Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and employees
Account definitions for Active Directory user accounts and Active Directory contacts Assigning employees automatically to Active Directory user accounts Supported user account types Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login information for Active Directory user accounts Mapping of Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Active Directory user account home directory and profile directory

Enter the data for the user's home and profile directories.

NOTE: If the QER | Person | User | ConnectHomeDir configuration parameter is set, some of the following data for the home directory is formed automatically. In the Designer, set the configuration parameter if necessary.

When you enter a profile directory, a new user profile is created through One Identity Manager Service that is loaded over the network when the user logs on.

Enter the following main data on the Profile tab.

Table 35: Main data for a user directory
Property Description

Home server

Home server. You can select the home server depending on the number of home directories per home server that already exist (according to the database). If you assigned an account definition, the home server is determined from the current IT operating data for the assigned employee depending on the manage level.

Home share

The share that is stored under the user’s home directory on the home server. Default is HOMES.

Home directory path

Name of the home directory for the user under the home share. By default, the login name (pre Windows 2000) is used to format the home directory path.

Home shared as

Home directory share. This share is formatted using the default home directory path.

Home drive

The drive to be connected when the user logs in. The default domain home drive is used.

Home directory

The user's home directory. The given home directory is automatically added and shared by the One Identity Manager Service.

Size home directory [MB]

Size of the home directory in MB. Find the size of the home directory by running the schedule supplied by default. In the Designer, configure and enable the Load size of home folders for user accounts schedule.

Maximum home storage space [MB]

Maximum size for the home directory on the home server in MB.

Profile server

Profile server. If you assigned an account definition, the profile server is determined from the current IT operating data for the assigned employee depending on the manage level.

Profile share

The share that is stored under the user’s profile directory on the profile server. Default is PROFILES.

Profile shared as

Profile directory share.

Profile directory path

Name of the profile directory for the user under the profile share. By default, the login name (pre Windows 2000) is used to format the profile directory path.

Login script

Name of the login script. If the script is in a subdirectory of the login script path (normally Winnt\Sysvol\domain\scripts), you need enter the subdirectory as well. The given login script is run when the user logs in.

Related topics

Login credentials for Active Directory user accounts

On the Log in tab, enter the following main data

Table 36: Credentials
Property Description

Last login

Date of last login. The date is read in from the Active Directory system and cannot be changed manually.

Login workstation

Workstation on which the user can log in. A user can log in on all workstations by default.

Select the button next to the input field to activate it and add workstations. Use the button to remove workstations from the list.

Login times

Times and days on which the user is allowed to be logged in. By default, login is permitted at all hours and every day of the week. If a user is logged in, the login is disconnected at the end of the valid login period.

The calendar shows a 7-day week, each box represents one hour. The configured login times are shown in color, respectively. If a box is filled, login is allowed. If the box is empty, login is denied.

To specify login times

  • Select a time period with the mouse or keyboard.

  • Select Assign to enable login in the selected period.

  • Select Remove to deny login in the selected period.

  • Select Reverse to invert the selected period.

  • Use the arrow keys to reset or repeat a selection.

Dial-in access using Remote Access Service (RAS) for Active Directory user accounts

NOTE: Remote Access Service (RAS) properties are only synchronized and provisioned if the Enable RAS properties option is set.

Allocate remote dial-up permissions for the user account in the network and specify the callback option. The following data can be edited depending on the selected domain mode (mixed or native).

Enter the following main data on the RAS tab.

Table 37: Remote access service
Property Description

Dial-up permitted

Specifies whether the user may dial up the network. Permitted values are:

  • Allow access: This permits the user to dial up the network.

  • Deny access: This specifies that you deny the user the dial-in to the network.

  • Control access using remote access policy: This data specifies that access to the network is controlled over RAS guidelines. RAS guidelines are usually used to apply the same access permissions to several Active Directory user accounts.

No callback

The callback function is switched off by this option.

Set by caller

The server expects the user to input the number that they can be called back on.

Always callback

The server tries to call the user back over the given number.

Verifying caller ID

A predefined number with which the user should dial into the network.

Static IP address

A fixed IP address assigned to the user.

Static routes with IP address, network address and metric

Target network IP addresses, network addresses and metrics for dialing in over fixed routes.

Related topics

Terminal server connection data for Active Directory user accounts

NOTE: Terminal server properties are only synchronized and provisioned if the Enable terminal server properties option is set.

Enter the following data for adding a user profile, which will be made available for logging the Active Directory user account on to a terminal server. A profile directory can be provided, which is available to the user to log on to a terminal server for terminal server sessions. A home directory can be added on the terminal server in the same way.

NOTE: If the QER | Person | User | ConnectHomeDir configuration parameter is set, some of the following data for the home directory is formed automatically. If necessary, in the Designer, set the configuration parameter.

Enter the following data on the Terminal service tab.

Table 38: Main data for a terminal server
Property Description

Login permitted on terminal server

Specifies whether terminal server login is allowed. Enable this option to allow a user to log on to a terminal server.

Use own configuration

Specifies whether a startup program can be defined. Enable this option to specify a program, which should be started when you log on to the terminal server and enter the program's command line and working directory.

NOTE: If this data is inherited from the client, disable this option.

Command line

Command line to start the program.

Working directory

Working directory of program to start.

Connect client drives at login Specifies whether client drive connections should automatically be restored when logging into a terminal server.

Connect client printers at login

Specifies whether client printer connections should automatically be restored when logging on to a terminal server.

Client default printer

Specifies whether default printer connections should automatically be restored when logging into a terminal server.

Active session limit [min]

Maximum connection time in minutes. After the time is exceeded the connection to the terminal server is detached or ended.

End disconnected session [min]

Time period in minutes for maintaining a disconnected connection.

Idle session limit [min]

Maximum time without client activity before the connection is detached or ended.

Connect disconnected session from previous client

Specifies whether a disconnected session can be restored from an arbitrary client computer.

End session if connection is interrupted

Specifies whether a session should be returned to a disconnected state if the connection is interrupted.

Enable remote control

Specifies whether remote monitoring or control is enabled for this session.

Get permission of user

Specifies whether permission needs to be obtained for the user to monitor the session.

Display user session

Specifies whether to monitor the user session

Interact with session

Specifies whether the user to be monitored can input data into the session over the keyboard or mouse.

Profile server

Profile server. If you assigned an account definition, the profile server is determined from the current IT operating data for the assigned employee depending on the manage level.

Profile share

The share that is stored under the user’s profile directory on the profile server. Default is TPROFILES.

Profile directory path

Name of the profile directory for the user under the profile share. By default, the login name (pre Windows 2000) is used to format the profile directory path.

Profile path

The full path to the user’s profile directory.

Home server

Home server. If you assigned an account definition, the profile server is determined from the current IT operating data for the assigned employee depending on the manage level.

Home share

The share that is stored under the user’s home directory on the home server. Default is THOMES.

Home directory path

Name of the home directory for the user under the home share. By default, the login name (pre Windows 2000) is used to format the home directory path.

Shared as

Home directory share. This share is formatted using the default home directory path.

Home drive

The drive to be connected when the user logs in. The default domain home drive is used.

Home directory

Home directory. The given home directory is automatically added and shared by the One Identity Manager Service.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating