
Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory


General master data for Active Directory groups

Enter the following data on the General tab.

Table 54: General master data
Property Description

Name

Name of the group. The group identifier is also used to form the group name for previous versions (pre Windows 2000).

Domain

Domain in which to create the group.

Container

Container in which to create the group.

Distinguished name

Distinguished name of the group. The distinguished name is determined by template from the name of the group and the container and cannot be edited.

Display name

The display name is used to display the group in the One Identity Manager tools user interface.

Group name (pre Win2000)

Name of the group for the previous versions. The group name is taken from the group identifier.

Structural object class

Structural object class representing the object type. By default, you set up groups in One Identity Manager with the object class GROUP.

Object class

List of classes defining the attributes for this object. The object classes listed are read in from the database during synchronization with the Active Directory environment. However, in the input field, you can add object classes and auxiliary classes that are used by other LDAP and X.500 directory services.

Account manager

Manager responsible for the group.

To specify an account manager

  1. Click next to the field.
  2. In the Table menu, select the table that maps the account manager.
  3. In the Account manager menu, select the manager.
  4. Click OK.

Group manager can update members list.

Specifies whether the account manager can change memberships for these groups.

Email address

Group's email address

Risk index

Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts and contacts. To do this, groups and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.

Remark

Text field for additional explanation. Abbreviations for combinations of group type and group area are added in the comment and should not be changed.

Security group

Group type. Authorizations are issued through security groups. User accounts, computers, and other groups are added to security groups, which makes administration easier. Security groups can also be used as email distribution groups.

Distribution group

Group type. Distribution groups can be used as email distribution groups. Distribution groups do not have any security.

Universal group

Group scope. Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts and groups from all domains in one domain structure.

Local group

Group scope. Local groups are used when authorizations are issued within the same domain. Members of a domain local group can be user accounts, computers, or groups in any domain.

Global group

Group scope. Global groups can be used to make cross-domain authorizations available. Members of a global group are only user accounts, computers, and groups belonging to the global group’s domain.

IT Shop

Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Service item

Service item data for requesting the group through the IT Shop.


Extensions data for Active Directory groups

On the Extensions tab, you enter the user-defined Active Directory schema extensions for the group.

Table 55: Extensions data
Property Description
Attribute extension 01 - attribute extension 15

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Validity of group memberships

Different assignments to groups are possible depending on how the domain structure and the domain trusts are constructed. For more detailed information about permitted group memberships, see the documentation for your Windows Server.

Ensure the following if you want to map group memberships using forests:

  • The trusted domains are known.
  • The name of the forest is entered in the domain.

The following tables list the groups, user accounts, contacts, and computers that One Identity Manager permits as members of groups.

Legend for the tables:

  • G = Global
  • U = Universal
  • L = Local
  • x = membership permitted; - = membership not permitted

Table 56: Group memberships permitted within a domain

Target group             Member in target group
Type          Scope      Distribution        Security       User     Contact  Computer
                         G    U    L         G    U    L    account
Distribution  Global     x    -    -         x    -    -    x        x        x
              Universal  x    x    -         x    x    -    x        x        x
              Local      x    x    x         x    x    x    x        x        x
Security      Global     x    -    -         x    -    -    x        x        x
              Universal  x    x    -         x    x    -    x        x        x
              Local      x    x    x         x    x    x    x        x        x

Table 57: Group memberships permitted within a hierarchical domain structure

Target group             Member in target group
Type          Scope      Distribution        Security       User     Contact  Computer
                         G    U    L         G    U    L    account
Distribution  Global     -    -    -         -    -    -    -        x        -
              Universal  x    x    -         x    x    -    x        x        x
              Local      x    x    -         x    x    -    x        x        x
Security      Global     -    -    -         -    -    -    -        -        -
              Universal  x    x    -         x    x    -    x        x        x
              Local      x    x    -         x    x    -    x        x        x

Table 58: Group memberships permitted within a forest

Target group             Member in target group
Type          Scope      Distribution        Security       User     Contact  Computer
                         G    U    L         G    U    L    account
Distribution  Global     -    -    -         -    -    -    -        -        -
              Universal  -    -    -         -    -    -    -        -        -
              Local      x    x    -         x    x    -    x        -        x
Security      Global     -    -    -         -    -    -    -        -        -
              Universal  -    -    -         -    -    -    -        -        -
              Local      x    x    -         x    x    -    x        -        x

Table 59: Group memberships permitted between forests

Target group             Member in target group
Type          Scope      Distribution        Security       User     Contact  Computer
                         G    U    L         G    U    L    account
Distribution  Global     -    -    -         -    -    -    -        -        -
              Universal  -    -    -         -    -    -    -        -        -
              Local      x    x    -         x    x    -    x        -        x
Security      Global     -    -    -         -    -    -    -        -        -
              Universal  -    -    -         -    -    -    -        -        -
              Local      x    x    -         x    x    -    x        -        x
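The membership rules above are easiest to apply before a membership is mapped, not after synchronization rejects it. The following added example (not One Identity Manager code) encodes Tables 56 to 59 as data, derives which table applies from the forest name entered in the domain and from the list of known trusted domains (the two prerequisites named at the start of this section), and reports each proposed membership as permitted or not. Two things are assumptions, not statements of this guide: "hierarchical domain structure" is read as parent/child domains of one domain tree (the child's DNS name ends with the parent's), and "within a forest" as different trees of the same forest. All domain names, group names, and members are constructed sample data.

```python
"""Pre-flight check of proposed Active Directory group memberships.

Added example, not One Identity Manager code: Tables 56-59 are encoded as
data, the relationship between the target group's domain and the member's
domain is derived from the forest name entered in the domain and from the
known trusted domains, and each proposed membership is reported as
permitted or not.  Assumption not stated on the page: "hierarchical domain
structure" = parent/child domains of one tree (child DNS name ends with the
parent's); "within a forest" = different trees of one forest.  All names
below are constructed sample data.
"""
from dataclasses import dataclass

# Column order of the tables: distribution group G/U/L, security group G/U/L,
# then user account, contact, computer.
COLUMNS = ("dist_G", "dist_U", "dist_L", "sec_G", "sec_U", "sec_L", "user", "contact", "computer")
ROWS = [("distribution", "global"), ("distribution", "universal"), ("distribution", "local"),
        ("security", "global"), ("security", "universal"), ("security", "local")]
TABLES = {  # one string per row of ROWS; 'x' = permitted, '-' = not permitted
    "domain":    ["x--x--xxx", "xx-xx-xxx", "xxxxxxxxx", "x--x--xxx", "xx-xx-xxx", "xxxxxxxxx"],  # Table 56
    "hierarchy": ["-------x-", "xx-xx-xxx", "xx-xx-xxx", "---------", "xx-xx-xxx", "xx-xx-xxx"],  # Table 57
    "forest":    ["---------", "---------", "xx-xx-x-x", "---------", "---------", "xx-xx-x-x"],  # Table 58
}
TABLES["between_forests"] = TABLES["forest"]  # Table 59 lists the same entries as Table 58


@dataclass(frozen=True)
class Domain:
    dns_name: str
    forest: str                       # forest name entered in the domain
    trusted: frozenset = frozenset()  # DNS names of the known trusted domains


@dataclass(frozen=True)
class Group:
    name: str
    domain: Domain
    group_type: str                   # "distribution" | "security"
    scope: str                        # "global" | "universal" | "local"


@dataclass(frozen=True)
class Member:
    name: str
    domain: Domain
    kind: str                         # "user" | "contact" | "computer" | "group"
    group_type: str = ""              # for kind == "group" only
    scope: str = ""


def relationship(target: Domain, member: Domain) -> str:
    """Which of the four tables applies; raises if the member's domain is not a known trust."""
    if target.dns_name == member.dns_name:
        return "domain"
    if target.forest == member.forest:
        a, b = target.dns_name, member.dns_name
        # parent/child domains of one tree (assumption, see module docstring)
        return "hierarchy" if a.endswith("." + b) or b.endswith("." + a) else "forest"
    if member.dns_name in target.trusted:
        return "between_forests"
    raise ValueError(f"{member.dns_name} is not a known trusted domain of {target.dns_name}")


def column_of(member: Member) -> str:
    if member.kind != "group":
        return member.kind
    return {"distribution": "dist", "security": "sec"}[member.group_type] + "_" + member.scope[0].upper()


def is_permitted(target: Group, member: Member) -> bool:
    row = TABLES[relationship(target.domain, member.domain)][ROWS.index((target.group_type, target.scope))]
    return row[COLUMNS.index(column_of(member))] == "x"


def validate(pairs):
    """(group, member, relationship, verdict) per pair; verdict None = trust not known, enter it first."""
    report = []
    for group, member in pairs:
        try:
            rel = relationship(group.domain, member.domain)
            report.append((group.name, member.name, rel, is_permitted(group, member)))
        except ValueError:
            report.append((group.name, member.name, "unknown", None))
    return report


# Constructed sample: forest corp.example with child domain emea.corp.example and a
# second tree labs.example; partner.example is a separate forest trusted by corp.example.
CORP = Domain("corp.example", "corp.example", frozenset({"partner.example"}))
EMEA = Domain("emea.corp.example", "corp.example")
LABS = Domain("labs.example", "corp.example")
PARTNER = Domain("partner.example", "partner.example")
STRANGER = Domain("stranger.example", "stranger.example")  # no trust entered for this one

SAMPLE = [
    (Group("FinanceAdmins", CORP, "security", "global"), Member("alice", CORP, "user")),
    (Group("FinanceAdmins", CORP, "security", "global"), Member("bob", EMEA, "user")),
    (Group("AllStaff", CORP, "distribution", "global"), Member("ext-carol", EMEA, "contact")),
    (Group("FileShareRW", CORP, "security", "local"), Member("LabOps", LABS, "group", "security", "universal")),
    (Group("FileShareRW", CORP, "security", "local"), Member("ext-dave", LABS, "contact")),
    (Group("FileShareRW", CORP, "security", "local"), Member("erin", PARTNER, "user")),
    (Group("Everyone", CORP, "security", "universal"), Member("FileShareRW", CORP, "group", "security", "local")),
    (Group("FileShareRW", CORP, "security", "local"), Member("frank", STRANGER, "user")),
]
```

Running `validate(SAMPLE)` reports, for instance, that the global security group in corp.example may contain alice from its own domain but not bob from the child domain (Table 57 permits nothing for global security groups), that the distribution global group may still hold a contact from the child domain, and that frank's domain has to be entered as a trusted domain before the membership can be evaluated at all.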

Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers

You can assign groups directly and indirectly to user accounts, workdesks, and devices. In the case of indirect assignment, employees (or workdesks and devices) and groups are grouped into hierarchical roles. The number of groups assigned to an employee (workdesk or device) is calculated from the position within the hierarchy and the direction of inheritance.

If you add an employee to roles and that employee owns a user account or a contact, the user account or contact is added to the group. Prerequisites for indirect assignment to user accounts through employees are:

  • Assignment of employees and groups is permitted for role classes (departments, cost centers, locations, or business roles).
  • User accounts and contacts are labeled with the Groups can be inherited option.

If you add a device to roles, the computer that references the device is added to the group. Prerequisites for indirect assignment to computers are:

  • Assignment of devices and groups is permitted for role classes (departments, cost centers, locations, or business roles).
  • The computer is connected to a device labeled as PC or server.
  • The TargetSystem | ADS | HardwareInGroupFromOrg configuration parameter is set.

If a device owns a workdesk and you add the workdesk to roles, the computer, which references this device, is also added to all groups of the workdesk's roles. Prerequisites for indirect assignment to computers through workdesks are:

  • Assignment of workdesks and groups is permitted for role classes (departments, cost centers, locations, or business roles).
  • The computer is connected to a device labeled as PC or server. This device owns a workdesk.
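The three indirect paths above each have their own prerequisites, and when a user account or computer fails to receive an expected group it is usually one of them that is not met. The following added example (not One Identity Manager code) models the paths as described: employee roles to user account, device roles to computer, and workdesk roles to computer, and reports, per path, the groups granted or the reason nothing is granted. It is a simplification: a role contributes exactly the groups assigned to it, and inheritance along the role hierarchy and its direction are not modelled. The role classes, roles, group names, and device names are constructed sample data.

```python
"""Which Active Directory groups an employee's user accounts and a device's
computer receive through hierarchical roles.

Added example, not One Identity Manager code.  It applies the prerequisites
listed in the guide for the three indirect paths (employee roles -> user
account, device roles -> computer, workdesk roles -> computer) and reports,
per path, the groups granted or the reason nothing is granted.  Simplification:
a role contributes the groups assigned to it; inheritance along the role
hierarchy and its direction are not modelled.  All role classes, roles, groups
and names are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class RoleClass:
    name: str
    employees_allowed: bool     # employees may be assigned to roles of this class
    devices_allowed: bool
    workdesks_allowed: bool
    groups_allowed: bool        # groups may be assigned to roles of this class


@dataclass
class Role:
    name: str
    role_class: RoleClass
    groups: frozenset           # Active Directory groups assigned to the role


@dataclass
class UserAccount:
    name: str
    groups_can_be_inherited: bool


@dataclass
class Employee:
    name: str
    accounts: List[UserAccount]
    roles: List[Role]


@dataclass
class Device:
    name: str
    device_type: str            # "PC", "Server", "Monitor", ...
    computer: Optional[str]     # AD computer that references this device, if any
    roles: List[Role]
    workdesk_roles: List[Role]  # roles of the workdesk this device owns; empty if none


def groups_of_roles(roles, actor_allowed) -> Set[str]:
    """Union of the groups of those roles whose class permits both the actor
    kind (employee, device or workdesk) and the assignment of groups."""
    granted = set()
    for role in roles:
        if actor_allowed(role.role_class) and role.role_class.groups_allowed:
            granted |= role.groups
    return granted


def account_groups(emp: Employee):
    """Per user account: (groups received via the employee's roles, reason)."""
    via_roles = groups_of_roles(emp.roles, lambda rc: rc.employees_allowed)
    result = {}
    for acc in emp.accounts:
        if acc.groups_can_be_inherited:
            result[acc.name] = (via_roles, "ok")
        else:
            result[acc.name] = (set(), "option 'Groups can be inherited' not set")
    return result


def computer_groups(dev: Device, hardware_in_group_from_org: bool) -> Tuple[Set[str], str]:
    """Groups for the computer referencing the device: via device roles only when
    TargetSystem | ADS | HardwareInGroupFromOrg is set, via workdesk roles always."""
    if dev.computer is None:
        return set(), "no computer references this device"
    if dev.device_type.lower() not in ("pc", "server"):
        return set(), "device is not labeled as PC or server"
    granted = set()
    if hardware_in_group_from_org:
        granted |= groups_of_roles(dev.roles, lambda rc: rc.devices_allowed)
    granted |= groups_of_roles(dev.workdesk_roles, lambda rc: rc.workdesks_allowed)
    return granted, "ok"


# Constructed sample data.
DEPARTMENT = RoleClass("Department", True, True, True, True)
COST_CENTER = RoleClass("Cost center", True, False, False, False)  # groups not assignable here
FINANCE = Role("Finance", DEPARTMENT, frozenset({"ADS-Finance-RO", "ADS-Finance-Share"}))
CC_4711 = Role("CC 4711", COST_CENTER, frozenset({"ADS-CC4711"}))
ALICE = Employee("alice", [UserAccount("alice", True), UserAccount("alice-adm", False)],
                 [FINANCE, CC_4711])
LAPTOP = Device("LT-0042", "PC", "LT-0042$", [FINANCE], [])        # device itself in a role
DESK_PC = Device("WS-0007", "PC", "WS-0007$", [], [FINANCE])       # owns a workdesk in a role
MONITOR = Device("MON-0001", "Monitor", None, [FINANCE], [])       # no computer, not PC/server
```

With this data, `account_groups(ALICE)` grants the two Finance groups to the account that may inherit groups and nothing to the administrative account, and the cost center role contributes nothing because its role class does not permit group assignment. `computer_groups(LAPTOP, False)` shows the device path yielding nothing while the configuration parameter is not set, whereas `computer_groups(DESK_PC, False)` still grants the groups through the workdesk path, which the guide does not tie to that parameter.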

Groups can also be requested in the Web Portal. To do this, add employees to a shop as customers. All groups assigned to this shop can be requested by the customers. Requested groups are assigned to the employees after approval is granted.
