Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Prerequisites for indirect assignment of Active Directory groups

Identities (workdesks or devices) and Active Directory groups are grouped into hierarchical roles in the case of indirect assignment. When assigning Active Directory groups indirectly, check the following settings and modify them if necessary.

Prerequisites for indirect assignment of Active Directory groups to identities' Active Directory user accounts and Active Directory contacts

  1. Assignment of identities and Active Directory groups is permitted for role classes (departments, cost centers, locations, or business roles).

  2. The Active Directory user accounts and Active Directory contacts are linked to identities.

  3. Active Directory user accounts and Active Directory contacts are labeled with the Groups can be inherited option.

Prerequisites for indirect assignment of Active Directory groups to Active Directory computers

  1. Assignment of devices and Active Directory groups is permitted for role classes (departments, cost centers, locations, or business roles).

  2. The Active Directory computer is connected to a device.

  3. The device is labeled as a PC or server.

  4. The TargetSystem | ADS | HardwareInGroupFromOrg configuration parameter is set.

Prerequisites for indirect assignment to Active Directory groups to Active Directory computers through workdesks

  1. Assignment of workdesks and groups is permitted for the role class (department, cost center, location, or business role).

  2. The computer is connected to a device labeled as PC or server. This device owns a workdesk.

ClosedAllow assignments to role classes of departments, cost centers, locations, or roles

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of identities, devices or workdesks not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Assigning Active Directory groups to departments, cost centers and locations

Assign the group to departments, cost centers and locations so that the group can be assigned to user accounts, contacts, and computers through these organizations.

To assign a group to departments, cost centers, or locations (non role-based login)

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  5. Save the changes.

To assign groups to a department, a cost center, or a location (non role-based login or role-based login)

  1. In the Manager, select the Organizations > Departments category.

    - OR -

    In the Manager, select the Organizations > Cost centers category.

    - OR -

    In the Manager, select the Organizations > Locations category.

  2. Select the department, cost center, or location in the result list.

  3. Select the Assign Active Directory groups task.

  4. In the Add assignments pane, assign groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics

Assigning Active Directory groups to business roles

NOTE: This function is only available if the Business Roles Module is installed.

Assign the group to business roles so that it is assigned to user accounts, contacts, and computers through this business role.

To assign a group to a business role (non role-based login)

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Assign business roles task.

  4. In the Add assignments pane, select the role class and assign business roles.

    TIP: In the Remove assignments pane, you can remove assigned business roles.

    To remove an assignment

    • Select the business role and double-click .

  5. Save the changes.

To assign groups to a business role (non role-based login or role-based login)

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the Assign Active Directory groups task.

  4. In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics

Adding Active Directory groups to system roles

NOTE: This function is only available if the System Roles Module is installed.

Use this task to add a group to system roles.

If you assign a system role to identities, all Active Directory user accounts owned by these identities inherit the group.

If you assign a system role to workdesks, all Active Directory computers associated with this workdesk inherit the group.

NOTE: Groups with Only use in IT Shop set can only be assigned to system roles that also have this option set. For more information, see the One Identity Manager System Roles Administration Guide.

To assign a group to system roles

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Assign system roles task.

  4. In the Add assignments pane, assign system roles.

    TIP: In the Remove assignments pane, you can remove assigned system roles.

    To remove an assignment

    • Select the system role and double-click .

  5. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating