Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory


Active Directory Domains

Note: The Synchronization Editor sets up the domains in the One Identity Manager database.

To edit master data for an Active Directory domain

  1. Select the category Active Directory | Domains.
  2. Select the domain in the result list.
  3. Select Change master data in the task view.
  4. Edit the domain's master data.
  5. Save the changes.

General Master Data for an Active Directory Domain

Enter the following data on the General tab:

Table 31: Domain Master Data
(Property, followed by its description)

Domain
    NetBIOS domain name. This corresponds to the pre-Windows 2000 domain name. The domain name cannot be changed later.

Parent domain
    Parent domain for mapping a hierarchical domain structure. The full domain name and the distinguished name are automatically updated through templates.

Domain subtype
    Active Directory functional level. The functional level determines which Active Directory features are available in the domain. Refer to the documentation for the relevant Windows Server version to find out which functional levels the domain controllers' operating system supports. The following functional levels are supported in One Identity Manager:

      • Windows 2000 (Win2000)
      • Windows Server 2003 mixed (Win2003 mixed)
      • Windows Server 2003 native (Win2003 native)
      • Windows Server 2008 (Win2008)
      • Windows Server 2008 R2 (Win2008 R2)
      • Windows Server 2012 (Win2012)
      • Windows Server 2012 R2 (Win2012 R2)
      • Windows Server 2016 (Win2016)

Display name
    The display name is used to display the domain in the user interface. It is preset with the NetBIOS name of the domain, but can be changed.

Account definition (initial)
    Initial account definition for creating user accounts. This account definition is used if automatic assignment of employees to user accounts is enabled for this domain, resulting in administered user accounts (state "Linked configured"). The account definition's default manage level is applied.

    User accounts are only linked to the employee (state "Linked") if no account definition is given. This is the case on initial synchronization, for example.

Contact definition (initial)
    Initial account definition for creating contacts. This account definition is used if automatic assignment of employees to contacts is enabled for this domain, resulting in administered contacts (state "Linked configured"). The account definition's default manage level is applied.

    Contacts are only linked to the employee (state "Linked") if no account definition is given. This is the case on initial synchronization, for example.

Target system managers
    Application role in which the target system managers for the domain are specified. Target system managers only edit objects from the domains assigned to them, so each domain can have a different target system manager.

    Select the One Identity Manager application role whose members are responsible for administering this domain. Use the button next to the field to add a new application role.

Synchronized by
    Type of synchronization through which data is exchanged between the domain and One Identity Manager. "One Identity Manager" is set when you create the domain with the Synchronization Editor.

    NOTE: You can only specify the synchronization type when adding a new domain. It cannot be changed after saving.

    Table 32: Permitted Values

    Value                  Synchronization by            Provisioned by
    One Identity Manager   Active Directory connector    Active Directory connector
    No synchronization     none                          none

    NOTE: If you select "No synchronization", you can define custom processes to exchange data between One Identity Manager and the target system.

Description
    Text box for additional explanation.

Global Account Policies for an Active Directory Domain

When a user account is set up, the globally defined account policies and password settings of the domain apply when its password is issued. You enter these settings on the domain. Account policies apply when user accounts are newly added.

Enter the following master data on the Account policies tab.

Table 33: Account Policies for Domains
(Property, followed by its description)

Min. password length
    Minimum length of the password. Enter the number of characters a new password must have.

Min. password age
    Minimum age of the password. Enter the length of time a password has to be used before the user is allowed to change it.

Max. password age
    Maximum age of the password. Enter the length of time a password can be used before it expires.

Max. errors
    Maximum number of invalid logon attempts. Enter the number of invalid passwords after which the user account is locked.

Password history
    Number of previous passwords to remember. If the value '5' is entered, for example, the last 5 passwords of the user are saved and cannot be reused.

Block duration [min]
    Block duration in minutes. Enter the time period the account remains locked before it is automatically unlocked.

Reset account [min]
    Duration in minutes of the account reset. Enter the time period after which the counter of invalid password attempts is reset; only invalid attempts that fall within this window of each other count towards Max. errors.

You can define more policies for domains with the functional level "Windows Server 2008 R2" or higher. You can also define password policies in One Identity Manager that apply to user account passwords.

NOTE: The One Identity Manager password policies, the global account policy settings for the Active Directory domain and the Active Directory account policies are all taken into account when user passwords are verified.
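The following is an added example, not One Identity Manager code, that makes the settings of Table 33 and the "Complex passwords" property concrete: it checks a candidate password against a domain account policy and replays failed logons against the Max. errors / Block duration / Reset account settings. The class, function and field names are assumptions chosen for the example; the complexity rule is the standard Windows one (at least three of the categories upper case, lower case, digit, non-alphanumeric, and no occurrence of the account name or of a display-name fragment of three or more characters), and the functional-level ordering follows the "Domain subtype" list above.

```python
"""Password and lockout checks mirroring the domain account policies above.

Added example, not One Identity Manager code. The fields of DomainAccountPolicy
follow the "Account policies" tab (Table 33) plus the "Complex passwords"
property. The lockout model follows the Active Directory counter: the
bad-password count is cleared once the reset window has elapsed since the
previous failure, and reaching "Max. errors" locks the account for the block
duration. Password history is compared in clear text only for illustration;
a real system compares hashes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Sequence, Tuple
import re

# "Domain subtype" values from lowest to highest functional level.
FUNCTIONAL_LEVELS = ["Win2000", "Win2003 mixed", "Win2003 native", "Win2008",
                     "Win2008 R2", "Win2012", "Win2012 R2", "Win2016"]


def supports_extended_policies(subtype: str) -> bool:
    """Extra policies (and the recycle bin properties) need Win2008 R2 or later."""
    return FUNCTIONAL_LEVELS.index(subtype) >= FUNCTIONAL_LEVELS.index("Win2008 R2")


@dataclass
class DomainAccountPolicy:
    min_password_length: int = 8
    min_password_age_days: int = 1
    max_password_age_days: int = 90
    max_errors: int = 5            # invalid logon attempts before lockout (0 = never lock)
    password_history: int = 5      # number of previous passwords remembered
    block_duration_min: int = 30   # how long the account stays locked
    reset_account_min: int = 30    # window after which the failure counter resets
    complex_passwords: bool = True


def _display_name_fragments(display_name: str) -> List[str]:
    """Windows splits the display name on these delimiters and ignores fragments
    shorter than three characters."""
    parts = re.split(r"[ ,.\-_#\t]+", display_name or "")
    return sorted({p.lower() for p in parts if len(p) >= 3})


def check_password(policy: DomainAccountPolicy, candidate: str, sam_account_name: str,
                   display_name: str = "", previous: Sequence[str] = ()) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(candidate) < policy.min_password_length:
        problems.append(f"shorter than {policy.min_password_length} characters")
    remembered = list(previous)[-policy.password_history:] if policy.password_history else []
    if candidate in remembered:
        problems.append(f"reused (last {policy.password_history} passwords are remembered)")
    if policy.complex_passwords:
        categories = [any(c.isupper() for c in candidate),
                      any(c.islower() for c in candidate),
                      any(c.isdigit() for c in candidate),
                      any(not c.isalnum() for c in candidate)]
        if sum(categories) < 3:
            problems.append("fewer than three character categories")
        lowered = candidate.lower()
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            problems.append("contains the account name")
        for fragment in _display_name_fragments(display_name):
            if fragment in lowered:
                problems.append(f"contains name fragment '{fragment}'")
    return problems


def lockout_state(policy: DomainAccountPolicy, failed_logons: Iterable[datetime],
                  now: datetime) -> Tuple[bool, Optional[datetime]]:
    """Replay failed logon timestamps and report (locked_now, locked_until)."""
    count, last, locked_until = 0, None, None
    for ts in sorted(failed_logons):
        if locked_until is not None and ts < locked_until:
            continue  # failures during the lockout do not extend it in this model
        if last is not None and ts - last > timedelta(minutes=policy.reset_account_min):
            count = 0  # reset window elapsed: the counter starts over
        count += 1
        last = ts
        if policy.max_errors and count >= policy.max_errors:
            locked_until = ts + timedelta(minutes=policy.block_duration_min)
            count, last = 0, None
    return (locked_until is not None and now < locked_until), locked_until


# Constructed sample data for the demonstration below.
SAMPLE_START = datetime(2024, 1, 1, 8, 0)


def minutes_after(start: datetime, minutes: int) -> datetime:
    return start + timedelta(minutes=minutes)


def sample_failures(start: datetime, spacing_min: int, count: int) -> List[datetime]:
    """count failed logons, spacing_min minutes apart, beginning at start."""
    return [minutes_after(start, i * spacing_min) for i in range(count)]


if __name__ == "__main__":
    policy = DomainAccountPolicy()
    print(check_password(policy, "johndoe1", "jdoe", "John Doe"))
    print(lockout_state(policy, sample_failures(SAMPLE_START, 1, 5), minutes_after(SAMPLE_START, 10)))
```

The two checks are deliberately separate functions: password rules are evaluated when a password is set, whereas the lockout state depends only on the timing of failed logons, and a domain whose Reset account window is shorter than the attacker's pacing never locks at all, which is exactly the case the replay makes visible.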
Active Directory Specific Master Data for an Active Directory Domain

Enter the following data on the Active Directory tab:

Table 34: Active Directory Data
(Property, followed by its description)

Domain name (pre Win2000)
    Pre-Windows 2000 (NetBIOS) name of the domain.

Full domain name
    Name of the domain conforming to DNS syntax, built as <name of this domain>.<name of parent domain>.<name of root domain>.

    Example: Docu.Testlab.dd

Account manager
    Manager responsible for the domain.

    To specify an account manager
      1. Click the button next to the text box.
      2. Under Table, select the table which maps the account manager.
      3. Select the manager under Account manager.
      4. Click OK.

Distinguished name
    Distinguished name of the domain. The distinguished name is determined by a template from the full domain name and cannot be edited.

Forest
    The name of the forest to which the domain belongs. This name must be given if group memberships are mapped across domains.

Enable recycling bin
    Specifies whether the Active Directory recycle bin is enabled (functional level "Windows Server 2008 R2" or later). The property is loaded by synchronization and cannot be edited in One Identity Manager.

Retention period
    Retention period of objects in the recycle bin (functional level "Windows Server 2008 R2" or later). The property is loaded by synchronization and cannot be edited in One Identity Manager.

Complex passwords
    Specifies whether complex passwords are enforced in the domain. Complex passwords must fulfill certain minimum requirements. For more information, see the documentation for implementing Windows Server.

    For domains with functional level "Windows Server 2008 R2" or later you can also define this setting using account policies.

Default home drive
    Default home drive to be connected when a user logs in.

Structural object class
    Structural object class representing the object type. By default, containers in One Identity Manager are added with the object class "GROUPOFNAMES".

Object class
    List of classes defining the attributes for this object. The object classes listed are loaded during synchronization with the Active Directory environment. You can also enter object classes in the input field.
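The following is an added example, not One Identity Manager's own template code, showing how the derived values in Table 34 (Full domain name, Distinguished name, Forest) follow from the Domain and Parent domain master data. The class and function names are assumptions chosen for the example; a root domain carries its full DNS name, a child domain carries only its own DNS label and a reference to its parent, and the forest name is assumed to be the full name of the top-most domain in the parent chain (correct for a single-tree forest; a forest with several trees needs the forest name entered explicitly).

```python
"""Templates for the derived domain names in Table 34 (added example, not
One Identity Manager code). Domain names are assumed to be a NetBIOS name plus
a DNS name; the full name, distinguished name and forest name are derived from
the parent chain. The sample hierarchy at the bottom is constructed."""
from dataclasses import dataclass
from typing import List, Optional
import re

# A DNS label: letters, digits and hyphens, no leading or trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class Domain:
    netbios_name: str            # "Domain" / "Domain name (pre Win2000)"
    dns_name: str                # full DNS name for a root domain, own label for a child
    parent: Optional["Domain"] = None


def _chain(domain: Domain) -> List[Domain]:
    """The domain followed by its ancestors; refuses cycles in the parent links."""
    seen, chain, cur = set(), [], domain
    while cur is not None:
        if id(cur) in seen:
            raise ValueError(f"cyclic parent chain at {cur.netbios_name}")
        seen.add(id(cur))
        chain.append(cur)
        cur = cur.parent
    return chain


def full_domain_name(domain: Domain) -> str:
    """<this domain>.<parent domain>...<root domain>, e.g. Docu.Testlab.dd"""
    name = ".".join(d.dns_name for d in _chain(domain))
    for label in name.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name}")
    return name


def distinguished_name(domain: Domain) -> str:
    """One DC= component per DNS label; valid DNS labels never need RFC 4514 escaping."""
    return ",".join(f"DC={label}" for label in full_domain_name(domain).split("."))


def forest_name(domain: Domain) -> str:
    """Assumption for this example: the forest root is the top of the parent chain."""
    return full_domain_name(_chain(domain)[-1])


# Constructed sample hierarchy: Testlab.dd is the root, Docu and Dev are child domains.
TESTLAB = Domain("TESTLAB", "Testlab.dd")
DOCU = Domain("DOCU", "Docu", parent=TESTLAB)
DEV = Domain("DEV", "Dev", parent=DOCU)

if __name__ == "__main__":
    for d in (TESTLAB, DOCU, DEV):
        print(d.netbios_name, full_domain_name(d), distinguished_name(d), forest_name(d))
```

The label check matters when a parent domain is entered by hand: a full domain name that does not conform to DNS syntax produces a distinguished name that the connector cannot bind to, so rejecting it at template time is cheaper than discovering it at the next synchronization.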