Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.1.1 - Administration Guide for Connecting to Active Directory

Table of Contents

Managing Active Directory environments

Architecture overview One Identity Manager users for managing Active Directory Configuration parameters for managing Active Directory environments

Synchronizing an Active Directory environment

Setting up initial synchronization with an Active Directory domain

Users and permissions for synchronizing with Active Directory Communications ports and firewall configuration Setting up the Active Directory synchronization server

System requirements for the Active Directory synchronization server Installing One Identity Manager Service with an Active Directory connector

Creating a synchronization project for initial synchronization of an Active Directory domain

Information required to set up a synchronization project Creating an initial synchronization project for Active Directory domains

Configuring the synchronization log

Adjusting the synchronization configuration for Active Directory environments

Configuring synchronization in Active Directory domains Configuring synchronization of several Active Directory domains Changing system connection settings of Active Directory domains

Editing connection parameters in the variable set Editing target system connection properties

Updating schemas Speeding up synchronization with revision filtering Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization

Running synchronization

Starting synchronization Deactivating synchronization Displaying synchronization results Synchronizing single objects

Tasks following synchronization

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing Active Directory user accounts and Active Directory contacts through account definitions

Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)

Managing Active Directory user accounts and employees

Account definitions for Active Directory user accounts and Active Directory contacts

Creating account definitions Editing account definitions Main data for account definitions Editing manage levels Creating manage levels Assigning manage levels to account definitions Main data for manage levels Creating mapping rules for IT operating data Entering IT operating data Modify IT operating data Assigning account definitions to employees

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all employees Assigning account definitions directly to employees Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to Active Directory domains Deleting account definitions

Assigning employees automatically to Active Directory user accounts

Editing search criteria for automatic employee assignment Finding employees and directly assigning them to user accounts Changing manage levels for Active Directory user accounts Changing manage levels for Active Directory contacts

Supported user account types

Default user accounts Administrative user accounts

Providing an administrative user account for one employee Providing an administrative user account for multiple employees

Privileged user accounts

Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts

Managing memberships in Active Directory groups

Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers

Prerequisites for indirect assignment of Active Directory groups Assigning Active Directory groups to departments, cost centers and locations Assigning Active Directory groups to business roles Adding Active Directory groups to system roles Adding Active Directory groups to the IT Shop Adding Active Directory groups automatically to the IT Shop Assigning Active Directory user accounts directly to Active Directory groups Assigning Active Directory groups directly to Active Directory user accounts Assigning Active Directory contacts directly to Active Directory groups Active Directory Assign groups directly to Active Directory Contacts Assigning Active Directory computers directly to Active Directory groups Assigning Active Directory groups directly to Active Directory computers

Effectiveness of membership in Active Directory user groups Active Directory group inheritance based on categories Overview of all assignments

Login information for Active Directory user accounts

Password policies for Active Directory user accounts

Predefined password policies Using password policies Creating password policies Using password policies General main data of password policies Policy settings Character classes for passwords Custom scripts for password requirements

Script for checking passwords Script for generating a password

Editing the excluded list for passwords Verifying passwords Testing password generation

Initial password for new Active Directory user accounts Email notifications about login data

Mapping of Active Directory objects in One Identity Manager

Active Directory domains

General main data for Active Directory domains Global account policies for Active Directory domains Active Directory specific main data for Active Directory domains Defining categories for the inheritance of Active Directory groups Displaying information about the Active Directory forest Entering and testing trusted Active Directory domains Active Directory account policies for Active Directory domains

Creating and editing Active Directory account policies General main data for an Active Directory account policy Guidelines for Active Directory account guidelines Assigning Active Directory account policies to Active Directory user account and Active Directory groups

Editing the synchronization project for an Active Directory domain Monitoring the number of memberships in Active Directory groups and Active Directory containers

Active Directory container structures

Creating and editing Active Directory containers Main data for Active Directory containers Deleting Active Directory containers Moving an Active Directory container Displaying the Active Directory container overview

Active Directory user accounts

Creating and editing Active Directory user accounts General main data of Active Directory user accounts Password data for Active Directory user accounts Active Directory user account home directory and profile directory Login credentials for Active Directory user accounts Dial-in access using Remote Access Service (RAS) for Active Directory user accounts Terminal server connection data for Active Directory user accounts Extension data for Active Directory user accounts Further data for identifying Active Directory user accounts Contact information for Active Directory user accounts Assigning Active Directory account policies to Active Directory user accounts Assigning secretaries to Active Directory user accounts Assigning extended properties to Active Directory user accounts Disabling Active Directory user accounts Deleting and restoring Active Directory user accounts

Procedure for deleting Active Directory user account in One Identity Manager Handling of user directories when deleting Active Directory user accounts

Unlocking Active Directory user accounts Moving Active Directory user accounts Displaying the Active Directory user account overview Displaying Azure Active Directory user accounts for Active Directory user accounts

Active Directory contacts

Creating and editing Active Directory contacts General main data for Active Directory contacts Contact data for Active Directory contacts Further data for identifying Active Directory contact Extension data for Active Directory contacts Assigning secretaries to Active Directory contacts Assigning extended properties to Active Directory contacts Deleting and restoring Active Directory contacts Moving Active Directory contacts Displaying the Active Directory contact overview

Active Directory groups

Creating and editing Active Directory groups General main data of Active Directory groups Extension data for Active Directory groups Validity of group memberships Adding Active Directory groups to Active Directory groups Assigning Active Directory account policies to Active Directory groups Assigning secretaries to Active Directory groups Assigning extended properties to Active Directory groups Deleting Active Directory groups Moving Active Directory groups Displaying the Active Directory group overview Displaying Azure Active Directory groups for Active Directory groups

Active Directory computers

Main data for Active Directory computers Performing computer diagnostics Moving an Active Directory computer Displaying the Active Directory computer overview

Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects

Handling of Active Directory objects in the Web Portal

Default solutions for requesting Active Directory groups and group memberships

Adding Active Directory groups Changing Active Directory groups Deleting Active Directory groups Active DirectoryRequesting Groups Memberships

Basic data for managing an Active Directory environment

User account names Target system managers Job server for Active Directory-specific process handling

General main data of Job servers Specifying server functions Preparing a home server and profile server for creating user directories

Creating home directories using batch files Supporting multiple profile directories Home and profile directory access permissions

Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Extension data for Active Directory groups

On the Extensions tab, you enter the user-defined Active Directory schema extensions for the group.

Table 48: Extension data
Property	Description
Attribute extension 01 - attribute extension 15	Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Validity of group memberships

There are different assignments to groups possible depending on the construction of the domain structure and the domain trusts. You can find more exact information about permitted group memberships in the documentation for your Windows Server.

Ensure the following if you want to map group memberships using forests:

The trusted domains are known.
The name of the forest is entered in the domain.

In the following tables, the groups, user accounts, contacts, and computers permitted in One Identity Manager listed in groups.

Legend for the tables:

G = Global
U = Universal
L = Local

Table 49: Group memberships permitted within a domain
Target Group		Member in target group
		Group						User account	Contact	Computer
		Distribution			Security
		G	U	L	G	U	L
Distribution	Global	x			x			x	x	x
	Universal	x	x		x	x		x	x	x
	Local	x	x	x	x	x	x	x	x	x
Security	Global	x			x			x	x	x
	Universal	x	x		x	x		x	x	x
	Local	x	x	x	x	x	x	x	x	x

Table 50: Group memberships permitted within a hierarchical domain structure
Target Group		Member in target group
		Group						User account	Contact	Computer
		Distribution			Security
		G	U	L	G	U	L
Distribution	Global								x
	Universal	x	x		x	x		x	x	x
	Local	x	x		x	x		x	x	x
Security	Global
	Universal	x	x		x	x		x	x	x
	Local	x	x		x	x		x	x	x

Table 51: Group memberships permitted within a forest
Target Group		Member in target group
		Group						User account	Contact	Computer
		Distribution			Security
		G	U	L	G	U	L
Distribution	Global
	Universal
	Local	x	x		x	x		x		x
Security	Global
	Universal
	Local	x	x		x	x		x		x

Table 52: Group memberships permitted between forests
Target Group		Member in target group
		Group						User account	Contact	Computer
		Distribution			Security
		G	U	L	G	U	L
Distribution	Global
	Universal
	Local	x	x		x	x		x		x
Security	Global
	Universal
	Local	x	x		x	x		x		x

Related topics

Adding Active Directory groups to Active Directory groups

Use this task to add a group to another group. This means that the groups can be hierarchically structured.

To assign groups directly to a group as members

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Assign groups category.
Select the Has members tab.
Assign child groups in Add assignments.
TIP: In the Remove assignments pane, you can remove the assignment of groups.

To remove an assignment
- Select the group and double-click .
Save the changes.

To add a group as a member of other groups

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Assign groups task.
Select the Is member of tab.
In the Add assignments pane, assign parent groups.
TIP: In the Remove assignments pane, you can remove the assignment of groups.

To remove an assignment
- Select the group and double-click .
Save the changes.

Related topics

Validity of group memberships

Assigning Active Directory account policies to Active Directory groups

For domains from the functional level Windows Server 2008 R2 and above, it is possible to define additional password policies in addition to the default password policies. This allows individual users and groups to be subjected to stricter account policies as intended for global groups.

To specify account policies for a group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Assign account policies task.
In the Add assignments pane, assign account policies.
TIP: In the Remove assignments pane, you can remove account policy assignments.

To remove an assignment
- Select the account policy and double-click .
Save the changes.

Related topics

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center