Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory

Table of Contents

Managing Active Directory environments

Architecture overview One Identity Manager users for managing Active Directory

Setting up Active Directory synchronization

Users and permissions for synchronizing with Active Directory Communications ports and firewall configuration Setting up the synchronization server Creating a synchronization project for initial synchronization of an Active Directory domain Displaying synchronization results Customizing the synchronization configuration

Configuring synchronization in Active Directory domains Configuring synchronization of different Active Directory domains Updating schemas

Speeding up synchronization with revision filtering Post-processing outstanding objects Configuring the provisioning of memberships Accelerating provisioning and single object synchronization Help for the analysis of synchronization issues Disabling synchronization

Basic data for managing an Active Directory environment

Account definitions for Active Directory user accounts

Creating an account definition

Master data for an account definition

Setting up manage levels

Master data for manage levels

Creating a formatting rule for IT operating data Collecting IT operating data Modify IT operating data Assigning account definitions to employees

Assigning account definitions to departments, cost centers, and locations Assigning an account definition to business roles Assigning account definitions to all employees Assigning account definitions directly to employees Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to a target system Deleting an account definition

Password policies for Active Directory user accounts

Predefined password policies Using password policies Editing password policies

General master data for password policies Policy settings Character classes for passwords

Custom scripts for password requirements

Script for checking passwords Script for generating a password

Password exclusion list Checking a password Testing password generation

Initial password for new Active Directory user accounts Email notifications about login data User account names Target system managers Editing a server

Master data for a Job server Specifying server functions Preparing a home server and profile server for creating user directories

Creating home directories using batch files Supporting multiple profile directories Home and profile directory access permissions

Active Directory domains

General master data for Active Directory domains Global account policies for an Active Directory domain Active Directory specific master data for Active Directory domains Specifying categories for inheriting Active Directory groups Information about the Active Directory forest

Trusted Active Directory domains

Active Directory account policies for Active Directory domains

Entering Active Directory account policies

General master data for an Active Directory account policy How to define a policy

Assigning Active Directory account policies to Active Directory user accounts and Active Directory groups

How to edit a synchronization project Monitoring the number of memberships in Active Directory groups and Active Directory containers

Active Directory user accounts

Linking user accounts to employees Supported user account types

Default user accounts Administrative user accounts

Providing an administrative user account for one employee Providing an administrative user account for multiple employees

Privileged user accounts

Entering master data for Active Directory user accounts

General master data of Active Directory user accounts Password data for Active Directory user accounts Profile and home directories Active Directory user account login data Remote access service dial-in permissions Connection data for terminal servers Extensions data for an Active Directory user account Further identification data Contact data for an Active Directory user account

Additional tasks for managing Active Directory user accounts

Overview of Active Directory user accounts Changing the manage level of Active Directory user accounts Unlocking Active Directory user accounts Assigning Active Directory account policies to an Active Directory user account Assigning Active Directory groups directly to an Active Directory user account Assigning secretaries to an Active Directory user account Moving an Active Directory user account Assigning extended properties to Active Directory user accounts

Automatic assignment of employees to Active Directory user accounts

Editing search criteria for automatic employee assignment

Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Disabling Active Directory user accounts Deleting and restoring Active Directory user accounts

Active Directory contacts

Entering master data for Active Directory contacts

General master data for Active Directory contacts Contact data for Active Directory contacts Further identification data Extensions data for Active Directory contacts

Additional tasks for managing Active Directory contacts

Overview of Active Directory contacts Changing the manage level of Active Directory contacts Assigning Active Directory groups directly to an Active Directory contact Assigning secretary to an Active Directory contact Moving an Active Directory contact Assigning extended properties to Active Directory contacts

Deleting and restoring Active Directory contacts

Active Directory groups

Entering master data for Active Directory groups

General master data for Active Directory groupS Extensions data for Active Directory groups

Validity of group memberships Assigning Active Directory groups to Active Directory user accounts, Active Directory contacts, and Active Directory computers

