Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Enter the password data for the system user ID.

NOTE: One Identity Manager password policies, global account policy settings for the Active Directory domain, and Active Directory account policies are all taken into account when verifying user passwords.

NOTE: The TargetSystem | ADS | Accounts | NotRequirePassword configuration parameter specifies whether a password is required when creating new Active Directory user accounts in One Identity Manager. If the configuration parameter is not set, entry of a password that meets the defined password guidelines is requested when a new Active Directory user account is created. If the configuration parameter is set, it is not necessary to specify a password when creating new Active Directory user accounts. In the Designer, you can edit the configuration parameter as required.

Table 32: User account password data
Property	Description
Password	Password for the user account. The identity’s central password can be mapped to the user account password. For more information about an identity’s central password, see One Identity Manager Identity Management Base Module Administration Guide. If you use a random generated initial password for the user accounts, it is automatically entered when a user account is created. The password is deleted from the database after publishing to the target system.
Password confirmation	Reconfirm password.
Password last changed	Date of last password change. The date is read in from the Active Directory system and cannot be changed.
Password never expires	Specifies whether the password expires. This option is usually used for service accounts. It overwrites the maximum lifetime of a password and the Change password at next logon option.
Cannot change password	Specifies whether the password can be changed. This option is normally set for user accounts that are used by several users.
Change password at next login	Specifies whether the user must change their password the next time they log in. TIP: To enable this option every time new user accounts are created, set the TargetSystem \| ADS \| Accounts \| UserMustChangePassword configuration parameter.
Save passwords with reversible encryption	Details for encrypting the password. By default, passwords that are saved in Active Directory are encrypted. When you use this option, passwords are saved in plain text and can be restored again.
SmartCard required to log on	Data required for logging in with a SmartCard. Set this option to save public and private keys, passwords, and other personal information for this Active Directory user account. For the user to be able to log in to the network, the user’s computer must be equipped with a smart card reader and the user must have a personal identification number (PIN).
Account trusted for delegation purposes	Data required for delegation. Set this option so that a user can delegate the responsibility for administration and management of a partial domain to another Active Directory user account or another group.
Cannot delegate account	Data required for delegation. Set this option when this user account may not be assigned for delegation purposes from another user account.
Account uses DES encryption	Data required for encryption. Set this option if you would like to enable Data Encryption Standard (DES) support.
Kerberos preauthentication not required	Specifies whether Kerberos pre-authentication is required. Set this option when the user account uses a different implementation of the Kerberos protocol.

Related topics

Active Directory user account home directory and profile directory

Enter the data for the user's home and profile directories. When you enter a profile directory, a new user profile is created through One Identity Manager Service that is loaded over the network when the user logs on.

NOTE: If the QER | Person | User | ConnectHomeDir configuration parameter is set, some of the following data for the home directory is formed automatically. In the Designer, you can set the configuration parameter as required.

Table 33: Main data for a user directory
Property	Description
Home server	Home server. You can select the home server depending on the number of home directories per home server that already exist (according to the database). If you assigned an account definition, the home server is determined from the current IT operating data for the assigned identity depending on the manage level.
Home share	The share that is stored under the user’s home directory on the home server. Default is HOMES.
Home directory path	Name of the home directory for the user under the home share. By default, the login name (pre Windows 2000) is used to format the home directory path.
Home shared as	Home directory share. This share is formatted using the default home directory path.
Home drive	The drive to be connected when the user logs in. The default domain home drive is used.
Home directory	The user's home directory. The given home directory is automatically added and shared by the One Identity Manager Service.
Size home directory [MB]	Size of the home directory in MB. Find the size of the home directory by running the schedule supplied by default. In the Designer, configure and enable the Load size of home folders for user accounts schedule.
Maximum home storage space [MB]	Maximum size for the home directory on the home server in MB.
Profile server	Profile server. If you assigned an account definition, the profile server is determined from the current IT operating data for the assigned identity depending on the manage level.
Profile share	The share that is stored under the user’s profile directory on the profile server. Default is PROFILES.
Profile shared as	Profile directory share.
Profile directory path	Name of the profile directory for the user under the profile share. By default, the login name (pre Windows 2000) is used to format the profile directory path.
Login script	Name of the login script. If the script is in a subdirectory of the login script path (normally Winnt\Sysvol\domain\scripts), you need enter the subdirectory as well. The given login script is run when the user logs in.

Related topics

Preparing a home server and profile server for creating user directories

Enter the following login credentials.

Table 34: Credentials
Property	Description
Last login	Date of last login. The date is read in from the Active Directory system and cannot be changed manually.
Login workstation	Workstation on which the user can log in. A user can log in on all workstations by default. Select the button next to the input field to activate it and add workstations. Use the button to remove workstations from the list.
Login times	Times and days on which the user is allowed to be logged in. By default, login is permitted at all hours and every day of the week. If a user is logged in, the login is disconnected at the end of the valid login period. The calendar shows a 7-day week, each box represents one hour. The configured login times are shown in color, respectively. If a box is filled, login is allowed. If the box is empty, login is denied. To specify login times Select a time period with the mouse or keyboard. Select Assign to enable login in the selected period. Select Remove to deny login in the selected period. Select Reverse to invert the selected period. Use the arrow keys to reset or repeat a selection.

Dial-in access using Remote Access Service (RAS) for Active Directory user accounts

NOTE: Remote Access Service (RAS) properties are only synchronized and provisioned if the Enable RAS properties option is set.

Allocate remote dial-up permissions for the user account in the network and specify the callback option. The following data can be edited depending on the selected domain mode (mixed or native).

Enter the following main data:

Table 35: Remote access service
Property	Description
Dial-up permitted	Specifies whether the user may dial up the network. Permitted values are: Allow access: This permits the user to dial up the network. Deny access: This specifies that you deny the user the dial-in to the network. Control access using remote access policy: This data specifies that access to the network is controlled over RAS guidelines. RAS guidelines are usually used to apply the same access permissions to several Active Directory user accounts.
No callback	The callback function is switched off by this option.
Set by caller	The server expects the user to input the number that they can be called back on.
Always callback	The server tries to call the user back over the given number.
Verifying caller ID	A predefined number with which the user should dial into the network.
Static IP address	A fixed IP address assigned to the user.
Static routes with IP address, network address and metric	Target network IP addresses, network addresses and metrics for dialing in over fixed routes.

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Password data for Active Directory user accounts

Related topics

Active Directory user account home directory and profile directory

Related topics

Login credentials for Active Directory user accounts

Dial-in access using Remote Access Service (RAS) for Active Directory user accounts

Related topics

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Password data for Active Directory user accounts

Related topics

Active Directory user account home directory and profile directory

Related topics

Login credentials for Active Directory user accounts

Dial-in access using Remote Access Service (RAS) for Active Directory user accounts

Related topics