Chat now with support
Chat with Support

We are currently experiencing a OneLogin Outage within the US region, please consult https://www.onelogin.com/status for further details.

Identity Manager 9.1.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and employees
Account definitions for Active Directory user accounts and Active Directory contacts Assigning employees automatically to Active Directory user accounts Supported user account types Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login information for Active Directory user accounts Mapping of Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Active Directory user accounts

You manage user account in One Identity Manager with Active Directory. A user account is a security principal in Active Directory. That means a user account can log in to the domain. A user account receives access to network resources through its group memberships and permissions.

The managed service accounts introduced in Windows Server 2008 R2 and the group managed service accounts introduced with Windows Server 2012 are not supported in One Identity Manager.

Related topics

Creating and editing Active Directory user accounts

A user account can be linked to an employee in One Identity Manager. You can also manage user accounts separately from employees.

NOTE: It is recommended to use account definitions to set up user accounts for company employees. In this case, some of the main data described in the following is mapped through templates from employee main data.

NOTE: If employees are to obtain their user accounts through account definitions, the employees must own a central user account and obtain their IT operating data through assignment to a primary department, a primary location, or a primary cost center.

To create a user account

  1. In the Manager, select the Active Directory > User accounts category.

  2. Click in the result list.

  3. On the main data form, edit the main data of the user account.

  4. Save the changes.

To edit main data of a user account

  1. In the Manager, select the Active Directory > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. Edit the user account's resource data.

  5. Save the changes.

To manually assign a user account for an employee

  1. In the Manager, select the Employees > Employees category.

  2. Select the employee in the result list.

  3. Select the Assign Active Directory user accounts task.

  4. Assign a user account.

  5. Save the changes.
Detailed information about this topic
Related topics

General main data of Active Directory user accounts

Table 31: Configuration parameters for setting up user accounts
Configuration parameter Meaning

TargetSystem | ADS | Accounts | TransferJPegPhoto

Specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

Enter the following data on the General tab.

Table 32: General main data of a user account
Property Description

Employee

Employee that uses this user account. An employee is already entered if the user account was generated by an account definition. If you create the user account manually, you can select an employee in the menu. If you are using automatic employee assignment, an associated employee is found and added to the user account when you save the user account.

You can create a new employee for a user account with an identity of type Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity, or Service identity. To do this, click next to the input field and enter the required employee main data. Which login data is required depends on the selected identity type.

No link to an employee required

Specifies whether the user account is intentionally not assigned an employee. The option is automatically set if a user account is included in the exclusion list for automatic employee assignment or a corresponding attestation is carried out. You can set the option manually. Enable the option if the user account does not need to be linked with an employee (for example, if several employees use the user account).

If attestation approves these user accounts, these user accounts will not be submitted for attestation in the future. In the Web Portal, user accounts that are not linked to an employee can be filtered according to various criteria.

Not linked to an employee

Indicates why the No link to an employee required option is enabled for this user account. Possible values:

  • By administrator: The option was set manually by the administrator.

  • By attestation: The user account was attested.

  • By exclusion criterion: The user account is not associated with an employee due to an exclusion criterion. For example, the user account is included in the exclude list for automatic employee assignment (configuration parameter PersonExcludeList).

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account main data and to specify a manage level for the user account. One Identity Manager finds the IT operating data of the assigned employee and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

NOTE: Use the user account's Remove account definition task to reset the user account to Linked status. This removes the account definition from both the user account and the employee. The user account remains but is not managed by the account definition anymore. The task only removes account definitions that are directly assigned (XOrigin=1).

Manage level

Manage level of the user account. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.

First name

The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Middle name

User's middle name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Initials

The user’s initials. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Title

The user’s academic title. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Name

User account identifier. The identifier is made up of the user’s first and last names.

Distinguished name

User account's distinguished name. The distinguished name is formatted from the user account's identifier and the container and cannot be changed.

Domain

Domain in which the user account is created.

Container

Container in which to create the user account. If you have assigned an account definition, the container is determined from the company IT data for the assigned employee depending on the manage level of the user account. When the container is selected, the defined name for the user is created using a formatting rule.

Primary group

User account's primary group. Synchronization with the Active Directory environment assigns the user account to the Domain Users group by default. Only groups that are assigned to the user account are available as primary groups.

Login name (pre Win2000)

Login name for the previous version of Active Directory. If you assigned an account definition, the login name (pre Win2000) is made up of the employee’s central user account depending on the manage level of the user account.

User login name

User account login name. User login names that are formatted like this correspond to the User Principal Name (UPN) in Active Directory.

If you have already established the container and entered the login name (pre Win2000), the user login name is created following the formatting rule as shown:

<login name (pre Win2000)>@<AD domain name>

Email address

User account email address. If you assigned an account definition, the email address is made up of the employee’s default email address depending on the manage level of the user account.

Additional email addresses

Other email addresses for the user account.

Account expiry date

Account expiry date. Specifying an expiry data for the account has the effect that the logon for this user account is blocked as soon as the given date is exceeded. If you assigned an account definition, the employee’s last day of work it is automatically taken as the expiry date depending on the manage level. Any existing account expiry date is overwritten in this case.

Structural object class

Structural object class representing the object type. By default, you set up user accounts in One Identity Manager with the USER object class. However, the INETORGPERSON object class is also supported, which is used by other LDAP and X.500 directory services for the mapping of user accounts.

Risk index (calculated)

Maximum risk index value of all assigned groups. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for the inheritance of groups by the user account. Groups can be selectively inherited by user accounts. To do this, groups and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.

Identity

User account's identity type Permitted values are:

  • Primary identity: Employee's default user account.

  • Organizational identity: Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.

  • Personalized administrator identity: User account with administrative permissions, used by one employee.

  • Sponsored identity: User account to use for a specific purpose. Training, for example.

  • Shared identity: User account with administrative permissions, used by several employees. Assign all employees that use this user account.

  • Service identity: Service account.

Privileged user account.

Specifies whether this is a privileged user account.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked employee. If the option is set, the user account inherits groups through hierarchical roles, in which the employee is a member, or through IT Shop requests.

  • If you add an employee with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an employee has requested group membership in the IT Shop and the request is granted approval, the employee's user account only inherits the group if the option is set.

Preferred user account

Preferred user account when an employee has several user accounts in Active Directory.

User account is disabled

Specifies whether the user account is disabled. If a user account is not required for a period of time, you can temporarily disable the user account by using the <User account is deactivated> option.

Account locked

Specifies whether the user account is locked. Depending on the configuration, the user account in the Active Directory environment is locked after multiple incorrect password attempts. You can lock the user account again in the Manager using the Unlock user account task.

If the user account is linked to an employee, the user account is unlocked when a new central password is set for the employee. This behavior is controlled by the TargetSystem | ADS | Accounts | UnlockByCentralPassword configuration parameter. For more information about an employee’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

Protected from accidental deletion

Specifies whether to protect the user account against accidental deletion. If the option is set, the permissions for deleting the user account are removed in Active Directory. The user account cannot be deleted or moved.

Related topics

Password data for Active Directory user accounts

Table 33: Configuration parameters for setting up password data
Configuration parameter Meaning

TargetSystem | ADS | Accounts |
NotRequirePassword

Specifies whether a password is required when creating new Active Directory user accounts in One Identity Manager. If the configuration parameter is not set, entry of a password that meets the defined password guidelines is requested when a new Active Directory user account is created. If the configuration parameter is set, it is not necessary to specify a password when creating new Active Directory user accounts.

TargetSystem | ADS | Accounts |
UserMustChangePassword

Specifies whether the Change password at next login option is enabled when a new user account is created.

NOTE: One Identity Manager password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.

Enter the following main data on the Password tab.

Table 34: User account password data

Property

Description

Password

Password for the user account. The employee’s central password can be mapped to the user account password. For more information about an employee’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

If you use a random generated initial password for the user accounts, it is automatically entered when a user account is created.

The password is deleted from the database after publishing to the target system.

Password confirmation

Reconfirm password.

Password last changed

Data of last password change. The date is read in from the Active Directory system and cannot be changed.

Password never expires

Specifies whether the password expires. This option is usually used for service accounts. It overwrites the maximum lifetime of a password and the Change password at next logon option.

Cannot change password

Specifies whether the password can be changed. This option is normally set for user accounts that are used by several users.

Change password at next login

Specifies whether the user must change their password the next time they log in.

TIP: To enable this option every time new user accounts are created, set the TargetSystem | ADS | Accounts | UserMustChangePassword configuration parameter.

Save passwords with reversible encryption

Details for encrypting the password. By default, passwords that are saved in Active Directory are encrypted. When you use this option, passwords are saved in plain text and can be restored again.

SmartCard required to log on

Data required for logging in with a SmartCard. Set this option to save public and private keys, passwords, and other personal information for this Active Directory user account. For the user to be able to log in to the network, the user’s computer must be equipped with a smart card reader and the user must have a personal identification number (PIN).

Account trusted for delegation purposes

Data required for delegation. Set this option so that a user can delegate the responsibility for administration and management of a partial domain to another Active Directory user account or another group.

Cannot delegate account

Data required for delegation. Set this option when this user account may not be assigned for delegation purposes from another user account.

Account uses DES encryption

Data required for encryption. Set this option if you would like to enable Data Encryption Standard (DES) support.

Kerberos preauthentication not required

Specifies whether Kerberos pre-authentication is required. Set this option when the user account uses a different implementation of the Kerberos protocol.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating