Chat now with support
Chat with Support

Active Roles 8.2.1 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Group Object Deprovisioning

Group Object Deprovisioning policies specify the changes within an organization that make group objects in Active Directory deprovisioned, preventing their use. When initiated, this policy deprovisions the affected group(s) by:

  • Hiding the group(s) in the Global Address List (GAL) to prevent access to the group from Exchange Server client applications, such as Microsoft Outlook.

  • Changing the type of the group(s) from Security to Distribution to revoke access rights from the group.

  • Renaming the group(s) to clearly differentiate them from non-deprovisioned groups.

  • Removing members from the group(s) to revoke user access to resources controlled by the group(s). However, you can also specify members who will not be removed from the group(s).

In addition, you can also configure the policy to change or clear any properties of a group, such as its pre-Windows 2000 name, email address(es), or description.

For a detailed description of this policy, see Concept: Group Object Deprovisioning in the Active Roles Feature Guide.

Configuring a Group Object Deprovisioning policy

You can configure a new Group Object Deprovisioning policy with the Active Roles Console.

To configure a Group Object Deprovisioning policy

  1. On the Policy to Configure page, select Group Object Deprovisioning, then click Next.

    Figure 52: Disable Group

  2. On the Disable Group page, select the options you want the policy to apply when deprovisioning a group. You can select any combination of these options to prevent the use of the group:

    • Change the group type from Security to Distribution: Revokes access rights from deprovisioned groups. This option is applicable only to security groups.

    • Hide the group from the Global Address List (GAL): Prevents access to deprovisioned groups from Exchange Server client applications. This option is applicable to distribution groups or mail-enabled security groups.

    • Rename the group to: Changes the name of the group.

  3. If you selected Rename the group to, specify how you want the policy to update the group name when deprovisioning a group. To do so, click Configure and complete the Configure Value dialog by using the procedure outlined later in this topic. For more information, see Configuring a property update rule.

  4. Click Next.

    Figure 53: Remove members

  5. On the Remove Members page, do one of the following:

    • Click Do not remove members from the group for the policy not to make changes to the membership list of the group.

    • Click Remove all members, with optional exceptions for the policy to remove the members from the group.

  6. If you selected Remove all members, with optional exceptions, specify whether you want the policy not to remove certain objects from deprovisioned groups. Do the following:

    • Select the Keep these objects in the group check box and set up the list of the objects you want the policy not to remove from deprovisioned groups.

    • Leave the check box cleared if you want the policy to remove all members from deprovisioned groups.

  7. Click Next.

    Figure 54: Change Properties

  8. On this page, you can set up a list of group properties you want the policy to update. Each entry in the list includes the following information:

    • Property: When deprovisioning a group, Active Roles will update this property of the group object in Active Directory.

    • LDAP Display Name: Uniquely identifies the property to be updated.

    • Value to Assign: After the deprovisioning operation is completed, the property has the value defined by the rule specified.

    Specify how you want the policy to update properties of the group object when deprovisioning a group:

    • Click Add, then add property rules by completing the Select Object Property dialog.

    • Use View/Edit to modify existing rules.

    • Use Remove to delete existing rules.

  9. Click Next.

  10. On the Enforce Policy page, you can specify objects to which this Policy Object is to be applied:

    • Click Add, and use the Select Objects dialog to locate and select the objects you want.

  11. Click Next, then click Finish.

To complete the Configure Value dialog

  1. Click Add.

  2. Configure an entry to include in the value. For more information, see Configuring entry types.

  3. In the Configure Value dialog, add more entries, delete or edit existing ones, then click OK.

To complete the Select Object Property dialog

  1. From the Object property list, select an object property, then click OK. The Add Value dialog appears.

    If you select multiple properties, the Add Value dialog is not displayed. The properties you have selected are added to the list on the Change Properties page, with the update rule configured to clear those properties, that is, to assign them the empty value.

    Figure 55: Add value

  2. In the Add Value dialog, do one of the following:

    • Select Clear value if you want the update rule to assign the empty value to the property.

    • Select Configure value if you want the update rule to assign a certain, non-empty value to the property. Then, click Configure and complete the Configure Value dialog.

  3. When you are done configuring a value, click OK to close the Add Value dialog. The property name along with the property update rule is added to the wizard page. If necessary, you can modify the update rule by clicking View/Edit beneath the list of properties. This displays a dialog, similar to the Add Value dialog, allowing you to choose a different update option or set up a different value for the ‘property’ must be condition.

Scenario 1: Disabling and renaming the group upon deprovisioning

The policy described in this scenario performs the following functions during the group deprovisioning process:

  • When deprovisioning a security group, change the type of the group to Distribution.

  • When deprovisioning a distribution group, remove the group from the Global Address List.

  • Append this suffix to the group name: - Deprovisioned, followed by the date when the group was deprovisioned.

For example, the policy changes the group name of Partner Marketing to Partner Marketing - Deprovisioned 12/11/2013.

To implement this scenario, you must perform the following actions:

  1. Create and configure the Policy Object that defines the appropriate policy.

  2. Apply the Policy Object to a domain, OU, or Managed Unit.

As a result, when deprovisioning a group, Active Roles disables and renames the group as prescribed by this policy.

Configuring the Group Object Deprovisioning Policy Object

You can create and configure the Policy Object you need by using the New Deprovisioning Policy Object Wizard.

To configure the policy, click Group Object Deprovisioning on the Select Policy Type page of the wizard. Then, click Next.

On the Disable Group page, select these check boxes:

  • Change the group type from Security to Distribution

  • Hide the group from the Global Address List (GAL)

  • Rename the group to

Then, if empty, enter the following name under Rename the group to:

%<name> - Deprovisioned {@date(M/d/yyyy)}

Click Next and follow the instructions in the wizard to create the Policy Object.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating