
Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory


Reports about Active Directory Objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for Active Directory.

NOTE: Other reports may be available depending on which modules are installed.
Table 82: Reports for the Target System

Overview of all assignments (domain)
    This report finds all roles containing employees with at least one user account in the selected domain.

Overview of all assignments (container)
    This report finds all roles containing employees with at least one user account in the selected container.

Overview of all assignments (group)
    This report finds all roles containing employees who are members of the selected group.

Show orphaned user accounts
    This report shows all user accounts in the domain that are not assigned to an employee. The report contains group memberships and a risk assessment.

Show employees with multiple user accounts
    This report shows all employees with more than one user account in the domain. The report contains a risk assessment.

Show unused user accounts
    This report shows all user accounts in the domain that have not been used in the last few months. The report contains group memberships and a risk assessment.

Show entitlement drifts
    This report shows all group memberships in the domain that result from manual operations in the target system rather than from assignments made through One Identity Manager.

Show user accounts with an above average number of system entitlements
    This report contains all user accounts in the domain with an above average number of group memberships.

Active Directory user account and group administration
    This report contains a summary of user account and group distribution in all domains. You can find this report in the category My One Identity Manager.

Data quality summary for Active Directory user accounts
    This report contains different evaluations of user account data quality in all domains. You can find this report in the category My One Identity Manager.

Overview of all Assignments

The report "Overview of all Assignments" is displayed for certain objects, for example permissions, compliance rules or roles. The report finds all the roles, for example departments, cost centers, locations, business roles and IT Shop structures, in which there are employees who own the selected base object. Direct as well as indirect assignments of the base object are included.

Example
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group, all roles are determined in which there are employees with this group.
  • If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object in the navigation or the result list and select the report Overview of all assignments.
  • Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you want to determine whether roles exist in which there are employees with the selected base object.

    All roles of the selected role class are shown. The color coding of the elements identifies the roles in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend, which you open with the legend button in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.
  • Click the button in a role's control to display all employees in the role who have the base object.
  • Use the small arrow next to that button to start a wizard that lets you bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 3: Toolbar for Report "Overview of all assignments"

Table 83: Meaning of Icons in the Report Toolbar (icons not reproduced here)

  • Shows the legend with the meaning of the report control elements.
  • Saves the current report view as a graphic.
  • Selects the role class used to generate the report (Used by).
  • Displays all roles or only the affected roles.

Appendix: Configuration Parameters for Managing Active Directory

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 84: Configuration parameters

QER\ITShop\GroupAutoPublish
    Preprocessor-relevant configuration parameter for automatically adding groups to the IT Shop. It specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to the parameter require recompiling the database.

QER\ITShop\GroupAutoPublish\ADSGroupExcludeList
    This configuration parameter contains a list of all groups for which automatic IT Shop assignment should not take place. Names are given in a pipe (|) delimited list; each entry is handled as a regular expression search pattern.
    Example: .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

TargetSystem\ADS
    Preprocessor-relevant configuration parameter for controlling the database model components for administering the target system Active Directory. If the parameter is set, the target system components are available. Changes to the parameter require recompiling the database.

TargetSystem\ADS\Accounts
    This configuration parameter permits configuration of user account data.

TargetSystem\ADS\Accounts\InitialRandomPassword
    This configuration parameter specifies whether a randomly generated password is issued when a new user account is added. The password contains at least the character sets that are defined in the password policy.

TargetSystem\ADS\Accounts\InitialRandomPassword\SendTo
    This configuration parameter specifies to which employee the email with the randomly generated password is sent (manager of the cost center/department/location/business role, the employee's manager, or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter TargetSystem\ADS\DefaultAddress.

TargetSystem\ADS\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName
    This configuration parameter contains the name of the mail template used to inform users about their initial login data (name of the user account). Use the mail template "Employee - new account created".

TargetSystem\ADS\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword
    This configuration parameter contains the name of the mail template used to inform users about their initial login data (initial password). Use the mail template "Employee - initial password for new user account".

TargetSystem\ADS\Accounts\MailTemplateDefaultValues
    This configuration parameter contains the mail template used to send notifications when default IT operating data mapping values are used for automatically creating a user account. Use the mail template "Employee - new user account with default properties created".

TargetSystem\ADS\Accounts\NotRequirePassword
    This configuration parameter specifies whether the option "No password necessary" is set for new user accounts in Active Directory.

TargetSystem\ADS\Accounts\PrivilegedAccount
    This configuration parameter allows configuration of settings for privileged Active Directory user accounts.

TargetSystem\ADS\Accounts\PrivilegedAccount\SAMAccountName_Postfix
    This configuration parameter contains the postfix used when formatting login names for privileged user accounts.

TargetSystem\ADS\Accounts\PrivilegedAccount\SAMAccountName_Prefix
    This configuration parameter contains the prefix used when formatting login names for privileged user accounts.

TargetSystem\ADS\Accounts\ProfileFixedString
    This configuration parameter contains a fixed character string that is appended to the user profile's default profile path.

TargetSystem\ADS\Accounts\TransferJPegPhoto
    This configuration parameter specifies whether changes to the employee's picture are published to existing user accounts. The picture is not part of default synchronization; it is only published when employee data is changed.

TargetSystem\ADS\Accounts\TransferSIDHistory
    This configuration parameter specifies whether the SID history of a user account is loaded from the target system.

TargetSystem\ADS\Accounts\TSProfileFixedString
    This configuration parameter contains a fixed character string that is appended to the user profile's default profile path on a terminal server.

TargetSystem\ADS\Accounts\UserMustChangePassword
    This configuration parameter specifies whether the option "Change password the next time you log in" is set.
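The two parameters above map to concrete directory attributes: "No password necessary" (TargetSystem\ADS\Accounts\NotRequirePassword) is the PASSWD_NOTREQD bit (0x0020) of userAccountControl, and "Change password the next time you log in" (TargetSystem\ADS\Accounts\UserMustChangePassword) is stored by setting pwdLastSet to 0. PASSWD_NOTREQD exempts the account from the domain password policy's minimum length, so an account carrying it can exist with an empty password; if the parameter is enabled for new accounts, the flag deserves a recurring check. The Python script below is an added example written for this page, not code from One Identity Manager or this guide. It decodes the relevant flags and reports enabled accounts that carry PASSWD_NOTREQD over a constructed sample export; the column order sAMAccountName, userAccountControl, pwdLastSet is the script's own assumption.

```python
# Bits of the Active Directory userAccountControl attribute (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",        # "No password necessary"
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Constructed sample export (not real data). Column order is an assumption:
# (sAMAccountName, userAccountControl, pwdLastSet). pwdLastSet values are
# arbitrary FILETIME-style integers; 0 means "change password at next logon".
SAMPLE_EXPORT = [
    ("jdoe",           0x0200,           133000000000000000),
    ("new.hire",       0x0200,           0),
    ("svc-legacy",     0x0200 | 0x0020,  133000000000000000),
    ("tmp.contractor", 0x0200 | 0x0020,  0),
    ("svc-backup",     0x0200 | 0x10000, 133000000000000000),
    ("old.user",       0x0200 | 0x0002,  133000000000000000),
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def summarize(rows):
    """Per enabled account: decoded flags, whether a password change is forced
    at next logon, and whether the account bypasses the password policy."""
    out = {}
    for sam, uac, pwd_last_set in rows:
        if uac & ACCOUNTDISABLE:
            continue                      # disabled accounts cannot log on
        out[sam] = {
            "flags": decode_uac(uac),
            "must_change_password": pwd_last_set == 0,
            "policy_bypass": bool(uac & PASSWD_NOTREQD),
        }
    return out


def accounts_with_passwd_notreqd(rows):
    """Enabled accounts on which "No password necessary" is set."""
    return sorted(sam for sam, info in summarize(rows).items() if info["policy_bypass"])


if __name__ == "__main__":
    for sam, info in summarize(SAMPLE_EXPORT).items():
        print(f"{sam:15} flags={info['flags']} must_change={info['must_change_password']}")
    print("password policy bypass:", accounts_with_passwd_notreqd(SAMPLE_EXPORT))
```

To feed the script real data, export the three attributes from the domain. The equivalent server-side query for the flagged accounts uses the LDAP bitwise AND matching rule, (userAccountControl:1.2.840.113556.1.4.803:=32), combined with a check that the account is not disabled.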

TargetSystem\ADS\AuthenticationDomains
    This configuration parameter contains a pipe (|) delimited list of domains used by the manual Active Directory authentication module to authenticate users. The list is processed in the given order. It should only contain domains that are synchronized.
    Example: MyDomain|MyOtherDomain

TargetSystem\ADS\AutoCreateDepartment
    This configuration parameter specifies whether departments are created automatically when user accounts are modified or synchronized.

TargetSystem\ADS\AutoCreateLocality
    This configuration parameter specifies whether locations are created automatically when user accounts are modified or synchronized.

TargetSystem\ADS\AutoCreateHardwaretype
    This configuration parameter specifies whether corresponding device types are created automatically in the database for imported printer objects.

TargetSystem\ADS\AutoCreateServers
    This configuration parameter specifies whether missing entries for home and profile servers are created automatically during user account synchronization.

TargetSystem\ADS\AutoCreateServers\PreferredLanguage
    This configuration parameter contains the preferred language for automatically created servers.

TargetSystem\ADS\DefaultAddress
    This configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

TargetSystem\ADS\HardwareInGroupFromOrg
    This configuration parameter specifies whether computers are added to groups on the basis of group assignments to roles.

TargetSystem\ADS\MaxFullsyncDuration
    This configuration parameter contains the maximum runtime for synchronization. No recalculation of group memberships by the DBQueue Processor takes place during this time. If the maximum runtime is exceeded, group memberships are recalculated.

TargetSystem\ADS\MembershipAssignCheck
    This configuration parameter specifies whether the permissibility of a group membership is verified at the moment the membership assignment is saved in the One Identity Manager database.
    Disable this configuration parameter if several trusted domains with cross-domain memberships are managed in the database.

TargetSystem\ADS\MemberShipRestriction
    General configuration parameter for restricting membership in Active Directory.

TargetSystem\ADS\MemberShipRestriction\container
    This configuration parameter contains the number of Active Directory objects allowed per container before a warning email is sent.

TargetSystem\ADS\MemberShipRestriction\Group
    This configuration parameter contains the number of Active Directory objects allowed per group before a warning email is sent.

TargetSystem\ADS\MemberShipRestriction\MailNotification
    This configuration parameter contains the default email address for sending warnings by email.

TargetSystem\ADS\PersonAutoDefault
    This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem\ADS\PersonAutoDisabledAccounts
    This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. These user accounts do not obtain an account definition.

TargetSystem\ADS\PersonAutoFullSync
    This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.

TargetSystem\ADS\PersonExcludeList
    List of all user accounts for which automatic employee assignment should not take place. Names are given in a pipe (|) delimited list; each entry is handled as a regular expression search pattern.
    Example: ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.*\$
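Both QER\ITShop\GroupAutoPublish\ADSGroupExcludeList and TargetSystem\ADS\PersonExcludeList are pipe-delimited lists of regular expressions, and an entry that is too narrow has a direct security consequence: a privileged group becomes requestable in the IT Shop, or a built-in or machine account gets an employee attached and with it an account definition. The Python script below is an added example written for this page, not code from One Identity Manager or this guide. It takes the two example values from the table and checks constructed sample names against them, so a list can be tested before it is set. The matching semantics are an assumption: the guide only says the entries are handled as a search pattern, so the script offers both whole-name (anchored) and substring matching and defaults to anchored, case-insensitive comparison. Verify which semantics your installation applies before relying on the result.

```python
import re

# Exclude-list values copied from the configuration parameter examples above.
ADS_GROUP_EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"
PERSON_EXCLUDE_LIST = r"ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.*\$"

# Constructed sample names, not taken from any real directory.
SAMPLE_GROUPS = [
    "Domain Admins", "Schema Admins", "Account Operators",
    "Exchange Organization Management", "IIS_IUSRS", "Sales-Team",
    "Backup Operators", "HelpdeskAdministrators",
]
SAMPLE_ACCOUNTS = [
    "Administrator", "krbtgt", "jdoe", "SUPPORT_388945a0",
    "WS0123$", "iusr_web01", "guest2",
]


def split_alternatives(value):
    """Split a pipe-delimited exclude list into its alternatives.

    Assumption (not stated on the page): no alternative contains a literal
    or grouped '|' of its own, so a plain split is sufficient."""
    return [alt for alt in value.split("|") if alt]


def matching_alternative(name, value, anchored=True, ignore_case=True):
    """Return the first alternative of `value` that matches `name`, or None.

    anchored=True requires the alternative to cover the whole name
    (re.fullmatch); anchored=False accepts a substring hit (re.search).
    Both are offered because the page does not state which applies."""
    flags = re.IGNORECASE if ignore_case else 0
    for alt in split_alternatives(value):
        rx = re.compile(alt, flags)
        hit = rx.fullmatch(name) if anchored else rx.search(name)
        if hit:
            return alt
    return None


def audit_exclude_list(names, value, **match_options):
    """Partition candidate names into those excluded by the list (with the
    alternative that caught them) and those that would be auto-published
    or auto-assigned because nothing matched."""
    excluded, passed = {}, []
    for name in names:
        alt = matching_alternative(name, value, **match_options)
        if alt is None:
            passed.append(name)
        else:
            excluded[name] = alt
    return excluded, passed


if __name__ == "__main__":
    ex, ok = audit_exclude_list(SAMPLE_GROUPS, ADS_GROUP_EXCLUDE_LIST)
    print("groups excluded from IT Shop auto-publish:", ex)
    print("groups that WOULD be auto-published:", ok)
    ex, ok = audit_exclude_list(SAMPLE_ACCOUNTS, PERSON_EXCLUDE_LIST)
    print("accounts excluded from automatic employee assignment:", ex)
    print("accounts eligible for automatic employee assignment:", ok)
```

Two names in the sample show why the semantics matter: guest2 passes an anchored GUEST but is excluded by a substring match, and with case-sensitive matching krbtgt is not caught by KRBTGT at all. Whichever semantics apply, keep the machine-account alternative .*\$ in PersonExcludeList and re-run a check like this against the domain's privileged group names whenever ADSGroupExcludeList is edited.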

TargetSystem\ADS\PersonUpdate
    This configuration parameter specifies whether employees are updated when their user accounts are changed. Set this parameter to allow ongoing updates of employee objects from their associated user accounts.

TargetSystem\ADS\ReplicateImmediately
    This configuration parameter is used to speed up synchronization of modifications between two domain controllers. When set, accumulated modifications in Active Directory are replicated between domain controllers immediately.

TargetSystem\ADS\VerifyUpdates
    This configuration parameter specifies whether modified properties are checked after an update. If the parameter is set, the objects in the target system are verified after every update.

Appendix: Default Project Template for Active Directory

A default project template ensures that all required information is added in the One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The template uses mappings for the following schema types.

Table 85: Mapping of Active Directory schema types to tables in the One Identity Manager schema

Schema type in Active Directory       Table in the One Identity Manager schema
builtInDomain                         ADSContainer
computer                              ADSMachine
contact                               ADSContact
container                             ADSContainer
domainDNS                             ADSDomain
forest (virtual schema type)          ADSForest
group                                 ADSGroup
inetOrgPerson                         ADSAccount
msDS-PasswordSettings                 ADSPolicy
organizationalUnit                    ADSContainer
printQueue                            ADSPrinter
serverInSite                          ADSMachineInADSSite
site                                  ADSSite
trustedDomain                         DomainTrustsDomain
user                                  ADSAccount