Chat now with support
Chat with Support

Identity Manager 9.1.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and employees
Account definitions for Active Directory user accounts and Active Directory contacts Assigning employees automatically to Active Directory user accounts Supported user account types Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login information for Active Directory user accounts Mapping of Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Synchronizing an Active Directory environment

One Identity Manager supports synchronization with Active Directory, shipped with Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and the Active Directory directory.

This sections explains how to:

  • Set up synchronization to import initial data from Active Directory domains to the One Identity Manager database.

  • Adjust a synchronization configuration, for example, to synchronize different Active Directory domains with the same synchronization project.

  • Start and deactivate the synchronization.

  • Evaluate the synchronization results.

TIP: Before you set up synchronization with an Active Directory domain, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up initial synchronization with an Active Directory domain

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the Active Directory environment. You use these project templates to create synchronization projects with which you import the data from an Active Directory domain into your One Identity Manager database. In addition, the required processes are created that are used for the provisioning of changes to target system objects from the One Identity Manager database into the target system.

To load Active Directory objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronizing in Active Directory.

  2. One Identity Manager components for managing Active Directory environments are available if the TargetSystem | ADS configuration parameter is enabled.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing with Active Directory

The following users are involved in synchronizing One Identity Manager with Active Directory.

Table 2: Users for synchronization
User Permissions

User for accessing Active Directory

You must provide a user account with the following permissions for full synchronization of Active Directory objects with the supplied One Identity Manager default configuration.

  • Member of the Domain Admins Active Directory group

NOTE: In a hierarchical domain structure, the One Identity Manager Service's user account of a child domain is member of the Enterprise Admins group.

There is no recommended practical minimum configuration whose permissions in terms of user administration effectiveness, differ from a member of the Domain admins group.

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

Setting Remote Access Service (RAS) properties requires Remote Procedure Calls (RPC) which are run in the context of the One Identity Manager Service user account. To read or write these properties, the One Identity Manager Service user account must have the necessary permissions.

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

Necessary access permissions explained

The synchronization base object in Active Directory requires the following access permissions:

  • Read

  • Write

If the base object is the domain object, these permissions are needed to allow reading and setting domain properties such as password policies.

The following permissions are required for working unrestricted below the base object:

  • Create All Child Objects

  • Delete All Child Objects

To be able editing of specific properties in a user object that result in a change to the permission list of an Active Directory object (for example, the Password cannot be changed property), the following permissions are required:

  • Read Permissions

  • Modify Permissions

Prerequisite for further privileges:

  • Modify Owner

Normally only group administrators have this privilege. If the One Identity Manager Service user account is not a member of this group or any equivalent group, it must put in a position to cope with accounts without any permissions.

The following permissions are required because all an object's values can, in principle, be modified through One Identity Manager:

  • Read All Properties

  • Write All Properties

  • All Extended Rights

  • DeleteSubTree

Essential user account functionality is partially stored as an entry in the permissions list of an Active Directory object. The One Identity Manager Service user account must be able to modify this permissions list. Example of properties maintained over the permissions list are UserCanNotChangePassword for the user account, or AllowWriteMembers for the group.

Modifying a permissions list assumes a wide range of permissions. If a user account that does not have the Full Control permissions for the corresponding Active Directory object is used for changing a permissions list, the change is only accepted under the following conditions.

  • The user account is the owner of the object.

    – OR –

  • The user account is member of the same primary group as the object owner. This is usually the Domain administrators group.

Otherwise the modifications are rejected.

If the Take Ownership permission is assigned to the user account, it is possible to initiate a change of owner and to change the permissions list accordingly. However, this falsifies the permissions state of the Active Directory object and is not recommended.

Furthermore, you require domain administrator permissions to use the delete and restore functions of the Active Directory recycling bin and for dealing with specially protected user account and groups.

NOTE: In theory, the part of the synchronization with the Active Directory that imports the Active Directory objects into the One Identity Manager database also functions if only Read permissions and not Write permissions are assigned to the structure.

The following problems may occur:

  • To include a user account for which only Read permissions exist in a group that is not the primary group of the user account, the One Identity Manager Service must have at least Write permissions for the group object.

  • Error states between the One Identity Manager database and Active Directory data occur, if One Identity Manager administration tools or database imports result in the creation of, or changes to objects in the Active Directory for which only Read permissions exist. These cases can be excluded with the suitable menu navigation in the administration tools, One Identity Manager object permissions, and by taking appropriate precautions when importing.

NOTE: For the One Identity Manager Active Directory edition, full read permissions are required, as well as permissions for creating, changing, and deleting groups.

Communications ports and firewall configuration

One Identity Manager is made up of several components that can run in different network segments. In addition, One Identity Manager requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall.

The following ports are required:

Table 3: Communications port
Default port Description

1433

1880

Port for the HTTP protocol of One Identity Manager Service.

2880

Port for access tests with the Synchronization Editor, such as in the target system browser or for simulating synchronization.

Default port for the RemoteConnectPlugin.

80

Port for accessing web applications.

88

Kerberos authentication system (if Kerberos authentication is implemented). Required for authentication against Active Directory.

135

Microsoft End Point Mapper (EPMAP) (also, DCE/RPC Locator Service).

137

NetBIOS Name Service.

139

NetBIOS Session Service.

389

Lightweight Directory Access Protocol (LDAP Standard). Target system server communications port.

445

Microsoft-DS Active Directory, Windows shares. Required for synchronization (TCP/UDP)

53

Domain Name System (DNS), mainly through UDP. Required for access to the Active Directory total structure.

636

Lightweight Directory Access Protocol using TLS/SSL (LDAP S). Required for access to the Active Directory total structure.

3268

Global catalog. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings.

3269

Global catalog over SSL. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating