Chat now with support
Chat with Support

Active Roles 8.0 LTS - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Microsoft 365 Groups Managing Azure Security Groups Managing cloud-only distribution groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Active Roles integration with other One Identity and Quest products Appendix F: Active Roles integration with Duo Appendix G: Active Roles integration with Okta Active Roles Language Pack

Steps for configuring a Home Folder AutoProvisioning policy

To configure a Home Folder AutoProvisioning policy

  1. On the Policy to Configure page, select Home Folder AutoProvisioning, and then click Next.
  2. On the Home Folder Management page, do the following:
    • From the Connect list, select the drive letter to which you want the policy to map the home folder.
    • In the To box, specify a network path to the home folder.

      The path must include a common share at one level above the home folders. For example, you might specify \\Ant\Home\%username% for the policy to create home folders on the share Home on the server Ant. The path such as \\SERVER\%username% is not valid.

    • To have the policy verify that the home folder path and name on user accounts are set in compliance with this policy, select Enforce this home folder setting in Active Directory.

      When this check box is cleared, the policy allows home folder paths and names that differ from the path and name prescribed by the policy.

    • To have Active Roles automatically set the home folder properties in accord with this policy upon user account creation in Active Directory, select Apply this home folder setting when user account is created.
    • To have Active Roles automatically set the home folder properties in accord with this policy upon user account renaming in Active Directory, select Apply this home folder setting when user account is renamed.
    • To have Active Roles attempt creation or renaming of a (non-local) home folder on the file server when home folder properties are set or changed on a user account in Active Directory, select Create or rename home folder on file server as needed.

      If you want to configure the policy so that it not only sets home folder properties on user accounts in Active Directory but also creates or renames home folders and home shares in accord with the policy settings, you must keep the Create or rename home folder on file server as needed check box selected (this is the default setting). If the check box is cleared, then the policy can only set or verify home folder properties on user accounts in Active Directory.

    • Specify how you want the policy to configure permission settings on home folders. You can choose from the following options:
      • Copy user permissions on home folder from parent folder.  Upon creation or renaming of a home folder for a user account, ensures that the user account has the same rights on the home folder as on the folder in which the home folder resides.
      • Set user as home folder owner.  Upon creation or renaming of a home folder for a user account, ensures that the user account is set as the owner of the home folder.
      • Set user permissions on home folder.  Upon creation or renaming of a home folder for a user account, ensures that the user account has the specified access rights on the home folder (such as Change Access or Full Access).

    Click Next.

  3. On the Home Share Management page, specify settings for user home shares. Do the following:
    • Select Create home share when home folder is created or renamed for the policy to create or rename the home share when creating or renaming the home folder.
    • Optionally, in Share name prefix and Share name suffix, type a prefix and suffix for the name of the home share. For details, see How to configure a Home Folder AutoProvisioning policy earlier in this chapter.
    • Optionally, in Description, type a comment to add to the home share.
    • If you want to limit the number of users that can connect to the share at a time, click Allow this number of users and specify the maximum number of users in the box next to that option. Otherwise, click Maximum allowed.

    Click Next.

  4. On the Enforce Policy page, you can specify objects to which this Policy Object is to be applied:
    • Click Add, and use the Select Objects dialog box to locate and select the objects you want.
  5. Click Next, and then click Finish.

NOTE: For more information about the Home Folder AutoProvisioning policy configuration options, see How to configure a Home Folder AutoProvisioning policy earlier in this chapter.

Using the built-in policy for home folder provisioning

If you want to configure Active Roles so that setting or changing home folder related properties on any user account in any managed domain does not result in an attempt to create or rename a folder on a file server, then you can use the Active Roles console to modify the built-in Policy Object:

  1. In the console tree, select Configuration | Policies | Administration | Builtin.
  2. In the details pane, double-click Built-in Policy - Default Rules to Provision Home Folders.
  3. On the Policies tab, select the policy from the list and then click View/Edit.
  4. On the Home Folder tab, clear the Create or rename home folder on file server as needed check box.
  5. Click OK to close the dialog boxes you opened.

If you have any other Policy Objects containing policies of the Home Folder AutoProvisioning category, then you need to configure them as appropriate: Select or clear the Create or rename home folder on file server as needed check box in each of those policies depending on whether or not Active Roles should attempt creation or renaming of home folders for user accounts that fall within the scope of the respective Policy Object.

Another scenario may require Active Roles to create or rename home folders for user accounts that are outside a certain scope (such as a certain domain, organizational unit, or Managed Unit), whereas creation or renaming of home folders should not be attempted on user accounts that fall within that particular scope. In this scenario, ensure that the Create or rename home folder on file server as needed option is selected in the built-in Policy Object. Then, create and configure a Policy Object containing a policy of the Home Folder AutoProvisioning category with the Create or rename home folder on file server as needed option un-selected, and apply that Policy Object to the scope in question.

Configuring the Home Folder Location Restriction policy

When creating home folders, Active Roles operates in the security context of the service account under which the Administration Service is running, so the service account must have sufficient rights to create home folders. Normally, the service account has administrative rights on an entire file server, which enables Active Roles to create home folders in any folder on any network file share that exists on that server. The Home Folder Location Restriction is used to restrict to a certain list the network file shares and folders in which Active Roles is authorized to create home folders.

The Home Folder Location Restriction policy determines the folders on the network file shares in which Active Roles is allowed to create home folders, and prevents Active Roles from creating home folders in other locations. The restrictions imposed by this policy do not apply if the home folder creation operation is performed by an Active Roles Admin role holder (normally, these are the users that have membership in the Administrators local group on the computer running the Active Roles Administration Service). Thus, when an Active Roles Admin role holder creates a user account, and a certain policy is in effect to facilitate home folder provisioning, the home folder is created regardless of the Home Folder Location Restriction policy settings.

By default, no network file shares and folders are listed in the policy. This means that Active Roles cannot create a home folder unless the user management operation that involves creation of the home folder is performed by the Active Roles Admin role holder. In order to allow delegated administrators to create home folders, you have to configure the policy so that it lists the folders on the network file shares in which creation of home folders is allowed. You can do this by using the Active Roles console as follows.

To configure the Home Folder Location Restriction policy

  1. In the console tree, expand Configuration | Policies | Administration, and select Builtin under Administration.
  2. In the details pane, double-click Built-in Policy - Home Folder Location Restriction.
  3. On the Policies tab, double-click the list item under Policy Description.
  4. On the Allowed Locations tab, view or modify the list of folders on the network file shares where creation of home folders is allowed.

When adding a folder to the list, specify the UNC name of the folder. If you specify the name in the form \\<Server>\<Share>, home folders can be created in any folder on the network file share specified. If you specify the name in the form \\<Server>\<Share>\<PathtoFolder>, home folders can be created in any sub-folder of the folder.

Scenario: Creating and assigning home folders

In this scenario, you configure a policy to create home folders when creating user accounts. The policy assigns home folders to newly created accounts and grants the users change access to their home folders.

To implement this scenario, you must perform the following actions:

  1. Verify that the network file share on which you want the policy to create home folders is listed in the Home Folder Location Restriction policy.
  2. Create and configure a Policy Object that defines the appropriate policy.
  3. Apply the Policy Object to a domain, OU, or Managed Unit.

As a result, when creating a user account in the container you selected in Step 3, Active Roles creates the user home folder and assigns that folder to the user account.

The following sub-sections elaborate on the steps to implement this scenario.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating