Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Active Directory account policies for Active Directory domains

Set up global account policies for a domain. This information is declared in the domain as default settings. For domains from the functional levels Windows Server 2008 R2 and above, it is possible to define multiple account policies. This allows individual users and groups to be subjected to stricter account policies as intended for global groups. Refer to your Active Directory documentation for more information about the concept of fine-grained password policies under Windows Server.

You can also define password policies in One Identity Manager that you can apply to the user account passwords.

NOTE: One Identity Manager password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.

Detailed information about this topic
Related topics

Creating and editing Active Directory account policies

Account policies are loaded into the One Identity Manager database during synchronization. You have the option to edit existing account policies and add new ones.

To enter main data of an account policy

  1. In the Manager, select the Active Directory > Account policies category.

  2. Select the account policy in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the account policy's main data.

  4. Save the changes.
Detailed information about this topic

General main data for an Active Directory account policy

Enter the following general main data.

Table 26: General main data of an account policy
Property Description

Name

Account policy name

Domain

Active Directory domain for which the account policy is available.

Distinguished name

Distinguished name of the account policy. The distinguished name is formed based on rules and is made up of the name of the account policy, the system container for password policies Password Settings Container, and the domain.

Display name

Display name to display in the One Identity Manager tools.

Simple display

Display name for systems that cannot interpret all the characters of normal display names.

Description

Text field for additional explanation.

Related topics

Guidelines for Active Directory account guidelines

Enter the following settings for the policy.

Table 27: Main data for a policy definition
Property Description

Lock duration [min]

Lock duration in minutes. Enter the time period the account should be locked for before it is automatically reset.

Reset account [min]

Duration in minutes of account reset. Enter the time period that can elapse between two invalid attempts to enter a password before a user account is locked.

Max. errors

Maximum number of errors. Set the number of invalid passwords. If the user has reached this number the user account is locked.

Max. password age

Maximum age of the password. Enter the length of time a password can be used before it expires.

Minimum password lifetime

Minimum age of the password. Enter the length of time a password has to be used before the user is allowed to change it.

Minimum password length

Minimum length of the password. Use this option to specify that a password has to be complex.

Password history

Enter the number of passwords to be saved. For example, if you enter the value 5, the last 5 passwords for the user are saved.

Ranking

Ranking for password settings. If several account polices are assigned to a user account or a group, the account policy is used that has the lowest value.

Complex passwords

Specifies how complicated the password has to be. Complex passwords must fulfill certain minimum prerequisites. For more information, see the documentation for implementing Windows Server.

Save passwords with reversible encryption

Details for encrypting passwords. By default, passwords that are saved in Active Directory are encrypted. When you use this option, passwords are saved in plain text and can be restored again.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating