0% found this document useful (0 votes)

22 views

ActiveRoles_EvaluationGuide

Uploaded by

s26708807

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

22 views

ActiveRoles_EvaluationGuide

Uploaded by

s26708807

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 67

One Identity Active Roles 8.1.

Evaluation Guide
Copyright 2023 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this
guide is furnished under a software license or nondisclosure agreement. This software may be used
or copied only in accordance with the terms of the applicable agreement. No part of this guide may
be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser’s personal use without the
written permission of One Identity LLC .
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes
no representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office
information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property

damage, for which industry-standard safety precautions are advised. This icon is
often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data

if instructions are not followed.

Active Roles Evaluation Guide

Updated - July 2023
Version - 8.1.3
Contents

Introduction 6

Test lab setup 7

Preparing a server for Active Roles installation 7
Installing and configuring Active Roles 8
Setup user account 8
Run Setup 8
Run Active Roles Configuration Center 9
Installing the reporting components 10
Connecting to Administration Service 11
Registering the domain 11

Managing users and groups 13

Use the Active Roles console 13
Create a user 13
Create a group 14
Find and disable a user account 14
Use the Active Roles Web Interface 15
Create a user account and add it to groups 15
Find a user and reset the user’s password 16
Perform self-administration 16

Delegating administration 18
Assign the Help Desk role for an OU 18
Test the delegated administrator’s rights 19

Using Managed Units 21

Create a Managed Unit 21
Assign the Full Control role for an MU 22
Test the delegated administrator’s rights 23

Using Active Roles policies 25

Enforce user naming conventions 25
Create and apply the Policy Object 26
Verify the naming conventions 28

Active Roles 8.1.3 Evaluation Guide

3
Clean up your test environment 29
Use a Logon Name Generation policy 29
Scenario 1: Using uniqueness number 29
Create and apply the Policy Object 30
Test the User Logon Name Generation policy 31
Scenario 2: Using multiple rules 32
Configure the Policy Object 33
Test the User Logon Name Generation policy 34
Clean up your test environment 34
Use an E-mail Alias Generation policy 35
Create and apply the Policy Object 35
Test the E-mail Alias Generation policy 37
Clean up your test environment 38
Enforce group scope restrictions 38
Prepare the script module 39
Create and apply the Policy Object 39
Test the group scope restrictions 40
Use a Home Folder Provisioning policy 40
Create and apply the Policy Object 40
Test the Home Folder policy 41

Managing Exchange recipients 43

Create a mailbox for an existing user 43
Modify a user’s e-mail address 44

Managing permissions in Active Directory 45

View or modify permission entries 45
Manage native security with Access Templates 46

Using dynamic groups 48

Configure a dynamic group 49
Test the dynamic group 50
Explicit inclusion 50
Explicit exclusion 51
Inclusion by query 52
Inclusion of group members 52
Enforcement of membership rules 53

Active Roles 8.1.3 Evaluation Guide

4
Delegating computer resource management 54
Assign the Server Operator role for an OU 54
Test the delegated administrator’s rights 55

Using audit trail and reporting 57

Analyze the Audit Trail 57
Examine the audit trail using event viewer 57
Use reports to analyze the audit trail 57
Work with Active Roles reports 58
Collect data for reporting 58
Generate and view reports 59

Using Active Roles replication 61

Configure replication 61
Test replication 63

Customizing the Web Interface 64

Add a text box to the user creation page 64
Test the user creation page 65

About us 67
Contacting us 67
Technical support resources 67

Active Roles 8.1.3 Evaluation Guide

5
1

Introduction

Active Roles (formerly known as ActiveRoles®) is an administrative platform that facilitates

user and group administration for Microsoft Active Directory and Exchange. Active Roles
enables organizations to create flexible administration solutions that suit their needs, while
ensuring secure delegation of tasks, reduced workloads, and lower costs. It also enables
the integration of diverse corporate data sources and provisioning processes, which can
expedite business workflow and eliminate data inconsistencies.
This document is for IT specialists who are evaluating Active Roles. The document provides
evaluation scenarios to help better understand the Active Roles functionality. The
document covers the following topics:
l Active Roles test lab setup
l Managing users and groups
l Delegating administration using Active Roles
l Using Managed Units to delegate administration
l Using Active Roles policies
l Managing Exchange recipients
l Managing native Active Directory security
l Using dynamic (rules-based) groups
l Delegating and managing computer resources
l Using Active Roles audit trail and reporting
l Using Active Roles replication
l Customizing the Web Interface

NOTE:
l Unless otherwise indicated, the instructions in this document assume that you are
logged on as Active Roles Admin. The Active Roles Admin account is specified when
installing the Administration Service, and defaults to the Administrators local group
of the computer running the Administration Service.
l You should verify that the Active Roles console is in Advanced view mode: On the
View menu, click Mode; then, click Advanced Mode.

Active Roles 8.1.3 Evaluation Guide

6
Introduction
2

Test lab setup

Successful deployment requires thorough testing in a lab environment. When planning your
testing, we recommend:
l Designing your lab to reflect your production environment. For example, if your
network has multiple sites, then your lab should have multiple sites.
l Having your lab’s number of users and computers be at least two to five percent of
the number of users and computers in your production environment.

This section describes how to initially set up your test lab for evaluation purposes: install
Active Roles on your computer, connect to the Active Roles Administration Service and
register domains with Active Roles.

Preparing a server for Active Roles

installation
To perform evaluation, you need a test Active Directory domain with a member server set
up and configured. Your server must meet the following hardware requirements:
l 64-bit (x64) processor, 2.0 GHz or faster
l At least 8 GB of RAM
l At least 100 GB of free hard disk space
l Network adapter
l Video adapter and monitor with screen resolution of 1280x800 or higher
l Mouse, or other pointing device

Ensure that you have the following software available:

l Microsoft Windows Server 2016 or later
l Active Roles 8.1.3 distribution package

Install the Windows Server operating system on your server, and join the server to your
test Active Directory domain.
Then, install the following software on your server:

Active Roles 8.1.3 Evaluation Guide

7
Test lab setup
l Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework 4.7.2” at
http://go.microsoft.com/fwlink/p/?LinkId=257868)
NOTE: You need to install .NET Framework 4.7.2 if the Windows Server version
does not include this software as a part of the operating system.
l Windows Management Framework 5.1 (see “Windows Management Framework 5.1”
at https://www.microsoft.com/en-us/download/details.aspx?id=54616)
l Microsoft SQL Server 2012 Express (see “Microsoft SQL Server 2012 Service Pack 1
(SP1) Express” at http://go.microsoft.com/fwlink/?LinkID=267905)

Once you have prepared your server, you are ready to install and configure Active Roles.

Installing and configuring Active Roles

To install and configure Active Roles for evaluation purposes, you will follow these steps:

1. Run Setup, which installs binaries and configures registry settings for Active Roles.
2. Run Active Roles Configuration Center, which creates and configures the Active Roles
database, Administration Service, and Web Interface.

Setup user account

Ensure that the account that you use to install and configure Active Roles meets the
following requirements:
l Domain user account that is a member of the Domain Admins group in your test
Active Directory domain
l Member of the Administrators group on your computer intended for installing
Active Roles
l SQL login on the SQL Server Express instance that runs on your computer for
installing Active Roles
l Member of the sysadmin fixed server role on that SQL Server Express instance

Run Setup
Setup installs binaries and configures registry settings for Active Roles.

Active Roles 8.1.3 Evaluation Guide

8
Test lab setup
To run Setup

1. Log on with a user account that meets the requirements listed in Setup user account.
2. Navigate to the location of the Active Roles distribution package, and start the Setup
wizard by double-clicking ActiveRoles.exe.
3. In the Setup wizard, review the Introduction page, and click Next.
4. On the License Terms page, review the Active Roles license agreement, select
the option indicating that you accept the terms in the license agreement, and
then click Next.
5. On the Component Selection page, verify that the Administration Service, Web
Interface, and Console components are selected, and click Next.
6. On the Ready to Install page, click Install to begin installation.
7. On the Completion page, verify that the I want to perform configuration check
box is selected, and click Finish.

Setup will start Active Roles Configuration Center, allowing you to configure your Active
Roles installation (see Run Active Roles Configuration Center).

Run Active Roles Configuration Center

After you complete Active Roles Setup, run Active Roles Configuration Center to create and
configure the Active Roles database, Administration Service, and Web Interface.

To run Active Roles Configuration Center

1. In the Active Roles Setup wizard (see Run Setup), select the I want to perform
configuration check box on the Completion page and click Finish to start Active
Roles Configuration Center.
You can also start Configuration Center by selecting Active Roles 8.1.3
Configuration Center on the Apps page or Start menu, depending upon the
version of your Windows operating system.

2. In the Active Roles Configuration Center main window, under Administration

Service, click Configure.
This starts the wizard that will create and configure the Active Roles database and
Administration Service.

3. On the Service Account page, verify that the Logon name field displays the name
of your Setup user account, type the password of that user account in the Password
field, and then click Next.
4. On the Active Roles Admin page, verify that the Name field reads
BUILTIN\Administrators (which identifies the Administrators group of the
computer on which you are configuring Active Roles), and then click Next.

Active Roles 8.1.3 Evaluation Guide

9
Test lab setup
5. On the Database Options page, verify that the New Active Roles database
option is selected and the Use a pre-created blank database check box is cleared,
and then click Next.
6. On the Connection to Database page:
a. In the SQL Server field, specify the name of your SQL Server Express
instance, such as <computername>\SQLEXPRESS where <computername> stands
for the short name of the computer on which you are configuring Active Roles.
b. Verify that the Windows authentication option is selected.
c. Click Next.
7. On the Ready to Configure page, click Configure.
8. Wait for the wizard to complete the operation.
9. On the Completion page, click Finish to close the wizard.
10. In the Active Roles Configuration Center main window, under Web Interface,
click Configure.
This starts the wizard that will create and configure the default Web Interface sites.

11. On the Administration Service page, select the Administration Service on the
computer running the Web Interface option, and then click Configure.
12. Wait for the wizard to complete the operation.
13. On the Completion page, click Finish to close the wizard.

Installing the reporting components

You can install reporting components from the Active Roles distribution package. For the
purposes of this evaluation, install the Active Roles Collector on the computer where you
have installed Active Roles and then use the Collector wizard to deploy the Report Pack.

To install the Collector

l In the Active Roles distribution package, navigate to the Solutions/Collector and
Report Pack folder, double-click the .msi file held in that folder, and follow the
instructions in the Setup wizard to install Collector.

Once you have installed the Collector, you can start the Collector wizard by selecting
Active Roles Active Roles Collector and Report Pack on the Apps page or Start
menu, depending upon the version of your Windows operating system.
Report Pack requires Microsoft SQL Server Reporting Services (SSRS). Make sure that you
have SSRS deployed in your environment. When deploying Report Pack, the Collector
wizard prompts you for the address (URL) of the Report Server Web service. You can find
this address on the Web Service URL page in the Reporting Services Configuration
Manager tool on the server where SSRS is installed.

Active Roles 8.1.3 Evaluation Guide

10
Test lab setup
To deploy the Report Pack

1. Start the Collector wizard by selecting Active Roles Active Roles Collector and
Report Pack on the Apps page or Start menu, depending upon the version of your
Windows operating system.
2. On the Select Task page, click Deploy reports to Report Server, and then
click Next.
3. On the Report Server page, type the URL of your SSRS Report Server in the Report
Server Web Service URL box. Click Next.
By default, the URL is http://<ComputerName>/reportserver where
<ComputerName> stands for the name of the computer on which SSRS is installed.

4. On the Data Source page, click Next.

5. Wait while the wizard deploys the Report Pack.

Connecting to Administration Service

The next step is to start the Active Roles console (MMC Interface) and have the console
connect to the Administration Service.

To start the Active Roles console

l Depending upon the version of your Windows operating system, click Active Roles
8.1.3 Console on the Apps page or select All Programs | One Identity Active
Roles 8.1.3 | Active Roles 8.1.3 Console from the Start menu.

Normally, the Active Roles console automatically connects to the appropriate

Administration Service. Optionally, you can select a different Administration Service to
connect to.

To select Administration Service

1. Right-click the console tree root, and then click Connect.

2. In the Connect to Administration Service dialog box, type or select the name of
the computer running the Administration Service. Click OK.
3. Wait while the console establishes a connection to the Administration Service.

Once the connection is established, the name of the Administration Service computer is
displayed in the brackets next to the console tree root.

Registering the domain

The next step is to register your test domain with Active Roles. This operation is also
referred to as adding a managed domain.

Active Roles 8.1.3 Evaluation Guide

11
Test lab setup
A list of managed domains is part of Active Roles configuration. After you initially install
the Administration Service, the list is empty. By registering a domain, you add a record
to that list.

To register your test domain

1. Click the console tree root.

2. In the details pane, click the Add Domain button to start the Add Managed
Domain wizard.
3. Click Next.
4. Type the name of your test domain, or click Browse to select the domain.
Click Next.
5. Verify that the following option is selected: The service account information the
Administration Service uses to log on.
6. Click Next.
7. Click Finish to close the wizard.
8. Wait while Active Roles completes the domain registration.

NOTE: You can un-register domains by deleting their registration objects from the
Managed Domains container. To access that container, select the console tree root,
and then, in the details pane, click Go to Managed Domains in the Domains area.

Active Roles 8.1.3 Evaluation Guide

12
Test lab setup
3

Managing users and groups

This section provides sample procedures that illustrate how to manage users and groups in
Active Directory using the Active Roles console or Web Interface.
NOTE: To walk through the scenarios outlined in this chapter, you must be logged on as a
user with sufficient permissions in Active Roles. For example, it would suffice if you are
logged on as Active Roles Admin—a member of the Administrators group on the
computer running the Administration Service. Alternatively, you might be granted full
control of the organizational unit that holds your test users and groups. For information
on how to specify user permissions in Active Roles, see Delegating administration later in
this document.

Use the Active Roles console

Create a user
To create a user account

1. In the console tree, expand Active Directory and select the OU where you want to
add the user.
2. In the console tree, right-click the OU, and select New | User.
3. Type in the First name, Last name, and User logon name boxes. Click Next.
4. Click the button next to the Password box to generate a password. Click Next.
5. If Microsoft Exchange Server is deployed in your test domain, you can make the user
mailbox-enabled. To do this, select the Create an Exchange mailbox check box.
Click Next.
6. If you need to specify additional properties of the new user, select the Display the
object properties when this wizard closes check box. Click Finish.

Active Roles 8.1.3 Evaluation Guide

13
Managing users and groups
Create a group
To create a group

1. In the console tree, expand Active Directory and select the OU where you want to
add the group.
2. In the console tree, right-click the OU, and select New | Group.
3. Type a name for the new group, click the Group scope and Group type you want,
and then click Next.
4. If Microsoft Exchange Server is deployed in your test domain, you can establish an e-
mail address for the group. To do this, select the Create an Exchange e-mail
address check box. Click Next.
5. Use the Add and Remove buttons to populate the group membership list. When
finished, click Next.
6. If you need to specify additional properties of the new group, select the Display the
object properties when this wizard closes check box. Click Finish.

Find and disable a user account

To find and then disable a user account

1. In the console tree, select Active Directory.

2. In the details pane, right-click your test domain and click Find.
3. In the Find window, do the following:
a. From the Find list, select Users.
b. In the Name box, type the name of the user you want to find, or part
of the name.
c. Click Find Now.
d. In the list of search results, right-click the user and click Disable Account.

Active Roles 8.1.3 Evaluation Guide

14
Managing users and groups
Use the Active Roles Web Interface

Create a user account and add it to groups

To create a user account and add it to groups

1. Connect to the Web Interface for Administrators: Open your Web browser and
navigate to http://localhost/ARWebAdmin.
2. In the Search box on the header of the Web Interface page, type the name of the OU
where you want to create the user, and then press Enter.
3. In the list of search results, click the name of the OU.
4. In the right pane of the Web Interface page, click New User.
5. Type in the First Name, Last Name, and User logon name boxes. Click Next.
6. Click the Generate button (beneath the Confirm password box) to generate a
password. Click Finish (or Next, if Microsoft Exchange Server is deployed in your
test domain).
7. If Microsoft Exchange Server is deployed in your test domain, you can create a
mailbox for the new user. To do this, select the Create an Exchange mailbox
check box. Click Finish.
8. Close the property page that appears.
9. In the Search box on the header of the Web Interface page, type the name of the
user account you have created.
10. In the list of search results, select the check box next to the name of the
user account.
11. In the right pane of the Web page, click Member Of.
12. On the Member Of page that appears, click the Add button.
13. On the Select Object page that appears, choose the groups to which you want to
add the user account:
a. Specify search criteria and press Enter to build a list of groups.
b. Choose the desired groups by selecting the check box next to the name of the
group in the list.
c. When finished, click OK.
For example, you can type group names separated by a semicolon in the Search box
at the top of the Select Object page, and then press Enter.

14. To remove the user account from groups, on the Member Of page, select the check
box next to the name the group and then click the Remove button.

Active Roles 8.1.3 Evaluation Guide

15
Managing users and groups
Find a user and reset the user’s password
To find a user account and then reset its password

1. Connect to the Web Interface for Help Desk: Open your Web browser and navigate to
http://localhost/ARWebHelpDesk.
2. In the Search box on the header of the Web Interface page, type the name of the
user you want to find, and then press Enter.
3. In the list of search results, select the check box next to the name of the
user account.
4. In the right pane of the Web Interface page, click Reset Password.
5. On the Reset Password page that appears, click the Generate button.

The new password is displayed in the Password box.

6. Click the Finish button to apply your changes.

Perform self-administration
Active Roles makes it possible to authorize users to administer their own accounts in Active
Directory. Specifically, users may be permitted to modify personal information in their
accounts. An administrator can use the Active Roles console to delegate this task.

To delegate self-administration

1. In the console tree, select the domain or OU where you want to delegate the self-
administration task.
2. Right-click the selection and click Delegate Control.
3. In the Active Roles Security dialog box, click Add.
4. Follow the steps in the Delegation of Control Wizard.
5. On the Users or Groups page, click Add, use the Select Objects dialog box to
select the Self object, and then click Next.
6. On the Access Templates page, expand User Self-management, and select the
check box next to Self - Account Management. Click Next.
7. Click Next two times, and then click Finish.
8. In the Active Roles Security window, click OK.

Once you have delegated the self-administration task, you can check how users can
perform self-administration in the Active Roles Web Interface.

Active Roles 8.1.3 Evaluation Guide

16
Managing users and groups
To perform self-administration

1. Log on to your server as any user defined in your test domain.

2. Connect to the Web Interface for Self-Administration: Open your Web browser and
navigate to http://localhost/ARWebSelfService.
3. On the Web Interface Home page, click User Profile Editor.
4. On the User Profile Editor page that appears, use the General, Address,
Telephones, and Picture tabs to view or change your personal information.
5. When finished, click the Save button.

Active Roles 8.1.3 Evaluation Guide

17
Managing users and groups
4

Delegating administration

The examples in this section demonstrate how to delegate administration using

Active Roles.

Assign the Help Desk role for an OU

When you assign the Help Desk role to a group for a given OU, you authorize the members
of that group to reset user passwords, unlock user accounts, and view all properties of user
accounts in that OU and its child OUs. The members of the group to which you have
assigned an administrative role are referred to as delegated administrators.

To assign the Help Desk role for an OU

1. In the Active Roles console, right-click the OU, and then click Delegate Control.
2. In the Active Roles Security window, click Add.
3. Follow the steps in the Delegation of Control wizard.
4. On the Users or Groups page, click Add.
5. Select the group to which you want to assign the Help Desk role and click OK.
6. Click Next.
7. On the Access Templates page, expand Active Directory, select the check box
next to Users – Help Desk, and then click Next.
8. Click Next, click Next, and then click Finish.
9. In the Active Roles Security window, click OK.

To enable the delegated administrators to browse OUs in the domain, you must grant them
the Read All Properties permission on the OU objects at the domain level.

To grant the Read All Properties permission

1. Select the domain and use the Delegation of Control wizard as described in the
previous procedure.

Active Roles 8.1.3 Evaluation Guide

18
Delegating administration
2. On the Access Templates page, expand Active Directory, and select the check
box next to OUs – Read All Properties.

Test the delegated administrator’s

rights
The delegated administrator can use the Active Roles console to perform administrative
tasks. Use the following steps to verify the rights of a delegated administrator using the
Active Roles console (MMC Interface).

To verify delegation using the Active Roles console

1. Open the Active Roles console and connect to the Administrative Service as the
delegated administrator:
a. Right-click the console tree root, and then click Connect.
b. In the Connect to Administration Service dialog box, click Options.
c. In the Connect as area, click The following user and specify the user logon
name and password of the delegated administrator.
2. In the console tree, select the OU for which the delegated administrator is assigned
the Help Desk role.
3. Verify that you can reset passwords and unlock accounts: Right-click a user account
in the details pane, and click Reset Password.
4. Verify that you can view user properties: Right-click a user account in the details
pane, and click Properties.

The delegated administrator can also use the Web Interface to perform administrative
tasks. Take the following steps to verify the rights of a delegated administrator using the
Active Roles Web Interface.

To verify delegation using the Web Interface

1. Log on to your computer with the delegated administrator’s user name and
password.
2. Connect to the Web Interface for Help Desk: Open your Web browser and navigate to
http://localhost/ARWebHelpDesk.
3. In the Search box on the header of the Web Interface page, type the name of the
OU for which the delegated administrator is assigned the Help Desk role, and then
press Enter.
4. In the list of search results, click the name of the OU to display a list of objects
held in that OU.
5. In the list of objects, select the check box next to the name of a user account.

Active Roles 8.1.3 Evaluation Guide

19
Delegating administration
6. Verify that you can reset the user’s password and unlock the user account:
a. In the right pane of the Web Interface page, click Reset Password.
b. On the Reset Password page that appears, specify a new password, clear the
Account is locked out check box if the check box is selected, and then
click Finish.
If the user account is not locked out, the Account is locked out check box is
unavailable.

Active Roles 8.1.3 Evaluation Guide

20
Delegating administration
5

Using Managed Units

The examples in this section demonstrate how to configure Managed Units, and allow you
to see how Managed Units work.
Managed Unit (MU) is a collection of objects (administrative view), created for the purposes
of distribution of administration, enforcement of business rules, and management of
complex network environments. Managed Units provide the capability to separate the
management framework from the Active Directory design. By using Managed Units,
directory objects can be grouped into administrative views regardless of object location in
Active Directory.

Create a Managed Unit

Consider an example in which the AD design is based on geographic locations, with
domains named after cities or regions and OUs named for corporate departments or
groups. Managed Units could be designed to manage specific departments or groups that
are divided across multiple geographic locations.
In this example, each AD domain has a Human Resources (HR) OU and a Sales OU. The
Active Roles design has an HR MU and a Sales MU. The HR MU enables administrators to
configure the policies and security restrictions for all HR users in one place, while the Sales
MU provides the same kind of capability for all Sales users.
MUs are defined by membership rules—criteria that Active Roles uses to evaluate which
objects belong to specific MU.
In your test domain, create three OUs named PHX Sales, BST Sales, and SEA Sales. Then,
perform the following steps to create the Sales MU.

To create Managed Unit

1. Start the Active Roles console and connect to the Administration Service.
2. Ensure that the console is in Advanced View mode: On the View menu, click Mode,
and then select the Advanced Mode option.
3. In the console tree, expand Configuration, right-click Managed Units, and select

Active Roles 8.1.3 Evaluation Guide

21
Using Managed Units
New | Managed Unit.
The New Object - Managed Unit wizard starts.

4. In the Name box, type the name of the Managed Unit - Sales MU. Click Next.
5. Click Add.
6. In the list of rule types, click Include by Query. Click OK.
7. From the Find list, select Organizational Units.
8. Click Browse next to the In box, and select your test domain.
9. In the Name box, type *Sales*
10. Optionally, click Preview Rule.
The window displays a list of all the Sales OUs found.

11. Click Add Rule.

12. In the wizard, click Next, click Next, and then click Finish.

This procedure ensures that all OUs with names containing ‘Sales’ are included in the Sales
MU. If you only want the MU to include the OUs with specific names, such as ‘PHX Sales
OU’, ‘BST Sales OU’ and ‘SEA Sales OU’, use explicit inclusion. To create the Sales MU using
explicit inclusion, modify the above procedure as follows:

1. In Step 6, select Include Explicitly from the list of rule types.

2. In the Select Objects window, specify the OU names (separated by semicolons),
and then click OK.
3. Follow the steps in the wizard to complete the creation of the MU.

