Active Roles 8.2.1 - Administration Guide

Example: Using multiple rules with a User Logon Name Generation Policy Object

The policy described in this scenario uses multiple rules to generate the pre-Windows 2000 user login name for users with the same name, so that it does not need to rely on a uniqueness number. The rules are as follows:

  1. The user name is generated from the first character of the user's first name, followed by the user's last name.

  2. If a user with the same name already exists, the user name is generated from the first two characters of the user's first name, followed by the user's last name.

  3. If two users with the same name already exist, the user name is generated from the first three characters of the user's first name, followed by the user's last name.

  4. The length of the generated name cannot be longer than 8 characters under any circumstances. If the name is longer than 8 characters, the trailing characters are truncated as needed.

A policy that follows these naming rules generates the following names for users named "Jordan Smithson":

  • JSmithso, if the name is unique within the scope of the Policy Object.

  • JoSmiths, if JSmithso already exists.

  • JorSmit, if JSmithso and JoSmiths already exist.

For the steps of creating this policy, see Configuring a User Logon Name Generation Policy Object with multiple rules. Once the policy is in place, the Active Roles user interface displays a Generate button that creates login names according to the configured policy rules. In case of a naming conflict, clicking Generate causes the policy to apply the subsequent rule.

Configuring a User Logon Name Generation Policy Object with multiple rules

You can create the User Logon Name Generation policy described in Example: Using multiple rules with a User Logon Name Generation Policy Object with the New Provisioning Policy Object Wizard.

To create and configure a User Logon Name Generation Policy Object to use multiple rules

  1. In the Console tree, navigate to Configuration > Policies > Administration.

  2. To open the New Provisioning Policy Object Wizard dialog, right-click Administration, then select New > Provisioning Policy.

  3. On the Name and Description page, provide a unique Name for the new Policy Object. Optionally, also provide a Description. To continue, click Next.

  4. Select the User Logon Name Generation policy type for configuration. Click Next.

    For more information, see Configuring a User Logon Name Generation policy.

  5. In the User Logon Name (pre-Windows 2000) Generation Rules step, click Add.

  6. To configure the policy so that it includes the first character of the user's first name, set the Configure Value dialog with the following steps:

    1. To open the Add Entry window, click Add.

    2. Under Entry type, click User Property, then click Select.

    3. In the Select Object Property window, in the Object property list, click First Name, then click OK.

    4. Under Entry properties, select The first, and in the field enter 1.

    5. To apply the value setting for the entry, click OK.

  7. To configure the policy so that it includes the user's last name, set the Configure Value dialog with the following steps:

    1. Under Entry type, click User Property.

    2. Under Entry properties, click Select.

    3. In the Select Object Property window, in the Object property list click Last Name, then click OK.

    4. To apply the value setting for the entry, click OK.

  8. To close the Configure Value dialog, click OK.

  9. To configure the policy so that it includes the first two characters of the user's first name, set the Configure Value dialog with the following steps:

    1. To open the Add Entry window, click Add.

    2. Under Entry type, click User property.

    3. Under Entry properties, click Select.

    4. In the Select Object Property window, in the Object property list click First Name, then click OK.

    5. Under Entry properties, select The first, and in the field enter 2.

    6. To apply the value setting for the entry, click OK.

  10. To configure the policy so that it includes the user's last name, set the Configure Value dialog with the following steps:

    1. Under Entry type, click User Property.

    2. Under Entry properties, click Select.

    3. In the Select Object Property window, in the Object property list click Last Name, then click OK.

    4. To apply the value setting for the entry, click OK.

  11. To close the Configure Value dialog, click OK.

  12. Repeat the previous three steps and their substeps, but set The first entry property to 3 instead of 2, so that the rule includes the first three characters of the user's first name.

    After you complete these steps, the list of entries in the Configure Value dialog must look like the following image.

    Figure 25: Generation rules

  13. Click Next, then follow the instructions in the wizard to create (and optionally, immediately apply) the Policy Object.

  14. To apply the Policy Object:

    • Use the Enforce Policy page in the New Policy Object Wizard.

    • Alternatively, complete the New Policy Object Wizard, then use the Enforce Policy command on the domain, OU, or Managed Unit where you want to apply the policy.

    For more information on how to apply a Policy Object, see Linking Policy Objects to directory objects.
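
The fallback chain that rules 1 to 4 of the example describe, and that the procedure above configures as three generation rules, can be modelled offline to preview which names a batch of new accounts would receive and where the rules run out. The following PowerShell sketch is an added illustration, not Active Roles code or part of the original guide. The function name `Get-LogonNameCandidate`, the sample users and the case-insensitive comparison of existing names are assumptions, and the `$null` result only reports that every rule collided, because this page does not describe what the product does in that case.

```powershell
# Added illustration: models the rule chain from this page; not Active Roles code.
function Get-LogonNameCandidate {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [System.Collections.Generic.HashSet[string]]$Taken,
        [int[]]$PrefixLengths = @(1, 2, 3),  # rules 1-3: first N characters of first name
        [int]$MaxLength = 8                  # rule 4: hard cap, trailing characters dropped
    )
    for ($i = 0; $i -lt $PrefixLengths.Count; $i++) {
        # A first name shorter than N contributes all of its characters.
        $take = [Math]::Min($PrefixLengths[$i], $FirstName.Length)
        $name = $FirstName.Substring(0, $take) + $LastName
        if ($name.Length -gt $MaxLength) { $name = $name.Substring(0, $MaxLength) }
        # Add() returns $false when the name is already present, so a free
        # candidate is reserved in the same call that tests it.
        if ($Taken.Add($name)) {
            return [pscustomobject]@{ Name = $name; Rule = $i + 1 }
        }
    }
    return $null  # every configured rule produced a name that is already taken
}

# Constructed sample data: an empty name set (assumed case-insensitive) and a batch of users.
$taken = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
$batch = @(
    @{ First = 'Jordan'; Last = 'Smithson' },
    @{ First = 'Jordan'; Last = 'Smithson' },
    @{ First = 'Jordan'; Last = 'Smithson' },
    @{ First = 'Jordan'; Last = 'Smithson' },   # fourth identical name: no rule left
    @{ First = 'John';   Last = 'Smithson' },   # different person, same rule 1 and 2 candidates
    @{ First = 'Al';     Last = 'Smithson' },
    @{ First = 'Al';     Last = 'Smithson' },
    @{ First = 'Al';     Last = 'Smithson' }    # two-letter first name: rule 3 repeats rule 2
)

foreach ($u in $batch) {
    $r = Get-LogonNameCandidate -FirstName $u.First -LastName $u.Last -Taken $taken
    [pscustomobject]@{
        User      = "$($u.First) $($u.Last)"
        LogonName = if ($r) { $r.Name } else { '(no rule left)' }
        Rule      = if ($r) { $r.Rule } else { '-' }
    }
}
```

The rows marked "(no rule left)" are the cases to plan for before enforcing the policy: a chain of three prefix rules can serve at most three accounts whose candidates coincide, and users with different first names can consume each other's candidates.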

E-mail Alias Generation

E-mail Alias Generation policies automate the assignment of the email alias when designating a user as mailbox-enabled on Microsoft Exchange Server. By default, Microsoft Exchange Server provides the following recipient email address format: <email-alias>@<domain-name>.

For a detailed description of this policy, see Concept: E-mail Alias Generation in the Active Roles Feature Guide.

Configuring an E-mail Alias Generation policy

You can configure a new E-mail Alias Generation policy with the Active Roles Console.

To configure an E-mail Alias Generation policy

  1. On the Policy to Configure page, select E-mail Alias Generation, and click Next.

  2. On the E-mail Alias Generation Rule page, do the following:

    • Select one of the preconfigured generation rules, or create a custom alias-generation rule. To create a custom rule, click Other combination of user properties, click Configure, and complete the Configure Value dialog as described later in the procedure.

    • To allow manual editing of the email alias, select Allow manual edits of e-mail alias. Then, do one of the following:

      • Click Always to authorize the operator who creates or updates the user account to modify the email alias.

      • Click Only if a unique alias cannot be generated by this policy to allow manual changes only in the situation where a policy-generated alias is already assigned to a different user account.

    Click Next.

  3. On the Enforce Policy page, you can specify objects to which this Policy Object is to be applied:

    • Click Add, and use the Select Objects dialog to locate and select the objects you want.

  4. Click Next, then click Finish.

To complete the Configure Value dialog

  1. Click Add.

  2. Configure an entry to include in the value. For more information, see Configuring entry types.

  3. In the Configure Value dialog, add more entries, delete or edit existing ones, and click OK.
