Windows NT

Previous Contents Next
Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3

Windows NT

The Windows NT resource adapter is defined in the com.waveset.adapter.NTResourceAdapter class. It provides support for the following:

Full support of users and groups on Microsoft Windows NT 4.0.

Support for local users and groups on Microsoft Windows 2000 and 2003.

Resource Configuration Notes

This section describes Windows NT provisioning across multiple domains with
two-way trusts.

The following constraints apply when managing multiple domains from a single domain.

Note  Terms referenced this section are:

Gateway domain — Domain that the gateway machine is a member of.

Resource admin account — Administrative account defined in the Identity Manager resource.

Service account — Account that the gateway service is running as.

These trusts must be established:

The gateway domain needs to trust each domain in which a resource admin account is defined.

The gateway does a local login using the resource admin account, so its domain needs to trust the domain that account lives in.

The gateway domain needs to trust each domain for which you will be doing pass-through authentication.

The gateway does a local login to authenticate user accounts, so its domain needs to trust the domain for those accounts.

The resource admin account must be a member of the Account Operators group in each domain that it will be used to manage accounts. Each of these domains must trust the domain that contains the resource admin account.

You cannot add an account to a local group unless the account's domain is trusted by the local group's domain.

The domain of the service account must be trusted by the gateway domain.

When the gateway service is started, a local login of the service account is done. If any of the resource admin accounts are different than the service account or you will be doing pass-through authentication for any of the domains, then the service account needs the Act As Operating System and Bypass Travers Checking user rights in the gateway domain. These rights are required for the service account to login as and impersonate another.

If you will be creating home directories, then the resource admin account needs to be able to create directories on the file system on which the directories will be created. If the home directory will be created on a network drive, the resource admin account must have write access to that share.

If you will be running before, after, or resource actions, the resource admin account needs read and write access to the file system in the TEMP or TMP environment variables of the gateway process; or, if not defined, the gateway process' working directory (this is either WINNT or WINNT\system32).

The gateway writes the scripts and script output to one of these directories (the directory is selected in the order they are mentioned).

We recommend that a separate resource adapter be configured for each domain. The same gateway host may be used.

It should be possible to manage multiple domains using a single resource by overriding any domain-specific resource attributes (the domain and possibly the administrator and password) for each user.

Notes:

Since a domain trusts itself, some of the trust relationships do not need to be made explicit when the two domains in questions are really the same domain.

You can use the same account for the resource admin account for all managed domains, as well as the service account, if you set up the appropriate trust relationships, group membership, and user rights.

Identity Manager Installation Notes

The Windows NT adapter does not require any additional installation procedures.

Usage Notes

None

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses the Sun Identity Manager Gateway to communicate with this adapter.

Required Administrative Privileges

Administrators must have permissions to create and maintain users and groups on the resource.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature

Supported?

Enable/disable account

Yes

Rename account

Yes

Pass-through authentication

Yes

Before/after actions

Yes

Data loading methods

  Import from resource

  Reconciliation

Note  The following admininistrative privileges are required to support Active Directory pass-thru authentication for Windows 2003 running in Windows 2000 mode:

  When configuring the Gateway to run as a user, that user must have the Act As Operating SystemUser Right to perform pass-through authentication for the Windows NT and Windows 2000/Active Directory resources. The user must also have the Bypass Traverse Checking User Right, but this right is enabled for all users by default.

  Accounts being authenticated must have the Access This Computer From The Network User Right on the Gateway system.

  When Identity Manager is updating Users Rights, there may be a delay before the security policy is propagated. Once the policy has been propagated, you must restart the Gateway.

  When performing account authentication, use the LogonUser function with the LOGON32_LOGON_NETWORK logon type and the LOGON32_PROVIDER_DEFAULT logon provider. (The LogonUser function is provided with the Microsoft Platform Software Development Kit.)

Account Attributes

The following table provides information about Windows NT account attributes.

Resource
User Attribute

Tab/NT Field

Attribute Type

AccountLocked

General/Account is locked out

Boolean

description

General/Description

String

fullname

General/Full Name

String

groups

Member Of/Member of

String

HomeDirDrive

Profile/Connect

String

HomeDirectory

Profile/Local Path

String

LoginScript

Profile/Login script

String

PasswordNeverExpires

General/Password never expires

Boolean

Profile

Profile/Profile path

String

userPassword

Password

Encrypted

WS_PasswordExpired

General/User must change password at next login

Boolean

PasswordAge

Not displayed by default. Indicates the amount of time since the last password change. To implement use the java.util.Date class to convert the value into a human-readable format.

Int

Resource Object Management

Identity Manager supports the following objects:

Resource Object

Features Supported

Attributes Managed

Group

Create, update, delete

description, member, groupType

Identity Template

$accountId$

Sample Forms

Built-In

Windows NT Create Group Form

Windows NT Update Group Form

Also Available

NTForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.NTResourceAdapter

Previous      Contents      Next

Copyright 2006 Sun Microsystems, Inc. All rights reserved.

Feature	Supported?
Enable/disable account	Yes
Rename account	Yes
Pass-through authentication	Yes
Before/after actions	Yes
Data loading methods	Import from resource Reconciliation

Resource User Attribute	Tab/NT Field	Attribute Type
AccountLocked	General/Account is locked out	Boolean
description	General/Description	String
fullname	General/Full Name	String
groups	Member Of/Member of	String
HomeDirDrive	Profile/Connect	String
HomeDirectory	Profile/Local Path	String
LoginScript	Profile/Login script	String
PasswordNeverExpires	General/Password never expires	Boolean
Profile	Profile/Profile path	String
userPassword	Password	Encrypted
WS_PasswordExpired	General/User must change password at next login	Boolean
PasswordAge	Not displayed by default. Indicates the amount of time since the last password change. To implement use the java.util.Date class to convert the value into a human-readable format.	Int