Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.3 - Administration Guide for Connecting to Active Directory

Table of Contents

Managing Active Directory environments

Architecture overview One Identity Manager users for managing Active Directory Configuration parameters for managing Active Directory environments

Synchronizing an Active Directory environment

Setting up initial synchronization with an Active Directory domain

Users and permissions for synchronizing with Active Directory Communications ports and firewall configuration Setting up the Active Directory synchronization server

System requirements for the Active Directory synchronization server Installing One Identity Manager Service with an Active Directory connector

Creating a synchronization project for initial synchronization of an Active Directory domain

Information required to set up a synchronization project Creating an initial synchronization project for Active Directory domains

Configuring the synchronization log

Adjusting the synchronization configuration for Active Directory environments

Configuring synchronization in Active Directory domains Configuring synchronization of several Active Directory domains Supporting POSIX extensions Changing system connection settings of Active Directory domains

Editing connection parameters in the variable set Editing target system connection properties

Updating schemas Speeding up synchronization with revision filtering Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization

Running synchronization

Starting synchronization Deactivating synchronization Displaying synchronization results Synchronizing single objects

Tasks following synchronization

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing Active Directory user accounts and Active Directory contacts through account definitions

Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)

Managing Active Directory user accounts and identities

Account definitions for Active Directory user accounts and Active Directory contacts

Creating account definitions Editing account definitions Main data for account definitions Editing manage levels Creating manage levels Assigning manage levels to account definitions Main data for manage levels Creating mapping rules for IT operating data Entering IT operating data Modify IT operating data Assigning account definitions to identities

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all identities Assigning account definitions directly to identities Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to Active Directory domains Deleting account definitions

Assigning identities automatically to Active Directory user accounts

Editing search criteria for automatic identity assignment Finding identities and directly assigning them to user accounts Changing manage levels for Active Directory user accounts Changing manage levels for Active Directory contacts

Supported user account types

Default user accounts Administrative user accounts

Providing an administrative user account for one identity Providing an administrative user account for multiple identities

Privileged user accounts

Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts

Managing memberships in Active Directory groups

Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers

Prerequisites for indirect assignment of Active Directory groups Assigning Active Directory groups to departments, cost centers and locations Assigning Active Directory groups to business roles Adding Active Directory groups to system roles Adding Active Directory groups to the IT Shop Adding Active Directory groups automatically to the IT Shop Assigning Active Directory user accounts directly to Active Directory groups Assigning Active Directory groups directly to Active Directory user accounts Assigning Active Directory contacts directly to Active Directory groups Active Directory Assign groups directly to Active Directory Contacts Assigning Active Directory computers directly to Active Directory groups Assigning Active Directory groups directly to Active Directory computers

Effectiveness of membership in Active Directory user groups Active Directory group inheritance based on categories Overview of all assignments

Login credentials for Active Directory user accounts

Password policies for Active Directory user accounts

Predefined password policies Using password policies Creating password policies Using password policies General main data of password policies Policy settings Character classes for passwords Custom scripts for password requirements

Script for checking passwords Script for generating a password

Editing the excluded list for passwords Verifying passwords Testing password generation

Initial password for new Active Directory user accounts Email notifications about login data

Mapping Active Directory objects in One Identity Manager

Active Directory domains

General main data for Active Directory domains Global account policies for Active Directory domains Active Directory specific main data for Active Directory domains Defining categories for the inheritance of Active Directory groups Displaying information about the Active Directory forest Entering and testing trusted Active Directory domains Active Directory account policies for Active Directory domains

Creating and editing Active Directory account policies General main data for an Active Directory account policy Guidelines for Active Directory account guidelines Assigning Active Directory account policies to Active Directory user account and Active Directory groups

Editing the synchronization project for an Active Directory domain Monitoring the number of memberships in Active Directory groups and Active Directory containers

Active Directory container structures

Creating and editing Active Directory containers Main data for Active Directory containers Assigning extended properties to Active Directory containers Deleting Active Directory containers Moving an Active Directory container Displaying the Active Directory container overview

