立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Active Directory groups

Read the documentation for your Active Directory for an explanation of group concepts under Windows Server.

In Active Directory, contacts, computers, and groups can be collected into groups for which the access to resources can be regulated not only within a domain but across domains.

We distinguish between two group types:

  • Security groups

    Permissions are granted through security groups. User accounts, computers, and other groups are added to security groups and which makes administration easier. Security groups are also used for email distribution groups.

  • Distribution groups

    Distribution groups can be used as mail-enabled distribution groups. Distribution groups do not have any security.

In addition, a group area is defined for each group type. Permitted group types are:

  • Universal

    Groups within this scope are described as universal groups. Universal groups can be used to make cross-domain permissions available. Universal group members can be user accounts and groups from all domains in one domain structure.

  • Local domain

    Groups in this scope are described as groups of the local domain. Local groups are used when permissions are issued within the same domain. Members of a domain local group can be user accounts, computers, or groups in any domain.

  • Global

    Groups within this scope are described as global groups. Global groups can be used to make cross-domain permissions available. Members of a global group are only user accounts, computers, and groups belonging to the global group’s domain.

Related topics

Creating and editing Active Directory groups

Groups are loaded into One Identity Manager by synchronization. You can set up new groups or edit existing groups.

To create a group

  1. In the Manager, select the Active Directory > Groups category.

  2. Click in the result list.

  3. On the main data form, edit the main data of the group.

  4. Save the changes.

To edit group main data

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. On the main data form, edit the main data of the group.

  5. Save the changes.
Detailed information about this topic

General main data of Active Directory groups

Enter the following general main data.

Table 47: General main data
Property Description

Name

Name of the group. The group identifier is used to form the group name for previous group name (pre Win2000) versions.

Domain

Domain in which to create the group.

Container

Container in which to create the group.

Distinguished name

Distinguished name of the group. The distinguished name is determined by template from the name of the group and the container and cannot be edited.

Display name

Name for displaying the group in the user interface of One Identity Manager tools.

Group name (pre Win2000)

Name of the group for the previous versions. The group name is taken from the group identifier.

Structural object class

Structural object class representing the object type. Possible values:

  • GROUP: Default object class for groups.

  • POSIXGROUP: Object class for groups with additional POSIX (Portable Operating System Interface) properties.

Object class

List of classes defining the attributes for this object. The object classes listed are read in from the database during synchronization with the Active Directory environment. However, in the input field, you can add object classes and auxiliary classes that are used by other LDAP and X.500 directory services.

Account manager

Manager responsible for the group.

To specify an account manager

  1. Click next to the field.
  2. In the Table menu, select the table that maps the account manager.
  3. In the Account manager menu, select the manager.
  4. Click OK.

Group manager can update members list.

Specifies whether the account manager can change the memberships for this group.

Protected from accidental deletion

Specifies whether to protect the group against accidental deletion. If the option is set, the permissions for deleting the group are removed in Active Directory. The group cannot be deleted or moved.

Email address

Group's email address

Risk index

Value for evaluating the risk of assigning the group to user accounts. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

For more information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts and contacts. To do this, groups and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.

Remark

Text field for additional explanation. Abbreviations for combinations of group type and group area are added in the comment and should not be changed.

Security group

Group type. Authorizations are issued through security groups. User accounts, computers, and other groups are added to security groups and which makes administration easier. Security groups are also used for email distribution groups.

Distribution group

Group type. Distribution groups can be used as email distribution groups. Distribution groups do not have any security.

Universal group

Group scope. Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts and groups from all domains in one domain structure.

Local group

Group scope. Local groups are used when authorizations are issued within the same domain. Members of a domain local group can be user accounts, computers, or groups in any domain.

Global group

Group scope. Global groups can be used to make cross-domain authorizations available. Members of a global group are only user accounts, computers, and groups belonging to the global group’s domain.

IT Shop

Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Service item

Service item data for requesting the group through the IT Shop.

Read-only memberships

Specifies whether memberships are read-only. For example, dynamic groups. The memberships are regulated by the target system. Manual changes to memberships in One Identity Manager are not permitted.

Related topics

Extension data for Active Directory groups

Enter the custom Active Directory schema extensions for the group.

Table 48: Extension data
Property Description

Attribute extension 01 - attribute extension 15

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级