Chat now with support
Chat with Support

Active Roles 8.1.3 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Example: Transferring an Active Roles configuration

This example scenario explains how to use the ARSconfig command-line tool to transfer a set of configuration objects from a test Active Roles instance to a production instance.

Suppose you need to transfer the following configuration objects from a test Active Roles instance to a production Active Roles instance:

  • The Configuration/Access Templates/Common container, including all child objects stored in this container.

  • The Configuration/Managed Units/Development container, excluding the child objects stored in this container.

  • All child objects stored in the Script Modules/Corporate Policy/Priority Access container, but excluding the container itself.

Also, assume that the names of the domains managed by the test (source) Active Roles instance are test1.company.com and test2.company.com, and the two corresponding domains managed by the production (target) Active Roles instance are prod1.company.com and prod2.company.com.

To implement this scenario, complete the following steps:

  1. Create a list of the configuration objects to collect

  2. Create configuration data package

  3. Add domain mapping

  4. Deploy the configuration data package

Creating a list of the configuration objects to package

In this step, you create a list of the configuration objects that you want to collect into the configuration package, and define how you want to collect their child objects.

To do that, create the selection.xml file, and save that file to the solution installation folder: <Active Roles installation folder>\Configuration Transfer Wizard\Scripts.

To clarify the file format, consider the following sample file that illustrates how to collect Access Templates, Managed Units, and Script Modules residing within specified containers:

<?xml version="1.0" encoding="utf-8"?>

<Configuration>

<include DN="CN=Common,CN=Access Templates,CN=Configuration" collectSelf="True" collectChildren="True"/>>

<include DN="CN=Development,CN=Managed Units,CN=Configuration" collectSelf="True" collectChildren="False"/>

<include DN="CN=Priority Access,CN=Corporate Policy,CN=Script Modules,CN=Configuration" collectSelf="False" collectChildren="True"/>

</Configuration>

Creating configuration data package file

In this step, you use the ARSconfig command-line tool to create a configuration data package file using the data from the selection.xml file created in Step 1.

To create the configuration data package file

  1. Open the Windows Command Prompt.

  2. In the command prompt, navigate to the Configuration Transfer Wizard installation folder, and enter the following syntax:

    Cscript.exe arsconfig.wsf /task:collect /selection:selection.xml

As the result, the package.xml configuration data package file will be created in the following default location:

\Active Roles\Configuration Transfer Wizard\Scripts

Configuring domain mapping

If the names of the managed domains are different in the test and production environments, you must add domain mapping that defines the correspondence between the domain names. When the configuration package is deployed in the target environment, the domain names specified as a part of the objects' attributes are replaced with the names of the production domains, according to the name mapping entries.

In this step, you create the CSV domain name mapping file (mapping.csv), then save that file to the installation folder of the Configuration Transfer Wizard:

\Active Roles\Configuration Transfer Wizard\Scripts

In this scenario, the mapping.csv file contains the following lines:

"DC=test1,DC=company,DC=com","DC=prod1,DC=company,DC=com"

"DC=test2,DC=company,DC=com","DC=prod2,DC=company,DC=com"

Deploying the configuration data package

In this step, you use the ARSconfig command-line tool to deploy the package.xml configuration package in the production Active Roles environment. When running the arsconfig.wsf script, specify the package file to deploy (package.xml), and the domain name mapping file (mapping.csv) you have created in the previous step.

To deploy the configuration data package

  1. Open the Windows Command Prompt.

  2. Navigate to the Configuration Transfer Wizard installation folder, and enter the following syntax:

    Cscript.exe arsconfig.wsf /task:deploy /package:package.xml /map:mapping.csv

Example: Rolling back the configuration changes

You may need to roll back the configuration changes if you encounter any errors when deploying a configuration package to the production environment. By rolling back changes in the target configuration, you bring it to the state it was in before the package was deployed.

To roll back configuration changes

  1. Open the Windows Command Prompt.

  2. Navigate to the Configuration Transfer Wizard installation folder, and enter the following syntax:

    Cscript.exe arsconfig.wsf /task:rollback /package:package.xml

Managing Skype for Business Server with Active Roles

The Skype for Business Server User Management feature allows you to administer Skype for Business Server user accounts via the Active Roles Web Interface by providing built-in policies to synchronize user account information between Active Roles and Skype for Business Server.

About Skype for Business Server User Management

With Skype for Business Server User Management, you can use Active Roles to perform the following tasks:

  • Add and enable new Skype for Business Server users.

  • View or change Skype for Business Server user properties and policy assignments.

  • Move Skype for Business Server users from one Skype for Business Server pool to another.

  • Disable or re-enable user accounts forSkype for Business Server.

  • Remove users from Skype for Business Server.

Skype for Business Server User Management adds the following elements to Active Roles:

  • Built-in Policy Object that enables Active Roles to perform user management tasks on Skype for Business Server.

  • Built-in Policy Object that enables Active Roles to administer Skype for Business Server users in environments that involve multiple Active Directory forests.

  • Commands and pages for managing Skype for Business Server users in the Active Roles Web Interface.

  • Access Templates to delegate Skype for Business Server user management tasks.

The Skype for Business Server User Management policy allows you to control the following factors of creating and managing Skype for Business Server users:

  • Rule for generating the SIP user name. When adding and enabling a new Skype for Business Server user, Active Roles can generate a SIP user name based on other properties of the user account.

  • Rule for selecting a SIP domain. When configuring the SIP address for a Skype for Business Server user, Active Roles can restrict the list of selectable SIP domains and suggest which SIP domain to select by default.

  • Rule for selecting a Telephony option. When configuring Telephony for a Skype for Business Server user, Active Roles can restrict the list of selectable Telephony options and suggest which option to select by default.

  • Rule for selecting a Skype for Business Server pool. When adding and enabling a new Skype for Business Server user, Active Roles can restrict the list of selectable registrar pools and suggest which pool to select by default. This rule also applies to selection of the destination pool when moving a Skype for Business Server user from one pool to another.

The Skype for Business Server User Management feature provides a number of Access Templates allowing you to delegate the following tasks in Active Roles:

  • Add and enable new Skype for BusinessSkype for Business Server users.

  • View existing Skype for Business Server users.

  • View or change the SIP address for Skype for Business Server users.

  • View or change the Telephony option and related settings for Skype for Business users.

  • View or change Skype for Business Server user policy assignments.

  • Disable or re-enable user accounts for Skype for Business Server.

  • Move users from one Skype for Business Server pool to another.

  • Remove users from Skype for Business Server.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating