立即与支持人员聊天
与支持团队交流

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Adding an AD LDS proxy object (user proxy)

AD LDS proxy objects are used in special cases where an application can perform a simple LDAP bind to AD LDS but the application still needs to associate the AD LDS user with a security principal (user account) in Active Directory. A process through which AD LDS can accept a bind request from an application and redirect this bind request to Active Directory, based on the contents of a proxy object, is referred to as bind redirection.

Bind redirection occurs when a bind to AD LDS is attempted using a proxy object (user proxy) - an object in AD LDS that represents a user account in Active Directory. Each proxy object in AD LDS contains the security identifier (SID) of a user in Active Directory. When an application attempts to bind to a proxy object, AD LDS takes the SID that is stored in the proxy object, together with the password that is supplied at bind time, and presents the SID and the password to Active Directory for authentication.

A proxy object in AD LDS represents an Active Directory user account, and it can be augmented to store additional data related to that user account that is specific to the application. Through bind redirection, applications can take advantage of the identity store of Active Directory, while retaining the flexibility of using AD LDS as an application data store.

To add a proxy object to AD LDS

  1. In the Console tree, expand the AD LDS (ADAM) container.

  2. In the Console tree, under AD LDS (ADAM), expand the directory partition to which you want to add a proxy object and locate the container to which you want to add the proxy object.

  3. In the Console tree, right-click the container to which you want to add the proxy object, and select New > Proxy Object to start the wizard that will help you create a proxy object.

  4. Specify a name for the proxy object; then, click Next.

  5. Click Select and choose the Active Directory domain user account you want to be represented by the proxy object; then, click Next.

  6. If you want to set values for additional properties (those for which the wizard pages do not provide data entries), click Edit Attributes on the completion page of the wizard.

  7. After setting any additional properties for the new object, click Finish on the completion page of the wizard.

You can examine an existing proxy object by using the Properties command on that object. The Properties dialog allows you to view the user account that is represented by the proxy object. However, due to a limitation of AD LDS, this setting cannot be changed on an existing proxy object. You can select an Active Directory domain user account only at the time that the proxy object is created. After a proxy object is created, this setting cannot be modified.

When creating a proxy object, you can select a user account from any domain that is registered with Active Roles, provided that the domain is trusted by the computer on which the AD LDS instance is running.

A proxy object for a domain user cannot be created in an AD LDS directory partition that already contains a foreign principal object (FPO) or a proxy object for that same domain user.

For a given user account in Active Directory, you can view a list of proxy objects that represent the user account in AD LDS: In the Properties dialog for the user account, navigate to the Object tab and click AD LDS Proxy Objects.

Configuring Active Roles for AD LDS

The Active Roles configuration-related tasks specific to AD LDS data management include the following:

  • Deploying rule-based administrative views: You can configure Managed Units in Active Roles to represent virtual collections of directory objects, from AD LDS, Active Directory or both, for distribution of administrative responsibilities and enforcement of business rules and policies.

  • Implementing role-based delegation: You can apply Active Roles Access Templates to delegate control of AD LDS data the same way as you do for the directory data held in Active Directory domains.

  • Policy-based control and auto-provisioning of directory data: You can apply Active Roles Policy Objects to establish policy-based control and perform auto-provisioning of AD LDS data the same way as you do for the directory data held in Active Directory domains.

Configuring Managed Units to include AD LDS objects

By using the Active Roles Console, you can configure Managed Units in Active Roles to represent virtual collections of directory objects, from AD LDS, Active Directory or both, for the distribution of administrative responsibilities and enforcement of business rules. By enabling Managed Units to include directory objects from any location, be it AD LDS or Active Directory, Active Roles provides the ability to implement role-based delegation and policy based administrative control of directory data where appropriate, without regard to directory boundaries.

You can use the following instructions to configure an existing Managed Unit so that it holds AD LDS objects such as AD LDS users, groups, or Organizational Units. For detailed instructions on how to create and administer Managed Units, see the Rule-based administrative views.

To configure an existing Managed Unit to include AD LDS objects returned from a query

  1. Right-click the Managed Unit and click Properties.

  2. On the Membership Rules tab, click Add.

  3. In the Membership Rule Type dialog, click Include by Query, and then click OK.

  4. Use the Create Membership Rule dialog to set up the query:

    1. In the Find list, click Custom Search.

    2. Click Browse next to the In box.

    3. In the Browse for Container dialog, expand the AD LDS (ADAM) container, expand the AD LDS directory partition containing the objects you want the query to return, and select the container that holds those objects. Then, click OK.

    4. Click Field, and select the type of the objects that you want the query to return and the object property that you want to query.

    5. In Condition, click the condition for your query, and then, in Value, type a property value, in order for your query to return the objects that have the object property matching the condition-value pair you have specified.

    6. Click Add to add this query condition to the query.

    7. Optionally, repeat steps d) through f), to further define your query by adding more conditions. If you want the query to return the objects that meet all of the conditions specified, click AND. If you want the query to return the objects that meet any of the conditions specified, click OR.

    8. Optionally, click Preview Rule to display a list of objects that your query returns. Note that the query results may vary depending on the current state of data in the directory. The Managed Unit will automatically re-apply the query whenever changes to directory data occur, in order to ensure that the membership list of the Managed Unit is current and correct.

    9. Click the Add Rule button.

  5. Click OK to close the Properties dialog for the Managed Unit.

You can also configure membership rules of categories other than “Include by Query” in order to include or exclude AD LDS objects from a Managed Unit. To do so, select the appropriate category in the Membership Rule Type dialog. Further steps for configuring a membership rule are all about using either the Create Membership Rule dialog to set up a certain query or the Select Objects dialog to locate and select a certain object.

Viewing or setting permissions on AD LDS objects

By using the Active Roles console, you can apply Active Roles Access Templates to delegate control of AD LDS data the same way as you do for the directory data held in Active Directory domains. By applying Access Templates to users or groups (Trustees) on AD LDS objects and containers, you can give the Trustees the appropriate level of access to directory data held in AD LDS, thus authorizing them to perform a precisely defined set of activities related to AD LDS data management.

Active Roles provides a rich suite of preconfigured Access Templates to facilitate delegation of AD LDS data management tasks. For a list of the AD LDS-specific Access Templates, refer to the Active Roles Built-in Access Templates Reference Guide. You can find those Access Templates in the Configuration/Access Templates/AD LDS (ADAM) container, in the Active Roles Console.

You can use the following instructions to examine which Access Templates are applied to a given AD LDS object, such as an AD LDS user, group, Organizational Unit, container, or entire directory partition, and to add or remove Access Templates in order to change the level of access the Trustees have to that object.

For more information on how to create, configure and apply Access Templates, see Role-based administration.

To view or modify the list of Access Templates on an AD LDS object

  1. In the Console tree, under AD LDS (ADAM), locate and select the container that holds the object on which you want to view or modify the list of Access Templates.

  2. In the details pane, right-click the object, and click Properties.

  3. On the Administration tab in the Properties dialog, click Security.

  4. In the Active Roles Security dialog, view the list of Access Templates that are applied to the AD LDS object, or modify the list as follows:

    • To apply an additional Access Template to the object, click Add and follow the instructions in the Delegation of Control Wizard.

    • To remove permissions specified by an Access Template on the object, select the Access Template from the list and click Remove.

  5. Click OK to close the Active Roles Security dialog.

  6. Click OK to close the Properties dialog for the AD LDS object.

In the Delegation of Control Wizard, you can select the users or groups (Trustees) to give permissions to, and select one or more Access Templates from the Access Templates/AD LDS (ADAM) container to define the permissions. As a result, the Trustees you select have the permissions that are defined by those Access Templates on the AD LDS object. The Trustees can exercise the permissions only within Active Roles as Active Roles does not stamp permission settings in AD LDS.

In the Active Roles Security dialog, an Access Template can only be removed if it is applied to the object you have selected (rather than to a container that holds the object). To view the Access Templates that can be removed on the current selection, clear the Show inherited check box.

Instead of removing an Access Template in the Active Roles Security dialog, you can select the Access Template and then click Disable in order to revoke the permissions on the object that are defined by the Access Template. In this way, you can block the effect of an Access Template regardless of whether the Access Template is applied to the object itself or to a container that holds the object. You can undo this action by selecting the Access Template and then clicking Enable.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级