|
| |
| Sun Java[TM] System Identity Manager 7.1 Resources Reference | |
Windows NTThe Windows NT resource adapter is defined in the com.waveset.adapter.NTResourceAdapter class. It provides support for the following:
Resource Configuration Notes
This section describes Windows NT provisioning across multiple domains with two-way trusts.
The following constraints apply when managing multiple domains from a single domain.
These trusts must be established:
- The gateway domain needs to trust each domain in which a resource admin account is defined.
- The gateway does a local login using the resource admin account, so its domain needs to trust the domain that account lives in.
- The gateway domain needs to trust each domain for which you will be doing pass-through authentication.
- The gateway does a local login to authenticate user accounts, so its domain needs to trust the domain for those accounts.
- The resource admin account must be a member of the Account Operators group in each domain that it will be used to manage accounts. Each of these domains must trust the domain that contains the resource admin account.
- You cannot add an account to a local group unless the account's domain is trusted by the local group's domain.
- The domain of the service account must be trusted by the gateway domain.
When the gateway service is started, a local login of the service account is done. If any of the resource admin accounts are different than the service account or you will be doing pass-through authentication for any of the domains, then the service account needs the Act As Operating System and Bypass Travers Checking user rights in the gateway domain. These rights are required for the service account to login as and impersonate another.
If you will be creating home directories, then the resource admin account needs to be able to create directories on the file system on which the directories will be created. If the home directory will be created on a network drive, the resource admin account must have write access to that share.
If you will be running before, after, or resource actions, the resource admin account needs read and write access to the file system in the TEMP or TMP environment variables of the gateway process; or, if not defined, the gateway process' working directory (this is either WINNT or WINNT\system32).
The gateway writes the scripts and script output to one of these directories (the directory is selected in the order they are mentioned).
Configure a separate resource adapter for each domain. The same gateway host may be used.
It should be possible to manage multiple domains using a single resource by overriding any domain-specific resource attributes (the domain and possibly the administrator and password) for each user.
Identity Manager Installation Notes
The Windows NT adapter does not require any additional installation procedures.
Usage Notes
None
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Sun Identity Manager Gateway to communicate with this adapter.
Required Administrative Privileges
Administrators must have permissions to create and maintain users and groups on the resource.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature
Supported?
Enable/disable account
Yes
Rename account
Yes
Pass-through authentication
Yes
Before/after actions
Yes
Data loading methods
The following admininistrative privileges are required to support Active Directory pass-thru authentication for Windows 2003 running in Windows 2000 mode
- When configuring the Gateway to run as a user, that user must have the Act As Operating SystemUser Right to perform pass-through authentication for the Windows NT and Windows 2000/Active Directory resources. The user must also have the Bypass Traverse Checking User Right, but this right is enabled for all users by default.
- Accounts being authenticated must have the Access This Computer From The Network User Right on the Gateway system.
- When Identity Manager is updating Users Rights, there may be a delay before the security policy is propagated. Once the policy has been propagated, you must restart the Gateway.
- When performing account authentication, use the LogonUser function with the LOGON32_LOGON_NETWORK logon type and the LOGON32_PROVIDER_DEFAULT logon provider. (The LogonUser function is provided with the Microsoft Platform Software Development Kit.)
Account Attributes
The following table provides information about Windows NT account attributes.
Resource Object Management
Identity Manager supports the following objects:
Resource Object
Features Supported
Attributes Managed
Group
Create, update, delete
description, member, groupType
Identity Template
$accountId$
Sample Forms
Built-In
Windows NT Create Group Form
Windows NT Update Group Form
Also Available
NTForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.NTResourceAdapter