ActiveRoles How To Guide
How-To Guide
Copyright 2021 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
What’s New
What’s new in Active Roles 7.4.x
What’s new in Active Roles 7.3
What’s new in Active Roles from version 7.0
System Requirements
Ports Used by Active Roles
Product Licensing
Clean Installation
Installing the Active Roles service
Installing the Web interface
Synchronization Service
Capture Agent
Upgrade from Quick Connect
Limitations
Synchronization Service upgrade
Communication Ports
Customizations
Troubleshooting
Performance
Safe Mode
Error and Log resources
Active Roles Log Viewer
Replication
Service Account
Changing Active Roles service account credentials
Changing Service account credentials for SQL database connection
About us
Contacting us
Technical support resources
What’s New
For detailed information about new features, see the latest Active Roles What’s New Guide.
• Support for cloud remote mailboxes for on-premises users. Active Roles version 7.5
updates the behavior of the Azure Backsync workflow in the Active Roles
Synchronization Service, allowing administrators to set up cloud remote mailboxes
for on-premises users as well.
A new Remote Mailbox check box has been added to the Settings > Configure
Azure BackSync... > Configure BackSync operation in Azure with on-prem
Active Directory objects dialog, which, when selected, creates a new Azure
Backsync workflow (AutoCreated_ARRemoteMailbox) in addition to the existing
AutoCreated_AzureADBackSyncWorkFlow workflow. This new AutoCreated_ARRemoteMailbox
workflow synchronizes the on-premises users with their existing Exchange Online email
addresses (namely, the cloud UserPrincipalName property of the remote mailbox
with the on-premises edsvaMsExchangeRemoteMailRoutingAddress attribute stored in
Active Roles).
Enhancements
Silent Install
The Active Roles installer, Setup.exe has command-line options for a silent installation.
For more details, refer to KB 185799
Example:
Setup.exe /quiet /install ADDLOCAL=Service,Console /IAcceptActiveRolesLicenseTerms
Configuration Center
The Configuration Center unifies management of core configuration for the Active Roles
Administration Service and Web Interface, allowing administrators to perform the core
configuration tasks from a single location.
Active Roles also provides two Windows PowerShell modules:
• ActiveRolesManagementShell
• ActiveRolesConfiguration
ActiveRolesManagementShell
• Provides cmdlets for managing users, groups, computers, and other objects in Active
Directory via Active Roles; managing digital certificates; and administering certain
Active Roles objects.
• Cmdlets are prefixed with QAD or QARS, such as New-QADUser, Add-QADCertificate, or
New-QARSAccessTemplateLink.
ActiveRolesConfiguration
• Provides cmdlets for configuring Active Roles Administration Service instances and
Web Interface sites.
• Available on 64-bit (x64) systems only. It requires the Active Roles Administration
Service or Web Interface to be installed; otherwise, the module does not provide
all cmdlets.
• The cmdlets in this module have their noun prefixed with AR, such as
New-ARDatabase, New-ARService, or New-ARWebSite.
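The following session is an added example and is not code from the One Identity guide. It uses the ActiveRolesManagementShell module in proxy mode, so that the request is processed by the Administration Service (and Active Roles policies and Access Templates apply to it) instead of being written straight to a domain controller. The server name, OU and account values are placeholders, and the parameter names used (-Proxy, -Service, -ParentContainer, -SamAccountName, -UserPassword) should be checked against the Management Shell help for the installed version.

```powershell
# Added example, not from the One Identity guide. All names are placeholders.
Import-Module ActiveRolesManagementShell

# -Proxy connects through the Administration Service instead of binding directly to a
# domain controller, so Access Templates, policies and workflows are enforced on the change.
# Without -Proxy the QAD cmdlets talk to AD directly and Active Roles never sees the request.
Connect-QADService -Service 'ars01.corp.example' -Proxy

$ou = 'OU=Contractors,DC=corp,DC=example'   # assumed target OU

# Prompt for the initial password rather than embedding it in the script.
$initialPassword = Read-Host -Prompt 'Initial password for the new account'

$user = New-QADUser -ParentContainer $ou -Name 'Jane Doe' -SamAccountName 'jdoe' `
                    -UserPassword $initialPassword

# Read the object back over the same proxied connection to confirm what Active Roles created.
Get-QADUser -Identity $user.DN | Select-Object Name, SamAccountName, AccountIsDisabled

Disconnect-QADService
```

If the cmdlets are run without -Proxy they operate with the caller's own AD rights and bypass Active Roles entirely, which is usually not what a delegated administrator should be able to do; keep direct (non-proxy) use to service accounts that genuinely need it.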
System Requirements
For the complete system requirements, please refer to the latest Active Roles Release Notes.
The following are the important system requirements for Active Roles installation:
• Operating systems supported for Active Roles installation: Microsoft Windows Server
2008 R2 and later, including Windows Server 2019
• SQL Server requirements: Microsoft SQL Server 2012 through SQL Server 2019
• Microsoft .NET Framework: .NET Framework 4.7.2
• Other software required for Active Roles may be installed from the Redistributables
folder on the installation media.
Resource Usage
The sizing of disk space and the SQL database capacities are best planned out by using the
Resource Usage Calculator, which is found in the Documentation folder on the
installation disk or image.
The Resource Usage Calculator is included with the installation media and can be
found under:
Documentation\ActiveRoles_7.4_ResourceUsageCalc.xls
For more information on the system requirements, please see the Pre-Installation and
Upgrade section for the Active Roles Diagnostic and System Readiness Checker tools.
Ports Used by Active Roles
Domain controllers
• This port is required only if Active Roles is configured to access the domain by using SSL.
• The TCP port allocated by the RPC endpoint mapper for communication with the
domain controller
Active Directory domain controllers can be configured to use specific port numbers for RPC
communication. For instructions, see http://support.microsoft.com/kb/224196.
Exchange servers can be configured to use specific port numbers for RPC communication.
For instructions, see http://support.microsoft.com/kb/270836.
Computer restart
Home folder servers
• Port 139 (SMB/CIFS on the servers that host home folders), TCP, inbound/outbound
• Port 445 (SMB/CIFS on the servers that host home folders), TCP, inbound/outbound
Mail
Active Roles uses SMTP port 25 by default. The default port number can be changed in the
properties of the Mail Configuration object in the Active Roles console. If Mail Configuration
specifies a different port, open that port rather than port 25.
AD LDS
• The TCP port specified when registering the AD LDS instance with Active Roles
SQL Server
If the SQL Server that hosts the Active Roles database is located behind a firewall, open the
following ports between the Active Roles Administration Service and SQL Server:
• TCP port 1433: open this port if the Active Roles database is on the default instance of
SQL Server. If a different port is assigned to the default instance, open that port rather
than port 1433.
• UDP port 1434 and the TCP port assigned to the named instance: open these if the Active
Roles database is on a named instance of SQL Server. Active Roles uses UDP port 1434
(the SQL Server Browser service) to determine the port assigned to the named instance.
Active Roles clients
If a firewall is required between Active Roles clients, such as the MMC Interface, Web
Interface, ADSI Provider or Management Shell, and the Active Roles Administration Service,
open the following ports in the firewall:
Web Interface
If the Active Roles Web Interface will be accessed through a firewall, open the
following ports:
The Web Interface normally runs over TCP port 80, or over TCP port 443 if SSL is enabled
for the site (SSL is off by default). Enable SSL before exposing the Web Interface beyond
the local host, so that administrator credentials and directory data do not cross the network
in clear text.
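The following PowerShell check is an added example, not part of the One Identity guide. Run from the computer that will host the Administration Service, it tests whether the TCP ports named above are reachable before installation, so a firewall gap is found before the service fails to start. Host names are placeholders; UDP 1434 (SQL Server Browser) cannot be tested with Test-NetConnection and is therefore omitted, so the named-instance TCP port must be confirmed separately.

```powershell
# Added example, not from the One Identity guide. Host names are placeholders.
$sqlServer  = 'sql01.corp.example'     # hosts the Active Roles database (default instance)
$webServer  = 'arsweb01.corp.example'  # Active Roles Web Interface
$fileServer = 'fs01.corp.example'      # servers that host user home folders
$mailRelay  = 'smtp.corp.example'      # SMTP host from the Mail Configuration object

# One entry per TCP port the guide requires for this deployment.
$required = @(
    @{ ComputerName = $sqlServer;  Port = 1433; Purpose = 'SQL Server default instance' }
    @{ ComputerName = $webServer;  Port = 80;   Purpose = 'Web Interface (HTTP)' }
    @{ ComputerName = $webServer;  Port = 443;  Purpose = 'Web Interface (HTTPS, when SSL is enabled)' }
    @{ ComputerName = $fileServer; Port = 139;  Purpose = 'SMB/CIFS home folders' }
    @{ ComputerName = $fileServer; Port = 445;  Purpose = 'SMB/CIFS home folders' }
    @{ ComputerName = $mailRelay;  Port = 25;   Purpose = 'SMTP (default; check Mail Configuration)' }
)

function Test-RequiredPort {
    param([string]$ComputerName, [int]$Port, [string]$Purpose)
    # Test-NetConnection completes a TCP handshake; a closed or filtered port yields $false.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $ComputerName
        Port         = $Port
        Purpose      = $Purpose
        Open         = [bool]$r.TcpTestSucceeded
    }
}

$results = foreach ($p in $required) { Test-RequiredPort @p }
$results | Format-Table -AutoSize

# Fail loudly so the check can gate an unattended (Setup.exe /quiet) deployment.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    throw ('Required ports not reachable: ' + (($closed | ForEach-Object { "$($_.ComputerName):$($_.Port)" }) -join ', '))
}
```

Add the LDAP-over-SSL and RPC ports for each managed domain controller to $required once the values for the environment are known; they are deliberately not hard-coded here because the guide leaves them to the deployment.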
Synchronization Service
The Capture Agent requires this port to be open (on the Domain Controller):
As Active Roles performs operations on objects on behalf of delegated users, the Active
Roles service account requires adequate permissions. It is recommended that the Active
Roles service account (which acts as a proxy for delegated users) be made a member of
Domain Admins to ensure that Active Roles has all the required access; where that is not
acceptable, grant the minimum rights described below instead.
It is possible to separate the tasks managed by the service account from domain
management by specifying distinct accounts for the service and for managing the domain
(an override account for the managed domain).
The service account is used in five main roles, two of which are optional:
NOTE: Contact One Identity Sales for any assistance in engaging One Identity Professional
Services.
The service account must be a member of the local Administrators group on the computer
running the Active Roles Administration Service.
For Active Roles clients to discover available Active Roles services, the service account
must be able to publish itself in Active Directory. On the One Identity sub-container, under
the System container in the domain, grant the following rights:
The service account must have at least Read permissions in any managed domain. In
addition, the service account must have Modify permissions on the Active Directory
objects and containers where the Active Roles security synchronization feature will be used.
Active Roles needs specific read access to be able to read fine-grained password policy
objects in Active Directory (AD). If it is unable to read them, it falls back to the Default
Domain Policy, for example, for password expiry information and password generation, so
generated passwords may not satisfy the fine-grained policy that actually applies to the user.
To enable Active Roles to read fine-grained password policies in AD, you must assign the
List and Read permissions in each managed domain where passwords are managed, on the
following container:
CN=Password Settings Container,CN=System,DC=<domain>
1. Add the account to the Recipient Management role group. For instructions, see
“Manage Role Group Members” at http://technet.microsoft.com/library/jj657492
(exchg.150).aspx.
2. Add the account to the Account Operators domain security group.
3. Enable the account to use remote Exchange Management Shell. For instructions, see
“Enable remote Shell for a user” in the topic “Manage Exchange Management Shell
Access” at http://technet.microsoft.com/library/dd638078(exchg.150).aspx.
4. Ensure that the account can read Exchange configuration data (see Permission to
read Exchange configuration data).
5. Restart the Administration Service after changing the configuration of the account:
Start Active Roles Configuration Center (see “Running Configuration Center” in the
Active Roles Administrator Guide), go to the Administration Service page in the
Configuration Center main window, and then click the Restart button at the top of the
Administration Service page.
To perform Exchange recipient management tasks, Active Roles requires Read access to
Exchange configuration data in Active Directory. This requirement is met if the service
account (or the override account, if specified) has administrator rights, for example, if the
account is a member of the Domain Admins or Organization Management group.
Otherwise, grant the account Read permission on the Microsoft Exchange container, using
the ADSI Edit console.
NOTE: The following instructions apply to the ADSI Edit console that ships with
Windows Server 2012 or Windows Server 2012 R2.
To provide Read access to the service account using the ADSI Edit console:
1. Open the ADSI Edit console, and connect to the Configuration naming context.
2. In the ADSI Edit console, navigate to the Configuration/Services container, right-
click Microsoft Exchange in that container, and then click Properties.
3. On the Security tab in the Properties dialog box that appears, click Advanced.
4. On the Permissions tab in the Advanced Security Settings dialog box, click Add.
5. On the Permission Entry page, configure the permission entry:
a. Click Select a principal, and select the desired account.
b. Ensure that the Type box indicates Allow.
c. Ensure that the Applies to box indicates: This object and all descendant objects.
d. In the Permissions area, select the List contents and Read all properties
check boxes.
e. Click OK.
6. Click OK to close the Advanced Security Settings dialog box, and then click OK to
close the Properties dialog box.
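Both grants above (List and Read on the Password Settings Container in the domain, and List contents plus Read all properties on the Microsoft Exchange container in the configuration naming context) can be applied and verified with the ActiveDirectory module instead of clicking through ADSI Edit. The following PowerShell is an added example, not from the One Identity guide; the account name is a placeholder, and it assumes the module's AD: drive is available and that it runs as an account allowed to modify these ACLs (changing the configuration naming context normally needs Enterprise Admins).

```powershell
# Added example, not from the One Identity guide. 'svc-activeroles' is a placeholder.
Import-Module ActiveDirectory

$serviceAccount = 'svc-activeroles'                       # assumed sAMAccountName
$sid      = (Get-ADUser -Identity $serviceAccount).SID
$domainDN = (Get-ADDomain).DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext

# The two containers the guide names: fine-grained password policies (domain NC)
# and Exchange configuration data (configuration NC).
$targets = @(
    "CN=Password Settings Container,CN=System,$domainDN",
    "CN=Microsoft Exchange,CN=Services,$configNC"
)

# "List contents" + "Read all properties" in the ADSI Edit dialog map to these two rights;
# inheritance All corresponds to "This object and all descendant objects".
$rights      = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

function Grant-ReadAccess {
    param([string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $inheritance)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ReadAccess {
    # Returns $true when an explicit Allow ACE for the account carries both rights.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights
    }
    [bool]$match
}

foreach ($dn in $targets) {
    Grant-ReadAccess -DistinguishedName $dn
    $state = if (Test-ReadAccess -DistinguishedName $dn) { 'verified' } else { 'MISSING' }
    "{0} -> read access {1}" -f $dn, $state
}
```

These two read-only grants, together with the rights listed earlier in this section, are the least-privilege alternative to placing the service account in Domain Admins; Test-ReadAccess can be kept as a recurring check that a later ACL change has not removed them.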
When performing Exchange recipient management tasks on Exchange Server 2013 or later,
Active Roles uses remote Exchange Management Shell to communicate with the Exchange
server. Hence, it is not required to install the Exchange management tools on the computer
running the Administration Service. The following prerequisites apply:
• TCP port 80 must be open between the computer running the Administration Service
and the remote Exchange server.
• The user account the Administration Service uses to connect to the remote Exchange
server (the service account or the override account) must be enabled for remote
Shell. To enable a user account for remote Shell, update that user account by using
the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.
• Windows PowerShell script execution must be enabled on the computer running
the Administration Service. To enable script execution for signed scripts, run
the Set-ExecutionPolicy RemoteSigned command in an elevated Windows
PowerShell window.
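The account preparation steps and the prerequisites above, collected into one script as an added PowerShell example (not from the One Identity guide). It is meant to run in an Exchange Management Shell on an Exchange 2013 or later server; the account and host names are placeholders, and the final remote check assumes WinRM is enabled on the Administration Service host.

```powershell
# Added example, not from the One Identity guide. Names are placeholders.
$account  = 'svc-activeroles'        # service account or override account
$arsHost  = 'ars01.corp.example'     # computer running the Administration Service
$exchHost = 'exch01.corp.example'    # remote Exchange server

# Exchange RBAC role group and the AD group the guide requires.
Add-RoleGroupMember -Identity 'Recipient Management' -Member $account
Add-ADGroupMember   -Identity 'Account Operators'    -Members $account

# Remote Shell access, exactly as the guide describes.
Set-User -Identity $account -RemotePowerShellEnabled $true

function Test-ExchangeAccountReady {
    # $true only when remote Shell is enabled AND the account is in Recipient Management.
    param([string]$Identity)
    $rps    = (Get-User -Identity $Identity).RemotePowerShellEnabled
    $inRole = @(Get-RoleGroupMember -Identity 'Recipient Management' |
                Where-Object { $_.Name -eq $Identity }).Count -gt 0
    [bool]($rps -and $inRole)
}

if (-not (Test-ExchangeAccountReady -Identity $account)) {
    throw "$account is not ready for remote Exchange Management Shell"
}

# From the Administration Service host: TCP 80 to Exchange and the script execution policy.
Invoke-Command -ComputerName $arsHost -ArgumentList $exchHost -ScriptBlock {
    param($target)
    [pscustomobject]@{
        Port80Open      = (Test-NetConnection -ComputerName $target -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
        ExecutionPolicy = Get-ExecutionPolicy      # the guide calls for RemoteSigned
    }
}
```

Restart the Administration Service from the Configuration Center after the account changes, as step 5 above requires; the group memberships are read at service start.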
Product Licensing
After installing Active Roles 7.x (or upgrade to Active Roles 7.x), no additional steps are
required to activate the purchased commercial license for Active Roles.
Product usage statistics may be used to verify Active Roles licensing compliance. For
further details, see Evaluating Product Usage in the Active Roles Administrator Guide.
Pre-Installation and Upgrade
Active Roles 7.4.x supports a direct upgrade from versions 6.9 and later, including 7.2.1.
To install the Active Roles Diagnostic Tools:
1. Install the Active Roles Diagnostic Tools, which include the Active Roles System
Checker. Run System Checker before installing to confirm that the server has adequate
resources to host and run Active Roles. Navigate to the installation media.
2. Go to Solutions | Diagnostic Tools.
3. Double-click to run ActiveRolesDiagnosticsTools_1.4.1.msi.
The Active Roles Diagnostic Tools Setup Wizard is displayed.
4. Click Next.
5. In the License Terms window, read and accept the license agreement and click Next.
6. In the Custom Setup window, select the tools to install. It is recommended to install
the Active Roles Log Viewer, Directory Changes Monitor, and the Active Roles System
Checker for later use. Click Next.
7. In the Ready to Install window, click Install.
8. After the tools are installed, click Finish.
To run the System Checker:
1. From the Windows Start menu, select Active Roles System Checker.
The Active Roles System Checker window is displayed.
2. On this screen, click the Additional Resources link to learn more about Active
Roles. Click Finish.
Clean Installation
For an installation demonstration, please refer to the following knowledge base article:
https://support.oneidentity.com/kb/258459
1. Run ActiveRoles.exe.
2. Accept the licensing agreement and click Next.
3. Select the desired components and click Next.
4. Review the summary and click Install.
By default, the I want to perform configuration option is selected.
Upgrading from Active Roles 6.9 to a 7.x version is a side-by-side upgrade, which does not
interrupt operations or affect the configuration of the currently installed Active Roles
version. To ensure a smooth upgrade to the new Active Roles version, upgrade the
Administration Service first, and then upgrade the Web Interface.
The upgrade does not use the Active Roles 6.9 components, nor does it uninstall any
components of the earlier version.
Before upgrading to the latest version of Active Roles, the add-ons of the earlier versions
must be uninstalled.
• After an upgrade of Active Roles components to Active Roles 7.4.x, the Office 365
add-on that was supported in earlier versions of Active Roles ceases to work.
Hence, it is recommended to uninstall the Office 365 add-on prior to the upgrade of
Active Roles.
• The Office 365 add-on is not supported on Active Roles 7.3 or later and must be
uninstalled prior to installing the new version.
• Active Roles 7.4.x manages Office 365 and Azure AD natively.
For an upgrade demonstration, please refer to the following knowledge base article:
https://support.oneidentity.com/kb/257995
• There is no need to break replication when upgrading to Active Roles 7.4.x from 6.9,
as Active Roles 7.3 or later does not support an in-place upgrade in this scenario. A
NOTE: During and after the installation of Active Roles 7.4.x, the existing installation
of Active Roles 6.9 will be available and fully functional. Hence, users will not be
affected during the upgrade process, with the exception of Dynamic Groups. For more
details please review the knowledge base article,
https://support.oneidentity.com/kb/211388.
• An upgrade of the Active Roles components may affect custom solutions. Custom
solutions (such as scripts and other modifications) that work as expected with an
earlier version of Active Roles may cease to work after the upgrade. Before starting an
upgrade, test the existing solutions with the new version of Active Roles in a lab
environment to verify that they continue to work as expected after the upgrade.
• If ERFM (Exchange Resource Forest Management) is installed on Active Roles 6.9, it
must be uninstalled before installing 7.4.x, as ERFM is now part of the product.
Failure to uninstall ERFM beforehand may result in conflicts and issues.
• If the Lync Add-On is installed, it must be uninstalled before installing Active Roles
7.4.x, as Lync support is now an integrated product feature.
• If the Office 365 Add-On is installed, it must be uninstalled before installing Active
Roles 7.4.x, as this functionality is replaced with the built-in Azure Active Directory
hybrid integration.
• For additional information, please review Solution 111679:
https://support.oneidentity.com/kb/111679
• Due to the design changes implemented in the Active Roles 7.x Web Interface, Web
Interface sites and customizations from Active Roles 6.9 may not function in Active
Roles 7.4.x. It is recommended not to import them. Please refer to KB 189186 for
additional information:
https://support.oneidentity.com/kb/189186
1. In the Active Roles Configuration Center, click Import Management History under
Administration Service.
2. Enter the Active Roles 6.9 source database and appropriate credentials and
click Next.
3. Select the destination database and click Next.
4. Choose the records to import and click Next.
5. Confirm the settings and click Import.
The progress screen is displayed, and after completion, the summary is displayed.
Office 365 Add-On that was previously available for Active Roles is no longer compatible
with Active Roles 7.4.x. Before proceeding with the upgrade starting from 7.0.x, the Office
365 Add-On must be uninstalled.
For an upgrade demonstration, please refer to the following knowledge base articles:
• https://support.oneidentity.com/kb/257996
• https://support.oneidentity.com/kb/257997
Before upgrading, it is recommended to back up the Active Roles database. For general
best practices, please refer to the following Microsoft article:
https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/create-a-full-
database-backup-sql-server
It is recommended to back up the current Web Interfaces if any customizations have been
implemented.
Any Web Interfaces that were created in Active Roles 7.2.x will continue to function in
7.4.x. However, it is recommended to thoroughly test before upgrading, as some
customizations may not work as expected in newer versions of Active Roles.
Synchronization Service
Formerly a standalone product called Quick Connect, the Synchronization Service is now
part of Active Roles 7.4.x.
With Synchronization Service, complete automation can be implemented to process data
synchronization between the data systems.
Synchronization Service increases the data management efficiency by allowing automation
of the creation, deprovision, and update operations between data systems. For example,
when an employee joins or leaves the organization, the related information in the data
systems managed by Synchronization Service is automatically updated, thereby reducing
the administrative workload and getting the new users up and running faster.
In order to synchronize identity data between external data systems, Synchronization
Service must be configured to connect to these data systems through connectors. A
connector enables Synchronization Service to access a specific data system and to read and
synchronize data in that system according to its settings. Out of the box, Synchronization
Service includes a number of built-in connectors:
• Active Roles versions 7.4.x, 7.3, 7.2.x, 7.1, 7.0 and 6.9
• Identity Manager version 8.1, 8.0, or 7.0
• Quest One Identity Manager version 6.1 or 6.0
• Delimited text files
• Microsoft Active Directory Domain Services
• Microsoft Active Directory Lightweight Directory Services
• Microsoft Azure Active Directory
• Microsoft Exchange Server
• Microsoft Skype for Business Server
• Microsoft Office 365
• Microsoft SharePoint
• Microsoft SQL Server
• OLE DB-compliant relational databases
• Generic LDAP directory services
• MySQL databases
Capture Agent
Synchronization Service Capture Agent allows password synchronization between Active
Directory domains managed by Synchronization Service and other connected data
systems. The Password Synchronization feature of Synchronization Service works as follows:
Capture Agent tracks changes to user passwords in the source Active Directory domain and
provides that information to Synchronization Service, which in turn synchronizes the
changes with the target connected data systems according to the configured password
synchronization rules. To synchronize passwords, install a Capture Agent on each domain
controller in the Active Directory source domain.
Limitations
Synchronization Service is unable to run synchronization workflows that employ
connections to the following systems:
If it is necessary to synchronize data held in these systems, continue using Quick Connect
as not all connectors provided by Quick Connect are included with Synchronization Service.
Alternatively, One Identity Manager may support these systems.
Communication Ports
Table 2: Communication ports
Port 3269 TCP, Global Catalog over SSL (only required if SSL is used to connect to AD), outbound
For further information regarding Synchronization Service, refer to the latest Active
Roles Synchronization Service Administrator Guide included with the Active Roles
installation media.
Active Roles version 7.4.x supports integration with One Identity Starling services. The
Starling Join feature in Active Roles enables you to connect to One Identity Starling,
the Software as a Service (SaaS) solution of One Identity. The Starling Join feature provides
access to Starling services through Active Roles, allowing you to benefit from services
such as Two-factor Authentication and Identity Analytics and Risk Intelligence.
To start the wizard, click Configure in the One Identity Starling area on the Dashboard page
in the Configuration Center main window. For further information and step-by-step
instructions, see the “Initial configuration” topic in the “Installing and configuring the Web
Interface” section in the Active Roles Quick Start Guide.
A video demonstration is available in the following knowledge base article:
https://support.oneidentity.com/kb/258341
In order to use Starling Two-Factor Authentication with Active Roles, you must first
join Active Roles to One Identity Starling in the Active Roles Configuration Center. The
Join to One Identity Starling wizard also includes links that provide assistance for
using Starling:
• The Online link displays information about the Starling product and the benefits you
can take advantage of by subscribing to Starling services.
• The Trouble Joining link displays the Starling support page with information on the
requirements and process for joining with Starling.
Reports
Reporting is an optional component of Active Roles. To use Active Roles reports, the
following components are required:
• Microsoft SQL Server Reporting Services (SSRS) must be installed and configured.
NOTE: If the SQL Server service and SSRS are on different hosts, a “double-hop”
authentication issue may occur. For more information, see the knowledge base
article, https://support.oneidentity.com/kb/69693.
• The Active Roles service account must have sufficient permissions to create and
write to a database on the SQL Server.
• The Active Roles service account must have sufficient permissions to publish reports
on the SSRS server.
NOTE: Quest Knowledge Portal is no longer included with Active Roles 7.x. To
view reports, use the native SQL Server Reporting Services report URL.
Customizations
Custom solutions (scripts or other modifications) may not function properly after an
upgrade due to compatibility issues. Prior to attempting an upgrade, test existing
customizations with the new version of Active Roles in a lab or test environment to verify
that the customizations function as expected. If compatibility issues arise during the test
process, please contact One Identity Sales to arrange assistance from One Identity
Professional Services.
Troubleshooting
• Performance
• Safe Mode
Performance
For Active Roles performance, please refer to the following knowledge base article:
https://support.oneidentity.com/kb/185471
Safe Mode
Active Roles provides a troubleshooting option, referred to as safe mode, which starts the
Administration Service in a limited state. When safe mode is enabled, the Administration
Service disregards the following:
• Custom policies
• Workflows
• Scripts
• Scheduled tasks
• Other customizations that may block Active Roles from starting and operating
normally
In safe mode, the Administration Service also rejects connections from any user other than
an Active Roles Admin. An Active Roles Admin can connect to the Administration Service
and make changes to fix or remove the customizations that cause issues, and then disable
safe mode.
1. Log on to the computer running the Administration Service with a user account that
has administrator rights on that computer.
NOTE: Local administrator rights are required to enable or disable safe mode.
Error and Log resources
In versions earlier than Active Roles 7.0, after the logs are generated they are sent to
One Identity Support for analysis, as the logs on their own can be difficult to read.
Active Roles Log Viewer
The Active Roles Log Viewer, installed with the Active Roles Diagnostic Tools, displays:
• Errors encountered by the Administration Service and recorded in the log file
• Requests processed by the Administration Service and traced in the log file
• All trace records found in the diagnostic log file
• All events found in the event log file
Select an error in the list, and choose the command to look for a solution in the Knowledge
Base. The command searches the One Identity Software Knowledge Base and lists the
Knowledge Articles that can help troubleshoot the selected error. Log Viewer can also be
used to:
• Search the list for a particular text string, such as an error message
• Filter the list by various conditions, to narrow the set of list items of interest
• View detailed information about each list item, such as error details, request details
or stack trace
The logs grow in size quickly. Therefore, it is recommended to enable logging right before
reproducing the issue and to disable it immediately after the issue has been reproduced.
The file captures any activity performed by the service, including the tasks performed by
connected users while debug logging is enabled. Because it records directory operations and
the users who requested them, treat the log as sensitive data: restrict access to the log
location and remove the files once the support case is closed.
In some scenarios, it may be required to leave logging on for a specific period of time.
Because the logs are stored on the computer running Active Roles, sufficient hard drive
space may not be available. In this event, the following solution can help to set logging for
a specific interval and move the logs to another drive or network share:
https://support.oneidentity.com/kb/8617
For the Web Interface, there is a separate log file, <name of Site>.log.
Replication
For a video demonstration, please refer to the following knowledge base article:
https://support.oneidentity.com/kb/234198
For additional information and troubleshooting, please refer to the latest Active Roles
Administration Guide.
The Management History feature provides information on who did what and when it was
done with regard to the Active Directory management tasks performed using Active Roles.
This feature provides a clear log, documenting the changes that have been made to a given
object, such as a user or group object. The log includes entries regarding actions
performed, success or failure of the actions, as well as which attributes were changed.
The Management History feature can be used to examine:
• Change History: information on changes that were made to directory data via
Active Roles.
• User Activity: information on management actions that were performed by a
given user.
Both Change History and User Activity use the same source of information—the
Management History log, also referred to as the Change Tracking log. For information on
the configuration settings of the Change Tracking log, see the Management History
configuration section.
Active Roles also includes reports to examine management history by collecting and
analysing event log records. For more information on reports, see the Active Roles
Reporting section. However, the process of retrieving and consolidating records from the
event log may be time-consuming and inefficient.
NOTE: You must import the Management History from the old version after an
upgrade in order to perform Deprovisioning operations and Undo Temporal Group
operations.
Management History is designed to answer questions such as:
• Who made the most recent changes to a given user or group object?
• Who modified a given user or group object during the last X days?
• What changes were made to a given user object last night (yesterday, the
day before)?
• Have any planned modifications of a given user or group object actually been
performed?
• What objects did a given delegated administrator modify during the last X days?
Management History has the following limitations:
• An excessive increase in the log size significantly increases the time required to build
and display Change History and User Activity results.
• As the log size grows, so does the size of the configuration database. This
considerably increases the time required to back up and restore the database, and
causes high network traffic when the database is replicated to an additional
Administration Service joined to Active Roles replication.
• The GUI is not suitable for representing large volumes of Management History results
in a manageable fashion. Since there are no filtering or paging capabilities, it may be
difficult to sort through the results.
To address these limitations, Active Roles provides a different means of change auditing:
the change-tracking reports included with the Active Roles Report Pack. These reports are
designed to answer the same questions.
Change-tracking reports are based on data collected from event logs. A separate log is
stored on each computer running the Administration Service, and each log contains events
generated by one Administration Service only. Therefore, to use reports, the events from
all event logs need to be consolidated to form a complete audit trail. The process of
consolidating events, referred to as the data collection process, is performed by a separate
Active Roles component—Collector. The Collector wizard can be configured to execute data
collection jobs, and schedule them to run on a regular basis. The main limitation of change-
tracking reports is the fact that the information needs to be collected and consolidated in a
separate database before the reports can be built. The data collection process exhibits the
following disadvantages:
• Collecting data may be a very lengthy operation, and the database size may grow
unacceptably when collecting all events that occurred within a long period of time in
a large environment.
• Collecting data is impossible over slow WAN links. This limitation is inherent to the
Active Roles component intended to collect data for reporting.
Reference
Management History is being synchronized, the Active Roles service is unavailable:
https://support.oneidentity.com/kb/103363
Management History Wizard:
https://support.oneidentity.com/kb/90375
Important Considerations
The Management History Migration Wizard was designed for a "one-to-one" database
migration for an Active Roles upgrade. It was designed to speed up the upgrade process as
Service Account
Active Roles 7.0 introduced the Configuration Center, which provides a simple method for
changing or updating the Active Roles service account.
To start using the new credentials, you must restart the service. Restart the service
immediately or later, at a more convenient time.
About us
One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.
Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx
or call +1-800-306-9329.