Chat now with support
Chat with Support

Active Roles 8.2 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Converting a user mailbox to a linked mailbox

Once Exchange Resource Forest Management (ERFM) is set up for your organization, you can convert the existing user mailboxes of your users to linked mailboxes. This is typically required if your organization had already contained users with regular Exchange user mailboxes before configuring linked mailboxes with ERFM.

To convert a user mailbox to a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to your resource forest containing the Exchange server and the shadow accounts.

  2. In the container of your users, select the user whose mailbox you want to convert.

  3. To start the mailbox conversion, in the list of actions available for the selected mailbox, click Convert to Linked Mailbox.

  4. Under Linked master account, click Change and select the user in the account forest whose mailbox you are converting. To do so, specify the account forest in the Search in field, then enter the name of the user in the Search field. Once the Select Object window lists the user, select it and click OK.

  5. To apply your changes, click Finish.

Active Roles then performs the following actions:

  1. It changes the specified user mailbox to a linked mailbox.

  2. It specifies the user selected in the account forest as the master user account.

  3. It changes the user associated with the mailbox in the resource forest to a shadow account.

Converting a linked mailbox to a user mailbox

You can convert existing linked mailboxes configured with Exchange Resource Forest Management (ERFM) to user mailboxes. This is typically required during organizational changes or IT infrastructure migrations.

When you convert an existing linked mailbox to a user mailbox, Active Roles performs the following changes:

  1. The former master user account in the account forest becomes an external user, and can no longer access the mailbox.

  2. The former shadow account becomes the new user account associated with the mailbox in the resource forest.

To convert a linked mailbox to a user mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to your resource forest containing the Exchange server and the shadow accounts.

  2. In the container of your users, select the user whose mailbox you want to convert.

  3. To start the mailbox conversion, in the list of actions available for the selected mailbox, click Convert to User Mailbox.

  4. To apply your changes, click OK.

  5. Following the mailbox conversion, the user mailbox will be in a disabled state. To enable it, in the list of actions available for the selected mailbox, click Enable Account.

  6. After the account is enabled, you must also reset the account password. To do so, in the list of actions available for the selected mailbox, click Reset Password.

  7. In the Reset Password window, configure the following settings:

    Figure 141: Active Roles Web Interface – Resetting the password of a converted user mailbox

    • Password and Confirm password: The initial password of the user and the corresponding password confirmation field. You can specify the password either manually, or Generate one with Active Roles that follows the password policy requirements of your organization.

      To clear the specified password, click Clear. To spell out each character of the password for clarification, click Spell out.

      Figure 142: Active Roles Web Interface – Spelling out the characters of the generated or specified password

    • Account options: Use these options to specify additional security settings for the user (for example, to have them change the configured password during their next login attempt, or have the configured password expire after some time).

  8. To apply your changes, click Finish.

Deprovisioning a user with a linked mailbox

You can deprovision users with linked mailboxes by using the Deprovision action of the Active Roles Web Interface. When doing so, Active Roles, by default:

  • Disables the user account, and resets the user password to a random value.

  • Removes the user from all assigned security and distribution groups.

  • Disables the linked mailbox.

  • Disables the home folder of the user.

Optionally, deprovisioning also lets you relocate deprovisioned users to a specific folder, and even schedule them for deletion after some time.

One Identity typically recommends deprovisioning users instead of deleting them and their mailboxes, if the user is affected by an organizational change, suspension, or longer periods of time off work. You can undo the effects of deprovisioning later and reinstate the user with the Undo Deprovisioning action of the Active Roles Web Interface.

When a user with a linked mailbox configured via Exchange Resource Forest Management (ERFM) is deprovisioned, Active Roles runs all deprovisioning policies applied to the Active Directory (AD) container holding the shadow account, including any mailbox deprovisioning policies in effect in your organization.

TIP: Besides deprovisioning, you can also disable users by using the Disable Account action. Disabling a user account with a linked mailbox prevents the user from logging in and accessing their resources, but it does not remove the user from their groups, and does not disable the mailbox and the user home folder. One Identity recommends disabling user accounts instead of completely deprovisioning them if the organization still needs to access the user resources (such as the home folder or the mailbox).

To disable a user account, in the Active Roles Web Interface, navigate to the OU where your user is stored in the Directory Management > Tree > Active Directory node, select the user, and in the list of actions available for the selected user, click Disable Account.

Prerequisites

To deprovision users with linked mailboxes configured via ERFM, make sure that the mailbox deprovisioning policies of your organization (for example, the built-in Exchange Mailbox Deprovisioning policy) are applied to the container that holds the shadow accounts in the resource forest, instead of the container of the master user accounts in the account forest. By default, the deprovisioning workflow runs the following built-in policies for users with linked mailboxes:

  • Built-in policy - User Default Deprovisioning

  • Built-in policy - ERFM - Mailbox Management

For more information on deprovisioning policies, see Configuring Deprovisioning Policy Objects.

To deprovision a user with a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 143: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. Select the master user account that you want to deprovision, and in the list of available actions, click Deprovision.

  3. To confirm deprovisioning, click OK.

Active Roles then performs deprovisioning of the master user account and its associated shadow account. After the process is completed, it displays the operation summary of deprovisioning.

TIP: To verify that Active Roles also deprovisioned the shadow account, in the Active Roles Web Interface, navigate to the user container of your shadow accounts in the Directory Management > Tree > Active Directory node of the resource forest, select the shadow account, and from the list of actions available for the shadow account, click Deprovisioning Results.

Undo deprovisioning for a user with a linked mailbox (re-provisioning)

You can undo the deprovisioning of users with linked mailboxes by using the Undo Deprovisioning action of the Active Roles Web Interface. When re-provisioning a user, Active Roles rolls back the changes of the deprovisioning policies in effect in your organization by:

  • Restoring access to the user account.

  • Reassigning the user to all security and distribution groups it was originally a member of.

  • Re-enabling the linked mailbox.

  • Re-enabling the home folder of the user.

Re-provisioning a deprovisioned user is typically required if the person is reinstated in your organization: for example, their suspension is lifted or they are returning to work from an extended leave.

When re-provisioning a user with a linked mailbox, Active Roles first re-provisions the master account, then re-provisions the shadow account. After the shadow account is re-provisioned, the linked mailbox also returns to its original provisioned state.

Prerequisites

Active Roles can perform the Undo Deprovisioning action on the shadow account of a re-provisioned master account only if the Active Directory (AD) container holding the deprovisioned master accounts is in the scope of the Built-in Policy - ERFM - Mailbox Management policy, or a copy of that policy.

Therefore, if the deprovisioning workflow of your organization moves deprovisioned master accounts to a container separate from provisioned master accounts, make sure that the Built-in Policy - ERFM - Mailbox Management policy is also applied to the container where the deprovisioned master accounts are stored. For more information on configuring the policy, see Applying the ERFM Mailbox Management policy to an OU.

To undo the deprovisioning of a user with a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 144: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. Select the deprovisioned master user account for which you want to undo deprovisioning. Then, in the list of available actions, click Undo Deprovisioning.

  3. To confirm the restoration of the user account, click OK.

  4. In the Password Options dialog, configure the password settings of the restored user:

    • Leave the password unchanged: The user account will be re-provisioned with its original password. Select this option if the user password will be reset by an organizational workflow outside the scope of Active Roles (for example by helpdesk, or another password management solution).

    • Reset the password: Select this option to immediately change the password of the re-provisioned user in Active Roles, either by specifying a new password manually, or generating one that meets the password policy requirements of your organization.

      To clear the specified password, click Clear. To spell out each character of the password for clarification, click Spell out.

      Figure 145: Active Roles Web Interface – Spelling out the characters of the generated or specified password

    • Account options: Use these options to specify additional security settings for the user (for example, to have them change the configured password during their next login attempt, or have the configured password expire after some time).

  5. To apply your changes, click OK.

Active Roles then re-provisions the master user account, the shadow user account and the linked mailbox.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating