Active Roles
03:13
Key benefits
Increase security
Deploy Zero Trust Least Privilege for AD
Delegate permissions based on role to ensure only those who should have access to a given application do, and only for as long as they need it. Find out more
Ensure data integrity and compliance
Maintain accurate data and reporting
Use automation to ensure accuracy and consistency. Audit capabilities provide compliance reporting at your fingertips.
Simplify the management of complex environments
Consolidate onto a single console
Consolidate all AD domains and Azure AD tenants onto a single console, ensuring better visibility and control over your entire AD/AAD environments.
Establish and maintain consistency
Synchronize Directories
Sync multiple data sources across the organization for data consistency and improved security and efficiency.
Bolster efficiency
Automate AD tasks and group management
Automate tasks to ensure accuracy and consistency and reduce manual demands. Easily manage identities and groups and move identities and objects among groups when needed, to accommodate role changes.
Capabilities
Hybrid AD ready
Secure access with role-based delegation and least-privilege access
Automates AD administration
Active Roles excels at automating provisioning of user access rights in AD, AAD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifecycles. Active Roles automates a wide variety of tasks, including:
- Creating user accounts and groups in AD and AAD
- Extending AD/AAD-based account administrative actions to non-Windows systems
- Creating mailboxes in Exchange and Exchange Online
- Populating groups across AD and AAD
- Assigning resources in Windows
When a user’s access needs to be changed or removed, updates are made automatically across all relevant systems and applications in the hybrid AD/AAD, and AD-joined environment. This includes UNIX, Linux and Mac OS X.
Simplifies administration and account lifecycle management and security
Active roles allows you to view and manage multiple AD domains, Azure AD and O365 tenants from a single pane of glass, simplifying administration across your identity ecosystem. With Active Roles, you can manage objects, users and groups, securely synchronizing attributes and passwords from the client domain to the hosted domain. The following can be managed for on-prem, cloud and hybrid environments:
- Exchange recipients, including mailbox/OCS assignment, creation, movement, deletion, permissions and distribution list management
- Groups
- Computers (including shares) printers
- Active Directory security
- Cloud-based Azure AD provisioning
Active Roles includes intuitive interfaces to optimize day-to- day administration and help-desk operations of the hybrid AD/AAD environment via both an MMC snap-in and a web interface.
Ensures AD data integrity and compliance
With Active Roles you can establish consistency and accountability through automation. Audit capabilities support compliance reporting. Along with modern authentication using OAUTH, Active Roles has robust and personalized approval procedures that establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
Active Roles allows you to Sync multiple data sources across the organization for consistency and improved security and efficiency.
Active Roles and OneLogin Workforce Identity Working Together
The powerful combination of Active Roles and OneLogin helps:
- Increase efficiency and consistency of user and group access management across legacy and cloud applications to help accelerate IT admin and user productivity
- Empower organizations to adopt a least-privilege model, strengthening overall security
- Provision role-based access to applications (OneLogin) based on real-time sync with AD (managed by Active Roles) to ensure AD admins and users have only the rights necessary to do their job
Integration with other AD-connected solutions
Secure Privilege Access Management for AD/AAD
Tour
Single Pane of Glass
Resources
Active Roles AD Mgmt
KuppingerCole Report Executive View on Active Roles
Kickstart Zero Trust with Active Roles and OneLogin MFA
10 Steps to enhance the agility, security and performance of Active Directory
IDC Spotlight: Fortify Active Directory to Improve Security and Efficiency
Unified hybrid Active Directory
Ransomware Has Become an Identity Problem
How to manage unwanted guests in Azure Active Directory
Get started now
Support and services
Specifications
Before installing Active Roles 7.4, ensure that your system meets the following minimum hardware and software requirements.
Active Roles includes the following components:
- Administration Service
- Web Interface
- Console (MMC Interface)
- Management Tools
- Synchronization Service
This section lists the hardware and software requirements for installing and running each of these components.
- Platform
Any of the following:
- Intel 64 (EM64T)
- AMD64
- Processor speed: 2.0 GHz or faster
For best results, a multi-core processor recommended.
- Memory
At least 2 GB of RAM. The amount required depends on the total number of managed objects.
- Hard Disk Space
100 MB or more of free disk space. If SQL Server and Administration Service are installed on the same computer, the amount required depends on the size of the Active Roles database.
- Operating System
You can install Administration Service on a computer running:
- Microsoft Windows Server 2019, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2012, Standard or Datacenter edition
NOTE: Active Roles is not supported on Windows Server Core mode setup.
