Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Password data for Active Directory user accounts

Enter the password data for the system user ID.

NOTE: One Identity Manager password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.

NOTE: The TargetSystem | ADS | Accounts | NotRequirePassword configuration parameter specifies whether a password is required when creating new Active Directory user accounts in One Identity Manager. If the configuration parameter is not set, entry of a password that meets the defined password guidelines is requested when a new Active Directory user account is created. If the configuration parameter is set, it is not necessary to specify a password when creating new Active Directory user accounts. In the Designer, you can edit the configuration parameter as required.

Table 32: User account password data

Property

Description

Password

Password for the user account. The identity’s central password can be mapped to the user account password. For more information about an identity’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

If you use a random generated initial password for the user accounts, it is automatically entered when a user account is created.

The password is deleted from the database after publishing to the target system.

Password confirmation

Reconfirm password.

Password last changed

Date of last password change. The date is read in from the Active Directory system and cannot be changed.

Password never expires

Specifies whether the password expires. This option is usually used for service accounts. It overwrites the maximum lifetime of a password and the Change password at next logon option.

Cannot change password

Specifies whether the password can be changed. This option is normally set for user accounts that are used by several users.

Change password at next login

Specifies whether the user must change their password the next time they log in.

TIP: To enable this option every time new user accounts are created, set the TargetSystem | ADS | Accounts | UserMustChangePassword configuration parameter.

Save passwords with reversible encryption

Details for encrypting the password. By default, passwords that are saved in Active Directory are encrypted. When you use this option, passwords are saved in plain text and can be restored again.

SmartCard required to log on

Data required for logging in with a SmartCard. Set this option to save public and private keys, passwords, and other personal information for this Active Directory user account. For the user to be able to log in to the network, the user’s computer must be equipped with a smart card reader and the user must have a personal identification number (PIN).

Account trusted for delegation purposes

Data required for delegation. Set this option so that a user can delegate the responsibility for administration and management of a partial domain to another Active Directory user account or another group.

Cannot delegate account

Data required for delegation. Set this option when this user account may not be assigned for delegation purposes from another user account.

Account uses DES encryption

Data required for encryption. Set this option if you would like to enable Data Encryption Standard (DES) support.

Kerberos preauthentication not required

Specifies whether Kerberos pre-authentication is required. Set this option when the user account uses a different implementation of the Kerberos protocol.

Related topics

Active Directory user account home directory and profile directory

Enter the data for the user's home and profile directories. When you enter a profile directory, a new user profile is created through One Identity Manager Service that is loaded over the network when the user logs on.

NOTE: If the QER | Person | User | ConnectHomeDir configuration parameter is set, some of the following data for the home directory is formed automatically. In the Designer, you can set the configuration parameter as required.

Table 33: Main data for a user directory
Property Description

Home server

Home server. You can select the home server depending on the number of home directories per home server that already exist (according to the database). If you assigned an account definition, the home server is determined from the current IT operating data for the assigned identity depending on the manage level.

Home share

The share that is stored under the user’s home directory on the home server. Default is HOMES.

Home directory path

Name of the home directory for the user under the home share. By default, the login name (pre Windows 2000) is used to format the home directory path.

Home shared as

Home directory share. This share is formatted using the default home directory path.

Home drive

The drive to be connected when the user logs in. The default domain home drive is used.

Home directory

The user's home directory. The given home directory is automatically added and shared by the One Identity Manager Service.

Size home directory [MB]

Size of the home directory in MB. Find the size of the home directory by running the schedule supplied by default. In the Designer, configure and enable the Load size of home folders for user accounts schedule.

Maximum home storage space [MB]

Maximum size for the home directory on the home server in MB.

Profile server

Profile server. If you assigned an account definition, the profile server is determined from the current IT operating data for the assigned identity depending on the manage level.

Profile share

The share that is stored under the user’s profile directory on the profile server. Default is PROFILES.

Profile shared as

Profile directory share.

Profile directory path

Name of the profile directory for the user under the profile share. By default, the login name (pre Windows 2000) is used to format the profile directory path.

Login script

Name of the login script. If the script is in a subdirectory of the login script path (normally Winnt\Sysvol\domain\scripts), you need enter the subdirectory as well. The given login script is run when the user logs in.

Related topics

Login credentials for Active Directory user accounts

Enter the following login credentials.

Table 34: Credentials
Property Description

Last login

Date of last login. The date is read in from the Active Directory system and cannot be changed manually.

Login workstation

Workstation on which the user can log in. A user can log in on all workstations by default.

Select the button next to the input field to activate it and add workstations. Use the button to remove workstations from the list.

Login times

Times and days on which the user is allowed to be logged in. By default, login is permitted at all hours and every day of the week. If a user is logged in, the login is disconnected at the end of the valid login period.

The calendar shows a 7-day week, each box represents one hour. The configured login times are shown in color, respectively. If a box is filled, login is allowed. If the box is empty, login is denied.

To specify login times

  • Select a time period with the mouse or keyboard.

  • Select Assign to enable login in the selected period.

  • Select Remove to deny login in the selected period.

  • Select Reverse to invert the selected period.

  • Use the arrow keys to reset or repeat a selection.

Dial-in access using Remote Access Service (RAS) for Active Directory user accounts

NOTE: Remote Access Service (RAS) properties are only synchronized and provisioned if the Enable RAS properties option is set.

Allocate remote dial-up permissions for the user account in the network and specify the callback option. The following data can be edited depending on the selected domain mode (mixed or native).

Enter the following main data:

Table 35: Remote access service
Property Description

Dial-up permitted

Specifies whether the user may dial up the network. Permitted values are:

  • Allow access: This permits the user to dial up the network.

  • Deny access: This specifies that you deny the user the dial-in to the network.

  • Control access using remote access policy: This data specifies that access to the network is controlled over RAS guidelines. RAS guidelines are usually used to apply the same access permissions to several Active Directory user accounts.

No callback

The callback function is switched off by this option.

Set by caller

The server expects the user to input the number that they can be called back on.

Always callback

The server tries to call the user back over the given number.

Verifying caller ID

A predefined number with which the user should dial into the network.

Static IP address

A fixed IP address assigned to the user.

Static routes with IP address, network address and metric

Target network IP addresses, network addresses and metrics for dialing in over fixed routes.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating