Active Roles 8.1.3 - Administration Guide

Installing Configuration Transfer Wizard

You can install Configuration Transfer Wizard from the Active Roles *.iso file, if the installation requirements are met. For more information, see Configuration Transfer Wizard requirements.

To install Configuration Transfer Wizard

  1. In the Active Roles *.iso file, navigate to the following folder:

    \Solutions\Configuration Transfer Wizard

  2. To start installing the Wizard, double-click ConfigurationTransferWizard_8.1.3.msi.

  3. Follow the instructions of the installer.

Using the Configuration Transfer Wizard

This section describes how to use Configuration Transfer Wizard to import and export Active Roles configuration data.

General considerations for using Configuration Transfer Wizard

To use Configuration Transfer Wizard, you must have the necessary security permissions. It is sufficient to be a member of the Active Roles Admin account, in both the source and destination environments. The Active Roles Admin account is specified during installation of the Administration Service and defaults to the Administrators group on the computer running the Administration Service.

IMPORTANT: Before transferring the Active Roles configuration data, ensure that the Active Directory Organizational Unit (OU) structure in the destination environment is identical to the OU structure in the source environment.
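One way to check this prerequisite before a transfer is to compare the OU paths of the two domains relative to their domain roots. This is an added example, not part of the Active Roles documentation or tooling; the domain names and DNs are constructed sample values, and `Get-RelativeOuPath` and `Compare-OuStructure` are hypothetical helper names.

```powershell
# Added example: compare the OU trees of a source and a destination domain.
# All domain names and DNs below are constructed sample values.

function Get-RelativeOuPath {
    # Strip the domain root DN so that OU paths from different domains are comparable.
    param(
        [string[]]$OuDn,      # OU distinguished names
        [string]$DomainDn     # domain root DN, for example DC=source,DC=example
    )
    $suffix = ',' + $DomainDn
    foreach ($dn in $OuDn) {
        if ($dn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $dn.Substring(0, $dn.Length - $suffix.Length)
        }
    }
}

function Compare-OuStructure {
    param(
        [string[]]$SourceOu, [string]$SourceDomainDn,
        [string[]]$DestOu,   [string]$DestDomainDn
    )
    $src = @(Get-RelativeOuPath -OuDn $SourceOu -DomainDn $SourceDomainDn)
    $dst = @(Get-RelativeOuPath -OuDn $DestOu   -DomainDn $DestDomainDn)
    # SideIndicator '<=' means the OU exists only in the source,
    # '=>' means it exists only in the destination. No output means identical trees.
    Compare-Object -ReferenceObject $src -DifferenceObject $dst
}

# Constructed sample input. In a live environment the lists can be read with the
# ActiveDirectory module, for example:
#   $srcOu = (Get-ADOrganizationalUnit -Filter * -Server 'source.example').DistinguishedName
$srcOu = 'OU=Staff,DC=source,DC=example',
         'OU=HR,OU=Staff,DC=source,DC=example'
$dstOu = 'OU=Staff,DC=dest,DC=example'

Compare-OuStructure -SourceOu $srcOu -SourceDomainDn 'DC=source,DC=example' `
                    -DestOu   $dstOu -DestDomainDn   'DC=dest,DC=example'
```

With the sample input, the comparison reports `OU=HR,OU=Staff` as present only in the source, which is the kind of mismatch to resolve before deploying a package.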

These are the general steps required to transfer Active Roles configuration data by using this solution:

  1. Collect configuration data from a source Active Roles environment. In this step, you select the Active Roles configuration objects you want the configuration package to include, and then create a configuration package XML file. This step is performed in the source environment.

  2. Deploy the collected configuration data to a destination Active Roles environment. In this step, the target Active Roles instance is populated with configuration objects from an earlier created package. This step is performed in the destination environment.

NOTE: If an object to deploy already exists in the target configuration, then the properties of the object are updated during the deployment process.

To perform these steps, you can use either the Configuration Collection Wizard and Configuration Deployment Wizard, or the ARSconfig command-line tool. Both methods have the same effect and can be used interchangeably, depending on your requirements.

You can use the Configuration Transfer Wizard to transfer the following Active Roles configuration objects:

  • Access Templates and containers that hold Access Templates.

  • Managed Units and containers that hold Managed Units.

  • Policy Objects and containers that hold Policy Objects.

  • Scheduled Task objects and containers that hold such objects.

  • Application objects and containers that hold such objects.

  • Script Modules and containers that hold Script Modules.

  • Virtual attributes.

  • Access Template links (edsACE object type).

  • Policy Object links (edsPolicyObjectLink object type).

  • Mail Configuration objects (edsMailConfiguration object type).

  • Workflow definition objects (edsWorkflowDefinition object type).

  • Automation Workflow definition objects (edsAutomationWorkflowDefinition object type).

  • Policy Type objects (edsPolicyType object type).

  • Entitlement Profile Specifier objects and containers (edsOneViewSpecifier or edsOneViewSpecifiersContainer object type).

  • Display specifiers and containers that hold display specifiers (displaySpecifier or edsDisplaySpecifierContainer object type).

However, the Configuration Transfer Wizard cannot transfer the following configuration object categories:

  • Built-in objects (that is, objects that have "built-in" in their name).

  • Web Interface configuration data (that is, objects held in the Configuration/Application Configuration/Web Interface container).

If you need to roll back the changes made to the configuration of the target Active Roles instance during the package deployment, you can do so by using the command-line tool included with Configuration Transfer Wizard. For more information, see Example: Rolling back the configuration changes.

Dangling links during configuration transfer

When collecting Access Templates and Policy Objects, Configuration Transfer Wizard analyzes their links and writes the links to the destination package. Every link record includes information about the directory object and, if applicable, the trustee to which the respective Access Template or Policy Object is applied. In the configuration package file, this information normally takes the form of the distinguished name (DN), while in the Active Roles environment the links refer to the objects by security identifier (SID) or globally unique identifier (GUID). The Wizard needs the DN rather than the SID or GUID to identify an object because, in a different environment, the object SID or GUID differs from that in the original environment. By identifying the link reference objects by DN, the solution enables the delegation and policy settings to be properly transferred from the source environment to the destination environment.

To have the link records identify the link reference objects by DN, the Wizard has to resolve each object SID or GUID to the object DN. If this lookup fails for a given link, a link record is created that identifies the link reference object by SID or GUID. Such a record is referred to as a "dangling link".

If any dangling links have been recorded to the destination package, Configuration Transfer Wizard indicates this condition. Deploying a package that contains dangling links may create links in the destination environment that refer to non-existent objects. As a result, some delegation and policy settings configured by deploying the package may not match the settings found in the source environment from which the package was collected.

The ARSconfig tool provides the danglingLinks parameter that allows you to specify how you want the deployment process to handle dangling links. For more information, see Using the ARSconfig command-line tool.
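To see which SID-based references would point at non-existent objects, you can test whether each SID found in a package resolves on a computer in the destination environment. This is an added example, not part of Configuration Transfer Wizard or ARSconfig; it assumes SIDs appear in the package in standard string form (S-1-...), does not cover GUID references, and uses constructed sample text rather than the real package schema. `Find-UnresolvedSid` is a hypothetical helper name.

```powershell
# Added example: list SID strings in package text that do not resolve locally.
# The text below is constructed and stands in for package content; the real
# package schema is not shown here. Assumption: SIDs are stored as S-1-... strings.
$packageText = @'
trustee: CN=Help Desk,OU=Staff,DC=source,DC=example
trustee: S-1-5-21-1111111111-2222222222-3333333333-1105
trustee: S-1-5-32-544
'@

function Find-UnresolvedSid {
    param([string]$Text)

    # Collect every distinct SID-shaped string, regardless of where it appears.
    $sids = [regex]::Matches($Text, '\bS-1-\d+(?:-\d+)+') |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique

    foreach ($value in $sids) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
            # Translate() throws when no account maps to the SID in this environment.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Unresolvable here: a link deployed with this SID would refer
            # to an object that does not exist in this environment.
            $value
        }
    }
}

# To scan a real file instead of the sample (path is a placeholder):
#   Find-UnresolvedSid -Text (Get-Content -Raw 'C:\Temp\package.xml')
Find-UnresolvedSid -Text $packageText
```

With the sample text, the well-known SID S-1-5-32-544 (BUILTIN\Administrators) resolves on any Windows computer, while the constructed domain SID is reported as unresolved.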