- Microsoft .NET Framework
Administration Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- SQL Server
You can host the Active Roles database on:
- Microsoft SQL Server 2017, any edition
- Microsoft SQL Server 2016, any edition
- Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL)
- Windows Management Framewor
On all supported operating systems, the Administration Service requires Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at http://go.microsoft.com/fwlink/?LinkId=272757).
- Operating system on domain controllers
Active Roles retains all features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Pack:
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012
Active Roles deprecates managed domains with the domain functional level lower than Windows Server 2012. We recommend that you raise the functional level of the domains managed by Active Roles to Windows Server 2012 or higher.
NOTE: Active Roles is not supported on Windows Server Core mode setup.
- Exchange Server
Active Roles is capable of managing Exchange recipients on:
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2010 Service Pack 3
- Microsoft Exchange 2013 CU11 is no longer supported. Refer KB article 202695.
- Platform
Any of the following:
- Intel 64 (EM64T)
- AMD64
- Processor speed: 2.0 GHz or faster
- Memory
At least 2 GB of RAM. The amount required depends on the total number of managed objects.
- Hard Disk Space
About 100 MB of free disk space.
- Operating System
You can install Web Interface on a computer running:
- Microsoft Windows Server 2019 Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2012, Standard or Datacenter edition
NOTE:Active Roles is not supported on Windows Server Core mode setup.
- Microsoft .NET Framework
Web Interface requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- Internet Services
On Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 Web Interface requires the Web Server (IIS) server role with the following role services:
- Web Server/Common HTTP Features/
- Default Document
- HTTP Errors
- Static Content
- HTTP Redirection
- Web Server/Security/
- Request Filtering
- Basic Authentication
- Windows Authentication
- Web Server/Application Development/
- .NET Extensibility
- ASP
- ASP.NET
- ISAPI Extensions
- ISAPI Filters
- Management Tools/IIS 6 Management Compatibility/
- IIS 6 Metabase Compatibility
- Handler Mappings
- Modules
Internet Information Services (IIS) must be configured to provide Read/Write delegation for the following features:
Use Feature Delegation in Internet Information Services (IIS) Manager to confirm that these features have delegation set to Read/Write.
- Web Server/Common HTTP Features/
- Web browser
You can access Web Interface using:
- Firefox 36 on Windows
- Google Chrome 61 on Windows
- Windows Internet Explorer 11
- Microsoft Edge on Windows 10
You can use a later version of Firefox, Google Chrome or Internet Explorer to access Web Interface; however, Web Interface 7.4 has been tested only against the browser versions listed above.
- Minimum screen resolution
Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.
- Platform
Any of the following:
- Intel x86
- Intel 64 (EM64T)
- AMD64
- Processor speed: 1.0 GHz or faster
- Memory (RAM)
At least 1 GB of RAM. The amount required depends on the total number of managed objects.
- Hard Disk Space
About 100 MB of free disk space.
- Operating System
You can install Active Roles console on a computer running:
- Microsoft Windows Server 2019, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows 7 Ultimate, Professional, or Enterprise edition, 32-bit (x86) or 64-bit (x64) Service Pack 1
- Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
NOTE: Active Roles is not supported on Windows Server Core mode setup.
- Microsoft .NET Framework
Active Roles console requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- Web browser
Active Roles console requires Internet Explorer 11.
Management Tools is a composite component that includes the Active Roles Management Shell, ADSI Provider, and SDK. On a 64-bit (x64) system, Management Tools also include the Active Roles Configuration Center.
- Platform
Any of the following:
- Intel x86
- Intel 64 (EM64T)
- AMD64
- Processor speed: 1.0 GHz or faster
- Memory (RAM)
At least 1 GB of RAM.
- Hard Disk Space
About 100 MB of free disk space.
- Operating System
You can install Management Tools on a computer running:
- Microsoft Windows Server 2019, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
NOTE: Active Roles is not supported on Windows Server Core mode setup.
- Microsoft .NET Framework
Management Tools require Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- Windows Management Framework
On all supported operating systems, Management Tools require Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at https://www.microsoft.com/en-us/download/details.aspx?id=54616).
- Remote Server Administration Tools (RSAT)
To manage Terminal Services user properties by using Active Roles Management Shell, Management Tools require Remote Server Administration Tools (RSAT) for Active Directory. See Microsoft’s documentation for instructions on how to install Remote Server Administration Tools appropriate to your operating system.
- Platform
Any of the following:
- Intel 64 (EM64T)
- Processor speed: 2.0 GHz or faster
- AMD64
For best results, a multi-core processor recommended.
- Memory
At least 2 GB of RAM. The amount required depends on the number of objects being synchronized.
