
Active Roles 8.1.3 - Feature Guide


Extensive data system support

To access external data systems, Synchronization Service uses connectors, which let it read and synchronize identity data from each specific data system.

Active Roles Synchronization Service can connect to the following data systems:

  • Data sources accessible via an OLE DB provider.

  • Delimited text files.

  • IBM AS/400, IBM Db2, and IBM RACF systems.

  • LDAP directory service.

  • Micro Focus NetIQ Directory systems.

  • The following Microsoft services and resources:

    • Active Directory Domain Services (AD DS) with the domain or forest functional level of Windows Server 2016 or higher.

    • Active Directory Lightweight Directory Services (AD LDS) running on any Windows Server operating system supported by Microsoft.

    • Azure Active Directory (Azure AD) using Microsoft Graph API version 1.0.

    • Exchange Online services.

    • Exchange Server with the following versions:

      • Microsoft Exchange Server 2019

      • Microsoft Exchange Server 2016

    • Lync Server version 2013 with limited support.

    • SharePoint 2019, 2016, or 2013.

    • SharePoint Online service.

    • Skype for Business 2019, 2016 or 2015.

    • Skype for Business Online service.

    • SQL Server, any version supported by Microsoft.

  • One Identity Active Roles version 7.4.3, 7.4.1, 7.3, 7.2, 7.1, 7.0, and 6.9.

  • One Identity Manager version 8.0 and 7.0 (D1IM 7.0).

  • OpenLDAP directory service.

  • Oracle Database, Oracle Database User Accounts, and Oracle Unified Directory data systems.

  • MySQL databases.

  • Salesforce systems.

  • SCIM-based data systems.

  • ServiceNow systems.

For more information on using these connectors, see External data systems supported with built-in connectors in the Active Roles Synchronization Service Administration Guide.

Exchange Resource Forest Management

The Exchange Resource Forest Management (ERFM) feature of Active Roles allows you to automate mailbox provisioning for on-premises users in environments where the mailboxes and the user accounts are managed in different Active Directory (AD) forests. Such multi-forest environments are based on the resource forest model, and mailboxes provisioned in such environments are called linked mailboxes.

Multi-forest AD deployments have higher administrative and support costs. However, they offer the highest level of security isolation between AD objects and the Exchange service. As such, One Identity recommends configuring the resource forest model for use with Active Roles in organizations that:

  • Aim for an extra layer of data security.

  • Frequently experience organizational changes (for example, buying companies, or consolidating and breaking off branch companies, departments and other business units).

  • Abide by certain legal or regulatory requirements.

AD deployments following the resource forest model use two types of AD forests:

  • Account forests: These AD forests store the user objects. Organizations can use one or more account forests in the resource forest model.

  • Resource forest: This AD forest contains the Exchange server and stores the mailboxes of the user objects.

With ERFM, you can automate the provisioning, synchronization and deprovisioning of linked mailboxes in the resource forest for user accounts in the account forest(s).

  • During provisioning, Active Roles can automatically create linked mailboxes for new users (if you select to create a mailbox for the user), or create linked mailboxes for existing users without a mailbox.

    In both cases, Active Roles creates a disabled shadow user account in the resource forest for the user, then links it to the user account of the user in the account forest (also known as the master account).

    NOTE: By default, the shadow user account has the same name as the master user account in the account forest. However, if a shadow account with the same name already exists (for example, because Active Roles has already created a linked mailbox for a user in a different account forest), Active Roles uses a different shadow account name to maintain uniqueness.

  • Once a linked mailbox is created, Active Roles automatically synchronizes the properties of the master user accounts with their shadow accounts, whenever you modify them.

  • Finally, if the master user account is deprovisioned, Active Roles automatically deprovisions its shadow account as well, provided that you applied mailbox deprovisioning policies to the container that holds the shadow accounts in the resource forest.

    NOTE: Like other AD objects, you can un-deprovision master user accounts as well. However, their shadow accounts are un-deprovisioned automatically only if the container of the deprovisioned master accounts has the ERFM - Mailbox Management built-in policy applied to it.

Getting started

For more information on the prerequisites and configuration of ERFM and linked mailboxes, see Configuring linked mailboxes with Exchange Resource Forest Management in the Active Roles Administration Guide.

Skype for Business Server User Management

To provision Skype for Business Server user accounts in single-forest and multi-forest Active Directory (AD) environments, Active Roles offers the Skype for Business User Management feature.

The Skype for Business Server User Management feature provides built-in Active Roles policies that synchronize user account information between Active Roles and Skype for Business Server, allowing you to perform Skype for Business Server user management tasks via the Active Roles Web Interface.

Skype for Business Server User Management lets you use Active Roles to:

  • Add and enable new Skype for Business users.

  • View or change Skype for Business Server user properties and policy assignments.

  • Move Skype for Business Server users from one Skype for Business Server pool to another.

  • Disable or re-enable user accounts for Skype for Business Server.

  • Remove users from Skype for Business Server.

To perform these administration tasks, the feature adds the following elements to Active Roles:

  • Built-in Policy Objects that enable Active Roles to perform user management tasks on Skype for Business Server, either in a single-forest or a multi-forest AD environment.

  • Additional commands and pages in the Active Roles Web Interface for managing Skype for Business Server users.

  • Access Templates (ATs) to delegate Skype for Business Server user management tasks.

The Skype for Business Server User Management policy allows you to control the following aspects of creating and managing Skype for Business Server users:

  • SIP user name generation rules. When adding and enabling a new Skype for Business Server user, Active Roles can generate a SIP user name based on other properties of the user account.

  • SIP domain selection rules. When configuring the SIP address for a Skype for Business Server user, Active Roles can restrict the list of selectable SIP domains and suggest which SIP domain to select by default.

  • Telephony selection rules. When configuring telephony for a Skype for Business Server user, Active Roles can restrict the list of selectable telephony options and can suggest default options to select.

  • Pool selection rules. When adding and enabling a new Skype for Business Server user, Active Roles can restrict the list of selectable registrar pools and suggest which pool to select by default. This rule also applies to selecting the destination pool when moving a Skype for Business Server user from one pool to another.

Skype for Business Server User Management provides a number of ATs allowing you to delegate the following tasks in Active Roles:

  • Add and enable new Skype for Business Server users.

  • View existing Skype for Business Server users.

  • View or change the SIP address for Skype for Business Server users.

  • View or change the telephony option and related settings for Skype for Business Server users.

  • View or change Skype for Business Server user policy assignments.

  • Disable or re-enable user accounts for Skype for Business Server.

  • Move users from one Skype for Business Server pool to another.

  • Remove users from Skype for Business Server.

Getting started

For more information on the prerequisites and configuration of Skype for Business Server User Management, see Skype for Business Server Solution in the Active Roles Administration Guide.

Active Directory topologies supported by Skype for Business Server User Management

Skype for Business Server User Management supports the following Active Directory Domain Services (AD DS) topologies.

Single forest with single tree or multiple trees

In a single forest topology, the login-enabled user accounts managed by Active Roles are stored in the same Active Directory forest in which Skype for Business Server is deployed.

Skype for Business Server user management tasks have two main steps in a single-forest configuration:

  1. First, Active Roles makes changes to the attributes of the configured user account.

  2. Then, based on the attribute changes, the Skype for Business Server User Management policy requests the Skype for Business Server remote shell to update the user account accordingly.

For example, when creating a new Skype for Business Server user, Active Roles sets a virtual attribute on that user account directing the policy to invoke the remote shell command for enabling the new user for Skype for Business Server. When making changes to an existing Skype for Business Server user, Active Roles populates the attributes of the user account with the desired changes, causing the policy to apply those changes via the remote shell.

Multiple forests in a resource forest topology

In a resource forest topology, the servers running Skype for Business Server are hosted in a separate Skype for Business Server forest that does not host any login-enabled user accounts. Instead, the user accounts are stored in a user forest (or forests) where no Skype for Business Server instances are hosted.

When creating a Skype for Business Server account for a user from an external forest, Active Roles:

  1. Creates an inactive user account (known as the "shadow account") in the Skype for Business Server forest.

  2. Links the associated user account in the user forest (the "master account") with the inactive shadow account.

  3. Activates the shadow account for Skype for Business Server.

The policies of the Skype for Business Server User Management feature then work as follows:

The Master Account Management policy ensures that the attributes of the shadow account are synchronized with the attributes of the master account, so that you can administer Skype for Business Server user properties on the master account via Active Roles.

The User Management policy detects the attribute changes replicated from the master account to the shadow account in the Skype for Business Server forest, and translates them to remote shell commands on Skype for Business Server, similarly to how synchronization is performed in a single-forest configuration.

Multiple forests in a central forest topology

In a central forest topology, the servers running Skype for Business Server are hosted in a separate Skype for Business Server forest. However, unlike in a resource forest topology, this forest can also host login-enabled accounts. Outside the Skype for Business Server forest, user forests host login-enabled user accounts, but no servers running Skype for Business Server.

In this forest configuration, the Skype for Business Server User Management policy is applied to login-enabled user accounts in the Skype for Business Server forest. As a result, Active Roles can enable and administer those user accounts for Skype for Business Server in the same way as in a single-forest configuration.

When creating a Skype for Business Server account for a user from an external forest, Active Roles performs the following actions:

  1. Creates a contact in the Skype for Business Server forest.

  2. Links the user account in the user forest (that is, the "master account") and the contact in the Skype for Business Server forest (that is, the "shadow account").

  3. Activates the contact for Skype for Business Server.

The Master Account Management policy then ensures that the attributes of the contact are synchronized with the attributes of the user account, so that Skype for Business Server user properties can be administered on the user account via Active Roles.

In the Skype for Business Server forest, the User Management policy detects the attribute changes replicated from the user account to the contact, and translates them to remote shell commands on Skype for Business Server, similarly to how synchronization is performed in a single-forest configuration.
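The shadow/master account pattern shared by ERFM (linked mailboxes) and the Skype for Business Server resource forest topology invites one recurring check: every shadow account should stay disabled and be linked to a live master account, and a shadow whose master is gone points at a container without the deprovisioning policy applied. The following PowerShell audit is an added example, not code from the One Identity guide; it assumes the master account SID is stored in msExchMasterAccountSid for ERFM shadows (and msRTCSIP-OriginatorSid for Skype shadows), and uses constructed sample objects in place of Get-ADUser output.

```powershell
# Added example, not from the One Identity guide: audit the shadow accounts that ERFM
# (linked mailboxes) or Skype for Business Server User Management (resource forest
# topology) keep in the resource forest. Link attribute names are assumptions about
# where the master SID is stored: msExchMasterAccountSid (ERFM), msRTCSIP-OriginatorSid (Skype).
function Test-ShadowAccountLinks {
    param(
        [Parameter(Mandatory)] [object[]] $ShadowAccounts,  # from the resource forest
        [Parameter(Mandatory)] [object[]] $MasterAccounts,  # from the account forest(s)
        [string] $LinkAttribute = 'msExchMasterAccountSid'
    )
    $masters = @{}   # master accounts indexed by SID string
    foreach ($m in $MasterAccounts) { $masters[[string]$m.SID] = $m }
    $findings = @()
    foreach ($s in $ShadowAccounts) {
        $link = [string]$s.$LinkAttribute
        if ($s.Enabled) {
            # A shadow account must stay disabled: an enabled one is a logon-capable
            # account in the resource forest that no one manages as a real user.
            $findings += [pscustomobject]@{ Shadow = $s.SamAccountName; Issue = 'ShadowEnabled' }
        }
        if (-not $link) {
            $findings += [pscustomobject]@{ Shadow = $s.SamAccountName; Issue = 'NoMasterLink' }
            continue
        }
        $master = $masters[$link]
        if (-not $master) {
            # Master gone but shadow kept: typically the deprovisioning policy was not
            # applied to the shadow container, as the ERFM note above warns.
            $findings += [pscustomobject]@{ Shadow = $s.SamAccountName; Issue = 'OrphanedShadow' }
        } elseif (-not $master.Enabled) {
            $findings += [pscustomobject]@{ Shadow = $s.SamAccountName; Issue = 'MasterDisabled' }
        }
    }
    return $findings
}

# Constructed sample data standing in for Get-ADUser output from both forests. For a real
# run (hypothetical names): Get-ADUser -Server <resource forest DC> -SearchBase '<shadow OU DN>' `
#   -Filter * -Properties Enabled,msExchMasterAccountSid
$masters = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   SID = 'S-1-5-21-1-1-1-1001'; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'asmith'; SID = 'S-1-5-21-1-1-1-1002'; Enabled = $false }
)
$shadows = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Enabled = $false; msExchMasterAccountSid = 'S-1-5-21-1-1-1-1001' }  # healthy
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $false; msExchMasterAccountSid = 'S-1-5-21-1-1-1-1002' }  # master disabled
    [pscustomobject]@{ SamAccountName = 'bgone';  Enabled = $true;  msExchMasterAccountSid = 'S-1-5-21-1-1-1-1099' }  # enabled, orphaned
)
Test-ShadowAccountLinks -ShadowAccounts $shadows -MasterAccounts $masters | Format-Table -AutoSize
```

With the constructed data the audit reports three findings (asmith: MasterDisabled; bgone: ShadowEnabled and OrphanedShadow) and nothing for jdoe.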
