Tivoli® Identity Manager
Active Directory Adapter Users Guide
Version 5
SC23-6176-00
Note
Before using this information and the product it supports, read the information in Appendix F, "Notices," on page 57.
This edition applies to version 5 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2007. All rights reserved.
Preface

About this book
This users guide provides information that you need to manage user accounts on the Active Directory using the IBM® Tivoli® Identity Manager. This book describes user account management tasks, such as reconciliation, add, modify, suspend, restore, delete, and password change.

Intended audience for this book
This book is intended for the Active Directory administrators responsible for managing user accounts on the Active Directory server. Readers are expected to understand the account management tasks in Tivoli Identity Manager. Readers must also be familiar with the routine security administration tasks and operating system concepts.

Publications and related information
This section lists publications in the Active Directory Adapter library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.
Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the "Prerequisite product publications" on page v and the "Related publications" on page vi. After you determine the publications you need, refer to the instructions in "Accessing publications online" on page vii.
Tivoli Identity Manager library
The publications in the technical documentation library for your product are organized into the following categories:
- Release information
- Online user assistance
- Server installation and configuration
- Problem determination
- Technical supplements
- Adapter documentation

Release information:
- Release Notes
  Provides software and hardware requirements for the product, additional fix pack, and other support information.
- Read This First card
  Lists the publications for the product.

Online user assistance:
Provides online help topics and an information center for administrative tasks.

Server installation and configuration:
Provides installation and configuration information for the product server.

Problem determination:
Provides problem determination, logging, and message information for the product.

Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:
- Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
- Redbooks™ and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Navigate to the Self Help section, in the Learn category, and click the Redbooks link.
- Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks® Web address:
  http://www.ibm.com/developerworks/

Adapter documentation:
The technical documentation library also includes a set of platform-specific documents for the adapter components of the product. Adapter information is available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the adapter information that you want.

Skills and training:
The following additional skills and technical training information were available at the time that this manual was published:
- Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
- Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations:
- Active Directory
  – Microsoft Windows 2000 Server running Active Directory
    http://www.microsoft.com/windows2000/en/server/help/
  – Microsoft Windows 2003 Server running Active Directory
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/default.asp
  – Microsoft Windows XP Server running Active Directory
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcf_omn_gjjv.asp
- Operating systems
  – z/OS
    http://www-1.ibm.com/servers/eserver/zseries/zos/
  – IBM AIX®
    http://publib16.boulder.ibm.com/pseries/Ja_JP/infocenter/base/index.htm
  – Solaris Operating Environment
    http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux
    http://www.redhat.com/docs/
  – Microsoft® Windows® Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
- Database servers
  – IBM DB2 Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
- Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
- WebSphere
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
- WebLogic Server
  http://e-docs.bea.com/
- WebSphere® embedded messaging
  http://www.ibm.com/software/integration/wmq/
- IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html
- Web Proxy Server
  – IBM HTTP Server
    http://www.ibm.com/software/webservers/httpservers/library.html
  – Microsoft IIS HTTP Server
    http://www.microsoft.com/technet/prodtechnol/iis/default.asp
  – Apache HTTP Server
    http://httpd.apache.org/docs-project
Related publications
Information that is related to your product is available in the following publications:
- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing terminology online
The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:
The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:
http://www.ibm.com/software/globalization/terminology
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the link for your product to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your paper.
Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi. You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.
For additional information, see Appendix D, "Accessibility features for the Active Directory Adapter," on page 51.
Tivoli technical training
For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
- Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
- Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix E, "Support information," on page 53.
Conventions used in this book
This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions
This guide uses the following typeface conventions:
Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, attribute names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text
- Command names
Italic
- Words defined in text
- Emphasis of words (words as words)
- New terms in text (except in a definition list)
- Variables and values you must provide
Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options
- Names of object classes

Operating system-dependent variables and paths
This guide uses the Windows® convention for specifying environment variables and for directory notation.
When using the Unix command line, replace %variable% with $variable for environment variables and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Contents
Preface . . . iii
  About this book . . . iii
  Intended audience for this book . . . iii
  Publications and related information . . . iii
    Tivoli Identity Manager library . . . iii
    Prerequisite product publications . . . v
    Related publications . . . vi
  Accessing terminology online . . . vi
  Accessing publications online . . . vii
  Ordering publications . . . vii
  Accessibility . . . vii
  Tivoli technical training . . . vii
  Support information . . . viii
  Conventions used in this book . . . viii
    Typeface conventions . . . viii
    Operating system-dependent variables and paths . . . viii
List of tables . . . xiii
Chapter 1. Introduction to the Active Directory Adapter . . . 1
  Features of the Active Directory Adapter . . . 1
Chapter 2. Checklist for configuring Tivoli Identity Manager to run the adapter . . . 3
Chapter 3. Active Directory Adapter user account management tasks . . . 5
  Reconciling user accounts . . . 5
    Attributes reconciled . . . 6
    Attributes not reconciled . . . 7
    Reconciling support data . . . 7
    Reconciling the userAccountControl attribute . . . 7
    Filter reconciliation . . . 7
  Adding user accounts . . . 12
    Attributes for adding user account . . . 12
    Creating a distinguished name for a user account . . . 13
    User principal name of a user account . . . 14
    Specifying controls for a user account . . . 15
    Creating a home directory for a user account . . . 16
    Enabling a user account for mail . . . 17
    Creating a proxy address for a user account . . . 17
  Modifying user accounts . . . 18
    Modifying the container attribute . . . 18
    Modifying the HomeDirectory attribute . . . 19
    Modifying user password . . . 22
    Modifying the MailboxStore attribute . . . 22
  Suspending user accounts . . . 23
  Restoring user accounts . . . 24
  Deleting user accounts . . . 24
    Deleting a mailbox . . . 24
Chapter 4. Troubleshooting the Active Directory Adapter errors . . . 25
Appendix A. Country and region codes . . . 33
Appendix B. Active Directory Adapter attributes . . . 41
Appendix C. APIs used by the Active Directory Adapter . . . 47
  ADSI interfaces and the corresponding APIs used by the Active Directory Adapter . . . 47
  WIN32 APIs used by the Active Directory Adapter . . . 50
Appendix D. Accessibility features for the Active Directory Adapter . . . 51
  Accessibility features . . . 51
  Keyboard navigation . . . 51
  Related accessibility information . . . 51
  IBM and accessibility . . . 51
Appendix E. Support information . . . 53
  Searching knowledge bases . . . 53
    Search the information center on your local system or network . . . 53
    Search the Internet . . . 53
  Contacting IBM Software Support . . . 53
    Determine the business impact of your problem . . . 54
    Describe your problem and gather background information . . . 55
    Submit your problem to IBM Software Support . . . 55
Appendix F. Notices . . . 57
  Trademarks . . . 58
Index . . . 61

List of tables
1. Attributes supported by the adapter for filter reconciliation . . . 8
2. Attributes not supported by the adapter for filter reconciliation . . . 9
3. Objects and their corresponding object class . . . 11
4. List of attributes and their default values on the Active Directory . . . 12
5. The order of attributes on the Active Directory account form that the adapter checks to generate an RDN . . . 13
6. Attributes on the Active Directory account form and their corresponding property flags . . . 15
7. HomeDirectoryNTFSAccess attribute values and their corresponding permissions on the home directory . . . 16
8. Troubleshooting the Active Directory Adapter errors . . . 25
9. Countries and regions and their corresponding codes . . . 33
10. Mapping of attributes on Tivoli Identity Manager to the attributes on the Active Directory . . . 41
11. ADSI Interfaces and the corresponding APIs used by the Active Directory Adapter . . . 47
12. WIN32 APIs used by the Active Directory Adapter . . . 50
Chapter 1. Introduction to the Active Directory Adapter
The Active Directory Adapter is an application that provides connectivity between Tivoli Identity Manager and the network of systems running the Active Directory. The adapter runs as a service, independent of whether you are logged on to Tivoli Identity Manager. You can automate the following user account management tasks using the Active Directory Adapter and Tivoli Identity Manager:
- Adding Active Directory user accounts
- Creating a home directory for a user account
- Modifying attributes of Active Directory user accounts
- Changing passwords of Active Directory user accounts
- Suspending, restoring, and deleting Active Directory user accounts
- Retrieving user accounts from the Active Directory
- Managing mailboxes on the Exchange server
- Moving a user in the Active Directory hierarchy

Features of the Active Directory Adapter
The Active Directory Adapter supports:
- Reconciliation of user accounts from the Active Directory to the directory server of Tivoli Identity Manager.
- User account management tasks, such as add, modify (including password change), suspend, restore, and delete to manage accounts on the Active Directory using Tivoli Identity Manager.
- Management of the Exchange 2000 and the Exchange 2003 mailboxes.
- Customization of the Active Directory account form.
- Password synchronization of different accounts of a domain user by providing registry access to the Password Synchronization plug-in.
Chapter 2. Checklist for configuring Tivoli Identity Manager to run the adapter
To configure the Tivoli Identity Manager to run the Active Directory Adapter, perform the following steps:
1. Install the Active Directory Adapter. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Installing the adapter."
2. Import the Active Directory profile into the Tivoli Identity Manager. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Importing the adapter profile into the Tivoli Identity Manager."
3. Create an Active Directory service. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Creating an Active Directory service."
4. Create a provisioning policy for the Active Directory Adapter service. For more information about adding a provisioning policy, see the Tivoli Identity Manager information center.
5. Perform a reconciliation operation to retrieve user accounts from the Active Directory and store them in the Tivoli Directory Server. For more information about running a reconciliation operation, see the Tivoli Identity Manager information center.
6. Adopt orphan accounts on the Tivoli Identity Manager. For more information about adopting orphan accounts, see the Tivoli Identity Manager information center.
Chapter 3. Active Directory Adapter user account management tasks
Tivoli Identity Manager manages user accounts stored on the Active Directory using the Active Directory Adapter. You can perform various operations, such as reconciliation, add, modify (including password change), suspend, restore, and delete to manage your accounts. You can manage:
- Accounts for a specific person
- Accounts for a service instance
- Specific accounts using the search function of Tivoli Identity Manager
Before performing any operation using the adapter:
1. Ensure that you perform the steps given in Chapter 2, "Checklist for configuring Tivoli Identity Manager to run the adapter," on page 3.
2. Start the Active Directory Adapter using one of the following methods:
   - Windows services in service mode
     a. In the Windows control panel, double-click Administrative Tools.
     b. Double-click Services.
     c. Right-click the Tivoli Active Directory Agent service, and click Start.
   - Windows command prompt in console mode
     Go to the adapter installation directory and run the following command:
     adagent -console
3. Verify that the Active Directory Adapter registry key settings are configured according to your requirements. To modify the values of the registry keys, use the Active Directory Adapter configuration tool, agentCfg. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for "Registry key descriptions" and "Starting the adapter configuration tool."
Reconciling user accounts
The reconciliation operation retrieves the user account information from the Active Directory and stores it in the directory server of Tivoli Identity Manager.
Reconciliation first compares the user account information on the Active Directory with the existing user IDs on Tivoli Identity Manager and then searches for an existing owner within Tivoli Identity Manager. If a match exists between the user login ID and an account, Tivoli Identity Manager creates an owner relationship between the person and the account. If the user login ID does not match an account, Tivoli Identity Manager lists the unmatched account as an orphan account. Adopting an orphan account assigns ownership of the account to an existing person in Tivoli Identity Manager.
You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its scheduled time does not prevent the reconciliation from running at the scheduled time. For more information about scheduling reconciliation and running a scheduled reconciliation, see the Tivoli Identity Manager information center.
Attributes reconciled
During reconciliation, the value of the sAMAccountName attribute of the Active Directory is returned to Tivoli Identity Manager as the UserId attribute.
When you perform a reconciliation, the Active Directory Adapter returns all containers to the base point that is specified in the Active Directory Adapter service form. If you do not specify a base point at the time of creating an Active Directory service, then the adapter returns all containers to the Active Directory. In a reconciliation operation, you can configure the adapter to return the Windows Terminal services (WTS) attributes and the attributes that are related to the home directory security.
To reconcile the WTS attributes, set the registry keys WtsDisableSearch to FALSE and WtsEnabled to TRUE.
The Active Directory Adapter retrieves the following WTS attributes from the Active Directory:
- AllowLogon
- InitialProgram
- InheritInitialProgram
- ProfilePath
- ConnectClientDrives
- ConnectClientPrinters
- ClientPrinterIsDefault
- WorkingDirectory
- WTSHomeDirectory
- WTSHomeDirectoryDrive
- WTSCallbackSettings
- WTSCallbackNumber
- IdleTimeout
- ConnectionTimeout
- DisconnectionTimeout
- BrokenTimeoutSetting
- ReconnectSettings
- ShadowSettings
The default value of the registry key WtsDisableSearch is TRUE. If you retain the default value, then the adapter does not return the WTS attributes to Tivoli Identity Manager and the reconciliation takes less time.
Use the registry key ReconHomeDirSecurity to retrieve the attributes that are related to the home directory security, such as NTFS security, share name, and share security from the Active Directory. Attributes corresponding to the home directory security are:
- HomeDirectoryNTFSAccess
- HomeDirectoryShare
- HomeDirectoryShareAccess
- WTSHomeDirectoryNTFSAccess
- WTSHomeDirectoryShareAccess
The default value of the registry key ReconHomeDirSecurity is FALSE. If you retain the default value, then the adapter does not retrieve the attributes that are related to the home directory security and the reconciliation takes less time. To reconcile the attributes that are related to the home directory security, set the value of the registry key ReconHomeDirSecurity to TRUE.
Attributes not reconciled
The Active Directory Adapter does not return the following attributes to Tivoli Identity Manager after reconciliation:
- User password
- SystemCall (This attribute is not supported by the Active Directory Adapter.)
- WTSServerName
Except for these attributes and the attributes that are retrieved depending on the values of the registry keys, all other attributes are always reconciled.

Reconciling support data
In addition to reconciling user accounts, the Active Directory Adapter also reconciles support data, such as groups, containers, and mailbox stores to Tivoli Identity Manager. The support data is reconciled only when you perform a full reconciliation.
Reconciling the userAccountControl attribute
The user account status on Tivoli Identity Manager can be either active or inactive. During reconciliation, the Active Directory Adapter retrieves the status of a user account from the userAccountControl attribute on the Active Directory. The ACCOUNTDISABLE property flag value of the userAccountControl attribute determines the status of a user account. For more information about property flags of the userAccountControl attribute, see the Microsoft Windows Server documentation.
Filter reconciliation
Filter reconciliation enables the Active Directory Adapter to reconcile users, groups, containers, and mail stores from the Active Directory based on the filters specified for the reconciliation.
To enable the Active Directory Adapter for filter reconciliation, set the value of the Pass search filter to agent registry key to TRUE. To set the value of the Pass search filter to agent registry key, use the adapter configuration tool, agentCfg. For more information about using the agentCfg tool, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Starting the adapter configuration tool."
The search filter must be a Lightweight Directory Access Protocol (LDAP) version 2 filter. For information about specifying filters, see the Tivoli Identity Manager information center.

Supported attributes
Table 1 on page 8 lists the attributes on the Active Directory account form that the adapter supports for filter reconciliation.
Table 1. Attributes supported by the adapter for filter reconciliation
cn, description, erADAllowDialin, erADBadLoginCount, erADCallbackNumber, erADCountryCode, erADDialinCallback, erADDisplayName, erADEAlias, erADEDaysBeforeGarbage, erADEEnableStoreDeflts, erADEExtension1, erADEExtension10, erADEExtension11, erADEExtension12, erADEExtension13, erADEExtension14, erADEExtension15, erADEExtension2, erADEExtension3, erADEExtension4, erADEExtension5, erADEExtension6, erADEExtension7, erADEExtension8, erADEExtension9, erADEForwardingStyle, erADEForwardTo, erADEHardLimit, erADEHideFromAddrsBk, erADEIncomingLimit, erADELanguages, erADEmployeeID, erADEOutgoingLimit, erADEOverQuotaLimit, erADEOverrideGarbage, erADEProxyAddresses, erADERecipientLimit, erADESMTPEmail, erADEStoreQuota, erADETargetAddress, erADEX400Email, erADfax, erADHomeDir, erADHomeDirDrive, erADHomePage, erADInitial, erADLoginScript, erADLoginWorkstations, erADNamePrefix, erADNameSuffix, erADOfficeLocations, erADOtherName, erADPasswordForceChange, erADPrimaryGroup, erADUPN, erCompany, erDepartment, erDivision, erMaxStorage, erProfile, eruid, givenName, homePhone, l, mail, mobile, pager, postalCode, postOfficeBox, sn, st, street, telephoneNumber, title
Note: The adapter supports extended attributes with the following syntax types:
- String
- Integer
- Boolean

Examples of supported filters
Example 1:
To retrieve user accounts that have the value of the employeeID attribute on the Active Directory account form as 1, specify the filter as (erADEmployeeID=1).
Example 2:
To retrieve user accounts that have the value of the cn attribute on the Active Directory account form as thomas, specify the filter as (cn=thomas).
Example 3:
To retrieve user accounts that have the value of the Department name attribute as ibm and the Country attribute as United States, specify the filter as (&(erADDepartment=ibm*)(erADCountryCode=840)).
Non-supported attributes
Table 2 lists the attributes on the Active Directory account form that the adapter does not support for filter reconciliation.
Table 2. Attributes not supported by the adapter for filter reconciliation
All WTS attributes, erAccountStatus, eradallowencryptedpassword, eradcannotbedelegated, eradcontainer, eraddistinguishedname, eradeapplyontoallow, eradeapplyontodeny, eradeassociatedextacc, erADEAutoGenEmailAddrs, eradechgpermissions, eradedelegates, eradedelmailboxstorage, eradedenypermto1level, eradefullmailboxaccess, erADEGarbageAfterBckp, eradehomemdb, erademailboxstore, eradereadpermissions, erADERstrctAdrsFg, erADERstrctAdrsLs, erADEServerName, eradeshowinaddrbook, eradetakeownership, erADExpirationDate, erADIsAccountLocked, eradlastfailedlogin, eradlastlogoff, eradlastlogon, erADManager, erADNoChangePassword, eradpasswordlastchange, erADPasswordMinimumLength, erADPasswordNeverExpires, erADPasswordRequired, erADRequireUniquePassword, eradsmartcardrequired, eradtrustedfordelegation, ergroup, erLogonTimes, erPassword

Examples of non-supported filters
This section gives examples of non-supported filters.
Example 1: Filter reconciliation of attributes not supported
The adapter does not support filter reconciliation of attributes, such as manager, distinguishedName, and memberOf, because the values of these attributes are stored in the distinguished name (DN) format in the Active Directory.
A group, group1, exists inside the organization unit Test under the domain adlab. This domain lies inside the parent domain com that exists on the Active Directory. The Group attribute on the Active Directory account form is mapped to the memberOf attribute of the Active Directory.
If you specify the value of the Group attribute on the Active Directory account form as group1, then the adapter sets the value of the memberOf attribute in the DN format as CN=group1,OU=Test,DC=adlab,DC=com.
To retrieve users that are members of the group, group1, specify the filter as (ergroup=group1). The adapter searches for the value group1 in the memberOf attribute. Because the value of the memberOf attribute is stored in the DN format, the adapter fails to retrieve users that are members of the group, group1.
Example 2: Bit-level filtering not supported
The adapter does not support bit-level filtering. The userAccountControl attribute in Active Directory is a bit-mapped value attribute. The Active Directory Adapter retrieves the status of a user account from the userAccountControl attribute on the Active Directory. The attribute is of data type integer and its value can be zero or a combination of one or more of the property flags. For more information about the property flags of the userAccountControl attribute, see the Microsoft Windows Server documentation.
To reconcile status of user accounts, specify the filter as (eraccountstatus=1). Because the value of the userAccountControl is a combination of one or more property flags, the adapter fails to retrieve any of the user accounts.
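An added example, not from the IBM guide, covering both "Reconciling the userAccountControl attribute" and this Example 2: over a constructed set of reconciled entries it derives the active/inactive status from the ACCOUNTDISABLE bit, and then shows why an equality match on the integer value (all an LDAP version 2 filter can express) matches none of the disabled accounts while a bitwise test does. The flag values are the ones Microsoft documents for userAccountControl; the sample entries and function names are assumptions.

```python
# Added example, not part of the IBM guide. Flag values are the ones Microsoft
# documents for userAccountControl; the entries below are constructed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed reconciliation sample: sAMAccountName plus the raw integer value
# of userAccountControl as it would be read from the Active Directory.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "thomas", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "carol",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},
]


def account_status(uac: int) -> str:
    """Map userAccountControl to the Tivoli Identity Manager status.

    Only the ACCOUNTDISABLE bit decides; every other flag is ignored.
    """
    return "inactive" if uac & ACCOUNTDISABLE else "active"


def reconcile_status(entries):
    """Status per account, as a reconciliation would return it."""
    return {e["sAMAccountName"]: account_status(e["userAccountControl"]) for e in entries}


def equality_match(entries, attr, value):
    """Evaluate an LDAPv2 equality filter (attr=value) against the integer.

    This is the only comparison available to filter reconciliation, so a filter
    that names a single flag value matches nothing when the stored value is a
    combination of flags (0x202, 0x10202, ...).
    """
    return [e["sAMAccountName"] for e in entries if e[attr] == value]


def bitwise_match(entries, attr, mask):
    """Evaluate a bit-level test (attr AND mask != 0).

    In LDAPv3 this is the extensible match
    (userAccountControl:1.2.840.113556.1.4.803:=2); LDAPv2 filters cannot
    express it, which is why the guide says bit-level filtering is unsupported.
    """
    return [e["sAMAccountName"] for e in entries if e[attr] & mask]


if __name__ == "__main__":
    print(reconcile_status(SAMPLE_ENTRIES))
    print("equality:", equality_match(SAMPLE_ENTRIES, "userAccountControl", ACCOUNTDISABLE))
    print("bitwise: ", bitwise_match(SAMPLE_ENTRIES, "userAccountControl", ACCOUNTDISABLE))
```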
Example 3: Attribute format differences not supported
The adapter does not support filter reconciliation for attributes that have their values stored in the Active Directory in a different format from those displayed on the Active Directory account form. For example, if India is specified as the country on the Active Directory account form, the adapter sets the three digit code 356 as the value of the countryCode attribute in the Active Directory. The countryCode attribute on the Active Directory is mapped to the Country attribute on the Active Directory account form. To reconcile all objects that have the Country attribute set to India, specify the filter as (eradcountrycode=India). The adapter searches for the value India in the countryCode attribute. Because the value of the country India is stored as 356 in the countryCode attribute, the adapter returns success, but does not reconcile any user accounts. For a successful reconciliation, specify the country code of India as 356 in the filter in the following format:
(eradcountrycode=356)
Example 4: Not format filtering leads to unexpected results
A filter using the not format (!(Attributename=Value)) leads to unexpected results. Though the format of the filter is valid, and the search is successful, the adapter retrieves entire sets of data for all objects for which the specified attribute is not set. For example, to retrieve user accounts that have the employeeID attribute not equal to 1000, specify the filter as (!(erADEmployeeID=1000)). The adapter retrieves:
- All user accounts that have the employeeID attribute not equal to 1000.
- All containers because the container object does not contain the employeeID attribute.
- All mail stores because the mail stores object does not contain the employeeID attribute.
For a successful reconciliation, specify the object class with the attribute name. Therefore, to retrieve user accounts that have employeeID attribute not equal to 1000, specify the erADAccount object class with the employeeID attribute in the following format:
(&((!(erADEmployeeID=1000))(objectclass=erADAccount)))
Table 3 lists the objects and their corresponding object class that you must specify in addition to the attribute name for a successful filter reconciliation.
Table 3. Objects and their corresponding object class
Object      Object class
Group       erADGroup
Container   erADContainer
Mail store  erADMailStore
User        erADAccount
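An added example, not from the IBM guide, that builds filter strings obeying the restrictions documented in Examples 1 to 4 above: it rejects attributes from Table 2, translates a country name to the numeric code that countryCode actually stores (Example 3), scopes a negated test to the object class from Table 3 (Example 4), and escapes filter metacharacters in values so a value containing parentheses cannot alter the filter's structure. The attribute sets are subsets of Tables 1 and 2, the country codes are the two the guide itself uses, and the function names are assumptions; negations are emitted with standard RFC 4515 nesting rather than the extra parentheses shown above.

```python
# Added example, not part of the IBM guide. Names are subsets of the guide's
# tables; function names and the escaping helper are constructed.

# Subset of Table 1 (supported) and Table 2 (not supported); LDAP attribute
# names are compared case-insensitively.
SUPPORTED = {"cn", "eradcountrycode", "erademployeeid", "erdepartment", "givenname", "sn", "mail"}
NOT_SUPPORTED = {"ergroup", "eraccountstatus", "eradmanager", "eraddistinguishedname", "erpassword"}

# Table 3: object class that must accompany a negated attribute test.
OBJECT_CLASS = {
    "user": "erADAccount",
    "group": "erADGroup",
    "container": "erADContainer",
    "mailstore": "erADMailStore",
}

# Country name shown on the account form versus the code stored in countryCode
# (only the two values the guide uses; the full list is Appendix A).
COUNTRY_CODE = {"india": "356", "united states": "840"}


class UnsupportedFilterAttribute(ValueError):
    """Raised for attributes the adapter cannot filter on."""


def _escape(value: str) -> str:
    """Escape RFC 4515 metacharacters in a value, leaving '*' so that
    wildcard filters such as (erDepartment=ibm*) still work."""
    return (value.replace("\\", "\\5c")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def equals(attr: str, value: str) -> str:
    """Return (attr=value); reject unsupported attributes and translate a
    country name to the numeric code that is actually stored (Example 3)."""
    key = attr.lower()
    if key in NOT_SUPPORTED or key not in SUPPORTED:
        raise UnsupportedFilterAttribute(attr)
    if key == "eradcountrycode" and not value.isdigit():
        value = COUNTRY_CODE[value.lower()]
    return f"({attr}={_escape(value)})"


def all_of(*filters: str) -> str:
    """AND-combine filters that were already built."""
    return "(&" + "".join(filters) + ")"


def not_equals(attr: str, value: str, obj: str = "user") -> str:
    """Negated test scoped to an object class, so containers and mail stores
    that simply lack the attribute are not swept in (Example 4)."""
    return all_of("(!" + equals(attr, value) + ")", f"(objectclass={OBJECT_CLASS[obj]})")


if __name__ == "__main__":
    print(equals("erADCountryCode", "India"))
    print(not_equals("erADEmployeeID", "1000"))
    print(all_of(equals("erDepartment", "ibm*"), equals("erADCountryCode", "United States")))
```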
Adding
user
accounts
Perform theaddoperationfromTivoliIdentityManagertoadduseraccountsto theActiveDirectory.
Youcanadduseraccountsforeitheran existingperson intheorganizationora new personintheorganization.
For moreinformationaboutaddinguseraccounts,seetheTivoliIdentityManager informationcenter.
Attributes for adding a user account
Specify a value for the UserId attribute to add a user account on the Active Directory. This attribute can contain:
v Letters
v Unicode characters
v Numbers
v The special characters # , + " \ < >
The UserId attribute cannot contain control characters or any special characters other than # , + " \ < >. If the UserId attribute contains unsupported characters, the Active Directory Adapter returns an error message. The adapter stores the value of the UserId attribute in the sAMAccountName attribute on the Active Directory.
Note: The UserId attribute is the only attribute that is required to add an Active Directory account.
If you specify only the UserId attribute on the Active Directory account form when you add a user account, the attributes in Table 4 are set on the Active Directory.
Table 4. List of attributes and their default values on the Active Directory
Attribute         | Default value                                                                                   | Set by
cn                | Value of the UserId attribute on the Active Directory account form                              | Active Directory Adapter
countryCode       | 0. If a country is specified on the Active Directory account form, the corresponding three-digit (ISO 3166 numeric) code is set instead | Active Directory
lastLogoff        | 0                                                                                               | Active Directory
lastLogon         | 0                                                                                               | Active Directory
distinguishedName | cn=RDN,cn=Users,domainname (if no base point is specified on the Active Directory Adapter service form); cn=RDN,container,basepoint (if a base point is specified on the Active Directory Adapter service form) | Active Directory Adapter
primaryGroupID    | 513 (the relative identifier of the Domain Users group)                                         | Active Directory
sAMAccountName    | Value of the UserId attribute on the Active Directory account form                              | Active Directory Adapter
name              | Value of the UserId attribute on the Active Directory account form                              | Active Directory
userPrincipalName | UserId@domain                                                                                   | Active Directory Adapter
badPwdCount       | 0                                                                                               | Active Directory
objectCategory    | CN=Person,CN=Schema,CN=Configuration,DC=domainname                                              | Active Directory
Creating a distinguished name for a user account
The Active Directory Adapter computes the values of various attributes on the Active Directory account form to create a distinguished name (DN) for a user account. To create a DN, the adapter:
1. Generates a relative distinguished name (RDN) for the user account.
Table 5 lists the order in which the Active Directory Adapter checks the values of the attributes on the Active Directory account form to generate an RDN.
Table 5. The order of attributes on the Active Directory account form that the adapter checks to generate an RDN
Attributes on Tivoli Identity Manager | RDN value
Full Name                             | Full Name
Display Name                          | Display Name
First Name, Initial, Last Name        | First Name Initial. Last Name
First Name, Initial                   | First Name Initial.
First Name, Last Name                 | First Name Last Name
First Name                            | First Name
Last Name                             | Last Name
UserId                                | UserId
The following figure displays the decision tree for the process of generating an RDN.
If the adapter finds an attribute value, that value is used for generating the RDN. For example, if the Full Name attribute is not found, the adapter checks for a value in the Display Name attribute. If a value is found, the adapter uses the display name as the RDN; otherwise the adapter checks for the next attribute value, in the First Name attribute, and so on.
UserId is the default value of an RDN. The maximum length of an RDN is 64 characters.
2. Adds the string cn= as a prefix to the generated RDN. For example, cn=RDN. Characters that are special in a distinguished name (, + " \ < > ; = and a leading #) must be escaped in the RDN value, as defined in RFC 4514, for the resulting DN to be valid.
3. Adds the container that holds the user account as a suffix to cn=RDN. The container is separated by a comma. The adapter adds the default user container cn=Users as the suffix if:
v You do not specify the Container attribute on the Active Directory account form.
v You do not specify the Base Point DN attribute on the Active Directory Adapter service form.
v The base point that you specify on the Active Directory Adapter service form does not contain a container.
Containers other than the Users container are represented as ou=name, where name is the name of the organizational unit.
4. Adds a domain name as a suffix to cn=RDN,cn=Users. The domain name is separated by a comma. If a base point is specified on the Active Directory Adapter service form, the domain name is the specified base point. If no base point is specified on the Active Directory Adapter service form, the adapter uses the default domain name of the domain in which the adapter is running. Therefore, the distinguished name is: cn=RDN,cn=Users,domainname.
(Figure: decision tree for generating an RDN. The tree checks, in order, whether Full Name, Display Name, First Name, Initial and Last Name are specified, and produces the RDN values listed in Table 5, ending with UserId when none of the name attributes is specified.)
User principal name of a user account
A user principal name is the account name of a user in an e-mail address format. A user principal name consists of two parts:
v User identification: contains the user logon name
v Domain: contains the name of the domain in which the user account is located
A user principal name is computed by separating these two parts with an @ symbol, for example username@domainname.
If you specify the User Principal Name attribute on the Active Directory account form, the adapter sets the specified value in the userPrincipalName attribute on the Active Directory. If the User Principal Name attribute is not specified, the adapter uses the value of the UserId attribute as the user principal name and appends @domainname to it.
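The naming rules of this section and the two before it, as an added example that is not adapter code: validate_user_id() applies the character rule for UserId, generate_rdn() follows the order of Table 5, build_dn() assembles cn=RDN,container,suffix, and build_upn() derives the user principal name. The editor's assumptions are the spacing in the combined RDN forms ("First Name Initial. Last Name"), the RFC 4514 escaping in escape_rdn_value(), the rejection of RDNs longer than 64 characters and of spaces in UserId, and the placeholder default domain dc=example,dc=com; the guide does not state how the adapter handles those cases.

```python
"""Added example: the naming rules this chapter describes, as code.
Not adapter code; nothing here talks to a directory."""

ALLOWED_SPECIAL = set('#,+"\\<>')   # the special characters the guide permits
MAX_RDN_LENGTH = 64


def validate_user_id(user_id):
    """True when user_id is non-empty and contains only letters (Unicode
    letters included), digits, or the permitted special characters. Control
    characters and other punctuation, including spaces, are rejected,
    following the guide's list literally (editor's reading)."""
    return bool(user_id) and all(
        ch.isalnum() or ch in ALLOWED_SPECIAL for ch in user_id)


def generate_rdn(form):
    """Choose the RDN from the account-form attributes in the order of
    Table 5. Missing or blank values count as not specified."""
    get = lambda key: (form.get(key) or "").strip()
    full, display = get("FullName"), get("DisplayName")
    first, initial, last = get("FirstName"), get("Initial"), get("LastName")
    if full:
        rdn = full
    elif display:
        rdn = display
    elif first:
        if initial:
            rdn = "%s %s." % (first, initial) + (" %s" % last if last else "")
        elif last:
            rdn = "%s %s" % (first, last)
        else:
            rdn = first
    elif last:
        rdn = last
    else:
        rdn = get("UserId")            # UserId is the default RDN
    if not rdn:
        raise ValueError("UserId is required to build an RDN")
    if len(rdn) > MAX_RDN_LENGTH:      # editor's assumption: reject, not truncate
        raise ValueError("RDN exceeds %d characters" % MAX_RDN_LENGTH)
    return rdn


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4), so a
    value such as 'Daniel, Thomas' cannot add a component to the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(rdn, container=None, base_point=None,
             default_domain="dc=example,dc=com"):
    """cn=RDN, then the container (cn=Users when none is given), then the
    base point from the service form or, without one, the domain name.
    Assumption: a base point is used as given; the guide's case of a base
    point that contains no container falls back to cn=Users as well."""
    suffix = base_point or default_domain
    return "cn=%s,%s,%s" % (escape_rdn_value(rdn), container or "cn=Users", suffix)


def build_upn(form, domain):
    """The User Principal Name attribute if specified, else UserId@domain."""
    explicit = (form.get("UserPrincipalName") or "").strip()
    return explicit or "%s@%s" % (form["UserId"], domain)
```

With the container example used later in this chapter, build_dn("Thomas Daniel", container="ou=Marketing", base_point="ou=Departments,dc=ibm,dc=com") gives cn=Thomas Daniel,ou=Marketing,ou=Departments,dc=ibm,dc=com. Because UserId may contain , + " \ < > and is the default RDN, the escaping step matters: a UserId of "a,b" would otherwise become two DN components.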
Specifying controls for a user account
To specify controls for a user account, set the following attributes on the Active Directory account form:
Password Never Expires
    Specifies whether the password can ever expire
Password Required
    Specifies whether a password is required
Smart Card Required
    Specifies whether a smart card is required for logon
User Cannot Change Password
    Specifies whether the user can change their password
Allow Encrypted Password
    Specifies whether the password may be stored in reversibly encrypted form
These attributes correspond to property flags of the userAccountControl attribute on the Active Directory. Table 6 lists the attribute names and their corresponding property flags.
Table 6. Attributes on the Active Directory account form and their corresponding property flags
Attribute                   | Property flag              | Hexadecimal value for the property flag | Decimal value for the property flag
Password Never Expires      | DONT_EXPIRE_PASSWORD       | 0x10000                                 | 65536
Password Required           | PASSWD_NOTREQD             | 0x0020                                  | 32
Smart Card Required         | SMARTCARD_REQUIRED         | 0x40000                                 | 262144
User Cannot Change Password | PASSWD_CANT_CHANGE         | 0x0040                                  | 64
Allow Encrypted Password    | ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080                                  | 128
Note that Password Required is the inverse of its flag: when Password Required is selected, PASSWD_NOTREQD is clear; when it is not selected, PASSWD_NOTREQD is set and the account may exist with an empty password. Active Directory does not honor PASSWD_CANT_CHANGE when it is written directly into userAccountControl; the restriction is enforced through an access control entry on the user object, so reading the raw attribute does not reliably show it. Allow Encrypted Password stores the password in a form that anyone with read access to the directory database can recover; leave it clear unless an application that needs the plaintext password requires it.
The value of the userAccountControl attribute is the sum of the values of the property flags that are enabled. For more information about the property flags of the userAccountControl attribute, see the Microsoft Windows Server documentation.
You can force a user account to change the password at next logon by selecting the Force Password Change check box on the PASSWORD page of the Active Directory account form. The Active Directory Adapter maps the Force Password Change attribute to the pwdLastSet attribute on the Active Directory. If you select the Force Password Change check box, the adapter sets the value of the pwdLastSet attribute to 0, which Active Directory interprets as "the password must be changed at next logon". If you do not select the Force Password Change check box, the adapter sets the value of the pwdLastSet attribute to -1, which Active Directory replaces with the current time.
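Composing and decoding userAccountControl from the controls in Table 6, as an added example that is not adapter code. The flag values are the Microsoft-documented constants; ACCOUNTDISABLE is included because the adapter sets it on suspend and clears it on restore (described later in this chapter), and NORMAL_ACCOUNT is the base value of an ordinary user account. audit_weak_controls() is the editor's addition, not an adapter feature.

```python
"""Added example: compose and decode userAccountControl for the controls in
Table 6. Nothing here talks to a directory."""

UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,   # enforced by an ACE in AD, not by this bit
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
}

# Form attribute -> (flag, True when selecting the attribute SETS the flag,
# False when selecting the attribute means the flag must be CLEAR).
FORM_TO_FLAG = {
    "PasswordNeverExpires": ("DONT_EXPIRE_PASSWORD", True),
    "PasswordRequired": ("PASSWD_NOTREQD", False),
    "SmartCardRequired": ("SMARTCARD_REQUIRED", True),
    "UserCannotChangePassword": ("PASSWD_CANT_CHANGE", True),
    "AllowEncryptedPassword": ("ENCRYPTED_TEXT_PWD_ALLOWED", True),
}


def set_flag(uac, name, on):
    """Return uac with the named flag set or cleared."""
    bit = UAC_FLAGS[name]
    return uac | bit if on else uac & ~bit


def uac_from_form(form, current=UAC_FLAGS["NORMAL_ACCOUNT"]):
    """Apply the form's control attributes (booleans keyed by the Table 6
    names) to an existing value; an absent key leaves that flag unchanged."""
    uac = current
    for attr, (flag, direct) in FORM_TO_FLAG.items():
        if attr in form:
            uac = set_flag(uac, flag, bool(form[attr]) == direct)
    return uac


def decode_uac(uac):
    """Names of the flags that are set, in ascending bit order."""
    return [n for n, v in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if uac & v]


def suspend(uac):
    """What the adapter does on suspend: set ACCOUNTDISABLE."""
    return set_flag(uac, "ACCOUNTDISABLE", True)


def restore(uac):
    """What the adapter does on restore: clear ACCOUNTDISABLE."""
    return set_flag(uac, "ACCOUNTDISABLE", False)


def pwd_last_set_for(force_change):
    """0 forces a change at next logon; -1 tells AD to stamp the current time."""
    return 0 if force_change else -1


def audit_weak_controls(uac):
    """Flags a reviewer should question: no password required, reversible
    encryption, and a password that never expires."""
    risky = ("PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD")
    return [n for n in risky if uac & UAC_FLAGS[n]]
```

uac_from_form() works on the current attribute value rather than building one from zero, because userAccountControl also carries flags the form does not manage (NORMAL_ACCOUNT, ACCOUNTDISABLE, lockout-related bits); overwriting the whole value would silently clear them.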
Creating a home directory for a user account
Before you create a home directory for a user account, ensure that you have:
v Created a shared directory on the Windows server
v Granted full access rights on that shared directory to the user account under which the Active Directory Adapter is running. Grant this right on the home directory share only; the adapter account does not need it elsewhere on the server.
To create a home directory for a user account, set the value of the following registry keys to TRUE:
v CreateUNCHomeDirectories
v ManageHomeDirectories
Specify the following attributes on the Active Directory account form:
v Home Directory
v Home Directory Drive
The Home Directory attribute must be in the Universal Naming Convention (UNC) format. UNC is a format for specifying the location of resources in a local area network (LAN). UNC uses the format \\HOME_AD_SERVER\SHARED_DIR\HOME_DIR, where:
v HOME_AD_SERVER is the name of the server that hosts the share
v SHARED_DIR is the shared directory
v HOME_DIR is the name of the home directory for the user account
For example, consider a user account with the following attribute settings on the Active Directory account form.
UserId               Thomas
Home Directory       \\H20\homedir\thomas
Home Directory Drive F:
Because the values of the registry keys CreateUNCHomeDirectories and ManageHomeDirectories are TRUE, the adapter creates the UNC home directory thomas on server H20 inside the shared directory homedir, and maps the home directory thomas to drive F:.
To specify permissions on the home directory for a user account, set the Home Directory NTFS Access attribute for the user on the Active Directory account form. Table 7 lists the values of the Home Directory NTFS Access attribute and their corresponding permissions on the home directory. Change is sufficient for ordinary use; Full lets the user alter the directory's own access control list.
Table 7. Home Directory NTFS Access attribute values and their corresponding permissions on the home directory
Home Directory NTFS Access attribute value | Permissions
Full   | The user has full control over the home directory and can:
         v Change permissions
         v Take ownership
         v Delete subfolders and files
Change | The user has the following access to files and subfolders in the home directory:
         v Read
         v Write
         v Modify
Enabling a user account for mail
Mail-enabled
    An Active Directory user account that has an e-mail address associated with it but has no mailbox on the Exchange server. A mail-enabled user can send and receive e-mail using another messaging system. Messages sent to a mail-enabled user account pass through the Exchange server and are forwarded to the external e-mail ID of that user account. For example, Thomas is an employee of company1, with a mailbox on the Exchange server of company1 and an e-mail ID [email protected]. The users of company1 have mail-enabled user accounts in the domain of company2. The new e-mail ID of Thomas is [email protected]. Thomas can send and receive mail with the new e-mail ID, but the mailbox for Thomas is not on the Exchange server of company2; it is on the Exchange server of company1.
Mailbox-enabled
    An Active Directory user account that has a mailbox on the Exchange server. A mailbox-enabled user can send and receive messages and store messages in the Exchange server mailbox.
To create a mail-enabled user account, you must specify values for the Alias and the Target Address attributes on the Active Directory account form.
To create a mailbox-enabled user account, you must specify values for the Alias and the Mailbox Store attributes on the Active Directory account form.
The Exchange server uses the value of the Alias attribute to generate an e-mail ID for a user account. If the value of the Alias attribute of another user account matches an existing alias, the Exchange server appends a number to the e-mail ID of the other user account. For example, a user account Thomas with the alias thomas1 exists on the Active Directory. The e-mail ID of Thomas is [email protected]. If you create another user account with the alias thomas1, the Exchange server generates [email protected].
Note: If you specify both the Mailbox Store and the Target Address attributes, the Active Directory Adapter returns an error.
Creating a proxy address for a user account
By default, the Exchange server assigns a primary Simple Mail Transfer Protocol (SMTP) proxy address to a user account when a mailbox is created.
To create multiple proxy addresses for a user account, specify the Proxy Addresses attribute on the Active Directory account form. The primary proxy address of the SMTP address type cannot be deleted.
Note: Always specify the primary proxy address with its address type in uppercase (SMTP:) and secondary proxy addresses with the address type in lowercase (smtp:). Exchange uses the case of the prefix to distinguish the primary address from the secondary ones.
For example, a user account Thomas exists on the Active Directory with the following values in the Active Directory account form.
UserId          Thomas
Proxy Addresses SMTP:[email protected] smtp:[email protected]
In this example, SMTP:[email protected] is the primary proxy address and smtp:[email protected] is a secondary proxy address.
Note: To create an X.400 proxy address for a user account, you must also specify the primary SMTP proxy address.
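Checks for the Exchange-related attributes described in this section and the one before it, as an added example that is not adapter or Exchange code: classify_mail_attributes() applies the Alias, Target Address and Mailbox Store rules; validate_proxy_addresses() checks the proxy address conventions (one primary with an uppercase SMTP: prefix, secondaries with lowercase smtp:, an X.400 address only beside a primary SMTP address); primary_removed() detects an attempt to delete the primary SMTP address. The sample addresses are constructed, and the attribute keys in the form dict are the editor's names for the account-form fields.

```python
"""Added example: validation of the mail-related account-form attributes."""


def classify_mail_attributes(form):
    """Return 'mail-enabled', 'mailbox-enabled' or 'not mail-enabled', or
    raise ValueError for the combinations the adapter rejects."""
    alias = (form.get("Alias") or "").strip()
    target = (form.get("TargetAddress") or "").strip()
    store = (form.get("MailboxStore") or "").strip()
    if target and store:
        raise ValueError("Mailbox Store and Target Address cannot both be set")
    if not alias:
        if target or store:
            raise ValueError("Alias is required to mail-enable an account")
        return "not mail-enabled"
    if target:
        return "mail-enabled"
    if store:
        return "mailbox-enabled"
    return "not mail-enabled"


def validate_proxy_addresses(addresses):
    """Return (primary_smtp_address, errors) for a list of 'TYPE:address'
    entries; an empty errors list means the list follows the conventions."""
    primary, errors, has_x400 = None, [], False
    for entry in addresses:
        kind, sep, address = entry.partition(":")
        if not sep or not address.strip():
            errors.append("malformed entry %r" % entry)
            continue
        if kind == "SMTP":                       # uppercase prefix = primary
            if primary is not None:
                errors.append("more than one primary SMTP address: %r" % entry)
            primary = address
        elif kind == "smtp":                     # lowercase prefix = secondary
            continue
        elif kind.upper() == "SMTP":
            errors.append("mixed-case prefix in %r; use SMTP: or smtp:" % entry)
        elif kind.upper() == "X400":
            has_x400 = True
        else:
            errors.append("unsupported address type in %r" % entry)
    if primary is None:
        errors.append("no primary SMTP address (uppercase SMTP: prefix)")
        if has_x400:
            errors.append("an X.400 address requires a primary SMTP address")
    return primary, errors


def primary_removed(old_addresses, new_addresses):
    """True when the change would drop the primary SMTP address, which the
    guide says cannot be deleted. SMTP addresses compare case-insensitively."""
    old_primary, _ = validate_proxy_addresses(old_addresses)
    if old_primary is None:
        return False
    kept = {e.partition(":")[2].lower() for e in new_addresses
            if e.partition(":")[0].upper() == "SMTP"}
    return old_primary.lower() not in kept
```

primary_removed() treats demoting the old primary to a secondary smtp: entry as allowed and only flags its disappearance from the list, which is the reading of "cannot be deleted" used here.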
Modifying user accounts
You can modify user account attributes in Tivoli Identity Manager. For more information about modifying user accounts, see the Tivoli Identity Manager information center.
Modifying the container attribute
If you do not specify a base point when you create an Active Directory service, the Active Directory Adapter by default creates new users in the Users container of the Active Directory.
Modifying the Container attribute means moving a user from one container to another. You can move a user between:
v Containers that are stored under the specified base point
v All containers, if no base point is specified
When you modify the Container attribute, the distinguished name of the user changes because the user moves to a different position in the Active Directory hierarchy. Active Directory identifies the object by its objectGUID and security identifier rather than by its distinguished name, so group memberships and permissions follow the moved account, but anything that stores the old distinguished name (for example, a configured bind DN) must be updated. The following example illustrates the change in the distinguished name of a user when you modify the Container attribute.
For example, a user account with the name Thomas Daniel exists on the Active Directory, which has the structure shown in Figure 2.
The distinguished name of Thomas Daniel is: cn=Thomas Daniel,cn=Users,dc=ibm,dc=com
Modify the Container attribute on Tivoli Identity Manager from cn=Users to ou=Marketing. After this change, the distinguished name of Thomas Daniel changes to the following value:
cn=Thomas Daniel,ou=Marketing,ou=Departments,dc=ibm,dc=com
Modifying the Home Directory attribute
The Active Directory Adapter supports the creation and deletion of home directories only in shared folders on the Windows server. The adapter does not support the creation and deletion of local home directories.
The following examples describe the behavior of the Active Directory Adapter when you modify the attributes that are related to the home directory on the Active Directory account form for an existing user account.
Example 1:
A user account Thomas Daniel exists on the Active Directory with the following values in the Active Directory account form.
Attribute            Value
Home Directory       \\H20\shareddir\thomas
Home Directory Drive F:
Home Directory Share homedirshare1
The values of the registry keys are:
v ManageHomeDirectories=TRUE
v DeleteUNCHomeDirectories=FALSE
v CreateUNCHomeDirectories=TRUE
Delete the values of the attributes that are related to the home directory. Because the value of the registry key DeleteUNCHomeDirectories is FALSE, the adapter:
v Does not delete the home directory thomas from the server H20
v Does not remove the share homedirshare1
v Deletes the values of the Home Directory and the Home Directory Drive attributes on the Active Directory
Figure 2. Example of an Active Directory structure: the domain dc=ibm,dc=com contains the Users container (holding Thomas Daniel and Nancy Kerry) and the Departments organizational unit (holding the Sales and Marketing organizational units).
Example 2:
A user account Thomas Daniel exists on the Active Directory with the following values in the Active Directory account form.
Attribute            Value
Home Directory       \\H20\shareddir\thomas
Home Directory Drive F:
Home Directory Share homedirshare1
The values of the registry keys are:
v ManageHomeDirectories=TRUE
v DeleteUNCHomeDirectories=TRUE
v CreateUNCHomeDirectories=TRUE
Delete the values of the attributes that are related to the home directory. Because the value of the registry key DeleteUNCHomeDirectories is TRUE, the adapter deletes the home directory thomas from the server H20.
Example 3:
A user account Thomas Daniel exists on the Active Directory. This user account has no values for the attributes that are related to the home directory on the Active Directory account form.
The values of the registry keys are:
v ManageHomeDirectories=TRUE
v DeleteUNCHomeDirectories=TRUE
v CreateUNCHomeDirectories=FALSE
Specify the following values for the attributes that are related to the home directory on the Active Directory account form.
Attribute            Value
Home Directory       \\H20\shareddir\thomas
Home Directory Drive F:
Home Directory Share homedirshare1
Because the value of the registry key CreateUNCHomeDirectories is FALSE, the adapter:
v Does not create the home directory thomas or the home directory share homedirshare1 on the server H20
v Sets the values of the Home Directory and Home Directory Drive attributes on the Active Directory
Example 4:
A user account Thomas Daniel exists on the Active Directory. This user account has no values for the attributes that are related to the home directory on the Active Directory account form.
The values of the registry keys are:
v ManageHomeDirectories=TRUE
v DeleteUNCHomeDirectories=TRUE
v CreateUNCHomeDirectories=TRUE
Specify the following values for the attributes that are related to the home directory on the Active Directory account form.
Attribute            Value
Home Directory       \\H20\shareddir\thomas
Home Directory Drive F:
Home Directory Share homedirshare1
Because the values of the registry keys CreateUNCHomeDirectories and ManageHomeDirectories are TRUE, the adapter:
v Creates the home directory thomas on the server H20
v Maps the home directory to drive F:
v Assigns the share name homedirshare1 to the home directory
v Assigns access rights to the home directory and to the home directory share
Example 5:
A user account Thomas Daniel exists on the Active Directory with the following values in the Active Directory account form.
Attribute            Value
Home Directory       \\H20\shareddir\thomas
Home Directory Drive F:
Home Directory Share homedirshare1
The values of the registry keys are:
v ManageHomeDirectories=TRUE
v DeleteUNCHomeDirectories=TRUE
v CreateUNCHomeDirectories=TRUE
Change the values of the attributes on the Active Directory account form to the following values.
Attribute            Value
Home Directory       \\H20\shareddir\Peter\thomas
Home Directory Drive G:
Home Directory Share homedirshare2
Change the value of the registry key DeleteUNCHomeDirectories to FALSE. In this example, the modify operation fails because the adapter cannot create nested directories, that is, the directory thomas inside the directory Peter. The adapter ignores the other attributes that are related to the home directory.
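The home-directory behaviour of Examples 1 to 5 (and of the creation procedure earlier in this chapter) modelled as code, as an added example that is not adapter code. The registry keys are read from a dict instead of the Windows registry and the result is the list of actions the adapter would take, so nothing touches a server. The share-removal step on delete is inferred from Example 1, and the rejection of "." and ".." path components is the editor's addition.

```python
"""Added example modelling the adapter's home-directory decisions."""
import re

# \\SERVER\SHARE\DIR exactly: the adapter cannot create nested directories.
_UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)\\([^\\]+)$")


def parse_unc(path):
    """Split a UNC home directory into (server, share, directory), rejecting
    nested paths (Example 5) and traversal components."""
    m = _UNC.match(path)
    if not m:
        raise ValueError("home directory must be \\\\SERVER\\SHARE\\DIR: %r" % path)
    parts = m.groups()
    if any(p in (".", "..") for p in parts):
        raise ValueError("'.' and '..' are not allowed in %r" % path)
    return parts


def plan_home_directory_change(old, new, registry):
    """Return the actions for changing the home-directory attributes from
    `old` to `new` (dicts with HomeDirectory, HomeDirectoryDrive and
    HomeDirectoryShare; a missing or empty value means not set)."""
    manage = bool(registry.get("ManageHomeDirectories"))
    create = bool(registry.get("CreateUNCHomeDirectories"))
    delete = bool(registry.get("DeleteUNCHomeDirectories"))
    old, new = old or {}, new or {}
    old_path = old.get("HomeDirectory") or ""
    new_path = new.get("HomeDirectory") or ""
    actions = []
    if old_path and not new_path:                        # Examples 1 and 2
        if manage and delete:
            server, _, directory = parse_unc(old_path)
            actions.append("delete directory %s on %s" % (directory, server))
            if old.get("HomeDirectoryShare"):            # inferred from Example 1
                actions.append("remove share %s" % old["HomeDirectoryShare"])
        actions.append("clear HomeDirectory and HomeDirectoryDrive in Active Directory")
        return actions
    if new_path and new_path != old_path:                # Examples 3, 4 and 5
        server, share, directory = parse_unc(new_path)   # raises for nested paths
        if manage and create:
            actions.append("create directory %s in share %s on %s" % (directory, share, server))
            if new.get("HomeDirectoryDrive"):
                actions.append("map drive %s" % new["HomeDirectoryDrive"])
            if new.get("HomeDirectoryShare"):
                actions.append("share the directory as %s" % new["HomeDirectoryShare"])
            actions.append("assign access rights to the home directory and its share")
        actions.append("set HomeDirectory and HomeDirectoryDrive in Active Directory")
    return actions
```

Because the Home Directory value ends up as a path that the adapter's service account creates and shares, parse_unc() refuses anything that is not exactly server, share and one directory name; that covers the nested-directory failure of Example 5 and also blocks values such as \\H20\shareddir\.. from being written to the account.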
Modifying the user password
You can change the password of any of the Active Directory accounts that exist on Tivoli Identity Manager. For information about changing passwords, see the Tivoli Identity Manager information center.
When you change the password of a domain user from Tivoli Identity Manager, the new password is synchronized with the other accounts that Tivoli Identity Manager manages for that domain user. The Password Synchronization plug-in provides the connectivity between Tivoli Identity Manager and the Windows system that runs the Active Directory. For more information about the Password Synchronization plug-in, see the Password Synchronization for Active Directory Plug-in Installation and Configuration Guide.
During the password change operation:
v If the value of the UnlockOnPasswordReset registry key is FALSE and the user account is locked, the Active Directory Adapter changes the password of the user account, but the user cannot log on to the domain with the new password until the account is unlocked.
v If the value of the UnlockOnPasswordReset registry key is TRUE, the Active Directory Adapter unlocks the user account, and the user can log on to the domain with the new password.
Leave UnlockOnPasswordReset at FALSE where account lockout is relied on as a control against password guessing: with TRUE, a reset issued while an attack is in progress also clears the lockout that the attack caused.
Modifying the Mailbox Store attribute
Modifying the Mailbox Store attribute means moving a user mailbox from one mailbox store to another. You can move a mailbox either within the same Exchange server or to a different Exchange server in the same domain. For more information about moving a mailbox from one mailbox store to another, see the Microsoft Exchange server documentation.
When you modify the Mailbox Store attribute, the value of the homeMDB attribute changes because the user mailbox moves from one mailbox store to another. The following example illustrates the change in the value of the homeMDB attribute when you modify the Mailbox Store attribute.
For example, a user account with the name Thomas Daniel exists on the Active Directory (the domain name is ibm.com). Thomas Daniel has a mailbox in the First Mailbox Store of the Exchange server ps2330, as shown in Figure 3.
The value of the homeMDB attribute is:
cn=First Mailbox Store,cn=First Storage Group,cn=InformationStore,cn=ps2330,cn=Servers,cn=First Administrative Group,cn=Administrative Groups,cn=First Organization (Exchange),cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=ibm,dc=com
When you move the mailbox of Thomas Daniel from First Mailbox Store to Second Mailbox Store, the value of the homeMDB attribute changes to the following value:
cn=Second Mailbox Store,cn=First Storage Group,cn=InformationStore,cn=ps2330,cn=Servers,cn=First Administrative Group,cn=Administrative Groups,cn=First Organization (Exchange),cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=ibm,dc=com
Figure 3. Exchange server organization tree: First Organization (Exchange) contains Global Settings, Recipients, and Servers; the server ps2330 contains First Storage Group, which holds First Mailbox Store and Second Mailbox Store, each with Logons, Mailboxes, and Full-Text Indexing.
Suspending user accounts
When you suspend a user account, the status of the user account on Tivoli Identity Manager becomes inactive, and the user account becomes unavailable for use. Suspending a user account does not remove the user account from Tivoli Identity Manager. For more information about suspending user accounts, see the Tivoli Identity Manager information center.
When you suspend a user account from Tivoli Identity Manager, the Active Directory Adapter sets the ACCOUNTDISABLE property flag (0x0002) of the userAccountControl attribute on the Active Directory. Disabling the account prevents new logons; sessions and Kerberos tickets that the user already holds remain usable until they expire. For more information about the property flags of the userAccountControl attribute, see the Microsoft Windows Server documentation.
Restoring user accounts
The restore operation reinstates a suspended user account on Tivoli Identity Manager. After you restore a user account, the status of the user account on Tivoli Identity Manager becomes active. For more information about restoring user accounts, see the Tivoli Identity Manager information center.
When you restore a user account from Tivoli Identity Manager, the Active Directory Adapter clears the ACCOUNTDISABLE property flag of the userAccountControl attribute on the Active Directory. For more information about the property flags of the userAccountControl attribute, see the Microsoft Windows Server documentation.
Deleting user accounts
Use the deprovision feature of Tivoli Identity Manager to delete user accounts from the Active Directory. For more information about deleting user accounts, see the Tivoli Identity Manager information center.
When you deprovision a user account from Tivoli Identity Manager, the Active Directory Adapter:
v Deletes the user account from the Active Directory
v Deletes the mailbox of the user account from the Exchange server, if the user account is mailbox-enabled
v Removes the user account from the groups that it is a member of
v Deletes the home directory of the user account, if the value of the delUNCHomeDirOnDeprovision registry key is TRUE
v Deletes the profile of the user account, if the value of the delRoamingProfileOnDeprovision registry key is TRUE
v Deletes the WTS home directory of the user account, if the values of the delUNCHomeDirOnDeprovision and WtsEnabled registry keys are TRUE
v Deletes the WTS profile of the user account, if the values of the delRoamingProfileOnDeprovision and WtsEnabled registry keys are TRUE
Deleting the account also discards its security identifier; an account that is later re-created with the same UserId receives a new security identifier and does not regain access that was granted to the old one.
Note: The Active Directory Adapter does not support the deletion of local home directories.
Deleting a mailbox
Delete the Alias attribute on the Active Directory account form to delete the mailbox of a user account on the Exchange server.
After the mailbox of a user account is deleted, creating another mailbox for the same user account with the same alias creates a new mailbox. The adapter does not permanently delete the mailbox from the Exchange server; the Exchange server flags a deleted mailbox as disconnected.
By default, the Exchange server preserves a deleted mailbox for a specific duration, which an administrator can configure.
You can connect a disconnected mailbox to a user account. The name of the mailbox is changed to match the user account name. For more information about connecting a disconnected mailbox to a user account, see the Microsoft Exchange server documentation.
Chapter 4. Troubleshooting the Active Directory Adapter errors
This section lists the error messages that might occur while you perform the Active Directory Adapter user tasks and the corresponding recommended actions that you can take to resolve those errors.
Whenever an operation fails, the corresponding error messages are logged in the WinADAgent.log file, which you can find in the installation directory of the agent. The log file contains error messages with corresponding error codes. For information about the error codes and their descriptions, see the Microsoft Windows Server documentation and search for "ADSI Error Codes".
Table 8. Troubleshooting the Active Directory Adapter errors
Error message: Unable to bind to base point
Recommended action: Ensure that:
v The base point is correctly specified on the adapter service form.
v The user ID is correctly specified on the adapter service form.
v The password is correctly specified on the adapter service form.
v The Active Directory is reachable from the workstation where the adapter is installed.
Error message: Unable to determine default domain
Recommended action: This error occurs when the Active Directory Adapter fails to:
v Bind to rootDSE
v Get the default naming context
Ensure that:
v The base point is correctly specified on the adapter service form.
v The user ID is correctly specified on the adapter service form.
v The password is correctly specified on the adapter service form.
v The Active Directory is reachable from the workstation where the adapter is installed.
Error message: Error binding to DN: DNString
Recommended action: This error occurs when the Active Directory Adapter fails to bind to a user object of the Active Directory for processing. Ensure that the user being processed in the Active Directory is not deleted by another process at the same time.
Error message: Extended attribute attributename has unsupported syntax
Recommended action: The Active Directory Adapter does not support the data type that is used for the extended attribute. Use one of the following data types:
v Boolean
v Integer
v Case-sensitive string
v Case-insensitive string
v Numerical string
v Unicode string
v Distinguished name
v UTC coded time
For more information about customizing the adapter to use extended attributes, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Customizing the Active Directory Adapter".
Error message: Extended attribute attributename not found in Active Directory schema
Recommended action: The extended attribute that is specified in the exschema.txt file does not exist on the Active Directory. Either remove the attribute name from the exschema.txt file or add the attribute to the Active Directory.
Error messages:
Error binding to schema container errorcode. Loading of extended schema attribute attributename failed.
Error getting parent of schema errorcode. Loading of extended schema attribute attributename failed.
Error binding to DN of schema errorcode. Loading of extended schema attribute attributename failed.
Unable to connect to default domain. Loading of extended schema attribute attributename failed.
Recommended action: These errors occur when the Active Directory Adapter fails to extract the schema of the extended attributes.
v Ensure that the Active Directory is reachable from the workstation where the adapter is installed.
v Verify that the extended attribute is correctly defined and added to the user class.
Error message: Extended schema file not found. No extensions loaded.
Recommended action: This informational message occurs when the Active Directory Adapter fails to find the extended schema file (exschema.txt) or fails to open the file.
Error message: Unable to bind to user username
Recommended action: This error occurs when the Active Directory Adapter fails to connect to a user object in the Active Directory for processing. Ensure that the user username exists on the Active Directory.