Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory

How to Edit a Synchronization Project

Synchronization projects in which a domain is already used as a base object can also be opened from the Manager. In this mode you can, for example, check the configuration or view the synchronization log, but the Synchronization Editor is not started with its full functionality: certain functions, such as running a synchronization or simulation or starting the target system browser, are not available.

NOTE: The Manager is locked for editing throughout. To edit objects in the Manager, close the Synchronization Editor.

To open an existing synchronization project in the Synchronization Editor

  1. Select the category Active Directory | Domains.
  2. Select the domain in the result list. Select Change master data in the task view.
  3. Select Edit synchronization project... from the task view.
Monitoring the Number of Memberships in Active Directory Groups and Active Directory Containers

Table 37: Effective Configuration Parameters

Configuration parameter: TargetSystem\ADS\MemberShipRestriction\Container
Meaning: This configuration parameter contains the number of Active Directory objects allowed per container before a warning email is sent.

Configuration parameter: TargetSystem\ADS\MemberShipRestriction\Group
Meaning: This configuration parameter contains the number of Active Directory objects allowed per group before a warning email is sent.

Configuration parameter: TargetSystem\ADS\MemberShipRestriction\MailNotification
Meaning: This configuration parameter contains the default email address to which warnings are sent.

A mechanism monitors user account memberships in order to limit the number of members in groups and containers:

  • The tables ADSAccountInADSGroup and ADSAccount are monitored with respect to the number of user account memberships in a group and the number of user accounts in a container.
  • The tables ADSContactInADSGroup and ADSContact are monitored with respect to the number of contact memberships in a group and the number of contacts in a container.
  • The tables ADSGroupInADSGroup and ADSGroup are monitored with respect to the number of group memberships in a group and the number of groups in a container.
  • The tables ADSMachineInADSGroup and ADSMachine are monitored with respect to the number of computer memberships in a group and the number of computers in a container.

NOTE: Primary groups of Active Directory objects are not taken into account when membership per group is calculated.

Thresholds are set using configuration parameters. If the value of a parameter is exceeded, a warning message is sent to a defined mail address. The warning is only generated the first time the threshold is exceeded. This prevents warnings being sent to the given address every time the threshold is exceeded, which could otherwise happen during synchronization, for example.

Example of monitoring

The threshold for the number of objects in a group is set to ten members (TargetSystem\ADS\MemberShipRestriction\Group=10). There are currently 10 user accounts in the group "Members". When an eleventh user account is added, a warning is generated and sent by email to the given address. When further user accounts are added, however, no more warning emails are sent.
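The warn-once behaviour described above, as an added illustration that is not One Identity Manager's own code: a small monitor that counts objects per group and container, ignores primary-group memberships, and raises a warning only the first time a threshold is crossed. The configuration values, the account names and the mail address are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed values standing in for the configuration parameters in Table 37.
CONFIG = {
    r"TargetSystem\ADS\MemberShipRestriction\Group": 10,
    r"TargetSystem\ADS\MemberShipRestriction\Container": 10,
    r"TargetSystem\ADS\MemberShipRestriction\MailNotification": "ad-admins@example.invalid",
}

@dataclass
class MembershipMonitor:
    """Counts objects per group/container and warns once per threshold crossing."""
    group_threshold: int
    container_threshold: int
    mail_to: str
    _warned: set = field(default_factory=set)   # keys that already triggered a warning
    sent: list = field(default_factory=list)    # warning emails, collected instead of sent

    def check_group(self, group: str, members: list) -> bool:
        # Primary-group memberships are not counted, as the NOTE above states.
        count = sum(1 for m in members if not m.get("primary", False))
        return self._check(("group", group), count, self.group_threshold)

    def check_container(self, container: str, objects: list) -> bool:
        return self._check(("container", container), len(objects), self.container_threshold)

    def _check(self, key: tuple, count: int, threshold: int) -> bool:
        """True only on the first check in which count exceeds threshold."""
        if count <= threshold or key in self._warned:
            return False
        self._warned.add(key)
        self.sent.append(f"To {self.mail_to}: {key[0]} '{key[1]}' has {count} objects "
                         f"(threshold {threshold})")
        return True

def run_page_example() -> int:
    """Replay the page's scenario (10 members, then an 11th and a 12th are added)
    and return the number of warning emails produced."""
    mon = MembershipMonitor(CONFIG[r"TargetSystem\ADS\MemberShipRestriction\Group"],
                            CONFIG[r"TargetSystem\ADS\MemberShipRestriction\Container"],
                            CONFIG[r"TargetSystem\ADS\MemberShipRestriction\MailNotification"])
    members = [{"sam": f"user{i:02d}"} for i in range(10)]   # constructed accounts
    mon.check_group("Members", members)          # 10 <= 10: no warning
    members.append({"sam": "user10"})
    mon.check_group("Members", members)          # 11 > 10: first crossing, warning
    members.append({"sam": "user11"})
    mon.check_group("Members", members)          # 12 > 10: already warned, silent
    return len(mon.sent)
```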

Active Directory User Accounts

You manage user accounts in Active Directory with One Identity Manager. A user account is a security principal in Active Directory, which means that a user account can log in to the domain. A user receives access to network resources through group memberships and access permissions.

The managed service accounts introduced in Windows Server 2008 R2 and the group managed service accounts introduced with Windows Server 2012 are not supported in One Identity Manager.

Linking User Accounts to Employees

The central task of One Identity Manager is to map employees and their master data to the permissions through which they have access to different target systems. For this purpose, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to employees. This gives an overview of the permissions of each employee in all of the connected target systems. One Identity Manager also lets you manage user accounts and their permissions and provision changes to the target systems. Employees are supplied with the permissions they need in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between the target systems and the One Identity Manager database.

Because requirements vary between companies, One Identity Manager offers different methods for supplying employees with user accounts. One Identity Manager supports the following methods for linking employees and their user accounts.

  • Employees and user accounts can be entered manually and assigned to each other.
  • Employees can automatically obtain their user accounts through account definitions. If an employee does not yet have a user account in an Active Directory domain, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism, followed by process handling.

    When you manage user accounts through account definitions, you can specify how user accounts behave when employees are enabled or deleted.

    NOTE: If employees obtain their user accounts through account definitions, they have to have a central user account and obtain their company IT data through assignment to a primary department, primary location or a primary cost center.
  • An existing employee is automatically assigned when a user account is added or a new employee is created if necessary. In this case, employee master data is created on the basis of the existing user account master data. This mechanism can be implemented if a new user account is created manually or by synchronization. This method, however, is not the One Identity Manager default method. Define criteria for finding employees for automatic employee assignment.