Active Directory user accounts

Creating and editing Active Directory user accounts General main data of Active Directory user accounts Password data for Active Directory user accounts Active Directory user account home directory and profile directory Login credentials for Active Directory user accounts Dial-in access using Remote Access Service (RAS) for Active Directory user accounts Terminal server connection data for Active Directory user accounts Extension data for Active Directory user accounts Further data for identifying Active Directory user accounts Contact information for Active Directory user accounts POSIX properties for Active Directory user accounts Assigning Active Directory account policies to Active Directory user accounts Assigning secretaries to Active Directory user accounts Assigning extended properties to Active Directory user accounts Disabling Active Directory user accounts Deleting and restoring Active Directory user accounts

Procedure for deleting Active Directory user account in One Identity Manager Handling of user directories when deleting Active Directory user accounts

Unlocking Active Directory user accounts Moving Active Directory user accounts Displaying the Active Directory user account overview Displaying Microsoft Entra ID user accounts for Active Directory user accounts

Active Directory contacts

Creating and editing Active Directory contacts General main data for Active Directory contacts Contact data for Active Directory contacts Further data for identifying Active Directory contact Extension data for Active Directory contacts POSIX properties for Active Directory contacts Assigning secretaries to Active Directory contacts Assigning extended properties to Active Directory contacts Deleting and restoring Active Directory contacts Moving Active Directory contacts Displaying the Active Directory contact overview

Active Directory groups

Creating and editing Active Directory groups General main data of Active Directory groups Extension data for Active Directory groups POSIX properties for Active Directory groups Validity of group memberships Adding Active Directory groups to Active Directory groups Assigning Active Directory account policies to Active Directory groups Assigning secretaries to Active Directory groups Assigning extended properties to Active Directory groups Deleting Active Directory groups Moving Active Directory groups Displaying the Active Directory group overview Displaying Microsoft Entra ID groups for Active Directory groups

Active Directory computers

Main data for Active Directory computers Performing computer diagnostics Moving an Active Directory computer Displaying the Active Directory computer overview

Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects

Handling of Active Directory objects in the Web Portal

Default solutions for requesting Active Directory groups and group memberships

Adding Active Directory groups Changing Active Directory groups Deleting Active Directory groups Active DirectoryRequesting Groups Memberships

Basic data for managing an Active Directory environment

User account names Target system managers for Active Directory Job server for Active Directory-specific process handling

General main data of Job servers Specifying server functions Preparing a home server and profile server for creating user directories

Creating home directories using batch files Supporting multiple profile directories Home and profile directory access permissions

Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Assigning Active Directory account policies to Active Directory groups

For domains from the functional level Windows Server 2008 R2 and above, it is possible to define additional password policies in addition to the default password policies. This allows individual users and groups to be subjected to stricter account policies as intended for global groups.

To specify account policies for a group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Assign account policies task.
In the Add assignments pane, assign account policies.
TIP: In the Remove assignments pane, you can remove account policy assignments.

To remove an assignment
- Select the account policy and double-click .
Save the changes.

Related topics

Assigning secretaries to Active Directory groups

Assign a secretary to the group. The secretary is displayed in the email recipient’s properties in Microsoft Outlook.

To assign a secretary to a group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Assign secretaries task.
Select the table which contains the user from the Table drop-down at the top of the form. You have the following options:
- Active Directory user accounts
- Active Directory contacts
- Active Directory groups
In the Add assignments pane, assign secretaries.
TIP: In the Remove assignments pane, you can remove assigned secretaries.

To remove an assignment
- Select the secretaries and double-click .
Save the changes.

Assigning extended properties to Active Directory groups

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

For more information about using extended properties, see the One Identity Manager Compliance Rules Administration Guide.

To specify extended properties for a group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select Assign extended properties.
In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended properties.

To remove an assignment
- Select the extended property and double-click .
Save the changes.

Deleting Active Directory groups

Groups are deleted permanently from the One Identity Manager database and from Active Directory. When a group is deleted, an entry is created in One Identity Manager for the Active Directory SID.

NOTE:

Groups with the Protected from accidental deletion option set, cannot be deleted.
When a group is deleted, an entry is created in One Identity Manager for the Active Directory SID.

To delete an Active Directory group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Click in the result list.
Confirm the security prompt with Yes.

Related topics

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center