
Active Roles 8.2.1 - Administration Guide


Minimum required permissions for the Active Roles service account

To properly perform operations on objects on behalf of delegated users, the Active Roles service account requires a number of permissions. One Identity recommends that you make the Active Roles proxy account a member of the Domain Admins group to ensure that Active Roles has all the required access.

You can separate the tasks managed by the Active Roles service account by using domain management to specify different accounts for the Active Roles service and for managing the domain.

The service account credential has five main roles:

  • Accessing local resources on the Active Roles Administration Service host. This requires the Active Roles service account to be a member of the Administrators group on the computer running the Administration Service.

  • Creating the Service Connection Point in Active Directory.

    Once configured, the Administration Service attempts to publish itself in Active Directory, so that Active Roles clients can automatically discover the Administration Service instance.

    NOTE: While this functionality is not critical, if the service publication permissions are not provided, Active Roles clients will not be able to automatically discover the Active Roles Administration Service instance. However, they can still connect to the Administration Service if they specify, in the Active Roles Console, either the service name or the IP address of the computer running the instance.

    For more information, see Service publication in Active Directory in the Active Roles Installation Guide.

  • Running all script modules under the security context of the Active Roles service account. The permissions that custom scripts require will vary according to the needs of the scripts, so review them on a case-by-case basis as a best practice security model.

  • (Optional) Connecting to the Microsoft SQL database. This step might also require specifying an SQL authentication credential.

    In some configurations, assigning these permissions to the service account is optional, because the connection can instead use an SQL authentication credential that has been assigned the necessary permissions.

    For more information on the required SQL Server permissions, see SQL Server Permissions in the Active Roles Installation Guide.

  • (Optional) Synchronizing native permissions to Active Directory. Perform this step only if Active Roles is configured to do so.

    The Active Roles service account must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you want to use the Active Roles security synchronization feature.

NOTE: If you use the service account for domain management, you must also give the service account the permissions for domain management accounts.

NOTE: Due to a known issue (275523), in the Active Roles Console, in Active Directory > <domain-name> - Deleted Objects, opening the Advanced Properties of a deleted object and selecting the Show all possible attributes check box results in an error message and stops the Active Roles Service.

As a workaround, One Identity recommends adding your service account as a member of the Domain Admins group.

Table 1: Permissions required by the Active Roles service account and the group Managed Service Account (gMSA) used as service account

SQL Server

  • Permissions: db_owner

    Requirement reason: Required to use the Configuration and Management History databases.

    Affected features: All Active Roles features that rely on the database (for example, virtual attributes, workflows, policies, Management History, and so on).

  • Permissions: db_creator

    Requirement reason: Required by the Active Roles Service to create the Configuration and Management History databases. You can omit this permission if you pre-create the database.

    Affected features: Creating the database with the Active Roles Installer during initial configuration.

  • Permissions: db_datareader

    Requirement reason: Required on the source database when importing databases.

    Affected features: Database import

Active Roles Server Local Computer (lusrmgr.msc)

  • Permissions: Member of the Administrators group on the local computer

    Requirement reason: Required by the Administration Service account to access local resources on the computer.

    Affected features: Active Roles requires this permission to function properly.

Table 2: Permissions required by the domain management account (service or override account)

ADSI Edit (adsiedit.msc)

  • Permissions: In the System/Aelita sub-container:

      • Create Container objects

      • Create serviceConnectionPoint objects

    In the System container:

      • Delete the serviceConnectionPoint objects

    Requirement reason: Required by the Active Roles Service to publish itself to Active Directory. These permissions are not mandatory, but they help clients automatically discover the Active Roles Service.

    Affected features: Service publication

  • Permissions: Replicating directory changes on the following AD partitions:

      • Domain (Default Naming Context)

      • Configuration

      • Schema

    Requirement reason: The Active Roles Service monitors the AD partitions with directory synchronization (DirSync), and requires this permission to enable domain management capabilities.

    Affected features: Domain management capabilities

  • Permissions: For the Microsoft Exchange container:

      • List contents

      • Read all properties

    Requirement reason: You can set this permission in the Configuration/Services/Microsoft Exchange container via ADSI Edit. It is required for Exchange management. You do not need to set this permission if the service account is a member of the Domain Admins or the Organization Management group.

    Affected features: Exchange management tasks

  • Permissions: For AD:

      • Read permissions

      • Modify permissions

    Requirement reason: Required to modify system-provided AD permissions.

    Affected features: Synchronizing system-provided permissions to AD.

  • Permissions: Access to managed AD LDS instances

    Requirement reason: Commands running under the Active Roles service account's context (for example, scheduled tasks or script modules) are limited by the service account's permissions. Set these permissions based on your needs for the tasks that Active Roles must perform.

    Affected features: Managed AD LDS instance

Active Directory Users And Computers (dsa.msc)

  • Permissions: Full Control on msFVE-RecoveryInformation objects

    Requirement reason: Required to access BitLocker recovery.

    Affected features: BitLocker recovery

  • Permissions: Permissions to the managed domain

    Requirement reason: Commands running under the Active Roles service account's context (for example, scheduled tasks or script modules) are limited by the service account's permissions. Set these permissions based on your needs for the tasks that Active Roles must perform. The permissions of the domain management account can also limit Active Roles capabilities.

    Affected features: Managed domain

  • Permissions: Account Operators security group membership

    Requirement reason: Required for account management.

    Affected features: Account management tasks

Exchange Server

  • Permissions: Recipient Management role group membership

    Requirement reason: Required for Exchange management. For more information, see Manage role group members in Exchange Server in the Microsoft Exchange Server documentation.

    Affected features: Exchange management tasks

  • Permissions: Enabled to use the remote Exchange Management Shell

    Requirement reason: Required for Exchange management. For more information, see Enable Remote Exchange Management Shell for a User in the Microsoft Exchange Server PowerShell documentation.

    NOTE: This permission does not work with gMSA accounts.

    Affected features: Exchange management tasks

CMD (Dsacls)

  • Permissions: View/Write permission for the Deleted objects container

    Requirement reason: For view permission only, run the following command:

    dsacls "CN=Deleted Objects,DC=Domain,DC=com" /g DOMAIN\YourUser:LCRP

    For write permission, run the following commands:

    dsacls "CN=Deleted Objects,DC=Domain,DC=com" /g DOMAIN\YourUser:WPCC

    dsacls dc=Domain,dc=com /g "YourUser:ca;Reanimate Tombstones"

    Affected features: Deleted objects container view

File Servers

  • Permissions: Server Operators or Administrator group membership on file servers hosting home folders.

    Requirement reason: Required to manage home folders within Active Roles.

    Affected features: Home folder operations (for example, autoprovisioning or deprovisioning).
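The table above lists the Active Directory rights the domain management account needs, and the dsacls commands grant them in letter codes (LC = List Contents, RP = Read Property, WP = Write Property, CC = Create Child). The following PowerShell script is an added example, not part of the Active Roles guide or product, that audits whether a given account actually holds those rights, so the account can be verified at least privilege rather than simply being made a Domain Admin. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed and that the caller can read the ACLs of the objects checked; the account name is a placeholder, and the control-access-right GUIDs are the Microsoft-defined schema values, not Active Roles-specific identifiers.

```powershell
# Added example (not Active Roles code): audit the AD rights from Table 2 for one account.
# Assumes the RSAT ActiveDirectory module; the account name below is a placeholder.
Import-Module ActiveDirectory

$Account = 'svc-activeroles'   # placeholder sAMAccountName, constructed for this example

# Control-access-right GUIDs from the AD schema (Microsoft-defined, not Active Roles values).
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$ReanimateTombs = [guid]'45ec5156-db7e-47bb-b53f-dbeb2d03c40f'   # Reanimate-Tombstones
$R = [System.DirectoryServices.ActiveDirectoryRights]

# SIDs of the account plus its direct group memberships, so that rights granted
# through a group (for example Domain Admins) are counted as well.
function Get-AccountSids([string]$SamAccountName) {
    $self = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectSid
    if (-not $self) { throw "Account '$SamAccountName' not found" }
    @($self.objectSid.Value) + @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        ForEach-Object { $_.SID.Value })
}

# Allow ACEs on an object whose trustee is one of the given SIDs.
function Get-MatchingAces([string]$DistinguishedName, [string[]]$Sids) {
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or unresolvable trustee, not relevant here
        if ($sid -in $Sids) { $ace }
    }
}

# True if a matching ACE grants $Right. For an extended right the ACE must either
# name that right in ObjectType or apply to all rights (empty ObjectType).
function Test-AdRight([string]$DistinguishedName, [string[]]$Sids,
                      [System.DirectoryServices.ActiveDirectoryRights]$Right,
                      [guid]$ExtendedRight = [guid]::Empty) {
    foreach ($ace in Get-MatchingAces $DistinguishedName $Sids) {
        if (($ace.ActiveDirectoryRights -band $Right) -eq 0) { continue }
        if ($ExtendedRight -eq [guid]::Empty -or $ace.ObjectType -in @($ExtendedRight, [guid]::Empty)) {
            return $true
        }
    }
    return $false
}

$sids       = Get-AccountSids $Account
$rootDse    = Get-ADRootDSE
$domain     = Get-ADDomain
$exchangeDN = "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"
$deletedDN  = $domain.DeletedObjectsContainer

# One check per row of Table 2 that is expressed as an AD ACL.
$checks = [ordered]@{
    'Replicating Directory Changes: Domain'        = { Test-AdRight $rootDse.defaultNamingContext       $sids $R::ExtendedRight $ReplGetChanges }
    'Replicating Directory Changes: Configuration' = { Test-AdRight $rootDse.configurationNamingContext $sids $R::ExtendedRight $ReplGetChanges }
    'Replicating Directory Changes: Schema'        = { Test-AdRight $rootDse.schemaNamingContext        $sids $R::ExtendedRight $ReplGetChanges }
    'Exchange container: List contents'            = { Test-AdRight $exchangeDN $sids $R::ListChildren }
    'Exchange container: Read all properties'      = { Test-AdRight $exchangeDN $sids $R::ReadProperty }
    'Deleted Objects: view (LC + RP)'              = { (Test-AdRight $deletedDN $sids $R::ListChildren) -and
                                                       (Test-AdRight $deletedDN $sids $R::ReadProperty) }
    'Deleted Objects: write (WP + CC)'             = { (Test-AdRight $deletedDN $sids $R::WriteProperty) -and
                                                       (Test-AdRight $deletedDN $sids $R::CreateChild) }
    'Domain: Reanimate Tombstones'                 = { Test-AdRight $domain.DistinguishedName $sids $R::ExtendedRight $ReanimateTombs }
}

foreach ($name in $checks.Keys) {
    # The Deleted Objects ACL is not readable until view permission has been granted
    # (the first dsacls command in the table), so an access error is reported, not fatal.
    try   { $result = if (& $checks[$name]) { 'granted' } else { 'MISSING' } }
    catch { $result = "could not read ACL: $($_.Exception.Message)" }
    '{0,-48} {1}' -f $name, $result
}
```

Run the script as a user who can read the security descriptors of the partitions and of the Deleted Objects container; a "MISSING" line names the exact Table 2 row still to grant, and a "could not read ACL" line on the Deleted Objects container is the expected state before the view permission exists. Because group SIDs are included, a row that is satisfied only through Domain Admins membership shows as granted, which is the case to look for when moving the account to an explicitly delegated set of rights.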

Configuring rule-based administrative views

To provide additional flexibility beyond the default Active Directory and Azure AD capabilities in managing directory resources, Active Roles supports creating, editing and deleting securable, flexible, rule-based administrative views, known as Managed Units (MUs).

With MUs, administrators can configure distributed administration units independent of the OU hierarchy. As such, MUs are dynamic virtual collections of AD or Azure AD directory objects, and may include them regardless of their location in the organization network.

TIP: For more information on Managed Units and their main features, see Managed Units in the Active Roles Feature Guide.

Administering Managed Units

This section guides you through the Active Roles Console to administer Managed Units.

Creating a Managed Unit

You can create a new Managed Unit (MU) in the Active Roles Console.

Prerequisites

To create MUs in the Active Roles Console, you must use an Active Roles Administration Service account. For more information, see Configuring the Administration Service account in the Active Roles Installation Guide.

To create a new Managed Unit (MU) in the Active Roles Console

  1. In the Active Roles Console, on the Console tree, navigate to Configuration > Managed Units.

  2. To open the New Object - Managed Unit wizard, right-click the Managed Units node, then click New > Managed Units.

    TIP: If you need to manage a large number of MUs in your organization, One Identity recommends creating separate MU containers for your specific MUs.

    To create a new container for the configured MU, right-click on the Managed Units node, then click New > Managed Unit Container.

    Figure 1: Active Roles Console – Launching the Managed Unit Container dialog

    Once the new container is created, right-click it in the Console tree and select New > Managed Unit to create a new MU in the container. To move an existing, non-built-in MU to the container, right-click the MU, and select Move.

  3. In the Name step, specify a Name and, optionally, a Description for the new MU. This name and description will appear in the Active Roles details pane when selecting the MU.

    Figure 2: New Object - Managed Unit wizard – Specifying the Name and Description

    To continue, click Next.

  4. To specify a new membership rule for the MU, in the Membership rule step, click Add.

    Membership rules define which directory objects get assigned to the MU. Active Roles populates the MU dynamically based on the configured rules, adding objects that match the rule criteria and later removing those that no longer do.

    Figure 3: New Object - Managed Unit wizard – Membership rule list

  5. In the Membership Rule Type dialog, select the rule type used to populate the MU. A membership rule can be a search query, a static object inclusion or exclusion rule, or a group membership inclusion or exclusion rule.

    Figure 4: New Object - Managed Unit wizard – Membership rule type selection

    Active Roles supports the following membership rule types:

    Table 3: Managed Unit membership rules (each rule name is followed by its description)
    Include Explicitly

    Includes the Active Directory (AD) or Azure Active Directory (Azure AD) objects you select in the wizard.

    Once selected, Active Roles will keep the objects included in the MU even if they are updated, renamed, or moved elsewhere within your organization directory.

    Include by Query

    Lets you define a custom query that the AD or Azure AD objects must match to be included in the MU. The query editor dialog lets you select the object type and location (such as AD domain or Azure tenant), then dynamically populates the dialog with settings according to the object type you selected.

    The dialog also offers Advanced query settings to configure queries by specifying the following elements to check:

    • Object types and properties

    • Logical conditions

    • Specified values

    Once you configure a query, you can test it with the Preview Rule button.

    NOTE: Consider the following when configuring a custom query:

    • The contents of the Condition drop-down list are static, and may contain logical conditions that do not work with the selected object attribute (for example, selecting Greater or equal for the edsaAzureManager Azure AD attribute returns no results). Always make sure to select a logical condition against which Active Roles can enumerate the value of the selected Azure attribute.

    • When querying Azure object attributes, the Ends with condition returns results only if you specify whole words. The only exceptions to this behavior are the mail, otherMails, userPrincipalName and proxyAddresses attributes, where Ends with can properly query the values that end with your specified string.

    • Due to Graph API limitations, you cannot query Azure objects with the following condition operators:

      • Contains

      • Present

      For more information, see Support for filter by properties of Microsoft Entra ID (directory) objects in the Microsoft Graph documentation.

    • You can query the edsaAzureManager attribute with the Is not condition only if the query rule is used in an AND relationship with another query rule. Querying the edsaAzureManager attribute with the Is not condition returns no results if the query rule is used alone or in an OR relationship.

    • When creating a Managed Unit for Azure objects, the Select Object Property dialog lists only the Azure attributes that Active Roles can query via Graph API.

    Include Group Members

    Includes the members of the selected AD or Azure AD groups.

    Once selected, Active Roles will keep the MU membership dynamically up-to-date: if new members are added to the selected groups, Active Roles will also include them in the MU; and likewise, members removed from the included groups will also be removed from the MU.

    Exclude Explicitly

    Excludes the AD or Azure AD objects you select from the MU.

    Once selected, Active Roles will keep the objects excluded from the MU even if they are updated, renamed, or moved elsewhere within your organization directory.

    NOTE: Consider the following when selecting this membership rule:

    • The Exclude Explicitly rule takes precedence over all other membership rule types. Because of this, Active Roles will exclude the objects specified with this rule, even if another rule specifies that Active Roles must include them in the MU.

    • This rule excludes only objects that match one of the inclusion rules of the MU.

    Exclude by Query

    Lets you define a custom query that the AD or Azure AD objects must match to be excluded from the MU. Once configured, Active Roles will automatically exclude objects that meet the query conditions.

    The query editor works and functions the same way as it does when configuring an Include by Query rule, and also shares the same limitations listed there.

    NOTE: This rule excludes only objects that match one of the inclusion rules of the MU.

    Exclude Group Members

    Excludes the members of the selected AD or Azure AD groups.

    Once selected, Active Roles will keep the MU membership dynamically up-to-date: if new members are added to any of the selected groups, Active Roles will exclude them from the MU. Likewise, if a member is removed from all specified groups, Active Roles will add them to the MU, provided that the member meets a configured inclusion rule.

    NOTE: This rule excludes only objects that match one of the inclusion rules of the MU.

    Retain Deprovisioned

    Configures the MU to also include and keep deprovisioned objects that meet the membership rules.

    If this rule is not selected, Active Roles automatically removes deprovisioned objects from the MU.

    NOTE: The exclusion rules affect only objects that match one of the inclusion rules configured for the MU.

    For example, if a container is explicitly included in an MU, then all objects held in that container are also included in the MU. However, you cannot exclude any of those objects themselves with exclusion rules, as it is their container that meets the inclusion rules in this case. To exclude the objects of the container, you must configure an exclusion rule for the container instead.

  6. Configure the selected membership rule:

    • If you selected the Include Explicitly or Exclude Explicitly rule type, the Select Objects dialog appears. Select the objects you want to include or exclude from the MU, click Add, then click OK.

    • If you selected the Include Group Members or Exclude Group Members rule type, the Select Objects dialog appears, listing the available groups. Select the AD or Azure AD groups you want to include or exclude, click Add, then click OK. All members of the selected groups will be included in or excluded from the MU.

    • If you selected the Include by Query or Exclude by Query rule type, the Create Membership Rule dialog appears. Use the dialog to configure your inclusion or exclusion rule.

  7. (Optional) To configure additional rules, click Add again.

    NOTE: If you add several membership rules to an MU, Active Roles runs them in the order you configured them. If some of the configured rules conflict with each other, Active Roles resolves the conflict by prioritizing the configured Exclude rules over the configured Include rules.

  8. Once you have finished adding all membership rules, click Next.

  9. (Optional) In the Object Security / Policy Objects step, specify the permissions and policy objects related to the configured MU.

    Figure 5: New Object - Managed Unit wizard – Access Template and Policy Object links

  10. To finish configuring the MU, click Next, then click Finish.
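The rule types in Table 3 and the notes in steps 5 and 7 define how several membership rules combine: Exclude rules win over Include rules, an exclusion only prunes objects that themselves matched an inclusion rule, an explicitly included container brings its contents with it (so excluding one of those objects has no effect), and deprovisioned objects are dropped unless Retain Deprovisioned is set. The following PowerShell script is an added example, not Active Roles code or data, that models exactly those stated rules over a constructed directory so the precedence can be checked before a real MU is configured. The directory entries, the rule hashtable shapes and the function names are all assumptions made for the example; Active Roles evaluates real LDAP and Graph queries, whereas the Query rule here is a plain script block.

```powershell
# Added example (not Active Roles code): a model of how MU membership rules combine.
# Constructed sample directory: objects with their group memberships (not real data).
$Directory = @(
    [pscustomobject]@{ DN = 'OU=Sales,DC=example,DC=com';                Type = 'organizationalUnit'; Groups = @();                         Deprovisioned = $false }
    [pscustomobject]@{ DN = 'CN=Alice,OU=Sales,DC=example,DC=com';       Type = 'user';               Groups = @('Managers');               Deprovisioned = $false }
    [pscustomobject]@{ DN = 'CN=Bob,OU=Sales,DC=example,DC=com';         Type = 'user';               Groups = @();                         Deprovisioned = $true  }
    [pscustomobject]@{ DN = 'CN=Carol,OU=Engineering,DC=example,DC=com'; Type = 'user';               Groups = @('Managers', 'Contractors'); Deprovisioned = $false }
    [pscustomobject]@{ DN = 'CN=Dave,OU=Engineering,DC=example,DC=com';  Type = 'user';               Groups = @('Contractors');            Deprovisioned = $false }
    [pscustomobject]@{ DN = 'CN=Erin,OU=Engineering,DC=example,DC=com';  Type = 'user';               Groups = @();                         Deprovisioned = $false }
)

# Does one rule match an object directly? Container contents are expanded later,
# which is what makes "exclude a child of an included container" a no-op.
function Test-RuleMatch($Rule, $Object) {
    switch -Wildcard ($Rule.Kind) {
        '*Explicitly'   { return $Object.DN -in $Rule.Objects }
        '*ByQuery'      { return [bool](& $Rule.Query $Object) }
        '*GroupMembers' { return [bool]($Object.Groups | Where-Object { $_ -in $Rule.Groups }) }
        default         { return $false }
    }
}

function Resolve-MuMembership([object[]]$Directory, [hashtable[]]$Rules) {
    $includes = @($Rules | Where-Object { $_.Kind -like 'Include*' })
    $excludes = @($Rules | Where-Object { $_.Kind -like 'Exclude*' })
    $retain   = [bool]($Rules | Where-Object { $_.Kind -eq 'RetainDeprovisioned' })

    # 1. Objects that satisfy at least one inclusion rule.
    $matched = $Directory | Where-Object { $o = $_; @($includes | Where-Object { Test-RuleMatch $_ $o }).Count -gt 0 }
    # 2. Exclusion rules take precedence, but only over objects that matched in step 1.
    $kept = $matched | Where-Object { $o = $_; @($excludes | Where-Object { Test-RuleMatch $_ $o }).Count -eq 0 }
    # 3. An included container brings every object below it into the MU.
    $members = foreach ($k in $kept) {
        $k
        if ($k.Type -in @('organizationalUnit', 'container')) {
            $Directory | Where-Object { $_.DN -like "*,$($k.DN)" }
        }
    }
    # 4. Deprovisioned objects stay only when the Retain Deprovisioned rule is present.
    if (-not $retain) { $members = $members | Where-Object { -not $_.Deprovisioned } }
    $members | ForEach-Object DN | Sort-Object -Unique
}

# Constructed rule set; the Kind values mirror the Table 3 rule names.
$Rules = @(
    @{ Kind = 'IncludeExplicitly';   Objects = @('OU=Sales,DC=example,DC=com') }                # the Sales OU and everything in it
    @{ Kind = 'IncludeByQuery';      Query = { param($o) $o.Type -eq 'user' -and $o.DN -like '*,OU=Engineering,*' } }
    @{ Kind = 'ExcludeGroupMembers'; Groups = @('Contractors') }                                 # prunes Carol and Dave, who matched the query
    @{ Kind = 'ExcludeExplicitly';   Objects = @('CN=Bob,OU=Sales,DC=example,DC=com') }           # no effect: Bob is in only through his container
    @{ Kind = 'RetainDeprovisioned' }                                                           # keeps Bob even though he is deprovisioned
)
Resolve-MuMembership -Directory $Directory -Rules $Rules
```

With this rule set, Carol and Dave are pruned because they matched the query and an Exclude rule also matches them, while Bob's explicit exclusion changes nothing because only his container satisfied an inclusion rule; removing the RetainDeprovisioned entry from $Rules drops Bob, and adding an ExcludeExplicitly rule for the Sales OU itself removes Alice and Bob together, which is the container-level exclusion the note under Table 3 describes.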
