
Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory


Validity of Group Memberships

Which assignments to groups are possible depends on the domain structure and the domain trusts. For more detailed information about permitted group memberships, see the documentation for your Windows Server.

Ensure the following if you want to map group memberships using forests:

  • The trusted domains are known.
  • The name of the forest is entered in the domain.

The following tables list the groups, user accounts, contacts and computers that One Identity Manager permits as members of groups.

Legend for the tables:

  • G = Global
  • U = Universal
  • L = Local
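
Table 67: Group Memberships Permitted within a Domain

Member in target group (Dist. = Distribution group, Sec. = Security group):

| Target group            | Dist. G | Dist. U | Dist. L | Sec. G | Sec. U | Sec. L | User account | Contact | Computer |
|-------------------------|---------|---------|---------|--------|--------|--------|--------------|---------|----------|
| Distribution, Global    | x       |         |         | x      |        |        | x            | x       | x        |
| Distribution, Universal | x       | x       |         | x      | x      |        | x            | x       | x        |
| Distribution, Local     | x       | x       | x       | x      | x      | x      | x            | x       | x        |
| Security, Global        | x       |         |         | x      |        |        | x            | x       | x        |
| Security, Universal     | x       | x       |         | x      | x      |        | x            | x       | x        |
| Security, Local         | x       | x       | x       | x      | x      | x      | x            | x       | x        |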
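
Table 68: Group Memberships Permitted within a Hierarchical Domain Structure

Member in target group (Dist. = Distribution group, Sec. = Security group):

| Target group            | Dist. G | Dist. U | Dist. L | Sec. G | Sec. U | Sec. L | User account | Contact | Computer |
|-------------------------|---------|---------|---------|--------|--------|--------|--------------|---------|----------|
| Distribution, Global    |         |         |         |        |        |        |              | x       |          |
| Distribution, Universal | x       | x       |         | x      | x      |        | x            | x       | x        |
| Distribution, Local     | x       | x       |         | x      | x      |        | x            | x       | x        |
| Security, Global        |         |         |         |        |        |        |              |         |          |
| Security, Universal     | x       | x       |         | x      | x      |        | x            | x       | x        |
| Security, Local         | x       | x       |         | x      | x      |        | x            | x       | x        |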
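
Table 69: Group Memberships Permitted within a Forest

Member in target group (Dist. = Distribution group, Sec. = Security group):

| Target group            | Dist. G | Dist. U | Dist. L | Sec. G | Sec. U | Sec. L | User account | Contact | Computer |
|-------------------------|---------|---------|---------|--------|--------|--------|--------------|---------|----------|
| Distribution, Global    |         |         |         |        |        |        |              |         |          |
| Distribution, Universal |         |         |         |        |        |        |              |         |          |
| Distribution, Local     | x       | x       |         | x      | x      |        | x            |         | x        |
| Security, Global        |         |         |         |        |        |        |              |         |          |
| Security, Universal     |         |         |         |        |        |        |              |         |          |
| Security, Local         | x       | x       |         | x      | x      |        | x            |         | x        |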
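
Table 70: Group Memberships Permitted between Forests

Member in target group (Dist. = Distribution group, Sec. = Security group):

| Target group            | Dist. G | Dist. U | Dist. L | Sec. G | Sec. U | Sec. L | User account | Contact | Computer |
|-------------------------|---------|---------|---------|--------|--------|--------|--------------|---------|----------|
| Distribution, Global    |         |         |         |        |        |        |              |         |          |
| Distribution, Universal |         |         |         |        |        |        |              |         |          |
| Distribution, Local     | x       | x       |         | x      | x      |        | x            |         | x        |
| Security, Global        |         |         |         |        |        |        |              |         |          |
| Security, Universal     |         |         |         |        |        |        |              |         |          |
| Security, Local         | x       | x       |         | x      | x      |        | x            |         | x        |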
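
The four tables above can be applied as an audit over exported memberships. The following is an added example, not One Identity code: it encodes Tables 67 to 70 as read from this page and flags memberships they do not permit. How two domains are classified (parent/child DNS names as "hierarchy", same forest name as "forest") is an assumption, and all domain, forest and object names are constructed sample data.

```python
# Member kinds: groups as type+scope (DG DU DL SG SU SL), user, contact, computer.
ALL = {"DG", "DU", "DL", "SG", "SU", "SL", "user", "contact", "computer"}
NO_LOCAL = ALL - {"DL", "SL"}            # Universal rows; Local rows in Table 68
LOCAL_XFOREST = NO_LOCAL - {"contact"}   # Local rows in Tables 69 and 70

# PERMITTED[relation][target scope]; Distribution and Security target rows match
# except for Global targets in Table 68, which permitted() handles.
PERMITTED = {
    "domain":    {"G": {"DG", "SG", "user", "contact", "computer"},
                  "U": NO_LOCAL, "L": ALL},                          # Table 67
    "hierarchy": {"G": set(), "U": NO_LOCAL, "L": NO_LOCAL},        # Table 68
    "forest":    {"G": set(), "U": set(), "L": LOCAL_XFOREST},      # Table 69
    "between":   {"G": set(), "U": set(), "L": LOCAL_XFOREST},      # Table 70
}

def permitted(rel, target_type, target_scope):
    if (rel, target_type, target_scope) == ("hierarchy", "D", "G"):
        return {"contact"}               # the single x in that Table 68 row
    return PERMITTED[rel][target_scope]

def relation(member_dom, target_dom, forest_of):
    """ASSUMPTION (the page does not define this): parent/child DNS names mean
    'hierarchy'; otherwise the same forest name means 'forest'."""
    a, b = member_dom.lower(), target_dom.lower()
    if a == b:
        return "domain"
    if a.endswith("." + b) or b.endswith("." + a):
        return "hierarchy"
    if a not in forest_of or b not in forest_of:
        raise ValueError("forest name not entered for a domain")  # page prerequisite
    return "forest" if forest_of[a] == forest_of[b] else "between"

def audit(rows, forest_of):
    """Return (member, target, relation) for each membership the tables forbid."""
    bad = []
    for member, kind, mdom, target, ttype, tscope, tdom in rows:
        rel = relation(mdom, tdom, forest_of)
        if kind not in permitted(rel, ttype, tscope):
            bad.append((member, target, rel))
    return bad

# Constructed sample data (hypothetical domains, forests and object names).
FORESTS = {"corp.example": "F1", "eu.corp.example": "F1", "lab.example": "F1", "ext.example": "F2"}
ROWS = [
    ("DL-Print", "SL", "eu.corp.example", "DL-Files", "S", "L", "corp.example"),
    ("jdoe", "user", "eu.corp.example", "GG-HQ", "S", "G", "corp.example"),
    ("ext-contact", "contact", "ext.example", "DL-Share", "S", "L", "corp.example"),
    ("svc01", "computer", "lab.example", "DL-Share", "S", "L", "corp.example"),
    ("vendor", "contact", "eu.corp.example", "DG-News", "D", "G", "corp.example"),
]
VIOLATIONS = audit(ROWS, FORESTS)
```

The first three sample rows end up in VIOLATIONS; the last two are permitted by Table 69 and by the Distribution/Global row of Table 68.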

Assigning Active Directory Groups to Active Directory User Accounts, Active Directory Contacts and Active Directory Computers

You can assign groups directly and indirectly to user accounts, workdesks and devices. In the case of indirect assignment, employees (workdesks, devices) and groups are grouped into hierarchical roles. The number of groups assigned to an employee (workdesk or device) is calculated from the position within the hierarchy and the inheritance direction.

If you add an employee to roles and that employee owns a user account or a contact, the user account or contact is added to the group. Prerequisites for indirect assignment of employees to user accounts:

  • Assignment of employees and groups is permitted for role classes (department, cost center, location or business role).
  • User accounts and contacts are labeled with the option Groups can be inherited.

If you add a device to roles, the computer that references the device is added to the group. Prerequisites for indirect assignment to computers are:

  • Assignment of devices and groups is permitted for role classes (department, cost center, location or business role).
  • The computer is connected to a device labeled as PC or server.
  • The configuration parameter "TargetSystem\ADS\HardwareInGroupFromOrg" is set.

If a device owns a workdesk and you add the workdesk to roles, the computer that references this device is also added to all groups of the workdesk's roles. Prerequisites for indirect assignment to computers through workdesks are:

  • Assignment of workdesks and groups is permitted for role classes (department, cost center, location or business role).
  • The computer is connected to a device labeled as PC or server. This device owns a workdesk.

Furthermore, groups can be assigned to employees through IT Shop requests. Add employees to a shop as customers so that groups can be assigned through IT Shop requests. All groups assigned to this shop can be requested by the customers. Requested groups are assigned to the employees after approval is granted.

Assigning Active Directory Groups to Departments, Cost Centers and Locations

Assign the group to departments, cost centers and locations so that the group can be assigned to user accounts, contacts and computers through these organizations.

To assign a group to departments, cost centers or locations (non role-based login)

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Select Assign organizations.
  4. Assign organizations in Add assignments.

    • Assign departments on the Departments tab.
    • Assign locations on the Locations tab.
    • Assign cost centers on the Cost center tab.

    - OR -

    Remove the organizations from Remove assignments.

  5. Save the changes.

To assign groups to a department, cost center or location (role-based login)

  1. Select the category Organizations | Departments.

    - OR -

    Select the category Organizations | Cost centers.

    - OR -

    Select the category Organizations | Locations.

  2. Select the department, cost center or location in the result list.
  3. Select Assign Active Directory groups.
  4. Assign groups in Add assignments.

    - OR -

    Remove assignments to groups in Remove assignments.

  5. Save the changes.

Assigning Active Directory Groups to Business Roles

Installed Modules: Business Roles Module

Assign the group to business roles so that it is assigned to user accounts, contacts and computers through this business role.

To assign a group to a business role (non role-based login)

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Select Assign business roles in the task view.
  4. Assign business roles in Add assignments.

    - OR -

    Remove business roles from Remove assignments.

  5. Save the changes.

To assign groups to a business role (non role-based login)

  1. Select the category Business roles | <Role class>.
  2. Select the business role in the result list.
  3. Select Assign Active Directory groups.
  4. Assign groups in Add assignments.

    - OR -

    Remove assignments to groups in Remove assignments.

  5. Save the changes.