- Hard disk space
250 MB or more of free disk space. If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.
- Operating System
You can install the Synchronization Service on a computer running:
- Microsoft Windows Server 2019, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2012, Standard or Datacenter edition
NOTE:Active Roles is not supported on Windows Server Core mode setup.
- Microsoft .NET Framework
Synchronization Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- SQL Server
You can host the Synchronization Service database on:
- Microsoft SQL Server 2017, any edition
- Microsoft SQL Server 2016, any edition
- Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Windows Management Framework
On all supported operating systems, the Synchronization Service requires Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at https://www.microsoft.com/en-US/download/details.aspx?id=54616).
- Supported connections
The Synchronization Service can connect to:
- Microsoft Active Directory Domain Services with the domain or forest functional level of Windows Server 2012 or higher
- Microsoft Active Directory Lightweight Directory Services running on any Windows Server operating system supported by Microsoft
- Microsoft Exchange Server version 2019, 2016, 2013, or 2010
NOTE: Microsoft Exchange 2013 CU11 is no longer supported. Refer KB article 202695.
- Microsoft Lync Server version 2013 with limited support
- Microsoft Skype for Business 2019, 2016 or 2015
- Microsoft Windows Azure Active Directory using the Azure AD Graph API version 1.6.
- Microsoft Office 365 directory
- Microsoft Exchange Online service
- Microsoft Skype for Business Online service
- Microsoft SharePoint Online service
- Microsoft SQL Server, any version supported by Microsoft
- Microsoft SharePoint 2019, 2016, or 2013
- Active Roles version 7.4, 7.3, 7.2, 7.1, 7.0, and 6.9
- One Identity Manager version 7.0 (D1IM 7.0)
- One Identity Manager version 8.0
- Support for Generic LDAP Connector, MY SQL Connector, Open LDAP Connector, IBM Db2 Connector, Salesforce Connector, Service now Connector, and RACF Connector.
- Data sources accessible through an OLE DB provider
- Delimited text files
- Legacy Active Roles ADSI Provider
To connect to Active Roles version 6.9, the Active Roles ADSI Provider of the respective version must be installed on the computer running the Synchronization Service. For installation instructions, see the Quick Start Guide for the appropriate Active Roles version.
- Microsoft Exchange Server Management Tools
To connect to Exchange Server 2007, the Exchange 2007 SP3 management tools must be installed on the computer running the Synchronization Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.
- Azure AD Module for Windows PowerShell Version 2
To connect to the Office 365 directory, the following module must be installed on the computer running the Synchronization Service:
- Azure Active Directory Module for Windows PowerShell
For installation instructions, see “Install the Azure AD Module” at https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.
- Windows PowerShell Module for Skype for Business Online
To connect to the Lync Online service, Windows PowerShell Module for Lync Online must be installed on the computer running the Synchronization Service. For installation instructions, see “Windows PowerShell Module for Lync Online” at http://go.microsoft.com/fwlink/?LinkId=294688.
- SharePoint Online Management Shell
To connect to the SharePoint Online service, SharePoint Online Management Shell must be installed on the computer running the Synchronization Service. For installation instructions, see “SharePoint Online Management Shell” at http://go.microsoft.com/fwlink/?LinkId=255251.
- One Identity Manager API
To connect to One Identity Manager 7.0, One Identity Manager Connector must be installed on the computer running the Synchronization Service. This connector works with RESTful web service and SDK installation is not required.
- Internet Connection
To connect to cloud directories or online services, the computer running the Synchronization Service must have a reliable connection to the Internet.
- Microsoft .NET Framework
Synchronization Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=294688
- Additional Requirements
To synchronize passwords from an Active Directory domain to some other connected data system, you must install the Sync Service Capture Agent on all domain controllers in the source Active Directory domain.
The domain controllers on which you install Sync Service Capture Agent must run one of the following operating systems with or without any Service Pack (both x86 and x64 platforms are supported):
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012
For more information, see the Active Roles Synchronization Service Administrator Guide.
For instructions on how to upgrade Active Roles, refer to the Active Roles Quick Start Guide.
When performing the upgrade, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure smooth upgrade to the new version, you should first upgrade the Administration Service and then upgrade the client components (Console and Web Interface).
Custom solutions (scripts or other modifications) that rely on the functions of Active Roles may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of the product in a lab environment to verify that the solutions continue to work.
The following table shows the version upgrade path that you can take from one version of the product to another. Source version refers to the current product version that you have installed. Destination version refers to the highest version of the product to which you can upgrade.
Source version
Destination version
6.9.0
7.4
7.0
7.4
7.1
7.4
7.2
7.4
7.3
7.4
