domain local group can be user accounts, computers, or groups in any domain.

  • Global

    Groups within this scope are described as global groups. Global groups can be used to make cross-domain authorizations available. Members of a global group are only user accounts, computers, and groups belonging to the global group’s domain.
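
The group type and scope described above are stored in Active Directory in the groupType bit field. The following Python code is an added example, not part of the One Identity documentation: it decodes that field and applies the membership rules exactly as this section states them. The record layout, group names, and domains are constructed assumptions.

```python
# Added example. The groupType bit values are the documented Active Directory
# flags; the group records below are constructed sample data.
SECURITY_ENABLED = 0x80000000
SCOPE_FLAGS = {0x2: "Global", 0x4: "Local domain", 0x8: "Universal"}


def decode_group_type(raw):
    """Return (group type, scope) for a groupType value read over LDAP."""
    value = int(raw) & 0xFFFFFFFF  # LDAP delivers a signed 32-bit integer
    scopes = [name for bit, name in SCOPE_FLAGS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {raw!r} must carry exactly one scope flag")
    kind = "Security" if value & SECURITY_ENABLED else "Distribution"
    return kind, scopes[0]


def review_group(group):
    """List findings for one group, using the membership rules in this section."""
    kind, scope = decode_group_type(group["groupType"])
    findings = []
    for member, member_domain in group["members"]:
        foreign = member_domain.lower() != group["domain"].lower()
        if foreign and scope == "Global":
            findings.append(f"{member}: not allowed, global groups only hold "
                            "members of their own domain")
        elif foreign and kind == "Security":
            findings.append(f"{member}: cross-domain authorization via "
                            f"{scope.lower()} security group")
    return findings


# Constructed sample data (hypothetical names and domains).
SAMPLE_GROUPS = [
    {"name": "GG-Finance", "domain": "emea.example.test", "groupType": "-2147483646",
     "members": [("alice", "emea.example.test"), ("bob", "apac.example.test")]},
    {"name": "UG-Auditors", "domain": "emea.example.test", "groupType": "-2147483640",
     "members": [("carol", "apac.example.test")]},
    {"name": "DL-Newsletter", "domain": "emea.example.test", "groupType": "4",
     "members": [("dave", "apac.example.test")]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["name"], decode_group_type(g["groupType"]), review_group(g))
```

Distribution groups produce no cross-domain finding because, as stated above, they carry no authorizations.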

Entering master data for Active Directory groups

To edit group master data

  1. In the Manager, select the Active Directory | Groups category.

  2. Select the group in the result list and run the Change master data task.

  3. On the master data form, edit the master data for the group.

  4. Save the changes.