Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory Environments Setting up Active Directory Synchronization Base Data for Managing Active Directory Active Directory Domains Active Directory User Accounts Active Directory Contacts Active Directory groups Active Directory Security IDs Active Directory Container Structures Active Directory computer Active Directory Printers Active Directory Locations Reports about Active Directory Objects Appendix: Configuration Parameters for Managing Active Directory Appendix: Default Project Template for Active Directory Appendix: Authentication Modules for Logging into the One Identity Manager

Supported User Account Types

Supported User Account Types

Different types of user accounts, such as default user accounts, administrative user accounts or service accounts, can be mapped in One Identity Manager.

The following properties are used for mapping different user account types.

  • Identity (column IdentityType)

    The identity describes the type of user account.

    Table 38: Identities of User Accounts
    Identity Description Value of the column "IdentityType"
    Primary identity Employee's default user account. Primary
    Organizational identity Secondary user account used for various roles within the organization, f. ex. In sub-agreements with other functional areas. Organizational
    Personalized admin identity User account with administration rights used by one person. Admin
    Sponsored identity User account used for example for training purposes. Sponsored
    Shared identity User account with administration rights used by several people. Shared
    Service identity Service account. Service
  • Privileged user account (column IsPrivilegedAccount)

    Use this option to flag user accounts with special, privileged permissions. This includes administrative user accounts or service accounts, for example. This option is not used to flag default user accounts.

Default User Accounts

Normally, each employee obtains a default user account, which has the permissions they require for their regular work. The user accounts are linked to the employee. The effect of the link and the scope of the employee’s inherited properties on the user accounts can be configured through an account definition and its manage levels.

To create default user accounts through account definitions

  1. Create an account definition and assign the manage level "Unmanaged" or "Full managed" to it.
  2. Specify the effect of temporarily or permanently disabling, deleting or the security risk of an employee on its user accounts and group memberships for each manage level.
  3. Create a formatting rule for IT operating data.

    An account definition specifies which rules are used to generate the IT operating data for example, whether the container for a user account is made up of the employee's department, cost center, location or business role and which default values will be used if no IT operating data can be found through the employee's primary roles.

    Which IT operating data is required, depends on the target system. The following setting are recommended for default user accounts:

    • Use the default value "1" in the formatting rule for the column IsGroupAccount and set the option Always use default value.
    • Use the default value "primary" in the formatting rule for the column IdentityType and set the option Always use default value.
  4. Enter the effective IT operating data for the target system. Select the concrete target system under Effects on.

    Specify in the departments, cost centers, locations or business roles, which IT operating data should apply when you set up a user account.

  5. Assign the account definition to employees.

    When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.

Administrative User Accounts

An administrative user account must be used for certain administrative tasks. Administrative user accounts are normally predefined in the target system and have fixed identifiers and login names, for example, "Administrator".

Administrative user accounts are loaded through synchronization into the One Identity Manager. To assign a manager to administrative user accounts, assign an employee to the user account in One Identity Manager.

NOTE: You can automatically label administrative user accounts as privileged user accounts. To do this, set the schedule "Mark selected user accounts as privileged" in the Designer.

Privileged User Accounts

Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are marked with the property Privileged user account (IsPrivilegedAccount).

NOTE: The criteria used to label user accounts automatically as privileged, are defined as extensions to the view definition (ViewAddOn) on the table TSBVAccountIsPrivDetectRule (table type "Union"). The evaluation is done in the script TSB_SetIsPrivilegedAccount.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.
  2. If you want to prevent properties for privileged user accounts being overwritten, set the property IT operating data overwrites for the manage level, to the value "Only initially". In this case, the properties are populated just once when the user accounts is created.
  3. Specify the effect of temporarily or permanently disabling, deleting or the security risk of an employee on its user accounts and group memberships for each manage level.
  4. Create a formatting rule for IT operating data.

    An account definition specifies which rules are used to generate the IT operating data for example, whether the container for a user account is made up of the employee's department, cost center, location or business role and which default values will be used if no IT operating data can be found through the employee's primary roles.

    Which IT operating data is required, depends on the target system. The following settings are recommended for privileged user accounts:

    • Use the default value "1" in the formatting rule for the column IsPrivilegedAccount and set the option Always use default value.
    • You can also specify a formatting rule for the column IdentityType. The column owns different permitted values, which represent user accounts.
    • To prevent privileged user accounts inheriting default user groups, define a template for the column IsGroupAccount with the default value "0" and set the option Always use default value.
  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations or business roles, which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to employees who work with privileged user accounts.

    When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.

NOTE: Specify a formatting rule for a naming schema if it is required by the company for privileged user account login names.

To use a prefix with a login name, set the configuration parameter "TargetSystem\ADS\Accounts\PrivilegedAccount\SAMAccountName_Prefix" in the Designer. To use a postfix with a login name, set the configuration parameter "TargetSystem\ADS\Accounts\PrivilegedAccount\SAMAccountName_Postfix" in the Designer.

These configuration parameters are evaluated in the default installation, if a user account is marked with the property Privileged user account (IsPrivilegedAccount). The user account login names are renamed according to the formatting rules. This also takes place if the user accounts are labeled as privileged by the schedule "Mark selected user accounts as privileged".

Entering Master Data for Active Directory User Accounts

Entering Master Data for Active Directory User Accounts

A user account can be linked to an employee in the One Identity Manager. You can also manage user accounts separately from employees.

NOTE: It is recommended to use account definitions to set up user accounts for company employees. In this case, some of the master data described in the following is mapped through templates from employee master data.

NOTE: If employees obtain their user accounts through account definitions, they have to have a central user account and obtain their company IT data through assignment to a primary department, primary location or a primary cost center.

To edit master data for a user account

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list and run the task Change master data.

    - OR-

    Click in the result list toolbar.

  3. Edit the user account's resource data.
  4. Save the changes.

To manually assign or create a user account for an employee

  1. Select the Employees | Employees.
  2. Select the employee in the result list and run Assign Active Directory user accounts from the task view.
  3. Assign a user account.
  4. Save the changes.
Detailed information about this topic
Related Topics

General Master Data for an Active Directory User Account

General Master Data for an Active Directory User Account

Table 39: Configuration Parameters for Setting up User Accounts
Configuration parameter Meaning

TargetSystem\ADS\Accounts\TransferJPegPhoto

This configuration parameter specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

Enter the following data on the General tab:

Table 40: Additional Master Data for a User Account
Property Description

Employee

Employee that uses this user account. An employee is already entered if the user account was generated by an account definition. If you create the user account manually, you can select an employee in the menu. If you use automatic employee assignment, an associated employee is created and entered into the user account when the user account is saved.

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account master data and to specify a manage level for the user account. The One Identity Manager finds the IT operating data of the assigned employee and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

Manage level

User account's manage level. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.

First name

The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Initials

The user’s initials. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Title

The user’s academic title. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Name

User account identifier. The identifier is made up of the user‘s first and last names.

Distinguished name

User account's distinguished name. The distinguished name is formatted from the user account's identifier and the container and cannot be changed.

Domain

Domain in which the user account is created.

Container

Container in which to create the user account. If you have assigned an account definition, the container is determined from the company IT data for the assigned employee depending on the manage level of the user account. When the container is selected, the defined name for the user is created using a formatting rule.

Primary group

User account's primary group. Synchronization with the Active Directory environment assigns the user to the group "Domain users" by default. Only groups that are assigned to the user account are available as primary groups.

Login name (pre Win2000)

Login name for the previous version of Active Directory. If you assigned an account definition, the login name (pre Win2000) is made up of the employee’s central user account depending on the manage level of the user account.

User login name

User account login name. User login names that are formatted like this correspond to the User Principal Name (UPN) in Active Directory.

If you have already established the container and entered the login name (pre Win2000), the user login name is created following the formatting rule as shown:

Logon name (pre Win2000)@ADS Domain name

Email address

User account email address. If you assigned an account definition, the email address is made up of the employee’s default email address depending on the manage level of the user account.

Account expiry date

Account expiry date. Specifying an expiry data for the account has the effect that the logon for this user account is blocked as soon as the given date is exceeded. If you assigned an account definition, the employee’s last day of work it is automatically taken as the expiry date depending on the manage level. Any existing account expiry date is overwritten in this case.

Structural object class

Structural object class representing the object type. By default, set up the user accounts in the One Identity Manager with the object class "USER". The object class "INETORGPERSON" is also supported, which is used by other LDAP and X500 directory services for mapping user accounts.

Risk index (calculated)

Maximum risk index values for all assigned groups. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for the inheritance of groups by the user account. Select one or more categories from the menu. Groups can be selectively inherited by user accounts. To do this, groups and user accounts or contacts are divided into categories.

Description

Spare text box for additional explanation.

Identity

User account's identity type

Table 41: Permitted values for the identity.
Value Description
Primary identity Employee's default user account.
Organizational identity Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.
Personalized admin identity User account with administrative permissions, used by one employee.
Sponsored identity User account that is used for training purposes, for example.
Shared identity User account with administrative permissions, used by several employees.
Service identity Service account.

Privileged user account

Specifies whether this is a privileged user account.

Groups can be inherited

Specifies whether the user account groups can inherit through the employee. If this option is set, the user account inherits groups through hierarchical roles or IT Shop requests.

  • If you add an employee with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.
  • If an employee has requested group membership in the IT Shop and the request is granted approval, the employee's user account only inherits the group if the option is set.

Preferred user account

Preferred user account when an employee has several user accounts in Active Directory.

User account is disabled

Specifies whether the user account is disable. If a user account is not required for a period of time, you can temporarily disable the user account by using the option <User account is deactivated>.

Account locked

Specifies that the user account is locked. If the password is entered wrongly several times (configuration dependent), the user account is locked in the Active Directory. You can lock the user account again in the Manager using Unlock user account.

Related Topics

Password Data for Active Directory User Accounts

Password Data for Active Directory User Accounts

Table 42: Configuration Parameters for Setting Up Password Data
Configuration parameter Meaning

TargetSystem\ADS\Accounts\
NotRequirePassword

This configuration parameter specifies whether the option "No password necessary" is set for new user accounts in Active Directory.

TargetSystem\ADS\Accounts\
UserMustChangePassword

This configuration parameter specifies whether the option "Change password the next time you log in" is set.

NOTE: The One Identity Manager password policies, global account policy settings for the Active Directory domain and Active Directory account policies are taken into account when verifying user passwords.

Enter the following master data on the Password tab.

Table 43: Password Data for a User Account

Property

Description

Password

Password for the user account. Depending on the configuration parameter "Person\UseCentralPassword" the employee’s central password can be mapped to the user account‘s password. If you use an initial password for the user accounts, it is automatically entered when a user account is created.

Password confirmation

Reconfirm password.

Password last changed

Data of last password change. The date is read in from the Active Directory system and cannot be changed.

Password never expires

Specifies whether the password expires. This option is usually used for service accounts. It overwrites the maximum lifetime of a password and the option Change password at next logon.

Cannot change password

Specifies whether the password can be changed. This option is normally set for user accounts that are used by several users.

Change password the next time you log in

Specifies whether the user must change their password the next time they log in.

TIP: Set the configuration parameter "TargetSystem\ADS\Accounts\UserMustChangePassword" to ensure this option is set when new user accounts are added.

Save passwords with reversible encryption

Details for encrypting the password. By default, passwords that are saved in Active Directory are encrypted. When you use this option, passwords are saved in plain text and can be restored again.

SmartCard required to log on

Data required for logging in with a SmartCard. Set this option to save public and private keys, passwords and other personal information for this Active Directory user account. In order to log into the network the user’s computer needs to be equipped with a Smartcard reader and the user needs to have a PIN (Personal Identification Number).

Account trusted for delegation purposes

Data required for delegation. Set this option so that a user can delegate the responsibility for administration and management of a partial domain to another Active Directory user account or another group.

Cannot delegate account

Data required for delegation. Set this option when this user account may not be assigned for delegation purposes from another user account.

Account uses DES encryption

Data required for encryption. Set this option when you want to activate DES (Data Encryption Standard).

Kerberos preauthentication not required

Specifies whether Kerberos pre-authentication is required. Set this option when the user account uses a different implementation of the Kerberos protocol.

Related Topics
Related Documents