Assign the Full Control role for an MU

Active Roles ensures that security restrictions specified on an MU are applied to all objects
held in that MU. When an MU holds a container, all child objects in that container inherit the
security restrictions defined at the MU level. This inheritance continues down the directory
tree within all containers held in a given MU.
When you assign the Full Control role to a group for a given MU, you authorize the
members of that group to perform all administrative tasks in that MU. The members of the
group to which you have assigned an administrative role are referred to as delegated
administrators.

To assign the Full Control role for an MU

1. In the Active Roles console, right-click the Sales MU, and then click Delegate
Control.
2. In the Active Roles Security window, click Add.
3. Follow the steps in the Delegation of Control wizard.
4. On the Users or Groups page, click Add.

Active Roles 8.1.3 Evaluation Guide

22
Using Managed Units
5. Select the group to which you want to assign the Full Control role and click OK.
6. Click Next.
7. On the Access Templates page, expand Active Directory, select the check box
next to All Objects – Full Control, and then click Next.
8. Click Next, click Next, and then click Finish.
9. In the Active Roles Security window, click OK.

When assigned the Full Control role for an MU, the delegated administrator is authorized to
view the MU and manage all objects in it. In the Active Roles console, the MU appears under
Managed Units in the console tree.

Test the delegated administrator’s

rights
Delegated administrators can use the Active Roles console to perform administrative tasks
within the MU. Take the following steps to verify the rights of the delegated administrator
using the Active Roles console.

To verify delegation using the Active Roles console

1. Start the Active Roles console and connect to the Administrative Server as the
delegated administrator:
a. Right-click the console tree root, and then click Connect.
b. In the Connect to Administration Service dialog box, click Options.
c. In the Connect as area, click The following user and specify the user logon
name and password of the delegated administrator.
2. In the console tree, expand Managed Units | Sales MU, and select an OU.
3. Verify that you can administer objects in the OU: Right-click an object in the details
pane and use commands on the shortcut menu.
4. Verify that you can create new objects: In the console tree, under Sales MU, right-
click an OU, point to New, and select the type of the object to create.

Delegated administrators can also use the Web Interface to perform administrative tasks.
Take the following steps to verify the rights of the delegated administrator using the Active
Roles Web Interface.

To verify delegation using the Web Interface

1. Log on to your computer with the user name and password of the delegated
administrator.
2. Connect to the Web Interface for Administrators: Open your Web browser and
navigate to http://localhost/ARWebAdmin.
3. On the Web Interface Home page, click Directory Management.

Active Roles 8.1.3 Evaluation Guide

23
Using Managed Units
4. On the Views tab in the left pane of the Web Interface page, click Managed Units.
5. In the list of Managed Units, click Sales to display a list of OUs held in the Sales
Managed Unit.
6. In the list of OUs, click the name of an OU to display a list of objects held in that OU.
7. Verify that you can create new objects in the OU and administer the OU using
commands in the right pane of the Web Interface page.
8. Verify that you can administer objects held in the OU: Select the check box next
to the name of an object in the list and then use commands in the upper part of
the right pane.

Active Roles 8.1.3 Evaluation Guide

24
Using Managed Units
6

Using Active Roles policies

The examples in this section demonstrate how to configure provisioning policies, and allow
you to see how provisioning policy enforcement works in Active Roles.
NOTE: The instructions in this section assume that you are logged on as an Active Roles
Admin. The Active Roles Admin account is specified when installing the Administration
Service, and defaults to the Administrators local group of the computer running the
Administration Service.

Enforce user naming conventions

This section describes how to enforce the following user naming conventions:
l Full name must be ABC, where
A consists of max 5 first characters of Last name; in case of long Last name, A
consists of only the first 5 characters
B consists of min 2 characters: numbering beginning with 00; in case of short
Last name, filling characters are added: 000, 0000, so that AB consists of exactly
7 characters
C consists of one first character of First name
Example: ivano00a (ivano = 5 characters of Last name Ivanov; 00 = numbering;
a = the first character of First name Andre)
l User logon name must be the same as Full name
l User logon name (pre-Windows 2000) must be the same as Full name

To enforce these naming conventions, you need to create and apply an Active Roles
Policy Object.

Active Roles 8.1.3 Evaluation Guide

25
Using Active Roles policies
Create and apply the Policy Object
Perform the following steps to create and apply the Policy Object using the Active Roles
console. First, you create the Policy Object, configure policy for the Full name property,
and apply the Policy Object to your test domain. Next, you modify the Policy Object to add
the policy for the User logon name and User logon name (pre-Windows 2000)
properties.

To create and apply the Policy Object

1. In the console tree, expand Configuration | Policies, right-click Administration,

and select New | Provisioning Policy.
2. On the Welcome page of the New Provisioning Policy Object wizard, click Next.
3. In the Name box, type the name for the Policy Object: User Naming Conventions.
Click Next.
4. On the Policy to Configure page, select Property Generation and Validation.
Click Next.
5. On the Controlled Property page, click Select.
6. In the Select Object Type and Property dialog box:
a. From the Object type list, select User.
b. From the Object property list, select Name.
c. Click OK.
7. On the Controlled Property page, click Next.
8. On the Configure Policy Rule page, select the ‘Name’ must be <value> check
box, and then click the item <click to add value> in the Edit policy rule box.
9. In the Add Value dialog box, click Configure.
10. In the Configure Value dialog box, click Add.
11. In the Add Entry window:
a. Under Entry type, click User Property.
b. Under Entry properties, click Select, and then select Last Name from the
Object property list. Click OK.
c. Click The first, and then enter 5 in the box next to that option.
d. Select the If value is shorter, add filling characters at the end of value
check box, and then, in the Filling character box, enter 0.
e. Click OK.
12. In the Configure Value dialog box, click Add.
13. In the Add Entry window, click Text, type 00, and click OK.
14. In the Configure Value dialog box, click Add.

Active Roles 8.1.3 Evaluation Guide

26
Using Active Roles policies
15. In the Add Entry window:
a. Under Entry type, click User Property.
b. Under Entry properties, click Select, and then select First Name from the
Object property list. Click OK.
c. Click The first, and then enter 1 in the box next to that option.
d. Click OK.
16. In the Configure Value dialog box, click OK.
17. In the Add Value dialog box, click OK.
18. On the Configure Policy Rule page, click Next.
19. On the Policy Description page, click Next.
20. On the Enforce Policy page, click Add.
21. In the Select Objects window, select your test domain, click Add, and then
click OK.
22. Click Next, and then click Finish.

Next, perform the following steps to configure policy for the User logon name and User
logon name (pre-Windows 2000) properties.

To add policies to the Policy Object

1. In the console tree, select Configuration | Policies | Administration.

2. In the details pane, right-click User Naming Conventions and click Properties.
3. On the Policies tab in the User Naming Conventions Properties dialog
box, click Add.
4. On the Welcome page of the Add Provisioning Policy wizard, click Next.
5. On the Policy to Configure page, select Property Generation and Validation.
Click Next.
6. On the Controlled Property page, click Select.
7. In the Select Object Type and Property dialog box:
a. From the Object type list, select User.
b. From the Object property list, select Account Name (UPN Prefix).
c. Click OK.
8. On the Controlled Property page, click Next.
9. On the Configure Policy Rule page, select the ‘Account Name (UPN Prefix)’
must be <value> check box, and then click the item <click to add value> in the
Edit policy rule box.
10. In the Add Value dialog box, click Configure.
11. In the Configure Value dialog box, click Add.

Active Roles 8.1.3 Evaluation Guide

27
Using Active Roles policies
12. In the Add Entry dialog box window:
a. Under Entry type, click User Property.
b. Under Entry properties, click Select, and then select Name from the Object
property list. Click OK.
c. Click OK.
13. In the Configure Value dialog box, click OK.
14. In the Add Value dialog box, click OK.
15. On the Configure Policy Rule page, click Next.
16. Click Next, and then click Finish.
17. Repeat Steps 3-16 with the following modification to configure policy for User logon
name (pre-Windows 2000):
l In Step 7, from the Object property list, select Logon Name (pre-
Windows 2000).
18. In the User Naming Conventions Properties dialog box, click OK.

Verify the naming conventions

Use the following steps to see how the naming conventions are enforced when you create a
user account using the Active Roles console (MMC Interface).

To verify naming conventions using the Active Roles console

1. In the console tree, right-click an OU in your test domain, and select New | User.
2. Fill in the First name and Last name boxes.
3. Verify that the console automatically fills in the Full name, User logon name, and
User logon name (pre-Windows 2000) boxes in accordance with the user
naming conventions.
4. Complete the New Object - User wizard.
5. Right-click the newly created user account, click Properties, and examine the
Properties dialog box to verify that the user properties are in compliance with the
naming conventions.

Use the following steps to see how the naming conventions are enforced when you create a
user account using the Active Roles Web Interface.

To verify naming conventions using the Web Interface

1. In the Web Interface for Administrators, select an OU from your test domain.
2. In the right pane of the Web Interface page, click New User.
3. Fill in the First Name and Last Name fields.

Active Roles 8.1.3 Evaluation Guide

28
Using Active Roles policies
4. Verify that the Web Interface automatically fills in the Name, User logon name,
and User logon name (pre-Windows 2000) fields in accordance with the user
naming conventions.
5. Follow the steps in the wizard to complete the creation of the user account.

Clean up your test environment

The policy you configured and used in this section may interfere with the policies discussed
in the sections that follow. To prevent this issue, you should block the effect of the User
Naming Convention policy on your test domain before you proceed to the next sections.

To block the effect of the User Naming Conventions policy

1. In the Active Roles console, right-click your test domain, and click Enforce Policy.
2. In the Active Roles Policy window, locate the list entry named User Naming
Conventions, and select the Blocked check box in that entry.
3. Click OK to close the Active Roles Policy window.

Use a Logon Name Generation policy

You can use a policy of the Logon Name Generation category to automate the assignment
of the pre-Windows 2000 user logon name upon creation or modification of a user account.
When configuring a policy of this category, you can define multiple rules or apply an
incremental numeric value to ensure uniqueness of the policy-generated name.
This section covers both the scenario that uses a uniqueness number and the scenario that
involves multiple rules to generate logon names.

Scenario 1: Using uniqueness number

The policy described in this scenario generates the pre-Windows 2000 user logon name in
accordance with this rule: the first character of the user first name, optionally followed by a
uniqueness number, followed by the user last name. The length of the policy-generated
name is not more than 8 characters. If the name is longer, trailing characters are truncated
as needed. Examples of names generated by this policy are as follows:
l JSmitson
l J1Smitso
l J2Smitso

Active Roles 8.1.3 Evaluation Guide

29
Using Active Roles policies
The policy generates the name J1Smitso for the user John Smitson if the name JSmitson
is in use. If both JSmitson and J1Smitso are in use, the policy generates the name
J2Smitso, and so on.
To implement this scenario, you need to create and apply an Active Roles Policy Object. The
following two sub-sections elaborate on the steps to implement this scenario.

Create and apply the Policy Object

You can create and apply the Policy Object using the Active Roles console as follows.

To create and apply the Policy Object

1. In the console tree, expand Configuration | Policies, right-click Administration,

and select New | Provisioning Policy.
2. On the Welcome page of the New Provisioning Policy Object wizard, click Next.
3. In the Name box, type the name of the Policy Object: User Logon Name
Generation. Click Next.
4. On the Policy to Configure page, select User Logon Name Generation.
Click Next.
5. On the User Logon Name (pre-Windows 2000) Generation Rules page,
click Add.
6. In the Configure Value dialog box, click Add.
7. In the Add Entry window, configure the entry to include the first character of the
user first name:
a. Under Entry type, click User Property.
b. Under Entry properties, click Select.
c. In the Select Object Property window, click First Name in the Object
property list, and then click OK.
d. Under Entry properties, click The first, and verify that the box next to that
option reads 1.
e. Click OK.
8. In the Configure Value dialog box, click Add.
9. In the Add Entry window, configure the entry to optionally include a
uniqueness number:
a. Under Entry type, click Uniqueness Number.
b. Under Entry properties, click Add if the property value is in use.
c. Click OK.
10. In the Configure Value dialog box, click Add.

Active Roles 8.1.3 Evaluation Guide

30
Using Active Roles policies
11. In the Add Entry window, configure the entry to include the user last name:
a. Under Entry type, click User Property.
b. Under Entry properties, click Select.
c. In the Select Object Property window, click Last Name in the Object
property list, and then click OK.
d. Click OK.
At this point, the Configured value box should display the following syntax:
%1<givenName>{@counter(optional)}%<sn>

12. Click OK to close the Configure Value dialog box.

13. On the User Logon Name (pre-Windows 2000) Generation Rules page, click
the Advanced button.
14. In the Advanced dialog box, in the Maximum length, in characters box, type 8,
and then click OK.
15. On the User Logon Name (pre-Windows 2000) Generation Rules page,
click Next.
16. On the Enforce Policy page, click Add.
17. In the Select Objects window, select your test domain, click Add, and then
click OK.
18. Click Next, and then click Finish.

You must also take certain steps to override the effect of the default logon name generation
policy. You may block the policy effect for the entire domain or for individual containers
within the domain.

To block the effect of the default logon name generation policy

1. In the Active Roles console, right-click your test domain (or a certain container, such
as OU), and click Enforce Policy.
2. In the Active Roles Policy window, locate the list entry named Built-in Policy -
Default Logon Name, and select the Blocked check box in that entry.
3. Click OK to close the Active Roles Policy window.

Test the User Logon Name Generation policy

The policy effect on the user creation operation is as follows. On the user creation forms,
the Active Roles user interfaces provide a Generate button to create a pre-Windows 2000
user logon name in accordance with the policy rule. In the event of a naming conflict,
clicking the Generate button causes the policy to add a uniqueness number to the name.
You can use the following steps to verify the policy behavior in the Active Roles console.

Active Roles 8.1.3 Evaluation Guide

31
Using Active Roles policies
To verify the policy behavior using the Active Roles console

1. Create the user account for the first user:

a. In the console tree, right-click an OU, and select New | User.
b. In First name, type John; in Last name, type Smitson.
c. Click the button next to the User logon name (pre-Windows 2000) box.
This will generate JSmitson.
d. Complete the creation of the user account.

2. Create the user account for the second user:

a. In the console tree, right-click an OU, and select New | User.
b. In First name, type Jane; in Last name, type Smitson.
c. Click the button next to the User logon name (pre-Windows 2000) box.
This will generate J1Smitso, because the name JSmitson is in use.
d. Complete the creation of the user account.
3. Create the user account for the third user:
a. In the console tree, right-click an OU in your test domain, and select
New | User.
b. In First name, type Joanne; in Last name, type Smitson.
c. Click the button next to the User logon name (pre-Windows 2000) box.
This will generate J2Smitso, since both the JSmitson and J1Smitso names
are in use.
4. Complete the creation of the user account.

Scenario 2: Using multiple rules

The policy described in this scenario uses multiple rules to generate the pre-Windows 2000
user logon name based on the following rules:

1. The first character of the user first name, followed by the user last name
2. The first two characters of the user first name, followed by the user last name
3. The first three characters of the user first name, followed by the user last name

The length of the policy-generated name is at most 8 characters. If the name is longer,
trailing characters are truncated as needed.
Examples of names generated by this policy are as follows:
l JSmitson
l JoSmitso
l JohSmits

Active Roles 8.1.3 Evaluation Guide

32
Using Active Roles policies
The policy generates the name JoSmitso for the user John Smitson if the name JSmitson is
in use. If both JSmitson and JoSmitso are in use, the policy generates the name JohSmits.
If the policy fails to generate a unique name, it allows a name to be specified manually.
To implement this scenario, you might re-configure the User Logon Name Generation
Policy Object, used in the previous scenario.

Configure the Policy Object

Use the Active Roles console to make the appropriate changes to the User Logon Name
Generation Policy Object.

To modify the Policy Object

1. In the Active Roles console, right-click the User Logon Name Generation Policy
Object, and click Properties.
2. On the Policies tab, select the policy, and then click View/Edit.
3. Remove the uniqueness number entry from the first rule:
a. On the Generation Rules tab, select the rule, and then click View/Edit.
b. In the Configure Value dialog box, select the Uniqueness number entry,
click Remove, and then click OK.
4. Add the second rule:
a. On the Generation Rules tab, click Add.
b. In the Configure Value dialog box, click Add.
c. In the Add Entry window:
i. Select the User Property entry type
ii. Select the First name property
iii. Click The first and then type 2
iv. Click OK
d. In the Configure Value dialog box, click Add.
e. In the Add Entry window:
i. Select the User Property entry type
ii. Select the Last name property
iii. Click OK
f. In the Configure Value dialog box, click OK.
5. Repeat Step 4, modifying Sub-step c) as follows in order to add the third rule: Click
The first and then type 3.
6. On the Generation Rules tab, select the Allow manual edits of pre-Windows
2000 logon name check box, and then click Only if a unique name cannot be
generated by this policy.

Active Roles 8.1.3 Evaluation Guide

33
Using Active Roles policies
7. Click OK to close the User Logon Name Generation Policy Properties
dialog box.
8. Click OK to close the Properties dialog box for the Policy Object.

Test the User Logon Name Generation policy

The policy effect on the user creation operation is as follows. On the user creation forms,
the Active Roles user interfaces provide a Generate button to create a pre-Windows 2000
user logon name in accordance with the policy rules. In the event of a naming conflict,
clicking the Generate button causes the policy to apply a subsequent rule.
You can use the following steps to verify the policy behavior in the Active Roles console.

To verify the policy behavior using the Active Roles console

1. Create the user account for the first user:

a. In the console tree, right-click an OU, and select New | User.
b. In First name, type Jack; in Last name, type Smitson.
c. Click the button next to the User logon name (pre-Windows 2000) box.
This will generate JaSmitso. The policy applies the second rule.
d. Complete the creation of the user account.
2. Create the user account for the second user:
a. In the console tree, right-click an OU, and select New | User.
b. In First name, type Jay; in Last name, type Smitson.
c. Click the button next to the User logon name (pre-Windows 2000) box.
This will generate JaySmits. The policy applies the third rule.
d. Complete the creation of the user account.
3. Create the user account for the third user:
a. In the console tree, right-click an OU, and select New | User.
b. In First name, type Jaycob; in Last name, type Smitson.
c. Click the button next to the User logon name (pre-Windows 2000) box.
In this case, the policy fails to generate a unique name since each of the three
generation rules returns a name that is in use by an existing user account in your test
domain. The console prompts you to specify a name because the policy is configured
to allow this action in the situation where it cannot generate a unique name.

Clean up your test environment

The policy you configured and used in this section may interfere with the policies discussed
in the sections that follow. To prevent this issue, you should block the effect of the E-mail

Active Roles 8.1.3 Evaluation Guide

34
Using Active Roles policies
Alias Generation policy on your test domain before you proceed to the next sections.

To block the effect of the E-mail Alias Generation policy

1. In the Active Roles console, right-click your test domain, and click Enforce Policy.
2. In the Active Roles Policy window, locate the list entry named E-mail Alias
Generation, and select the Blocked check box in that entry.
3. Click OK to close the Active Roles Policy window.

Use an E-mail Alias Generation policy

To implement the scenario described in this section, you must have a supported Microsoft
Exchange Server version installed in your test Active Directory forest. For the list of
Exchange Server versions supported by Active Roles, see System requirements in the
Active Roles Release Notes.
You can use a policy of the E-mail Alias Generation category to automate the assignment of
the e-mail alias when designating a user as mailbox-enabled on Microsoft Exchange Server.
By default, Microsoft Exchange Server provides for the following recipient e-mail address
format: <alias>@<domain>. You can use pre-defined rules to generate e-mail aliases, or
configure custom rules. Custom rules provide for addition of an incremental numeric value
to ensure uniqueness of the alias.
The policy described in this scenario generates the e-mail alias in accordance with this
rule: user first name, optionally followed by a three-digit uniqueness number, followed
by a period, followed by the user last name. Examples of aliases generated by this rule
are as follows:
l John.Smith
l John001.Smith
l John002.Smith

The policy generates the alias John001.Smith for the user John Smith if the alias
John.Smith is in use. If both John.Smith and John001.Smith are in use, the policy
generates the alias John002.Smith, and so on.
The following two sections elaborate on the steps to implement this scenario.

Create and apply the Policy Object

You can create and apply the Policy Object using the Active Roles console as follows.

To create and apply the Policy Object

1. In the console tree, expand Configuration | Policies, right-click Administration,

and select New | Provisioning Policy.

Active Roles 8.1.3 Evaluation Guide

35
Using Active Roles policies
2. On the Welcome page of the New Provisioning Policy Object wizard, click Next.
3. In the Name box, type the name of the Policy Object: E-mail Alias Generation.
Click Next.
4. On the Policy to Configure page, click E-mail Alias Generation. Click Next.
5. On the E-mail Alias Generation Rule page, click Other combination of user
properties, and then click Configure.
6. In the Configure Value dialog box, click Add.
7. In the Add Entry window, configure the entry to include the user first name:
a. Under Entry Type, click User Property.
b. Under Entry Properties, click Select.
c. In the Select Object Property window, click First Name in the Object
property list, and then click OK.
d. Click OK.
8. In the Configure Value dialog box, click Add.
9. In the Add Entry window, configure the entry to optionally include a
uniqueness number:
a. Under Entry type, click Uniqueness Number.
b. Under Entry properties, set the entry options:
i. Click Add if the property value is in use
ii. Select the Fixed-length number, with leading zeros check box
iii. In the box next to Length of the number, in digits, type 3
c. Click OK.
10. In the Configure Value dialog box, click Add.
11. In the Add Entry window, configure the entry to include the period character:
a. Under Entry properties, type the period character.
b. Click OK.
12. In the Configure Value dialog box, click Add.
13. In the Add Entry window, configure the entry to include the user first name:
a. Under Entry type, click User Property.
b. Under Entry properties, click Select.
c. In the Select Object Property window, click Last Name in the Object
property list, and then click OK.
d. Click OK.
At this point, the Configured value box should display the following syntax:
%<givenName>{@counter(optional,3)}.%<sn>

14. Click OK to close the Configure Value dialog box.

15. On the E-mail Alias Generation Rule page, click Next.

Active Roles 8.1.3 Evaluation Guide

36
Using Active Roles policies
16. On the Enforce Policy page, click Add.
17. In the Select Objects window, select your test domain, click Add, and then
click OK.
18. Click Next, and then click Finish.

You must also take certain steps to override the effect of the default e-mail alias generation
policy. You may block the policy effect for the entire domain or for individual containers
within the domain.

To override the default e-mail alias generation policy

1. In the Active Roles console, right-click your test domain (or a certain container, such
as OU), and click Enforce Policy.
2. In the Active Roles Policy window, locate the list entry named Built-in Policy -
Default E-mail Alias, and select the Blocked check box in that entry.
3. Click OK to close the Active Roles Policy window.

Test the E-mail Alias Generation policy

The policy effect on the user creation operation is as follows. On the user creation forms,
the Active Roles user interfaces provide a Generate button to create an e-mail alias in
accordance with the policy rule. In the event of an alias naming conflict, clicking the
Generate button causes the policy to add a uniqueness number to the alias.
You can use the following steps to verify the policy behavior in the Active Roles console.

To verify the policy behavior using the Active Roles console

1. Create the user account for the first user:

a. In the console tree, right-click an OU in your test domain, and select
New | User.
b. In First name, type John; in Last name, type Smith.
c. Fill in User logon name and User logon name (pre-Windows 2000).
d. Click Next.
e. Fill in Password and Confirm password, and click Next.
f. Click the button located next to the Alias box.
This will generate John.Smith as the e-mail alias.
g. Complete the creation of the user account.
2. Create the user account for the second user:
a. In the console tree, right-click an OU in your test domain, and select
New | User.
b. In First name, type John; in Initials, type A, in Last name, type Smith.

Active Roles 8.1.3 Evaluation Guide

37
Using Active Roles policies
c. Fill in User logon name and User logon name (pre-Windows 2000).
d. Click Next.
e. Fill in Password and Confirm password, and click Next.
f. Click the button located next to the Alias box.
This will generate John001.Smith as the e-mail alias, since the alias
John.Smith is in use.
g. Complete the creation of the user account.
3. Create the user account for the third user:
a. In the console tree, right-click an OU in your test domain, and select
New | User.
b. In First name, type John; in Initials, type B, in Last name, type Smith.
c. Fill in User logon name and User logon name (pre-Windows 2000).
d. Click Next.
e. Fill in Password and Confirm password, and click Next.
f. Click the button located next to the Alias box.
This will generate John002.Smith as the e-mail alias, since both the John.Smith
and John001.Smith aliases are in use.

