立即与支持人员聊天
与支持团队交流

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Administering Group Family

Most of the tasks related to Group Family administration are performed by using the Properties command on the groups used to store Group Family configurations. In the Active Roles Console, such groups are marked with a special icon, to distinguish them from regular groups.

So, when you create a Group Family, a group is created to store the Group Family configuration. The group is assigned the name you have provided for the Group Family, and marked with the Group Family icon:

To facilitate Group Family administration, the Properties dialog for a configuration storage group includes a number of Group Family-specific tabs:

  • General tab: Displays the name of the Group Family and allows the administrator to view or modify the description, group type, and group scope of the storage group.

  • Controlled Groups tab: Lists the groups that are under the control of the Group Family, and allows the administrator to view or modify the group-to-grouping links and group creation-related rules.

  • Groupings tab: Allows the administrator to view or modify the Group Family scope and the list of group-by properties.

  • Schedule tab: Displays Group Family schedule-related information, and allows the administrator to view or modify scheduling settings.

  • Action Summary tab: Displays information about the last run of the Group Family, and allows the administrator to view a log detailing results of the run.

These tabs are discussed in more detail later in this section.

NOTE: Changes to the regular, group-related properties of the configuration storage group do not affect the Group Family. For example, you can rename or move the configuration storage group without any impact on the process and results of Group Family operation. Renaming the configuration storage group only changes the display name of the Group Family.

The Action menu on each Group Family configuration storage group includes the Force Run command, so you can run the Group Family if you want to update it right away, without waiting for the scheduled run time.

Controlled groups

To help distinguish the groups that are under the control of a Group Family (controlled groups), the Active Roles Console marks them with a special icon. For example, the following icon is used to indicate a global group that is under the control of a Group Family:

In addition, an explanatory text is added to the Notes field for such groups, stating that the Group Family will override any changes made directly to the group membership list.

In the Active Roles Console, the Properties dialog for controlled groups includes a Group Family-specific tab named Controlled By. From that tab, you can manage the configuration of the Group Family that controls the group.

The Controlled By tab displays the name and path of the group that stores the configuration of the Group Family. To view or change the configuration of the Group Family, click Properties.

There are two ways to access the Properties dialog of the Group Family configuration storage group:

  • On the Controlled By tab in the Properties dialog for any group controlled by the Group Family, click Properties.

  • Right-click the Group Family configuration storage group, and click Properties.

The following sections elaborate on the Group Family-specific tabs found in the Properties dialog for the Group Family configuration storage group.

General tab

The General tab displays the Group Family name, and allows you to edit the description. This tab cannot be used to modify the Group Family name. You can change the name by using the Rename command on the Group Family configuration storage group.

By clicking Storage Group Scope and Type (Advanced), you can view or modify the group scope and group type of the configuration storage group. Changes to these settings do not affect the Group Family. The group type and group scope are set to Security and Global by default, and normally need not be modified.

Controlled groups tab

The Controlled Groups tab lists the groups that are controlled by this Group Family. The tab includes the following items:

Table 65: Controlled groups tab items

Item

Description

Controlled groups

This is a list of all groups that are under the control of this Group Family. For each group, the list displays the name of the group along with the path and name of the container that holds the group.

Capture Groups

Click this button to examine the list of controlled groups in detail. For each of the controlled groups, you can identify the grouping assigned to that group.

Manage Rules

Click this button to view or change the Group Family settings that determine properties of the controlled groups such as the naming properties, the group type and scope, the container that holds the groups, and Exchange-related properties.

Each of the groups listed on this tab is either created or captured by the Group Family, and linked to a certain grouping. You can view or modify those links by clicking Capture Groups.

NOTE: For a newly created Group Family configuration, the list on this tab only includes the groups specified in the Capture Existing Groups Manually step of the New Group Family wizard. If that step was skipped, the list is empty until the Group Family has been run.

Clicking Capture Groups displays a window where you can view the list of controlled groups in more detail. The Capture Groups window allows you to add, modify, or remove entries from that list.

The Capture Groups window lists all the controlled groups. For each group, you can see which grouping is linked to that group. As usual, groupings are identified by combinations of values of the group-by properties. Thus, each entry in the list includes the following information:

  • Combination of values of the group-by properties: The combination of property values that identifies a grouping.

  • Group Name: Identifies the group linked to the grouping.

  • In Folder: The canonical name of the container holding the group.

  • Last Update: The date and time the group was last updated by the Group Family. The update occurs during a Group Family run, when any changes to the grouping are detected and the membership list of the group is modified so as to reflect those changes.

  • Members: The number of members that the group holds after the last update. Equals to the number of objects the Group Family found in the grouping as of the time of the last update.

The Capture Groups window provides these buttons for managing the list:

  • Add: Opens a window where you can select a group and specify a grouping to which you want to link (assign) an existing group. To specify a grouping, you need to enter a certain value of each of the group-by properties. The result is that the group you select is linked to the grouping identified by the combination of values you have entered.

  • Edit: Allows you to modify an entry you select from the list. Opens a window where you can select a different group, or specify a different grouping by making changes to the combination of values of the group-by properties.

  • Remove: Deletes the entries you select from the list. The result is that the Group Family will create new groups for the groupings you remove from the list.

  • Scan: Detects new combinations of values of group-by properties, and displays them in the list so that you can link existing groups to new combination manually if you do not want the Group Family to create new groups for those combinations.

When managing the list of groups in the Capture Groups window, consider the following:

  • You can assign an existing group to a grouping regardless of whether the grouping actually exists in the directory. For example, you can assign a group to a grouping with a Department property value that is not encountered in the directory. Once the Department property for some users is set to that value, the Group Family will add those users to the specified group instead of creating a new group for the new Department.

  • Only one group can be assigned to a grouping. If the list already includes a given grouping, you will not be allowed to add a new entry referring to that same grouping. In this case, you have the option to use Edit, to link a different group to the grouping.

  • When you edit a list entry to link a different group to a grouping, the group that was earlier linked to the grouping remains intact. It neither is deleted nor has the membership list updated. In other words, the members of the grouping still belong to the group even though you have removed that group from the list, and thus from under the control of the Group Family.

  • When you remove an entry from the list, the group that the entry refers to is not deleted. During a subsequent run, the Group Family will detect a grouping that has no group assigned and try to create a group for that grouping. This operation may fail due to a name conflict so long as there is an existing group with the same name—the group that was earlier linked to the grouping. To avoid name conflicts, rename or delete the groups you remove from under the control of the Group Family.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级