Assigning Active Directory groups to departments, cost centers and locations Assigning Active Directory groups to business roles Assigning Active Directory user accounts directly to Active Directory groups Assigning Active Directory contacts directly to an Active Directory group Assigning Active Directory computers directly to an Active Directory group Adding Active Directory groups to system roles Adding Active Directory groups to the IT Shop Adding Active Directory groups automatically to the IT Shop

Additional tasks for managing Active Directory groups

Overview of Active Directory groups Adding Active Directory groups to Active Directory groups Effectiveness of group memberships Active Directory group inheritance based on categories Assigning Active Directory account policies directly to an Active Directory group Assigning secretaries to an Active Directory group Moving an Active Directory group Assigning extended properties to Active Directory groups

Deleting Active Directory groups Default solutions for requesting Active Directory groups and group memberships

Adding Active Directory groups Changing Active Directory groups Deleting Active Directory groups Active DirectoryRequesting Groups Memberships

Active Directory security IDs Active Directory container structures

Setting up Active Directory containers

Master data for an Active Directory container

Additional tasks for managing Active Directory containers

Overview of Active Directory containers Moving an Active Directory container

Active Directory computers

Master data for an Active Directory computer Additional tasks for managing Active Directory computers

Overview of Active Directory computers Moving an Active Directory computer Assigning Active Directory computers directly to Active Directory groups Performing computer diagnostics

Active Directory printers Active Directory locations Reports about Active Directory objects

Overview of all assignments

Configuration parameters for managing an Active Directory environment Default project template for Active Directory

Active Directory group inheritance based on categories

Groups and be selectively inherited by user accounts and contacts in One Identity Manager. The groups and user accounts (contacts) are divided into categories in the process. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains tables that map the user accounts (contact) and the groups. Specify your categories for user account (contacts) in the table for user accounts (contacts). Enter your categories for groups in the group table. Each table contains the Position 1 to Position 31 category positions.

Every user account (contact) can be assigned to one or more categories. Each group can also be assigned to one or more categories. If at least one user account (contact) category position matches an assigned structural profile, the structural profile is inherited by the user account (contact). If the group or user account (contact) is not in classified into categories, the group is also inherited by the user account (contact).

NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when assigning groups to user accounts and contacts.

Table 65: Category examples
Category position	Categories for user accounts	Categories for groups
1	Default user	Default entitlements
2	System users	System user entitlements
3	System administrator	System administrator entitlements

Figure 2: Example of inheriting through categories.

To use inheritance through categories

Define categories in the domain.
Assign categories to user accounts and contacts through their master data.
Assign categories to groups through their master data.

Related topics

Assigning Active Directory account policies directly to an Active Directory group

For domains from the functional level Windows Server 2008 R2 and above, it is possible to define additional password policies in addition to the default password policies. This allows individual users and groups to be subjected to stricter account policies as intended for global groups.

To specify account policies for a group

Select Active Directory | Groups.
Select the group in the result list.
Select the Assign account policies task.
In the Add assignments pane, assign the account policies.
- OR -

In the Remove assignments pane, remove the account policies.
Save the changes.

Related topics

Assigning secretaries to an Active Directory group

Assign a secretary to the group. The secretary is displayed in the email recipient’s properties in Microsoft Outlook.

To assign a secretary to a group

Select the Active Directory | Groups category.
Select the group in the result list.
Select the Assign secretaries task.
Select the table which contains the user from the menu Table at the top of the form. You have the following options:
- Active Directory user accounts
- Active Directory contacts
- Active Directory groups
In the Add assignments pane, assign secretaries.

- OR -

In the Remove assignments pane, remove secretaries.
Save the changes.

Moving an Active Directory group

NOTE: You can only move groups within a domain.

To move a group

Select the Active Directory | Groups category.
Select the group in the result list.

Select the Change master data task.
Select the Change Active Directory container task.
Confirm the security prompt with Yes.
Select the new container from the Containers menu on the General tab.
Save the changes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center