Clean up your test environment

The policy you configured and used in this section may interfere with the policies discussed
in the sections that follow. To prevent this issue, you should block the effect of the E-mail
Alias Generation policy on your test domain before you proceed to the next sections.

To block the effect of the E-mail Alias Generation policy

Enforce group scope restrictions

This scenario describes how to configure a policy to ensure that only non-universal
groups are permitted to be created. The script prevents Active Roles from creating
universal groups.
The policy is based on a script that detects the group scope setting and disallows the
creation of groups with universal scope. The script comes with Active Roles SDK. You can

Active Roles 8.1.3 Evaluation Guide

38
Using Active Roles policies
access the Active Roles SDK documentation by selecting Active Roles 8.1.3 SDK on the
Apps page or Start menu, depending upon the version of your Windows operating system.

Prepare the script module

To implement this policy, you first need to prepare a script module using the Active
Roles console.

To prepare the script module

1. In the console tree, expand Configuration, right-click Script Modules, and then
click Import.
2. Use the Import Script window to open the file RestrictGroupScope.ps1, located
in the folder %ProgramFiles%\One Identity\Active
Roles\8.1.3\SDK\Samples\RestrictGroupScope\
3. In the Script dialog box, click OK.

The module RestrictGroupScope is created in the Script Modules container. You can
view the script code in the details pane by selecting the module in the console tree.

Create and apply the Policy Object

Once you have prepared the script module, you can create, configure, and apply the Policy
Object using the Active Roles console.

To create and apply the Policy Object

1. In the console tree, expand Configuration | Policies, right-click Administration,

and select New | Provisioning Policy.
2. On the Welcome page of the New Provisioning Policy Object wizard, click Next.
3. In the Name box, type the name of the Policy Object: Group Scope Restrictions.
Click Next.
4. On the Policy to Configure page, select Script Execution. Click Next.
5. On the Script Module page, select RestrictGroupScope. Click Next.
6. On the Policy Parameters page, click Next.
7. On the Enforce Policy page, click Add.
8. In the Select Objects window, select your test domain, click Add, and then
click OK.
9. Click Next, and then click Finish.

Active Roles 8.1.3 Evaluation Guide

39
Using Active Roles policies
Test the group scope restrictions
Perform the following steps to see how group type restrictions are enforced when you
create a mail-enabled group using the Active Roles console.

To verify the group type restrictions

1. In the console tree, right-click an OU in your test domain, and select New | Group.
2. Type a name for the group.
3. Under Group scope, click Universal.
4. Click Next.
This will cause an error message to appear stating that you cannot create
universal groups.

5. Close the error message box.

6. Under Group scope, click Global.
7. Click Next and notice that no error message appears this time.

As you can see, the policy allows you to created a group with any scope except for
universal.

Use a Home Folder Provisioning policy

This section describes how to configure Active Roles to automatically create or rename the
user’s home folder on a certain file server when a user is created or renamed with Active
Roles. In this scenario, renaming a user means modifying the User logon name (pre-
Windows 2000) property of the user account.
NOTE: This scenario requires that the service account of the Administration Service be a
member of the Administrators group of the file server on which you want Active Roles to
manage home folders. You specify the service account in Active Roles Configuration
Center when configuring the Administration Service (see Run Active Roles Configuration
Center earlier in this document).
To implement this policy, you need to create and apply an Active Roles Policy Object.

Create and apply the Policy Object

Perform the following steps to create and apply the Policy Object using the Active
Roles console.

Active Roles 8.1.3 Evaluation Guide

40
Using Active Roles policies
To create and apply the Policy Object

1. In the console tree, expand Configuration | Policies, right-click Administration,

and select New | Provisioning Policy.
2. On the Welcome page of the New Provisioning Policy Object wizard, click Next.
3. In the Name box, type the name of the Policy Object: Handling Home Folders.
Click Next.
4. On the Policy to Configure page, select Home Folder AutoProvisioning.
Click Next.
5. On the Home Folder Management page:
a. In the To box, type \\<Server>\<Home>\%USERNAME%, where <Server>
is the name of your file server, <Home> is the name of a network share on
your file server. The policy will create home folders in the network share you
have specified.
b. Select both the Apply this home folder setting when user account is
created and Apply this home folder setting when user account is
renamed check boxes.
c. Ensure that the Create or rename home folder on file server as needed
check box is selected.
d. Click Next.
6. On the Home Share Management page, click Next.
7. On the Enforce Policy page, click Add.
8. In the Select Objects window, select your test domain, click Add, and then
click OK.
9. Click Next, and then click Finish.

Test the Home Folder policy

Perform the following steps to see how Active Roles manages the user’s home folder when
you create or rename a user account by using the Active Roles console.

To verify the home folder policy

1. Using the Active Roles console, create a user account in any OU in your test domain.
2. Right-click the user account created in Step 1 and click Properties.
3. In the Properties dialog box, click the Profile tab.
4. On the Profile tab, in the Home folder area, examine the home folder path: The
path is identical to the network path you specified when creating the Policy Object,
with the user logon name (pre-Windows 2000) substituted for %USERNAME%.
5. On your file server, verify that the home folder is created.
6. In the Properties dialog box for the user account, click the Account tab.

Active Roles 8.1.3 Evaluation Guide

41
Using Active Roles policies
7. Modify the value in the User logon name (pre-Windows 2000) box, and
click Apply.
8. On the Profile tab, in the Home folder area, examine the home folder path:
The home folder name is identical to the new value of User logon name (pre-
Windows 2000).
9. On your file server, verify that the home folder is renamed.

Active Roles 8.1.3 Evaluation Guide

42
Using Active Roles policies
7

Managing Exchange recipients

This section provides sample procedures that illustrate how you can use the Active Roles
Console or Web Interface to perform Exchange tasks, and manage Exchange-related
properties of users and groups. To follow these procedures, you must have a supported
Microsoft Exchange Server version installed in your test domain. For the list of Exchange
Server versions supported by Active Roles, see System requirements in the Active Roles
Release Notes.
NOTE: Mailboxes can be created only for Users, enabling mailbox for a Contact is
not allowed.

Create a mailbox for an existing user

Using the Active Roles console or Web Interface, you can create an Exchange mailbox for
an existing user account. To perform this task, follow the steps below.

To create a mailbox for an existing user by using the Active Roles console

1. Right-click the user account and click Exchange Tasks.

2. In the Exchange Task Wizard, click Next, click Create User Mailbox, and
then click Next.
3. Verify that the information in the Alias and Mailbox database boxes is correct, and
then click Next.
4. Click Finish.

To create a mailbox for an existing user by using the Web Interface

Active Roles 8.1.3 Evaluation Guide

43
Managing Exchange recipients
If the Create User Mailbox command is unavailable, the selected user already
has a mailbox.

5. Verify that the information in the Alias and Mailbox database boxes is correct, and
then click the Finish button.

Modify a user’s e-mail address

You can use the Active Roles console or the Web Interface to modify the e-mail address of a
mailbox-enabled user. To perform this task, follow the steps below.

To modify e-mail address using the Active Roles console

1. Right-click the mailbox-enabled user account you want to modify, and then click
Properties.
2. On the E-mail Addresses tab, double-click the address you want to modify.
3. Modify the e-mail address information that appears for the address you have
selected, and click OK.
4. Click OK to close the Properties dialog box.

To modify e-mail address using the Web Interface

Active Roles 8.1.3 Evaluation Guide

44
Managing Exchange recipients
8

Managing permissions in Active

View or modify permission entries

Perform the following steps to manage Active Directory permission entries using the Active
Roles console.

To view or modify permission entries

1. On the View menu, check Advanced Details Pane.

2. In the console tree, expand Active Directory and browse the domain to locate and
select a directory object or container.
3. In the lower sub-pane of the details pane, click the Native Security tab.
This tab displays a list of all permission entries for the selected object or container.

4. On the Native Security tab, right-click an entry in the list, and then click
Properties to examine the selected permission entry.
The ACE Properties window displays the following properties of the permission
entry you have selected:

Active Roles 8.1.3 Evaluation Guide

45
Managing permissions in Active Directory
1. Type Permission type (Allow or Deny).
2. Status For an entry specified by using an Access Template, view whether the
entry is in sync with Active Roles (OK if in sync or, otherwise, an indication of a
problem). Disregard if the entry is specified in a different way.
3. Trustee Security principal to which the permission entry is assigned.
4. Source For an entry specified by using an Access Template, identifies the
name of the Access Template. <None> or Default AD Security if the entry is
specified in a different way.
5. Inherited from Container from which the permission entry is inherited
(if any).
6. Applies to Where the permission entry is applied (this object only, this object
and all child objects, etc.).
7. Permissions A list of permissions specified by the permission entry.
5. To delete a permission entry, right-click the entry, and then click Delete.
6. To start the native Active Directory ACL editor, right-click a permission entry, and
then click Edit Native Security.
You can use the ACL editor to add new permission entries and view or modify existing
permission entries.

Manage native security with Access

Templates
To add permission entries to Active Directory using an Access Template, perform the
following steps in the Active Roles console.

To apply Access Template to Active Directory

1. Select an Active Directory container to which you want to add permission entries.
2. Right-click the selection and click Delegate Control.
3. In the Active Roles Security window, click Add.
4. Follow the steps in the Delegation of Control wizard.
5. On the Permissions Propagation page, select the Propagate permissions to
Active Directory check box.
6. Complete the Delegation of Control wizard.
7. In the Active Roles Security window, click OK.

Once you have completed these steps, new permission entries are created in Active
Directory. You can examine them using the Active Roles console.

Active Roles 8.1.3 Evaluation Guide

46
Managing permissions in Active Directory
To examine permission entries
l Select the container you selected in Step 1 of the previous procedure, and examine
the list of permission entries on the Native Security tab in the lower sub-pane of the
details pane.
The new entries are added to the list. The name of an Access Template in the Source
column indicates the entries specified through the use of that Access Template.

Active Roles maintains one-way synchronization from Active Roles security to each
permission entry defined with the Permissions Propagation option.

To manage synchronization of permissions

1. Go to the Active Roles Security tab in the advanced details pane.

The Sync to Native Security column indicates whether permissions are
synchronized to Active Directory.

2. On the Active Roles Security tab, right-click an entry with the Yes label in the
Sync to Native Security column, click Desync to AD, and then click Yes.
The label in the Sync to Native Security column changes to No.

3. Go to the Native Security tab and refresh the view (press F5).
Active Roles removes the permission entries corresponding to the entry you selected
on the Active Roles Security tab in Step 2.

4. Go to the Active Roles Security tab, right-click the entry you selected in Step 2,
and then click Sync to AD.
The label in the Sync to Native Security column changes to Yes.

5. Go to the Native Security tab and refresh the view (press F5).
Active Roles adds the permission entries corresponding to the entry you selected on
the Active Roles Security tab in Step 4.

6. Go to the Active Roles Security tab, right-click a blank area of the tab, and
then click Add.
7. Follow the steps in the Delegation of Control Wizard to apply an Access Template.
8. On the Permissions Propagation page of the wizard, select the Propagate
permissions to Active Directory check box.
9. Go to the Native Security tab and refresh the view (press F5).
Active Roles adds the permission entries corresponding to the Access Template you
have applied by using the Delegation of Control Wizard.

Active Roles 8.1.3 Evaluation Guide

47
Managing permissions in Active Directory
9

Using dynamic groups

The groups whose membership lists are automatically maintained by Active Roles are
referred to as dynamic groups. For dynamic groups, Active Roles ensures that their
membership lists include only those objects that match membership rules, even if
administrative tools other than Active Roles are used to manage groups.
To automate the maintenance of group membership lists, Active Roles provides:
l Rules-based mechanism that automatically adds and removes objects from groups
whenever object attributes change in Active Directory
l Flexible membership criteria that enable both query-based and static
population of groups

The membership criteria fall into these categories:

l Include Explicitly Ensures that specified objects are included in the membership
list regardless of any changes made to the objects.
l Include by Query Populates the membership list with objects that have certain
properties. When an object is created, or when its properties are changed, Active
Roles adds or removes it from the membership list depending on whether the object’s
properties match the search criteria specified.
l Include Group Members Populates the membership list with members of specified
groups. When an object is added or removed from those groups, Active Roles adds or
removes that object from the membership list.
l Exclude Explicitly Ensures that specified objects are not in the membership list
regardless of any changes made to those objects.
l Exclude by Query Ensures that objects with certain properties are not in the
membership list. Active Roles automatically removes objects from the membership
list depending on whether the objects’ properties match the search criteria specified.
l Exclude Group Members Ensures that members of specified groups are not in the
membership list. When an object is added to any one of those groups, Active Roles
automatically removes that object from the membership list.

