Chat now with support
Chat with Support

Active Roles 8.2 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Predefined specifiers

Active Roles comes with a collection of predefined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration > Server Configuration > Entitlement Profile Specifiers > Builtin container, and can be administered using the Active Roles Console. You can make changes to a predefined specifier (see Changing entitlement profile specifiers) or you can apply the Disable command for the specifier to have no effect.

NOTE: Predefined specifiers cannot be deleted.

The predefined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a predefined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting. For more information, see About entitlement profile build process.

The following table provides information about the predefined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.

Table 55: Predefined specifiers

Name and Description

Type and Rules

Resource Display Settings

Name: Self - Exchange Mailbox

Description: Specifies user entitlement to Exchange mailbox.

Type: Personal resource entitlement

Rules: Entitlement target object is an Exchange mailbox enabled user account.

Resource type name: Exchange Mailbox

Resource naming attribute: mail

Other resource-related attributes:

  • mail

  • homeMDB

  • displayName

Name: Self - Home Folder

Description: Specifies user entitlement to home folder.

Type: Personal resource entitlement

Rules: Entitlement target object has the homeDirectory attribute set.

Resource type name: Home Folder

Resource naming attribute: homeDirectory

Other resource-related attributes:

  • homeDirectory

  • homeDrive

Name: Self - Unix Account

Description: Specifies user entitlement to Unix-enabled account.

Type: Personal resource entitlement

Rules: Entitlement target object has the uidNumber attribute set AND has a loginShell attribute value other than /bin/false.

Resource type name: Unix-enabled Account

Resource naming attribute: userPrincipalName

Other resource-related attributes:

  • userPrincipalName

  • uidNumber

  • gidNumber

  • unixHomeDirectory

  • loginShell

Name: Self - OCS Account

Description: Specifies user entitlement to Office Communications Server enabled account.

Type: Personal resource entitlement

Rules: Entitlement target object has the msRTCSIP-UserEnabled attribute set to TRUE.

Resource type name: Enabled for Office Communications Server

Resource naming attribute: msRTCSIP-PrimaryUserAddress

Other resource-related attributes:

  • msRTCSIP-PrimaryUserAddress

  • edsva-OCS-Pool

Name: Membership - Member of Security Group

Description: Specifies entitlement to a resource via membership in a security group.

Type: Shared resource entitlement

Rules: Entitlement target object is a security group.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name: Member of Security Group

Resource naming attribute: name

Other resource-related attributes:

  • name

  • displayName

  • description

  • info

  • edsvaResourceURL

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Membership - Access to SharePoint Site

Description: Specifies entitlement to a SharePoint site via membership in a certain security group.

Type: Shared resource entitlement

Rules: Entitlement target object is a security group that has the edsva-SP-MirrorType attribute set.

Resource type name: Access to SharePoint Site

Resource naming attribute: name

Other resource-related attributes:

  • name

  • edsva-SP-SiteName

  • edsva-SP-SiteURL

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Managed By - Owner of Security Group

Description: Specifies entitlement to the manager or owner role for a security group.

Type: Managed resource entitlement

Rules: Entitlement target object is a security group.

Resource type name: Owner of Security Group

Resource naming attribute: name

Other resource-related attributes:

  • name

  • displayName

  • description

  • info

  • edsvaResourceURL

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Managed By - Owner of Distribution List

Description: Specifies entitlement to the manager or owner role for a distribution group.

Type: Managed resource entitlement

Rules: Entitlement target object is an Exchange mail enabled (distribution) group.

Resource type name: Owner of Distribution List

Resource naming attribute: displayName

Other resource-related attributes:

  • displayName

  • mail

  • description

  • info

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Managed By - Owner of Resource Exchange Mailbox

Description: Specifies entitlement to the owner role for a room, equipment, or shared mailbox.

Type: Managed resource entitlement

Rules: Entitlement target object is a user account associated with a room, equipment or shared mailbox.

Resource type name: Owner of Resource Exchange Mailbox

Resource naming attribute: displayName

Other resource-related attributes:

  • displayName

  • edsva-MsExch-MailboxTypeDescription

  • mail

  • description

  • homeMDB

  • edsvaParentCanonicalName

Name: Managed By - Owner of Exchange Contact

Description: Specifies entitlement to the owner role for an Exchange mail contact.

Type: Managed resource entitlement

Rules: Entitlement target object is an Exchange mail contact.

Resource type name: Owner of Exchange Contact

Resource naming attribute: displayName

Other resource-related attributes:

  • displayName

  • givenName

  • sn

  • mail

  • telephoneNumber

  • company

  • edsvaParentCanonicalName

Name: Managed By - Owner of Computer

Description: Specifies entitlement to the manager or owner role for a computer.

Type: Managed resource entitlement

Rules: Entitlement target object is a computer account.

Resource type name: Owner of Computer

Resource naming attribute: name

Other resource-related attributes:

  • name

  • dNSHostName

  • description

  • operatingSystem

  • edsvaParentCanonicalName

Name: Managed By - Default

Description: Default specifier for entitlement to the manager or owner role.

Type: Managed resource entitlement

Rules: No rules specified, which means that any object is regarded as matching the entitlement rules of this specifier.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name: Owner of <target object class display name>

Resource naming attribute: name

Other resource-related attributes:

  • name

  • description

  • edsvaParentCanonicalName

Viewing entitlement profile

A user’s entitlement profile can be accessed from the Active Roles Console or Web Interface, allowing you to quickly examine resources to which the user is entitled:

  • In the Console, right-click the user and click Entitlement Profile. Alternatively, click Entitlement Profile on the Managed Resources tab in the Properties dialog for the user account.

  • In the Web Interface, click the user, and then choose Entitlement Profile from the list of commands.

