立即与支持人员聊天
与支持团队交流

Active Roles 8.1.3 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Report section: Undo Group Object Relocation

Table 36: Undo Group Object Relocation

Report Item (Success)

Report Item (Failure)

No changes to undo.

N/A

The group is moved to its original location.

Former location: <name of container>

Restored original location: <name of container>

Failed to move the group to its original location.

Current location: <name of container>

Failed to move to this location: <name of container>

Report section: Undo Group Object Permanent Deletion

Table 37: Undo Group Object Permanent Deletion

Report Item (Success)

Report Item (Failure)

No changes to undo.

N/A

Scheduled deletion of the group is canceled.

Failed to cancel scheduled deletion of the group.

The group is going to be deleted on this date: <date>

Container Deletion Prevention policy

A bulk deletion may occur in a situation where an administrator selects and deletes a container object, such as an Organizational Unit, that has subordinate objects. Although bulk deletions are rare, they are disruptive events you can guard against by leveraging a new policy: Container Deletion Prevention.

One of the most common bulk deletions is a container deletion, which occurs when Active Roles is used to delete a container object that holds other (subordinate) objects. By default, a container deletion has the following characteristics:

  • First, Active Roles builds a list of all the objects found in the container (subordinate objects), and then starts deleting the listed objects one by one.

  • Then, for every object in the list, Active Roles performs an access check to determine if the user or process that requested the deletion has sufficient rights to delete the object. If the access check allows the deletion, then the object is deleted; otherwise, Active Roles does not delete the object, and proceeds to deletion of a subsequent object in the list.

  • Finally, once all the subordinate objects are deleted, Active Roles deletes the container itself. If any of the subordinate objects are not deleted, the container is not deleted as well.

As a result of this behavior, an administrator who has full control over an Organizational Unit in Active Roles can accidentally delete the entire Organizational Unit, with all its contents, within a single operation. To prevent this, Active Roles provides for a certain policy to deny deletion of non-empty containers.

The Container Deletion Prevention policy defines a configurable list of names of object types as specified by the Active Directory schema (for example, the Organizational Unit object type). When an Active Roles client requests the deletion of a particular container, the Administration Service evaluates the request in order to determine whether the type of the container is in the list defined by the policy. If the container type is in the list and the container holds any objects, the Administration Service denies the request, preventing the deletion of the container. In this case, the client prompts to delete all objects held in the container before attempting to delete the container itself.

To configure a Container Deletion Prevention policy

  1. In the Console tree, select Configuration > Policies > Administration > Builtin.

  2. In the details pane, double-click Built-in Policy - Container Deletion Prevention.

  3. On the Policies tab, select the policy from the list and then click View/Edit.

  4. On the Types of Containers tab, click Add and use the Select Object Type dialog to select the type (or types) of container you want to protect, and then click OK.

    For example, you can select the Organizational Unit object type to prevent deletion of non-empty Organizational Units.

  5. Click OK to close the dialogs you opened.

The built-in Policy Object you have configured using the above instructions prevents deletion of non-empty containers in any managed domain.

You may not want Active Roles to prevent deletion of non-empty containers that are outside a certain scope (such as a certain domain, Organizational Unit, or Managed Unit), whereas deletion should be prohibited on the non-empty containers that fall within that particular scope. In this scenario, you need to create and configure a copy of the built-in Policy Object and apply that copy to the scope in question. Then, block the effect of the built-in Policy Object by selecting the Disable all policies included in this Policy Object check box on the Policies tab in the dialog for managing properties of the Policy Object.

If you only need to allow deletion of non-empty containers within a certain scope, then you can simply block the effect of the built-in Policy Object on the object representing the scope in question. Thus, if you want to allow deletion of Organizational Units that fall within a certain Managed Unit, you can use the Enforce Policy command on that Managed Unit to display the dialog for managing policy settings and then select the Blocked check box next to the name of the built-in Policy Object.

Protecting objects from accidental deletion

Another option to guard Organizational Units against accidental deletion is by using an Active Roles feature that allows you to deny deletion of particular objects. When creating an Organizational Unit by using Active Roles, you have the option to protect the newly created Organizational Unit from deletion. You can also use Active Roles to enable this protection on any existing Organizational Units or other objects in the managed Active Directory domains and Active Directory Lightweight Directory Services (AD LDS) partitions.

On the pages for creating an Organizational Unit in the Active Roles Console or Web Interface, you can select the Protect container from accidental deletion check box. This option removes the Delete and Delete Subtree permissions on the Organizational Unit and the Delete All Child Objects permission on the parent container of the Organizational Unit. An Organizational Unit created with this option cannot be deleted, whether using Active Roles or other tools for Active Directory administration, as the deletion-related permissions are removed by applying the appropriate Access Templates in Active Roles and replicating the resulting permission entries to Active Directory.

The option to protect existing Organizational Units or other objects from deletion is available on the Object tab of the Properties page for an object in the Active Roles Console or Web Interface. If you select the Protect object from accidental deletion check box on that tab, Active Roles configures the permission entries on the object in the same way as with the Protect container from accidental deletion option for an Organizational Unit. When somebody attempts to delete a protected object, the operation returns an error indicating that the object is protected or access is denied.

The option to protect an object from deletion adds the following Access Template links:

  • On the object to protect, adds a link to the Objects - Deny Deletion Access Template for the Everyone group.

  • On the parent container of the object, adds a link to the Objects - Deny Deletion of Child Objects Access Template for the Everyone group. (Active Roles does not add this link if it detects that a link of the same configuration already exists.)

The links are configured to apply the Access Template permission entries not only in Active Roles but also in Active Directory. This adds the following access control entries (ACEs) in Active Directory:

  • On the object to protect, adds explicit Deny ACEs for the Delete and Delete Subtree permissions for the Everyone group.

  • On the parent container of the object, adds an explicit Deny ACE for the Delete All Child Objects permission for the Everyone group. (Active Roles does not add this ACE if it detects that an ACE of the same configuration already exists.)

If you clear the Protect object from accidental deletion check box for a given object, Active Roles the updates the object to remove the link to the Objects - Deny Deletion Access Template in Active Roles along with the explicit Deny ACEs for the Delete and Delete Subtree permissions for the Everyone group in Active Directory. As a result, the object is no longer guarded against deletion. Note that clearing the check box for a particular object removes the Access Template links and ACEs from only that object, leaving the Access Template links and ACEs on the parent container intact. This is because the parent container may hold other objects that are protected from deletion. If the container does not hold any protected objects, you could remove the link to the Objects - Deny Deletion of Child Objects Access Template by using the Delegate Control command on that container in the Active Roles Console, which will also delete the corresponding ACE in Active Directory.

It is possible to configure Active Roles so that the Protect container from accidental deletion check box will be selected by default on the pages for creating Organizational Units in the Active Roles Console or Web Interface. To enable this behavior within a domain or container, apply the Built-in Policy - Set Option to Protect OU from Deletion Policy Object to that domain or container. This Policy Object ensures that Organizational Units created by Active Roles are protected from deletion regardless of the method used to create them. Thus, Organizational Units created using Active Roles script interfaces will also be protected by default.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级