Active Roles processes membership rules in the following order by rule category:
l Include by Query
l Include Group Members

Active Roles 8.1.3 Evaluation Guide

48
Using dynamic groups
l Exclude by Query
l Exclude Group Members
l Include Explicitly
l Exclude Explicitly

This section outlines the procedures to follow in order to configure dynamic groups and to
examine the behavior of dynamic groups.

Configure a dynamic group

To configure a dynamic group, perform the following steps using the Active Roles console.

To create a dynamic group

1. Right-click a group, and then click Convert to Dynamic Group.

2. In the confirmation message box, click Yes.
The New Membership Rule wizard starts.

3. Select a rule type, such as Include Explicitly.

4. Click Next.
5. Click Add and select any objects to include in the group.
6. Click Finish.

NOTE: Once you have added a membership rule to a regular group, the group becomes a
dynamic group. This behavior does not depend on the type of the rule. When a group is
converted, all of its previous members are removed. Therefore, after you complete these
steps, the group only includes the objects you selected.
Next, add membership rules to further configure the dynamic group. To accomplish this
task, perform the following steps.

To set up membership rules

1. Right-click the dynamic group and click Properties.

2. In the Properties dialog box, click the Membership Rules tab.
3. On the Membership Rules tab, click Add.
This displays the Membership Rule Type dialog box.

4. In the list of rule types, click Include by Query. Click OK.

This displays the Create Membership Rule dialog box.

5. From the Find list, select Users.

6. From the In list, select your test domain.
7. In the Name box, type a.

Active Roles 8.1.3 Evaluation Guide

49
Using dynamic groups
8. Click Add Rule.
As a result, the group will include all users whose names begin with the letter a. (You
might specify a different query-based rule.)

9. On the Membership Rules tab, click Add.

10. In the list of rule types, click Include Group Members and click OK.
11. In the Select Objects window, select the Domain Admins group, click Add, and
then click OK.
As a result, the group will include all members of the Domain Admins group. (You
might choose a different group.)

12. On the Membership Rules tab, click Add.

13. In the list of rule types, click Exclude Explicitly. Click OK.
14. In the Select Objects window, select the Administrator account, click Add, and
then click OK.
As a result, Administrator will be excluded from the group. (You might choose a
different user account to exclude.)

15. In the Properties dialog box, click OK.

If you no longer want the group to be dynamic, right-click the group and then click Convert
to Basic Group. This operation only removes all membership rules from the group,
whereas the group membership list remains intact.

Test the dynamic group

Use the following tests to examine the behavior of the dynamic group you have configured.
In the Active Roles console, right-click your dynamic group and click Properties. Examine
the Properties dialog box:
l On the General tab, the Notes box contains a text indicating that this group is a
dynamic group.
l On the Members tab, you cannot modify the membership list.
l The Membership Rules tab displays a list of membership rules. You can add,
modify, and remove rules.

Explicit inclusion
To examine the behavior of membership rules based on explicit inclusion, perform the
following steps with the Active Roles console.

Active Roles 8.1.3 Evaluation Guide

50
Using dynamic groups
To examine explicit inclusion

1. Open the Properties dialog box for your dynamic group, and go to the Members
tab: the objects you explicitly included in the group are in the membership list.
2. Close the Properties dialog box.
3. Rename, modify, or move objects you selected for the explicit inclusion.
4. Open the Properties dialog box for your dynamic group, and go to the Members
tab: the objects remain in the group membership list; for the objects you renamed,
the list displays new names.

Explicit inclusion adds objects by object ID that remains unchanged during the entire object
lifecycle. Once added through explicit inclusion, an object can only be removed from a
dynamic group in one of these ways:
l Delete the membership rule for explicit inclusion of that object.
l Add the membership rule for explicit exclusion of that object.

To add or remove membership rules, you can use the Membership Rules tab in the
Properties dialog box for the dynamic group.

Explicit exclusion
To examine the behavior of membership rules based on explicit exclusion, perform the
following steps using the Active Roles console. These instructions assume that you have
chosen the Administrator account for explicit exclusion from your dynamic group.

To examine explicit exclusion

1. Open the Properties dialog box for Domain Admins group and go to the Members
tab to check that Administrator is a member of the Domain Admins group. Close the
Properties dialog box.
2. Open the Properties dialog box for your dynamic group, go to the Membership
Rules tab, and add the explicit inclusion rule that makes Administrator a member of
your dynamic group.
3. Apply your changes by clicking Apply in the Properties dialog box for your
dynamic group.
4. Go to the Members tab, click the Rebuild button and note that Administrator is not
a member of your dynamic group although each of the following rules adds
Administrator to the group:
l Explicit inclusion rule (you configured it in Step 2).
l Query-based inclusion rule (Administrator’s name begins with the letter a).
l Group membership inclusion rule (Administrator is a member of the group
Domain Admins).

Active Roles 8.1.3 Evaluation Guide

51
Using dynamic groups
Explicit exclusion removes objects by object ID that remains unchanged during the entire
object lifecycle. Once removed through explicit exclusion, an object can only be added to
the dynamic group after deleting the Exclude Explicitly membership rule for that object.

Inclusion by query
To examine the behavior of query-based inclusion rules, perform the following steps using
the Active Roles console. These instructions assume that your query-based rule is
configured so that the group includes all users whose names begin with the letter a.

To examine inclusion by query

1. In any OU in your test domain, create a new user account with a full name that
begins with the letter a.
2. Open the Properties dialog box for your dynamic group, and go to the Members
tab: the new user account is in the membership list (unless it is removed from the
dynamic group by exclusion rules).
3. Rename an existing user account so that its new full name begins with the letter a.
4. Go to the Members tab in the Properties dialog box for your dynamic group, and
click the Rebuild button: the user account is added to the membership list (unless it
is removed from the dynamic group by exclusion rules).
5. Rename the user account you managed in Step 4 so that its new full name begins
with the letter b.
6. Go to the Members tab in the Properties dialog box for your dynamic group, and
click the Rebuild button: the user account is removed from the membership list
(unless it is added to the dynamic group by explicit inclusion rules).

Inclusion of group members

To examine the behavior of membership rules based on group membership, perform the
following steps using the Active Roles console. These instructions assume that you have
configured your dynamic group to include the members of the group Domain Admins.

To examine inclusion of group members

1. Open the Properties dialog box for your dynamic group, and go to the Members
tab: the members of the Domain Admins group are in the membership list (except
those removed from the dynamic group by exclusion rules).
2. Add a member to the Domain Admins group.
3. Go to the Members tab in the Properties dialog box for your dynamic group, and
click the Rebuild button: the new member of the Domain Admins group is added to
your dynamic group (unless that member is removed from the dynamic group by
exclusion rules).

Active Roles 8.1.3 Evaluation Guide

52
Using dynamic groups
4. Remove a member from the Domain Admins group.
5. Go to the Members tab in the Properties dialog box for your dynamic group, and
click the Rebuild button: the object you removed from the Domain Admins group is
also removed from your dynamic group (unless that object is added to the dynamic
group by explicit inclusion rules).

Enforcement of membership rules

When changes are made to the membership list of a dynamic group, Active Roles detects
the changes regardless of their origin, and reapplies membership rules. This ensures that
the group membership list is in compliance with the rules even if it was modified by using
an administrative tool other than Active Roles. For example, you can use the Active
Directory Users and Computers tool to make changes to the membership list of a dynamic
group, and see how Active Roles reapplies membership rules.
Perform the following steps in the Active Directory Users and Computers.

To examine enforcement of membership rules

1. Open the Active Directory Users and Computers tool (run dsa.msc from a
command prompt).
2. In any OU in your test domain, create a user account with a full name that begins
with the letter a.
3. Open the Properties dialog box for your dynamic group, and go to the Members
tab: the new user is in the group membership list.
4. On the Members tab, select that user, and click Remove. Click Yes. Click OK.
5. Open the Properties dialog box for your dynamic group, and go to the Members
tab: the user is still in the group membership list.
Active Roles has detected the removal, and added the user to the group in
accordance with the membership rules.

Active Roles 8.1.3 Evaluation Guide

53
Using dynamic groups
10

Delegating computer resource

management

Active Roles provides the capability to delegate administration of computer resources, such
as network shares, services, and logical printers. It is also possible to delegate
administration of local users and groups on member servers and workstations. Delegated
administrators can use the Active Roles Web Interface to manage computer resource.
Active Roles comes with a suite of Access Templates that facilitate the delegation of
computer management tasks. When applied to an OU, Access Templates from that suite
provide for the following levels of access to the computers placed in that OU:
l Full Control Perform all management tasks on computer resources.
l Local Account Operator Create, modify, and delete local user accounts and
groups.
l Network Share Operator Create, modify, and delete network shares.
l Print Operator View and modify properties of logical printers; manage print jobs.
l Service Operator Start/stop services; view/modify service properties.
l Server Operator Start/stop services; create, modify, and delete network shares;
pause/resume/cancel printing; view properties of all computer resources.

This section outlines the procedure you can use to assign the Server Operator role to a
delegated administrator for an OU, and briefly describes how to perform computer
management tasks using the Active Roles Web Interface for Administrators.

Assign the Server Operator role for an

OU
When you assign the Server Operator role to a group for a given OU, you authorize the
members of that group to perform all management tasks on the services, network shares,
and logical printers on any computer in that OU and its child OUs.
You can assign the Server Operator role using the Active Roles console as follows.

Active Roles 8.1.3 Evaluation Guide

54
Delegating computer resource management
To assign the Server Operator role for OU

1. In the Active Roles console, right-click the OU and then click Delegate Control.
2. In the Active Roles Security window, click Add.
3. Follow the steps in the Delegation of Control wizard.
4. On the Users or Groups page, click Add.
5. Select the group you want to designate as the delegated administrator and click OK.
6. Click Next.
7. On the Access Templates page, expand Computer Resources, select the check
box next to Computer Management - Server Operator, and then click Next.
8. Click Next two times, and then click Finish.

To enable the delegated administrators to browse OUs in the domain, you must grant them
the Read All Properties permission on the OU objects at the domain level.

To grant the Read All Properties permission

1. Select the domain and use the Delegation of Control wizard as described in the
previous procedure.
2. On the Access Templates page, expand Active Directory, and select the check
box next to OUs – Read All Properties.

Test the delegated administrator’s

rights
The delegated administrator can use the Active Roles Web Interface for Administrators to
perform management tasks on computer resources. Take the following steps to verify the
administrator’s rights.

To verify the delegated administrator’s rights

1. Log on to your computer with the delegated administrator’s user name and
password.
2. Connect to the Web Interface for Administrators: Open your Web browser and
navigate to http://localhost/ARWebAdmin.
3. In the Search box on the header of the Web Interface page, type the name of the OU
for which the delegated administrator is assigned the Server Operator role, and then
press Enter.
4. In the list of search results, click the name of the OU to displays a list of computers
held in that OU.
5. In the list of computers, click select the check box next to the name of a computer.

Active Roles 8.1.3 Evaluation Guide

55
Delegating computer resource management
6. In the right pane of the Web Interface page, click Manage to view a list of resource
categories.
7. Verify that you can start and stop services on the selected computer:
a. In the list of resource categories, click Services to view a list of services
installed on the selected computer.
b. To start a stopped service, select the check box next to the name of that
service, and then click Start in the right pane.
c. To stop a started service, select the check box next to the name of that service,
and then click Start in the right pane.
8. Return to the list of resource categories: In the breadcrumb navigation control above
the list of services, click the name of the computer, and then, in the right pane of the
Web Interface page, click Manage.
9. Verify that you have full control of network shares on the selected computer:
a. In the list of resource categories, click Shares to view a list of network file
shares defined on the selected computer.
b. To create a new share, click New Share in the right pane of the Web
Interface page.
c. To manage an existing share, select the check box next to the name of that
share and use commands in the upper area of the right pane:
l Click Properties to view or change the properties and security settings
of the selected share.
l Click the Stop Sharing command to remove the selected share.
10. Return to the list of resource categories: In the breadcrumb navigation control above
the list of services, click the name of the computer, and then, in the right pane of the
Web Interface page, click Manage.
11. Verify that you can view or change printer properties as well as pause, resume, and
cancel printing of documents on a given printer:
a. In the list of resource categories, click Printers to view a list of printers
installed on the selected computer.
b. In the list of printers, select the check box next to the name of a printer and
then click commands in the right pane of the Web Interface page to perform
the following tasks:
l Click Properties to view or change the properties of the selected printer.
l Click Pause to suspend printing of all documents on the printer. This will
replace Pause with Resume.
l To continue printing, click Resume.
l Click Cancel All Documents to cancel printing of all documents on
the printer.
l Click Print Jobs to view a list of documents being printed. You can select
a document from the list, and then use command in the right pane to
pause, resume, restart, or cancel printing of that document.

Active Roles 8.1.3 Evaluation Guide

56
Delegating computer resource management
11

Using audit trail and reporting

This section describes how to view the Active Roles audit trail and how to work with Active
Roles reports.

Analyze the Audit Trail

Active Roles provides a complete audit trail, showing who performed what actions and who
tried to perform actions that were not permitted, and offers a rich suite of reports based on
the audit trail.
Active Roles creates the audit trail by generating events and recording them into the
Active Roles Admin Service event log. You can use Event Viewer to examine events
in that log, or you can use Active Roles reports to perform an in-depth analysis of the
audit trail.

Examine the audit trail using event viewer

To view details about an Active Roles event

1. On the computer running the Active Roles Administration Service, open Event
Viewer.
2. In the console tree, under Application and Services Logs, select the Active
Roles Admin Service log.
3. In the details pane, right-click an event, and then click Event Properties.

Use reports to analyze the audit trail

The Work with Active Roles reports section provides information about how to use reporting
in Active Roles. You can also create reports based on the Active Roles audit trail. Some
examples are as follows.

Active Roles 8.1.3 Evaluation Guide

57
Using audit trail and reporting
Work with Active Roles reports
Active Roles comes with a rich suite of reports—Active Roles Report Pack. Active Roles
reports cover all administrative actions that can be taken with this product. To create
and view reports, you must install Active Roles Collector and Active Roles Report Pack. If
you install Active Roles as described in the section Installing the reporting components
earlier in this document, you have installed all components required to work with Active
Roles reports.

Collect data for reporting

To prepare reports, you first need to collect data for reporting.

To collect data for reporting

1. Open the Active Roles Collector wizard by selecting Active Roles Active Roles
Collector on the Apps page or Start menu, depending upon the version of your
Windows operating system.
2. On the Welcome page, click Next.
3. On the Select Task page, select the option Collect data from the
network. Click Next.
4. Click Browse and complete the SQL Server Connection wizard as follows.
You only need to complete the SQL Server Connection wizard once, when using the
Collector wizard for the first time.

5. On the SQL Server page, click Use SQL Server authentication, and set the other
options as follows:
a. In the Server box, enter <ServerName>\sqlexpress, replacing
<ServerName> with the name of the computer on which you installed SQL
Server Express.
b. In the Logon Name box, type sa.
c. In the Password box, type the password for the sa login.
6. Click Next.
7. On the Select database page, in the Database box, type ARServerReporting.
The wizard will create a database with the name you specify. It is advisable to
create a new database rather than select an existing database. If you select an
existing database, the data in that database may be corrupted during the data
collection process.

8. In the Configure Data Source dialog box, review the settings you have specified,
and then click OK.

Active Roles 8.1.3 Evaluation Guide

58
Using audit trail and reporting
9. In the Active Roles Service box, type the name of the computer running the
Administration Service.
10. Select the Current User option (assuming that you are logged on as an
administrator of that computer).
11. Click Next.
12. On the Data Collection Tasks page, in the Collect box, select all check
boxes. Click Next.
13. On the Data to Collect page, in the Collect box, select all check boxes. Click Next.
14. On the Select Domains or OUs page, click Add and select your test
domain. Click Next.
15. On the Select Operation Mode page, select the Now option. Click Next.
16. Wait while the wizard collects data for reporting.
17. Click Finish to close the wizard.

Generate and view reports

After the data for reporting is collected, you need to configure the data source for the Active
Roles Report Pack to connect to the database where you have collected data for reporting.

To configure the data source

1. Start SSRS Report Manager from your Web browser.

Report Manager is installed during setup of SQL Server Reporting Services (SSRS) on
the same computer as the report server. To start Report Manager, open your web
browser and type the Report Manager URL into the browser address bar. By default,
the URL is http://<ComputerName>/reports.

2. Perform the following steps on the Contents page that appears:

a. Click Details View.
b. Click Active Roles.
c. Click SharedDataSources.
d. Click the data source named Active Roles 8.1.3 Report Data.
3. In the Connection string box on the Properties page that appears, specify the SQL
Server instance and the name of the database that holds the report data prepared by
the Active Roles Collector.
For example, if the name of the database is ARServerReporting and the database is
on the SQL Server instance named MyServer\sqlexpress, then the connection string
is as follows:
data source = MyServer\sqlexpress initial catalog = ARServerReporting

4. Click Apply.

Active Roles 8.1.3 Evaluation Guide

59
Using audit trail and reporting
Once you have configured the data source, you can use Report Manager to generate and
view reports.

To generate and view reports

1. In Report Manager, at the top of the window, click Active Roles.

2. Perform the following steps on the Contents page that appears:
a. Click 8.1.3.
b. Click the folder containing a report you want to prepare.
c. Click the name of the report.
3. Wait while the Report Manager generates the report.

Active Roles 8.1.3 Evaluation Guide

60
Using audit trail and reporting
12

Using Active Roles replication

Active Roles uses the replication functionality of Microsoft SQL Server to copy and
distribute configuration data from one Administration Service database to another, and to
synchronize between configuration databases for consistency.
Administration Service database servers synchronized by using the SQL Server replication
function are referred to as replication partners. Each replication partner hosts a writable
copy of the Active Roles configuration data. Whenever changes are made on one replication
partner, the changes are propagated to the other replication partners.
This section outlines the procedures to follow in order for you to configure replication and
see how replication works in Active Roles. To use these procedures, you must install Active
Roles on two network computers, as described in the Test lab setup section earlier in this
document. Two Active Roles instances will be configured to replicate configuration data
with each other.
NOTE:
l Due to limited replication-related capabilities of SQL Server Express (may hold only
the Subscriber role), the scenario discussed in this section requires a different
edition of SQL Server (such as Enterprise, Standard, or Workgroup) to be used as
the Publisher role holder.
l For the purposes of this evaluation scenario, you may use the same SQL
Server to host the databases for both the Administration Services participating
in the scenario.
l When installing the second Administration Service, specify a database name that is
different from the name of the database used by the first Administration Service.
This ensures that each Administration Service uses a separate database, so two
databases could be synchronized with each other via replication of data.

Configure replication
When configuring Active Roles replication, you first create a replication group by
designating the database server of a particular Administration Service as the Publisher.
When planning to assign the Publisher role to the database server of a certain
Administration Service, ensure that the following requirements are met:

Active Roles 8.1.3 Evaluation Guide

61
Using Active Roles replication
l The SQL Server Agent service is started on SQL Server that hosts the database of
that Administration Service, and configured to log on as a domain user account with
administrator rights on SQL Server.
l The Administration Service is configured to log on as a domain user account with
administrator rights on SQL Server.

For evaluation purposes, you may configure both the SQL Server Agent service and the
Administration Service to log on as a user account that belongs to the Domain Admins
group of your test domain.
To assign the Publisher role to the database server of a certain Administration Service,
perform the following steps using the Active Roles console.

To create the Publisher

1. Open the Active Roles console and connect to the Administration Service whose
database server you want to designate as the Publisher.
2. In the console tree, expand Configuration, expand Server Configuration, and
then select Configuration Databases.
3. In the details pane, right-click the database server and click Promote.
4. In the confirmation message box, click Yes.
5. Wait while Active Roles completes the operation.

The new replication group now has a single member—the Publisher. You can add replication
partners—Subscribers. To add a Subscriber, perform the following steps using the Active
Roles console.

To add a Subscriber

1. Open the Active Roles console and connect to the Administration Server whose
database server you have designated as the Publisher.
2. In the console tree, expand Configuration, expand Server Configuration, and
then select Configuration Databases.
3. In the details pane, right-click the Publisher, and then click Add Replication
Partner.
4. Follow the instructions in the New Replication Partner wizard.
5. On the Database Selection page, click Browse.
6. Use the Connect to Administration Service dialog box to specify the
Administration Service whose database server you want to add to the replication
group. Click OK.
7. Click Next two times, and then click Finish.

Active Roles 8.1.3 Evaluation Guide

62
Using Active Roles replication
Test replication
To see how replication works, create a Managed Unit on one of the Administration Services
you have configured to be replication partners. Then, connect to the other Administration
Service and verify that the new Managed Unit has been replicated to that Service.

To create a Managed Unit

1. Open the Active Roles console and connect to one of the Administration Services.
2. In the console tree, expand Configuration, right-click Managed Units, and select
New | Managed Unit.
3. Complete the New Object - Managed Unit wizard.

Wait a few minutes and then use the Active Roles console to verify that the new Managed
Unit is also created on the other Administration Service.

To verify replication of the Managed Unit

1. Open the Active Roles console and connect to the other Administration Service.
2. In the console tree, expand Configuration, and click Managed Units: the newly
created Managed Unit appears in the details pane.

You can create, modify, or delete Active Roles configuration objects, such as Managed
Units, Access Templates or Policy Objects, on one of the replication partners, regardless of
whether it is the Publisher or a Subscriber, and then connect to other replication partners
and see that your changes are propagated to all replication partners.
NOTE: Although Active Roles replication is configured to initiate the propagation of
changes immediately after the changes are made, it may take a few minutes for SQL
Server to propagate the changes between the Publisher and Subscribers.

Active Roles 8.1.3 Evaluation Guide

63
Using Active Roles replication
13

Customizing the Web Interface

The Active Roles Web Interface allows you to customize menus, commands, and forms
used to administer directory objects. You can add and remove commands or entire menus,
assign tasks and forms to commands, modify existing forms, and create new commands,
tasks, and forms.
To use the customization capabilities of the Web Interface, you must be logged on as Active
Roles Admin. If you have used the default settings when installing the Administration
Service, the Active Roles Admin account is set to the Administrators local group on the
computer running the Administration Service. So, to customize the Web Interface in your
test environment, log on with any user account that is a member of that group.
This section provides an example of how to customize the Site for Administrators. By
default, the Web Interface pages for user account creation do not include the box where
you could specify the user’s telephone number. After you complete the following steps, a
new field—Telephone Number—is added on the Web page for user account creation.
When you fill in that field, the number is saved in the telephoneNumber property of the
user account.

Add a text box to the user creation page

Perform the following steps to add the Telephone number field on the Web page for
user creation.

To add the field to the form for user account creation

1. Connect to the Web Interface for Administrators: Open your Web browser and
navigate to http://localhost/ARWebAdmin.
2. On the Web Interface Home page, click Customization.
3. On the Customization page that appears, click Customization Tasks.
This displays a list of object types. Each object type is linked with a list of commands,
referred to as a menu. When you manage an object in the Web Interface, the menu
linked with the type of that object provides the commands to perform management
tasks. Since you want to customize the behavior of the user creation command, you

Active Roles 8.1.3 Evaluation Guide

64
Customizing the Web Interface
should access the menu containing that command—the menu linked with the
Container object type.
NOTE: The Customization option is unavailable unless you are logged on as
Active Roles Admin.

4. In the list of object types, click Container.

5. In the list of commands, click New User.
6. In the right pane of the Web Interface page, click Edit Form.
This opens the form in the Form Editor. The Form Editor provides you with a central
place to add, remove, or modify tabs and entries, as well as to change the order of
tabs and entries on the form.
In the Web Interface, the user creation task is divided into a series of steps.
Therefore the form includes several tabs, with each tab being used to perform a
particular step. You are going to add a field to the General tab.

7. On the toolbar in the Form Editor, point to Add Entry and click Create.
This displays a list of properties. You can select the property you want to manage by
using the new entry.

8. In the list of properties, click Telephone Number. Click Next.

This displays the page where you can set the name of the entry. The entry name is
used to label the field on the form.

9. Specify Telephone number as the entry name, and click Finish.

This displays the entries disposed on the General tab. The tab now includes the
Telephone number entry. For these changes to take effect, they must be saved,
and then the Web Interface configuration data must be reloaded.

10. Click Save, and then click Reload on the message bar that appears at the top of the
Form Editor page.
NOTE: You can undo the changes you have made: In the leftmost pane of the
Web Interface page, click to expand the Customization item, and then click
Restore Default.

Test the user creation page

After you complete the steps in the previous section, you can use the Web Interface for
Administrators to verify that the new field is added to the user creation page.

To verify the configuration of the user creation page

1. Go to the Web Interface Home page.

2. In the Search box on the header of the Web Interface page, type the name of the OU
where you want to create the user, and then press Enter.
3. In the list of search results, click the name of the OU.

Active Roles 8.1.3 Evaluation Guide

65
Customizing the Web Interface
4. In the right pane of the Web Interface page, click New User.
5. Review the New User wizard: The General page now includes the Telephone
Number field.

NOTE: You can also use the Customize link to add and remove user interface elements
from the form. This link is equivalent to the command Edit Form.

Active Roles 8.1.3 Evaluation Guide

66
Customizing the Web Interface
About us

About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
l Submit and manage a Service Request
l View Knowledge Base articles
l Sign up for product notifications
l Download software and technical documentation
l View how-to videos at www.YouTube.com/OneIdentity
l Engage in community discussions
l Chat with support engineers online
l View services to assist you with your product

Active Roles 8.1.3 Evaluation Guide

67
About us

The Product Manager's Desk Reference, Third Edition
From Everand
The Product Manager's Desk Reference, Third Edition
Steven Haines
No ratings yet
Admin Guide Human Capital Management
No ratings yet
Admin Guide Human Capital Management
2,371 pages
Kubernetes Handbook: Non-Programmer's Guide to Deploy Applications with Kubernetes
From Everand
Kubernetes Handbook: Non-Programmer's Guide to Deploy Applications with Kubernetes
Stephen Fleming
3.5/5 (2)
ANSWER Key Quiz 5 Auditing CIS
100% (1)
ANSWER Key Quiz 5 Auditing CIS
7 pages
Nms2000 Installation Instruction - 20140313 (v3.0)
No ratings yet
Nms2000 Installation Instruction - 20140313 (v3.0)
18 pages
ActiveRoles 7.3 Evaluation Guide
No ratings yet
ActiveRoles 7.3 Evaluation Guide
67 pages
ActiveRoles UserGuide
No ratings yet
ActiveRoles UserGuide
137 pages
ActiveRoles-8.1.5-QuickStartGuide
No ratings yet
ActiveRoles-8.1.5-QuickStartGuide
146 pages
ActiveRoles_AdministrationGuide
No ratings yet
ActiveRoles_AdministrationGuide
984 pages
ActiveRoles Predefined Access Templates Guide
No ratings yet
ActiveRoles Predefined Access Templates Guide
51 pages
ActiveRoles 7.3 Feature Guide
No ratings yet
ActiveRoles 7.3 Feature Guide
48 pages
ActiveRoles 7.3 Product Overview Guide
No ratings yet
ActiveRoles 7.3 Product Overview Guide
32 pages
ActiveRoles_WebInterfaceUserGuide
No ratings yet
ActiveRoles_WebInterfaceUserGuide
202 pages
ActiveRoles 7.3 Administration Guide
No ratings yet
ActiveRoles 7.3 Administration Guide
726 pages
ActiveRoles_How_To_Guide (4)
No ratings yet
ActiveRoles_How_To_Guide (4)
55 pages
ActiveRoles Solutions Guide
No ratings yet
ActiveRoles Solutions Guide
140 pages
ActiveRoles 7.4 How To Guide
No ratings yet
ActiveRoles 7.4 How To Guide
53 pages
ActiveRoles Administration Guide
No ratings yet
ActiveRoles Administration Guide
1,068 pages
ActiveRoles 7.4.1 Administration Guide
No ratings yet
ActiveRoles 7.4.1 Administration Guide
870 pages
ActiveRoles_Web_Interface_User's_Guide
No ratings yet
ActiveRoles_Web_Interface_User's_Guide
42 pages
ActiveRoles_Web_Interface_Administration_Guide
No ratings yet
ActiveRoles_Web_Interface_Administration_Guide
97 pages
ActiveRoles_WebInterfaceConfigurationGuide
No ratings yet
ActiveRoles_WebInterfaceConfigurationGuide
112 pages
ActiveRoles_SynchronizationServiceAdministrationGuide
No ratings yet
ActiveRoles_SynchronizationServiceAdministrationGuide
435 pages
ActiveRoles_SyncService_AdminGuide
No ratings yet
ActiveRoles_SyncService_AdminGuide
453 pages
ActiveRoles_Synchronization_Service_Administration_Guide
No ratings yet
ActiveRoles_Synchronization_Service_Administration_Guide
421 pages
ActiveRoles 7.3 Azure AD Office365 Administration Guide
No ratings yet
ActiveRoles 7.3 Azure AD Office365 Administration Guide
58 pages
OneIM OperationalGuide
No ratings yet
OneIM OperationalGuide
197 pages
ActiveRoles 7.2 Azure AD Office365 Administrator Guide
No ratings yet
ActiveRoles 7.2 Azure AD Office365 Administrator Guide
46 pages
ActiveRoles 7.3 Exchange Resource Forest Management Administration Guide
No ratings yet
ActiveRoles 7.3 Exchange Resource Forest Management Administration Guide
36 pages
OneIM ITShop Administration
No ratings yet
OneIM ITShop Administration
270 pages
Android Jetpack Compose Handbook
From Everand
Android Jetpack Compose Handbook
Onyx Rose
No ratings yet
Mastering CryENGINE
From Everand
Mastering CryENGINE
Sascha Gundlach
No ratings yet
Swing Extreme Testing
From Everand
Swing Extreme Testing
Lindsay Peters
3.5/5 (1)
Docker Orchestration
From Everand
Docker Orchestration
Randall Smith
No ratings yet
Plone 3 Intranets
From Everand
Plone 3 Intranets
Victor Fernandez de Alba
No ratings yet
SPS_6.2_SecurityChecklist
No ratings yet
SPS_6.2_SecurityChecklist
7 pages
Agile Web Application Development with Yii1.1 and PHP5
From Everand
Agile Web Application Development with Yii1.1 and PHP5
Jeffrey Winesett
3.5/5 (1)
Performance Management System: Course Instructor: Ms. Hina Shahab
No ratings yet
Performance Management System: Course Instructor: Ms. Hina Shahab
50 pages
Mastering Eclipse Plug-in Development
From Everand
Mastering Eclipse Plug-in Development
Dr Alex Blewitt
No ratings yet
Scalabilityand High Availabilityin Safeguard
No ratings yet
Scalabilityand High Availabilityin Safeguard
21 pages
WebSphere Application Server 7.0 Administration Guide
From Everand
WebSphere Application Server 7.0 Administration Guide
Steve Robinson
No ratings yet
Role and Role Effectiveness
No ratings yet
Role and Role Effectiveness
20 pages
OneIM WebPortal UserGuide
No ratings yet
OneIM WebPortal UserGuide
472 pages
It Manager
No ratings yet
It Manager
3 pages
One Identity Solutions Fact Sheet Datasheet 153076
No ratings yet
One Identity Solutions Fact Sheet Datasheet 153076
2 pages
Learning Puppet
From Everand
Learning Puppet
Jussi Heinonen
No ratings yet
Visual SourceSafe 2005 Software Configuration Management in Practice
From Everand
Visual SourceSafe 2005 Software Configuration Management in Practice
Aleksandar Seovic
No ratings yet
Designing deep learning systems: Software engineering, #1
From Everand
Designing deep learning systems: Software engineering, #1
rayaan
No ratings yet
Grails 1.1 Web Application Development
From Everand
Grails 1.1 Web Application Development
Jon Dickinson
No ratings yet
OneIdentityManagerOnDemand QuickStart
No ratings yet
OneIdentityManagerOnDemand QuickStart
18 pages
Middleware Management with Oracle Enterprise Manager Grid Control 10g R5
From Everand
Middleware Management with Oracle Enterprise Manager Grid Control 10g R5
Arvind Maheshwari
3/5 (1)
Mastering Shell for DevOps: Automate, streamline, and secure DevOps workflows with modern shell scripting
From Everand
Mastering Shell for DevOps: Automate, streamline, and secure DevOps workflows with modern shell scripting
Gilbert Stew
No ratings yet
Mastering Shell for DevOps
From Everand
Mastering Shell for DevOps
Gilbert Stew
No ratings yet
React Web Development Handbook
From Everand
React Web Development Handbook
Onyx Rose
No ratings yet
Domino 7 Lotus Notes Application Development
From Everand
Domino 7 Lotus Notes Application Development
Dick McCarrick
No ratings yet
Feature Flagging with LaunchDarkly: Modern Approaches to Progressive Deployment
From Everand
Feature Flagging with LaunchDarkly: Modern Approaches to Progressive Deployment
Robert Johnson
No ratings yet
VMware vRealize Operations Essentials
From Everand
VMware vRealize Operations Essentials
Steiner Matthew
No ratings yet
Professional Plone 4 Development
From Everand
Professional Plone 4 Development
Martin Aspeli
3.5/5 (5)
Oracle VM Manager 2.1.2
From Everand
Oracle VM Manager 2.1.2
Tarry Singh
No ratings yet
Mastering JIRA 7 - Second Edition
From Everand
Mastering JIRA 7 - Second Edition
Ravi Sagar
No ratings yet
OneIM AzureActiveDirectory Administration
No ratings yet
OneIM AzureActiveDirectory Administration
248 pages
Internal Performance Feedback - 87686868
No ratings yet
Internal Performance Feedback - 87686868
3 pages
OCA Oracle Database 11g Administration I Exam Guide (Exam 1Z0-052)
From Everand
OCA Oracle Database 11g Administration I Exam Guide (Exam 1Z0-052)
John Watson
No ratings yet
PGT436e - Rangka Kursus
No ratings yet
PGT436e - Rangka Kursus
5 pages
d3d11 Log
No ratings yet
d3d11 Log
547 pages
Chapter-1-3-Updated-2 (1)
No ratings yet
Chapter-1-3-Updated-2 (1)
23 pages
Summative Test Empowerment (Module 5,6 and 7
No ratings yet
Summative Test Empowerment (Module 5,6 and 7
2 pages
Teradata Performance Tuning
No ratings yet
Teradata Performance Tuning
19 pages
PDSInstall Checklist
No ratings yet
PDSInstall Checklist
15 pages
CSE Exclusive
No ratings yet
CSE Exclusive
84 pages
Reporte Verizon
No ratings yet
Reporte Verizon
105 pages
Reversal Automation: System Access Information
No ratings yet
Reversal Automation: System Access Information
6 pages
Shameem Peerbuccoss Java J2EE Developer
No ratings yet
Shameem Peerbuccoss Java J2EE Developer
4 pages
Qualcomm & Leadcore & Intel & Pinecone Platform Series Devices Flash Instruction V42
No ratings yet
Qualcomm & Leadcore & Intel & Pinecone Platform Series Devices Flash Instruction V42
25 pages
Read This Important
No ratings yet
Read This Important
4 pages
3.5 Kemahiran TMK
No ratings yet
3.5 Kemahiran TMK
7 pages
FEAP - A Finite Element Analysis Program: Version 8.4 Installation Manual
No ratings yet
FEAP - A Finite Element Analysis Program: Version 8.4 Installation Manual
11 pages
Set Edit
No ratings yet
Set Edit
32 pages
Get To Know The DoCmd Object - Access VBA Programming
No ratings yet
Get To Know The DoCmd Object - Access VBA Programming
3 pages
Sending E-Mail With Concurrent
No ratings yet
Sending E-Mail With Concurrent
6 pages
Psycopg - PostgreSQL Database Adapter For Python PDF
No ratings yet
Psycopg - PostgreSQL Database Adapter For Python PDF
79 pages
Work Guide: Project Python
No ratings yet
Work Guide: Project Python
44 pages
logtrack
No ratings yet
logtrack
71 pages
Pragya Bansal - Python
No ratings yet
Pragya Bansal - Python
2 pages
Class 4
No ratings yet
Class 4
3 pages
SharePtServTechRef PDF
No ratings yet
SharePtServTechRef PDF
628 pages
Evolution-Of-The-Web - Web 1 To Web 3 - L 5
No ratings yet
Evolution-Of-The-Web - Web 1 To Web 3 - L 5
20 pages
Bca 03
No ratings yet
Bca 03
2 pages
Master Veeam Tricks Volume 1
No ratings yet
Master Veeam Tricks Volume 1
277 pages
Features of MapReduce
No ratings yet
Features of MapReduce
4 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.