Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3
Windows NT
The Windows NT resource adapter is defined in the com.waveset.adapter.NTResourceAdapter class. It provides support for the following:
Resource Configuration Notes
This section describes Windows NT provisioning across multiple domains with two-way trusts.
The following constraints apply when managing multiple domains from a single domain.
Note: Terms referenced in this section are:
These trusts must be established:
- The gateway domain needs to trust each domain in which a resource admin account is defined. The gateway does a local login using the resource admin account, so its domain needs to trust the domain in which that account lives.
- The gateway domain needs to trust each domain for which you will be doing pass-through authentication. The gateway does a local login to authenticate user accounts, so its domain needs to trust the domain of those accounts.
- The resource admin account must be a member of the Account Operators group in each domain in which it will be used to manage accounts. Each of these domains must trust the domain that contains the resource admin account.
- You cannot add an account to a local group unless the account's domain is trusted by the local group's domain.
- The domain of the service account must be trusted by the gateway domain.
When the gateway service is started, a local login of the service account is done. If any of the resource admin accounts are different from the service account, or you will be doing pass-through authentication for any of the domains, then the service account needs the Act As Operating System and Bypass Traverse Checking user rights in the gateway domain. These rights are required for the service account to log in as, and impersonate, another account.
If you will be creating home directories, then the resource admin account needs to be able to create directories on the file system on which the directories will be created. If the home directory will be created on a network drive, the resource admin account must have write access to that share.
If you will be running before, after, or resource actions, the resource admin account needs read and write access to the file system in the TEMP or TMP environment variables of the gateway process; or, if not defined, the gateway process' working directory (this is either WINNT or WINNT\system32).
The gateway writes the scripts and script output to one of these directories, selecting the first one that is defined in the order listed above (TEMP, then TMP, then the working directory).
We recommend that a separate resource adapter be configured for each domain. The same gateway host may be used.
It should be possible to manage multiple domains using a single resource by overriding any domain-specific resource attributes (the domain and possibly the administrator and password) for each user.
Notes:
- Since a domain trusts itself, some of the trust relationships do not need to be made explicit when the two domains in question are really the same domain.
- You can use the same account for the resource admin account for all managed domains, as well as the service account, if you set up the appropriate trust relationships, group membership, and user rights.
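The trust, group-membership and user-right constraints above can be checked before deployment. The following is an added example, not Identity Manager or gateway code: it evaluates a constructed gateway configuration (accounts written as "DOMAIN\user", trusts as (trusting, trusted) pairs) against those rules, treating a domain as trusting itself.

```python
# Added example (not Identity Manager code): checks the multi-domain trust,
# group-membership and user-right constraints against a constructed
# gateway configuration. Accounts are written "DOMAIN\\user".

def domain_of(account):
    return account.split("\\", 1)[0]

def trusts(cfg, trusting, trusted):
    # A domain trusts itself, so same-domain pairs need no explicit trust.
    return trusting == trusted or (trusting, trusted) in cfg["trusts"]

def check_gateway_config(cfg):
    """Return the list of unmet constraints; an empty list means the setup is consistent."""
    gw, svc = cfg["gateway_domain"], cfg["service_account"]
    problems = []
    if not trusts(cfg, gw, domain_of(svc)):
        problems.append(f"{gw} must trust service account domain {domain_of(svc)}")
    for managed, admin in cfg["resource_admins"].items():
        adom = domain_of(admin)
        # The gateway logs in locally as the resource admin account.
        if not trusts(cfg, gw, adom):
            problems.append(f"{gw} must trust resource admin domain {adom}")
        # The managed domain must trust the admin's domain and hold it in Account Operators.
        if not trusts(cfg, managed, adom):
            problems.append(f"{managed} must trust resource admin domain {adom}")
        if admin not in cfg["account_operators"].get(managed, set()):
            problems.append(f"{admin} must be in Account Operators of {managed}")
    for dom in cfg["passthrough_domains"]:
        # Pass-through authentication is a local login of the user's own account.
        if not trusts(cfg, gw, dom):
            problems.append(f"{gw} must trust pass-through domain {dom}")
    return problems

def required_service_account_rights(cfg):
    """User rights the service account needs in the gateway domain to impersonate other accounts."""
    svc = cfg["service_account"]
    needs = any(a != svc for a in cfg["resource_admins"].values()) or bool(cfg["passthrough_domains"])
    return ["Act As Operating System", "Bypass Traverse Checking"] if needs else []

# Constructed configuration: gateway in GW, managed domain SALES, pass-through for ENG.
SAMPLE_CONFIG = {
    "gateway_domain": "GW",
    "service_account": "GW\\idmgw",
    "resource_admins": {"SALES": "CORP\\idmadmin"},
    "passthrough_domains": {"ENG"},
    "trusts": {("GW", "CORP"), ("SALES", "CORP")},  # (trusting, trusted); GW->ENG is missing
    "account_operators": {"SALES": {"CORP\\idmadmin"}},
}

if __name__ == "__main__":
    for p in check_gateway_config(SAMPLE_CONFIG):
        print("MISSING:", p)
    print("service account rights:", required_service_account_rights(SAMPLE_CONFIG))
```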
Identity Manager Installation Notes
The Windows NT adapter does not require any additional installation procedures.
Usage Notes
None
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Sun Identity Manager Gateway to communicate with this adapter.
Required Administrative Privileges
Administrators must have permissions to create and maintain users and groups on the resource.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                        Supported?
Enable/disable account         Yes
Rename account                 Yes
Pass-through authentication    Yes
Before/after actions           Yes
Data loading methods           Import from resource; Reconciliation
Note: The following administrative privileges are required to support Active Directory pass-through authentication for Windows 2003 running in Windows 2000 mode:
Account Attributes
The following table provides information about Windows NT account attributes.
Resource Object Management
Identity Manager supports the following objects:
Resource Object    Features Supported        Attributes Managed
Group              Create, update, delete    description, member, groupType
Identity Template
$accountId$
Sample Forms
Built-In
Windows NT Create Group Form
Windows NT Update Group Form
Also Available
NTForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.NTResourceAdapter