Depending on the target system that you are using, perform the procedure described in one of the following sections. You can use a Microsoft Windows Server Domain Controller administrator account for connector operations. Alternatively, you can create a user account and assign the minimum required rights to the user account. See the Microsoft Active Directory documentation for detailed information about performing this procedure.
You assign read permissions on the Security tab of the Properties dialog box for the user account. This tab is displayed only in Advanced Features view. You must create and use a user account that belongs to the Administrators group for performing connector operations. In a forest environment, if you are performing reconciliation by using the Global Catalog Server, then perform the procedure described in this section on all child domains. By default, user accounts that belong to the Account Operators group can manage only user and group objects.
To manage organizational units or custom object classes, you must assign the necessary permissions to a user account. In other words, you must delegate complete control for an organizational unit or custom object class to a user or group object. In addition, you need these permissions to successfully perform provisioning of custom object classes. This is achieved by using the Delegation of Control Wizard.
An example for managing organizational units is creating organizational units. In a parent-child deployment environment or forest topology, perform this procedure on all the child domains. Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system. Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Governance, then this lookup definition is created while the scheduled job is run.
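The account creation and delegation steps above, as an added example (not code from the Oracle connector documentation or from Microsoft): it creates a dedicated connector service account and delegates complete control of one OU subtree to it with the command-line equivalent of the Delegation of Control Wizard, then reads the ACL back. The OU distinguished name and the account name are placeholders.

```powershell
# Added example: delegate control of one OU to a dedicated connector account.
# $OrgUnitDn and $ServiceAccount are placeholders for your own environment.
param(
    [string]$OrgUnitDn      = 'OU=Managed,DC=corp,DC=example',   # placeholder OU
    [string]$ServiceAccount = 'CORP\svc-oig-ad'                  # placeholder account
)

# 1. Create the account if it does not exist yet. It is a plain user account;
#    no Domain Admins or Account Operators membership is added here.
$sam = $ServiceAccount.Split('\')[-1]
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    $pw = Read-Host -AsSecureString "Initial password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $pw -Enabled $true `
        -Description 'OIG Active Directory connector service account'
}

# 2. "Delegate complete control" for this OU subtree only:
#    GA = generic all (full control), /I:T = this object and all child objects.
dsacls $OrgUnitDn /I:T /G "${ServiceAccount}:GA"

# 3. Verify: the read-back lists the account with full control on the OU.
#    Nothing outside $OrgUnitDn was touched, which keeps the delegation scoped.
dsacls $OrgUnitDn | Select-String -Pattern $sam
```

Run this once per child domain in a parent-child or forest topology, as the text requires, and keep the delegated OU as narrow as the provisioning scope allows.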
Depending on the scenario in which you want to perform group reconciliation, perform one of the following procedures. See Reconciling Target System Groups into Individual Organizations to reconcile each target system group into an organization of its own. See Reconciling Target System Groups into a Single Organization to reconcile all target system groups into a single organization.
Create an organizational unit in Oracle Identity Governance with the name of the group available in the target system, and then reconcile groups to this newly created organizational unit. In other words, suppose a scenario in which you want every target system group to be reconciled into an organization of its own. This procedure describes how to perform group reconciliation when all groups available on the target system must be reconciled under the same organizational unit in Oracle Identity Governance.
In other words, suppose a scenario in which you want all target system groups to be reconciled into a single organization. In the Organization Name attribute field, specify the name of an organizational unit under which all groups from the target system must be reconciled. In addition, as a best practice, ensure that all newly created OUs and other objects are fetched into OIM from the target system by performing a trusted resource reconciliation run.
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance. Values, either default or user-defined, must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed. You can use the Scheduler Status page in Identity System Administration to start, stop, or reinitialize the scheduler.
You provision or request for accounts on the Accounts tab of the User Details page. Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete. Preconfigured Lookup Definitions for Group Operations. Reconciliation Scheduled Jobs for Groups Management. The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector.
The Lookup. Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource. Table lists the default entries in this lookup definition. Table Entries in the Lookup.
Configuration Lookup Definition. This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup. ProvAttrMap for more information about this lookup definition. This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations.
See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition. This entry holds the name of the lookup definition that maps fields on the group form and their default values. Defaults for more information about this lookup definition. This entry holds the name of the lookup definition that maps resource object fields and target system attributes.
ReconAttrMap for more information about this lookup definition. This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.
This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. Defaults for more information about adding entries in this lookup definition. ProvAttrMap lookup definition holds mappings between process form fields and target system attributes.
This lookup definition is preconfigured and is used during group provisioning operations. You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used for performing target resource group reconciliation runs. Table lists the group fields of the target system from which values are fetched during reconciliation.
The Active Directory Group Recon scheduled job is used to reconcile group data. You can add entries in this lookup definition if you want to map new target system attributes for reconciliation.
ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during group provisioning operations.
See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.
ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during group reconciliation.
Defaults lookup definition holds mappings between reconciliation fields for group and their default values. This lookup definition is used when there is a mandatory field on the group form, but no corresponding field in the target system from which values can be fetched during group reconciliation. This lookup definition is empty by default.
If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format. For example, assume a field named Group ID is a mandatory field on the group form. Suppose the target system contains no field that stores information about the group ID for an account. During reconciliation, no value for the Group ID field is fetched from the target system. However, as the Group ID field cannot be left empty, you must specify a value for this field.
This implies that the value of the Group ID field on the group form displays GRP for all accounts reconciled from the target system. GroupTypes lookup definition holds information about group types that you can select for the group that you create through Oracle Identity Governance.
The following is the format of the Code Key and Decode values in this lookup definition. After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes. Active Directory Group Recon. Active Directory Group Delete Recon. Use the Active Directory Group Recon scheduled job to reconcile group data from the target system.
Expression for filtering records. Note: While creating filters, ensure that you use attributes specific to Groups. Enter the name of the target system attribute that holds a non-decreasing, last-update-related value (for example, a number or a string). The value in this attribute is used during incremental reconciliation to determine the newest record reconciled from the target system.
Note: Do not change the value of this attribute. Enter the name of the IT resource for the target system installation from which you want to reconcile group or organization data. This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation.
Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled. See Configuring and Running Group Reconciliation for more information on the usage of this attribute. Enter the container in which the search for group records must be performed during reconciliation.
Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute. Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute.
Child containers of the specified container are not included in the search. Note: If you want to enter onelevel, then ensure that you do not include a space between "one" and "level". This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that are deleted from the target system is fetched into Oracle Identity Governance.
After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Governance.
A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. Enter the name of the organization to which data about all deleted groups fetched from the target system is linked.
There are two scenarios in which group reconciliation is performed. These scenarios are described in Configuring and Running Group Reconciliation. If you have configured the connector to perform group reconciliation in scenario 1, then you need not specify a value for this attribute.
In case you specify a value, it is ignored by the connector. If you have configured the connector to perform group reconciliation in scenario 2, then enter the same organization name specified for the Organization Name attribute of the Active Directory Group Recon scheduled job. Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system.
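The Search Base, Search Scope, Filter and Latest Token attributes described above amount to one directory query. The following added example (not the connector's own code) runs the equivalent query with the Active Directory PowerShell module so that an administrator can see which groups an incremental run would fetch and what the next token would be; it also shows the tombstone query that corresponds to delete reconciliation. Server, search base and token values are placeholders, and the delete query is an approximation: the connector stores its own serialized token, as the text says, rather than the query used here.

```powershell
# Added example: what an incremental group reconciliation run fetches.
# All parameter defaults are placeholders.
param(
    [string]$Server      = 'dc01.corp.example',            # pin one DC: uSNChanged is per-DC
    [string]$SearchBase  = 'OU=Groups,DC=corp,DC=example',  # Search Base attribute
    [ValidateSet('Subtree', 'OneLevel')]
    [string]$SearchScope = 'Subtree',                       # "subtree" / "onelevel"
    [long]$LatestToken   = 0,                               # 0 = first (full) run
    [string]$Filter      = 'GroupCategory -eq "Security"'   # example group-specific filter
)

# Only records whose uSNChanged is greater than the stored token are fetched.
$adFilter = "(uSNChanged -gt $LatestToken)"
if ($Filter) { $adFilter = "($Filter) -and $adFilter" }

$groups = Get-ADGroup -Server $Server -SearchBase $SearchBase -SearchScope $SearchScope `
    -Filter $adFilter -Properties uSNChanged, description, mail, whenChanged

# The next token is the highest uSNChanged seen; keep the old one if nothing changed.
# Because uSNChanged is local to each DC, the token is only meaningful against $Server.
$newToken = $LatestToken
if ($groups) {
    $newToken = ($groups | Measure-Object -Property uSNChanged -Maximum).Maximum
}

# Delete reconciliation: deleted groups survive as tombstones (or recycled objects)
# and can be read with -IncludeDeletedObjects, given rights on the Deleted Objects container.
$deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "group"' `
    -Properties lastKnownParent, whenChanged

[pscustomobject]@{
    Fetched         = @($groups).Count
    Deleted         = @($deleted).Count
    NextLatestToken = $newToken
}
```

Re-running with the reported NextLatestToken returns only groups changed since the previous run, which is the behaviour the Latest Token attribute provides; switching the scope to OneLevel drops groups in child OUs of the search base.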
Reconciliation action rules define the actions the connector must perform based on the reconciliation rules. Reconciliation Rule for Groups. Reconciliation Action Rules for Groups. Viewing Reconciliation Rules.
Viewing Reconciliation Action Rules. Table lists the action rules for group reconciliation. After you create the application by using the connector, you can view the reconciliation rule by performing the following steps.
After you create the application by using the connector, you can view the reconciliation action rules for groups by performing the following steps. Learn about the objects that are used by the connector to perform organizational unit management operations such as create, update, and delete.
The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector. Configuration lookup definition holds configuration entries that are specific to the organizational unit object type.
This lookup definition is used during organizational unit management operations when your target system is configured as a target resource. This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values.
Trusted lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during trusted source reconciliation runs for organizational units. Trusted Lookup Definition. Trusted for more information about this lookup definition. This lookup definition is preconfigured and used during provisioning.
This lookup definition is preconfigured and used for performing target resource reconciliation runs for organizational units. Organization name with DN format. ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations for organizational units. ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during reconciliation of organizational units.
ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used during trusted source reconciliation runs for organizational units.
Table lists the default entries. Table Default Entries in the Lookup. Defaults lookup definition holds mappings between fields on the organizational unit form and their default values. This lookup definition is used when there is a mandatory field on the organizational unit form, but no corresponding field in the target system from which values can be fetched during organizational unit reconciliation.
For example, assume a field named Organization ID is a mandatory field on the organizational unit form. Suppose the target system contains no field that stores information about the organization ID for an account.
During reconciliation, no value for the Organization ID field is fetched from the target system. However, as the Organization ID field cannot be left empty, you must specify a value for this field.
This implies that the value of the Organization ID field on the organizational unit form displays ORG for all accounts reconciled from the target system. You use the Active Directory Organization Recon scheduled job to reconcile organizational unit data from the target system. This scheduled job is automatically created in Oracle Identity Governance after you create an application. You must configure this scheduled job to suit your requirements by specifying values for its attributes.
Note: While creating filters, ensure that you use attributes specific to Organizational Units. Enter the name of the IT resource for the target system installation from which you want to reconcile organization data. Enter the container in which the search for organization records must be performed during reconciliation. Reconciliation Rule for Organizational Units.
Reconciliation Action Rules for Organizational Units. Uninstalling the connector deletes all the account-related data associated with its resource objects. If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.
For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector (for example, ActiveDirectory User; ActiveDirectory Group) as the value of the ObjectValues property.
By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password. The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions.
The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain. The Guest account has membership in the default security groups that are described in the following Guest account attributes table.
By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain. A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers.
Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time.
When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access: do not grant the Guest account the "Shut down the system" user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
Do not use the Guest account when the server has external network access or access to other computers. If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution. In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed.
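The checks in the preceding paragraphs (disabled by default, password set, renamed, no extra rights, monitored) can be turned into a report. The following is an added example, not Microsoft code: it locates the domain Guest account by its well-known RID 501 rather than by name, so a renamed account is still found, reports the settings the text cares about, and disables the account only when run with -Remediate.

```powershell
# Added example: audit (and optionally disable) the domain Guest account.
param([switch]$Remediate)

$domain = Get-ADDomain
# RID 501 is the well-known Guest RID in every domain; it survives renaming.
$guest = Get-ADUser -Identity "$($domain.DomainSID.Value)-501" `
    -Properties Enabled, PasswordLastSet, PasswordNotRequired, MemberOf, LastLogonDate

$findings = @()
if ($guest.Enabled)             { $findings += 'Guest account is enabled' }
if ($guest.PasswordNotRequired) { $findings += 'Guest account does not require a password' }
if ($guest.Name -eq 'Guest')    { $findings += 'Guest account has not been renamed' }

# Membership beyond the two default groups (Guests, Domain Guests) means
# someone granted the account additional rights.
$extraGroups = $guest.MemberOf |
    ForEach-Object { (Get-ADGroup -Identity $_).Name } |
    Where-Object { $_ -notin @('Guests', 'Domain Guests') }
if ($extraGroups) { $findings += "Guest is a member of: $($extraGroups -join ', ')" }

[pscustomobject]@{
    Account         = $guest.SamAccountName
    Enabled         = $guest.Enabled
    LastLogonDate   = $guest.LastLogonDate   # recent logons on a "disabled" account warrant a look
    PasswordLastSet = $guest.PasswordLastSet
    Findings        = $findings
}

if ($Remediate -and $guest.Enabled) {
    Disable-ADAccount -Identity $guest
    Write-Output "Disabled $($guest.SamAccountName) (RID 501)"
}
```

Scheduling the report without -Remediate gives the frequent monitoring the text recommends; Domain Guests does not appear in MemberOf because it is the account's primary group, which is why the filter lists it explicitly.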
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation.
For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. This group includes all users who sign in to a server with Remote Desktop Services enabled.
This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default.
You must install Remote Assistance before it can be used. No Safe to move out of default container? Can be moved out, but we do not recommend it.
Safe to delegate management of this group to non-Service admins? This account cannot be deleted, and the account name cannot be changed. Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested.
Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken.
After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password. An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact of restoring ownership of the account is domain-wide and labor intensive, and it should be undertaken as part of a larger recovery effort.
Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, so almost all subsequent Kerberos operations are affected. All the TGTs that are already issued and distributed will be invalid because the DCs will reject them.
When the password changes, the tickets become invalid. All currently authenticated sessions that logged on users have established based on their service tickets to a resource such as a file share, SharePoint site, or Exchange server are good until the service ticket is required to re-authenticate.
Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected. Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
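Before and after a KRBTGT reset, the question a responder needs answered is whether every writable domain controller already holds the new password, because, as the text says, a DC still on the old password cannot replicate with one that has the new one, and all outstanding TGTs are rejected once the change lands. The following is an added example, not Microsoft's reset script: it reads the krbtgt PasswordLastSet from each writable DC, reports the password age, refuses to proceed while the DCs disagree, and performs the reset against the PDC emulator only when run with -Reset. Microsoft's published guidance is to reset twice, the second time only after the first reset has replicated everywhere, which is the convergence check this script performs.

```powershell
# Added example: krbtgt password age and replication-convergence report, with an opt-in reset.
param([switch]$Reset)

$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
$views = foreach ($dc in $dcs) {
    $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
    [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $k.PasswordLastSet }
}
$views | Format-Table -AutoSize

# Every writable DC must report the same PasswordLastSet before a further reset is safe.
$converged = (($views.PasswordLastSet | Sort-Object -Unique).Count -eq 1)
if (-not $converged) {
    Write-Warning 'krbtgt PasswordLastSet differs between DCs: replication has not converged. Do not reset again yet.'
    return
}
$ageDays = ((Get-Date) - $views[0].PasswordLastSet).TotalDays
Write-Output ("krbtgt password age: {0:N0} days (consistent on {1} DCs)" -f $ageDays, $views.Count)

if ($Reset) {
    # A random 32-byte secret: the KDC derives its key from it and nobody ever types it.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # Reset on the PDC emulator so all DCs pull the new key from one source.
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $pw
    Write-Output "krbtgt reset on $pdc. Issued TGTs will now be rejected; re-run this report until all DCs agree before a second reset."
}
```

Read-only domain controllers keep their own krbtgt_NNNNN accounts and are excluded by the IsReadOnly filter; as the text notes, a reset must be expected to affect every user and computer, and rebooting affected machines is the reliable way to get them to re-authenticate.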
Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table. After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers.
You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer.
In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner.
For more information about creating and managing local user accounts in Active Directory, see Manage Local Users. You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network. You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager SCM tool.
For more information, see Microsoft Security Compliance Manager. Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object.
This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts. Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach:.
Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure.
Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit. Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems.
When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit.
Create dedicated workstation hosts for administrators. Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them.
Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur. Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations.
Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines. Privileged account: allocate administrator accounts to perform the following administrative duties only.
Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest.
Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units OUs. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels.
Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities. Standard user account: grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights.
Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section. Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers.
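The membership limits and account separation described above can be checked rather than assumed. The following added example, not Microsoft code, lists the effective (nested) user members of Administrators, Domain Admins and Enterprise Admins, reports the head count per group, and flags accounts that look like they are used for more than administration; the presence of a mail attribute on a privileged account is used here as a heuristic for "can access email", which is an assumption of this script, not a rule from the text.

```powershell
# Added example: audit membership of the high-value administrator groups.
$groups = 'Administrators', 'Domain Admins', 'Enterprise Admins'

$results = foreach ($g in $groups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }   # Enterprise Admins exists only in the forest root domain

    # -Recursive expands nested groups so indirect members are counted too.
    $members = Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties mail, LastLogonDate, PasswordLastSet, Enabled

    foreach ($m in $members) {
        $flags = @()
        if ($m.mail)        { $flags += 'has mail attribute (dual-use account?)' }
        if (-not $m.Enabled) { $flags += 'disabled but still a member' }
        if ($m.PasswordLastSet -and $m.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
            $flags += 'password older than one year'
        }
        [pscustomobject]@{
            Group     = $g
            Account   = $m.SamAccountName
            LastLogon = $m.LastLogonDate
            Flags     = ($flags -join '; ')
        }
    }
}

$results | Sort-Object Group, Account | Format-Table -AutoSize

# The goal is the smallest possible membership: show the head count per group.
$results | Group-Object -Property Group | Select-Object Name, Count
```

A separate standard account per administrator, as the guidelines require, means the privileged accounts listed here should carry no mailbox and should sign in only from the dedicated administrative workstations named earlier.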