This opens the Entitlement Profile page that lists the user’s resources grouped in expandable blocks by resource type. Each block may be a section that represents a single resource, or it may comprise a number of sections each of which represents a single resource. The grouping of sections occurs for resources of the same type. For example, the security groups in which the user has membership may be grouped together in a single block, with each group being represented by a separate section.

Initially, each block or section displays only a heading that includes the following items:

  • Resource icon: Graphics that helps distinguish the type of the resource.

  • Resource type: Text string that identifies the type of the resource.

  • Resource name: Text string that identifies the name of the resource, or indicates that the block comprises multiple resource-specific sections.

To view resource details, click the heading of a block or section.

Out of the box, Active Roles is configured so that a user’s entitlement profile displays the user’s entitlements to the resources listed in the table that follows. Active Roles administrators can configure the entitlement profile to display information about additional resources. If a user is not entitled to any resources of a particular type, then the user’s entitlement profile does not contain the sections specific to that resource type. For example, if a user does not have an Exchange mailbox, then the user’s entitlement profile does not contain information about the user’s mailbox.

Table 56: User resources

Resource Type

Resource Name

Resource Details

Exchange Mailbox

E-mail address of mailbox

  • E-mail address

  • Mailbox store or database location

  • Mailbox user’s display name

Home Folder

Path and name of home folder

  • Path and name of home folder

  • Drive letter assigned to home folder

Unix-enabled Account

User principal name

  • User principal name

  • Unix user ID (UID)

  • Unix primary group ID (GID)

  • Unix home directory

  • Unix login shell

Enabled for Office Communications Server

Live communications address

  • Live communications address

  • Office Communications server or pool

Member of Security Group

Group name

  • Group name

  • Group display name

  • Group description

  • Group notes

  • Resource address (URL)

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location ("In Folder" setting)

Access to SharePoint Site

Group name

  • Group name

  • SharePoint site name

  • SharePoint site address (URL)

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location (group’s "In Folder" setting)

Owner of Security Group

Group name

  • Group name

  • Group display name

  • Group description

  • Group notes

  • Resource address (URL)

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location ("In Folder" setting)

Owner of Distribution List

Group display name

  • Group display name

  • Group e-mail address

  • Group description

  • Group notes

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location ("In Folder" setting)

Owner of Resource Exchange Mailbox

Mailbox display name

  • Mailbox display name

  • Mailbox type

  • E-mail address

  • Mailbox store or database location

  • Mailbox description

  • Mailbox location ("In Folder" setting)

Owner of Exchange Contact

Contact display name

  • Display name

  • First name

  • Last name

  • E-mail address

  • Telephone number

  • Company

  • Location ("In Folder" setting)

Owner of Computer

Computer name

  • Computer name

  • Computer DNS name

  • Computer description

  • Operating system

  • Location ("In Folder" setting)

Owner of Resource (default)

Managed object’s name

  • Managed object’s name

  • Managed object’s description

  • Managed object’s location ("In Folder" setting)

Authorizing access to entitlement profile

By default, permission to view the entitlement profile is given to Active Roles Admin, the administrative account or group specified during Active Roles installation. Other users or groups can also be permitted to view the entitlement profile. A dedicated Access Template is provided for this purpose so that you can allow the use of the Entitlement Profile command by designated users or user groups.

To permit particular users or groups to view the entitlement profile of the users held in a certain container, such as an Organizational Unit or a Managed Unit, apply the Access Template as follows.

To authorize access to the entitlement profile

  1. In the Active Roles Console, right-click the container and click Delegate Control to display the Active Roles Security window.

  2. In the Active Roles Security window, click Add to start the Delegation of Control Wizard.

  3. In the wizard, click Next.

  4. On the Users or Groups page, click Add, and then select the desired users or groups.

  5. Click Next.

  6. On the Access Templates page, expand the Active Directory > Advanced folder, and then select the check box next to Users - View Entitlement Profile (Extended Right).

  7. Click Next and follow the instructions in the wizard, accepting the default settings.

After you complete these steps, the users and groups you selected in Step 4 are authorized to view the entitlement profile of the users held in the container you selected in Step 1, as well as in any sub-container of that container.

Recycle Bin

Active Roles builds on Active Directory Recycle Bin, a feature of Active Directory Domain Services introduced in Microsoft Windows Server 2008 R2, to facilitate the restoration of deleted objects. When Recycle Bin is enabled, Active Roles makes it easy to undo accidental deletions, reducing the time, costs, and user impact associated with the recovery of deleted objects in Active Directory.

The use of Active Roles in conjunction with Active Directory Recycle Bin helps minimize directory service downtime caused by accidental deletions of directory data. Recycle Bin provides the ability to restore deleted objects without using backups or restarting domain controllers and a user interface featured by Active Roles expedites locating and recovering deleted objects from Recycle Bin. Flexible and powerful mechanisms provided by Active Roles for administrative tasks delegation, enforcement of policy rules and approvals, and change tracking ensure tight control of the recovery processes.

To undo deletions, Active Roles relies on the ability of Active Directory Recycle Bin to preserve all attributes, including the link-valued attributes, of the deleted objects. This makes it possible to restore deleted objects to the same state they were in immediately before deletion. For example, restored user accounts regain all group memberships that they had at the time of deletion.

Active Roles can be used to restore deleted objects in any managed domain that has Active Directory Recycle Bin enabled. This requires the forest functional level of Windows Server 2012, so all the forest domain controllers must be running Windows Server 2012. In a forest that meets these requirements, an administrator can enable Recycle Bin by using the Active Directory module for Windows PowerShell in Windows Server 2012. For more information about Active Directory Recycle Bin, see What’s New in AD DS: Active Directory Recycle Bin in the Microsoft Windows Server 2008 documentation.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating