Active Roles
Hybrid AD Management and Security
Hybrid Active Directory, simple and secure
Administrators struggle to keep up with requests to create, change or remove access with today’s hybrid AD environments and the limited capabilities of native tools of Microsoft Active Directory (AD) and Azure Active Directory (AAD). Thankfully, help has arrived. With One Identity Active Roles, you can solve your security issues and meet those never-ending compliance requirements by securing and protecting on-prem and cloud AD resources simply and efficiently.
- Overcomes native-tools limitations
- Manages identities for Exchange Online, Lync, SharePoint Online and many more
- Provides a single, intuitive tool for hybrid environment
Features
Hybrid AD-ready
Active Roles is optimized to serve the needs of both on-prem AD and Azure AD in a hybrid deployment. It offers a single console, unified workflows, and a consistent administrative experience across the entire hybrid environment. It eliminates the cumbersome, error-prone, and limited nature of using separate tools and manual processes.
Secure access
Active Roles provides comprehensive privileged account management for Active Directory and Azure Active Directory, enabling you to control access through delegation using a least-privilege model. Based on defined administrative policies and associated permissions, it generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to hybrid AD management. Plus, robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
Automate account creation
Active Roles automates a wide variety of tasks, including:
- Creating user and group accounts in AD and AAD
- Creating mailboxes in Exchange and Exchange Online
- Populating groups across AD and AAD
- Assigning resource in Windows
It also automates the process of reassigning and removing user access rights in AD, AAD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifecycles. When a user’s access needs to be changed or removed, updates are made automatically across all relevant systems and applications in the hybrid AD/AAD environment, as well as any AD-joined systems such as Unix, Linux and Mac OS X.
Day-to-day directory management
With Active Roles, you can easily manage all of the following for both the on-prem and Azure AD environments:
- Exchange recipients, including mailbox/OCS assignment, creation, movement, deletion, permissions and distribution list management
- Groups
- Computers, including shares, printers, local users and groups
- Active Directory and Azure Active Directory
Active Roles also includes intuitive interfaces for improving day-to- day administration and help-desk operations of the hybrid AD/AAD environment via both an MMC snap-in and a web interface.
Identity Analytics
Mitigate risks before an issue occurs through comprehensive insight into user entitlements in a hybrid AD environment. Starling Identity Analytics & Risk Intelligence (an add-on to Active Roles) provides an analysis of users’ rights in Active Directory, Azure Active Directory, and Active Roles itself to highlight areas of unacceptable-risk where those rights may be out of line with peers, organizational policy, or role definitions.
Manage groups and users in a hosted environment
Synchronize AD domain clients with a host AD domain in hosted environments. Active Roles enables user and group account management from the client domain to the hosted domain, while also synchronizing attributes and passwords. Utilize out-of-the-box connectors to synchronize your on-premises AD accounts to Microsoft Office 365, Lync Online and SharePoint Online.
Consolidate management points through integration
Active Roles complements your existing technology and identity and access management strategy. It simplifies and consolidates management points by ensuring easy integration with many One Identity products, including Identity Manager, Privileged Password Manager, Authentication Services, Defender, Password Manager, Cloud Access Manager and Quest ChangeAuditor. Active Roles also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable web interfaces.
Active Roles comes with all the synchronization technology necessary to manage and secure:
- Lync
- Exchange
- SharePoint
- AD LDS
- Office 365
- Azure AD
- Microsoft SQL Server
- OLE DB (MS Access)
- Flat file
One Identity Hybrid Subscription
Expand the capabilities of Active Roles with the One Identity Hybrid Subscription, and get immediate access to cloud-delivered features and services, including all-you-can-eat Starling Two-Factor Authentication to protect administrative access, Starling Identity Analytics & Risk Intelligence so that you can pre-emptively detect risk; as well as Active Roles access analysis. These offerings can also be extended to additional target systems and use cases. A single subscription enables all One Identity solution deployments, including identity management, directory management, predictive analytics and more.
Specifications
Before installing Active Roles 7.1, ensure that your system meets the following minimum hardware and software requirements.
Active Roles includes the following components:
- Administration Service
- Web Interface
- Console (MMC Interface)
- Management Tools
- Synchronization Service
This section lists the hardware and software requirements for installing and running each of these components.
- Platform
Any of the following:
- Intel 64 (EM64T)
- AMD64
Processor speed: 2.0 GHz or faster
For best results, a multi-core processor recommended.
- Memory
At least 2 GB of RAM. The amount required depends on the total number of managed objects.
- Hard Disk Space
100 MB or more of free disk space. If SQL Server and Administration Service are installed on the same computer, the amount required depends on the size of the Active Roles database.
- Operating System
You can install Administration Service on a computer running:
- Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft .NET Framework
Administration Service requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- SQL Server
You can host the Active Roles database on:
- Microsoft SQL Server 2008, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pac
- Microsoft SQL Server 2008 R2, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2012 Native Client is required on the computer running the Administration Service
- Microsoft SQL Server 2016, any edition
- Windows Management Framewor
On Windows Server 2008 R2, the Administration Service requires Windows Management Framework 3.0 (see “Windows Management Framework 3.0” at http://go.microsoft.com/fwlink/?LinkId=272757).
- Microsoft Exchange Server Management Tools
To manage Exchange 2007 recipients, Active Roles requires the Exchange 2007 SP3 management tools installed on the computer running the Administration Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.
- Operating system on domain controllers
Active Roles retains all features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Pack:
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
NOTE:
- Active Roles does not support domain controllers running Microsoft Windows 2000 Server. Ensure that the Active Directory domains managed by Active Roles do not have Windows 2000 Server based domain controllers.
- Active Roles deprecates managed domains with the domain functional level lower than Windows Server 2008. We recommend that you raise the functional level of the domains managed by Active Roles to Windows Server 2008 or higher.
- Exchange Serve
- Microsoft Exchange Server 2007 Service Pack 3
- Microsoft Exchange Server 2010 Service Pack 3
- Microsoft Exchange Server 2013
NOTE: Microsoft Exchange Server 2003 is not supported.
Active Roles is capable of managing Exchange recipients on:
- Platform
Any of the following:
- Intel 64 (EM64T)
- AMD64
Processor speed: 2.0 GHz or faster
- Memory
At least 2 GB of RAM. The amount required depends on the total number of managed objects.
- Hard Disk Space
About 100 MB of free disk space.
- Operating System
You can install Web Interface on a computer running:
- Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft .NET Framework
Web Interface requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- Internet Services
On Windows Server 2008 R2, Web Interface requires the Web Server (IIS) server role with the following role services:
- Web Server/Common HTTP Features/
- Static Content
- Default Document
- HTTP Errors
- HTTP Redirection
- Web Server/Application Development/
- ASP.NET
- .NET Extensibility
- ASP
- ISAPI Extensions
- ISAPI Filters
- Web Server/Security/
- Basic Authentication
- Windows Authentication
- Request Filtering
- Management Tools/IIS 6 Management Compatibility/
- IIS 6 Metabase Compatibility
On Windows Server 2012 or Windows Server 2012 R2, Web Interface requires the Web Server (IIS) server role with the following role services:
- Web Server/Common HTTP Features/
- Default Document
- HTTP Errors
- Static Content
- HTTP Redirection
- Web Server/Security/
- Request Filtering
- Basic Authentication
- Windows Authentication
- Web Server/Application Development/
- .NET Extensibility 4.5
- ASP
- ASP.NET 4.5
- ISAPI Extensions
- ISAPI Filters
- Management Tools/IIS 6 Management Compatibility/
- IIS 6 Metabase Compatibility
Internet Information Services (IIS) must be configured to provide Read/Write delegation for the fo;llowing features:
- Handler Mappings
- Modules
Use Feature Delegation in Internet Information Services (IIS) Manager to confirm that these features have delegation set to Read/Write.
- Web Server/Common HTTP Features/
- Web browser
You can access Web Interface using:
- Firefox 36 on Windows
- Google Chrome 41 on Windows
- Windows Internet Explorer 11
- Microsoft Edge on Windows 10
You can use a later version of Firefox, Google Chrome or Internet Explorer to access Web Interface; however, Web Interface 7.1 has been tested only against the browser versions listed above.
- Minimum screen resolution
Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.
- Platform
Any of the following:
- Intel x86
- Intel 64 (EM64T)
- AMD64
Processor speed: 1.0 GHz or faster
- Memory (RAM)
At least 1 GB of RAM. The amount required depends on the total number of managed objects.
- Hard Disk Space
About 100 MB of free disk space.
- Operating System
You can install Active Roles console on a computer running:
- Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows 7, Ultimate, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64), Service Pack 1
- Microsoft Windows 8, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft .NET Framework
Active Roles console requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- Web browser
Active Roles console requires Internet Explorer 11.
Management Tools is a composite component that includes the Active Roles Management Shell, ADSI Provider, and SDK. On a 64-bit (x64) system, Management Tools also include the Active Roles Configuration Center.
- Platform
Any of the following:
- Intel x86
- Intel 64 (EM64T)
- AMD64
Processor speed: 1.0 GHz or faster
- Memory (RAM)
At least 1 GB of RAM.
- Hard Disk Space
About 100 MB of free disk space.
- Operating System
You can install Management Tools on a computer running:
- Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows 7, Ultimate, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64), Service Pack 1
- Microsoft Windows 8, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft .NET Framework
Management Tools require Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- Windows Management Framework
On Windows Server 2008 R2 or Windows 7, Management Tools require Windows Management Framework 3.0 (see “Windows Management Framework 3.0” at http://go.microsoft.com/fwlink/?LinkId=272757).
- Remote Server Administration Tools (RSAT)
To manage Terminal Services user properties by using Active Roles Management Shell, Management Tools require Remote Server Administration Tools (RSAT) for Active Directory. See Microsoft’s documentation for instructions on how to install Remote Server Administration Tools appropriate to your operating system.
- Platform
Any of the following:
- Intel 64 (EM64T)
- AMD64
Processor speed: 2.0 GHz or faster
For best results, a multi-core processor recommended.
- Memory
At least 2 GB of RAM. The amount required depends on the number of objects being synchronized.
- Hard disk space
250 MB or more of free disk space. If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.
- Operating System
You can install the Synchronization Service on a computer running:
- Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
- Microsoft Windows Server 2012, Standard or Datacenter edition
- Microsoft Windows Server 2012 R2, Standard or Datacenter edition
- Microsoft Windows Server 2016, Standard or Datacenter edition
- Microsoft .NET Framework
Synchronization Service requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
- SQL Server
You can host the Synchronization Service database on:
- Microsoft SQL Server 2008, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2008 R2, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack ;
- Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
- Microsoft SQL Server 2016, any edition
- Windows Management Framework
On Windows Server 2008 R2, the Synchronization Service requires Windows Management Framework 3.0 (see “Windows Management Framework 3.0” at http://go.microsoft.com/fwlink/?LinkId=272757).
- Supported connections
The Synchronization Service can connect to:
- Microsoft Active Directory Domain Services with the domain or forest functional level of Windows Server 2008 or higher
- Microsoft Active Directory Lightweight Directory Services running on any Windows Server operating system supported by Microsoft
- Microsoft Exchange Server version 2013, 2010 or 2007
- Microsoft Lync Server version 2013 or 2010
- Microsoft Windows Azure Active Directory using the Azure AD Graph API version 2013-04-05
- Microsoft Office 365 directory
- Microsoft Exchange Online service
- Microsoft Lync Online service
- Microsoft SharePoint Online service
- Microsoft SQL Server, any version supported by Microsoft
- Active Roles version 7.1, 7.0, and 6.9
- Quest One Identity Manager version 6.1 or 6.0 (Q1IM 6.01 or 6.0)
- One Identity Manager version 7.0 (D1IM 7.0)
- Data sources accessible through an OLE DB provider
- Delimited text files
- Legacy Active Roles ADSI Provider
To connect to Active Roles version 6.9, 6.8 or 6.7, the Active Roles ADSI Provider of the respective version must be installed on the computer running the Synchronization Service. For installation instructions, see the Quick Start Guide for the appropriate Active Roles version.
- Microsoft Exchange Server Management Tools
To connect to Exchange Server 2007, the Exchange 2007 SP3 management tools must be installed on the computer running the Synchronization Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.
- Azure AD Module for Windows PowerShell
To connect to the Office 365 directory, the following software must be installed on the computer running the Synchronization Service:
- Microsoft Online Services Sign-In Assistant for IT Professionals
- Azure Active Directory Module for Windows PowerShell
For installation instructions, see “Install the Azure AD Module” at http://go.microsoft.com/fwlink/?linkid=320628.
- Windows PowerShell Module for Lync Online
To connect to the Lync Online service, Windows PowerShell Module for Lync Online must be installed on the computer running the Synchronization Service. For installation instructions, see “Windows PowerShell Module for Lync Online” at http://go.microsoft.com/fwlink/?LinkId=294688.
- SharePoint Online Management Shell
To connect to the SharePoint Online service, SharePoint Online Management Shell must be installed on the computer running the Synchronization Service. For installation instructions, see “SharePoint Online Management Shell” at http://go.microsoft.com/fwlink/?LinkId=255251.
- One Identity Manager API
To connect to One Identity Manager 7.0, One Identity Manger Connector must be installed on the computer running the Synchronization Service. This connector works with RESTful web service and SDK installation is not required.
To connect to One Identity Manager 6.0, the Quest One Identity Manager Connector must be installed on the computer running the Synchronization Service. This connector works only when the Q1IM API SDK is installed on the system. For installation instructions, see Knowledge Article 100525 at https://support.oneidentity.com/kb/SOL100525.
- Internet Connection
To connect to cloud directories or online services, the computer running the Synchronization Service must have a reliable connection to the Internet.
- Microsoft .NET Framework
Microsoft .NET Framework 4.5
- Additional Requirements
To synchronize passwords from an Active Directory domain to some other connected data system, you must install the Sync Service Capture Agent on all domain controllers in the source Active Directory domain.
The domain controllers on which you install Sync Service Capture Agent must run one of the following operating systems with or without any Service Pack (both x86 and x64 platforms are supported):
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2008 R2
For more information, see the Active Roles Synchronization Service Administrator Guide.
For instructions on how to upgrade Active Roles, refer to the Active Roles Quick Start Guide.
When performing the upgrade, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure smooth upgrade to the new version, you should first upgrade the Administration Service and then upgrade the client components (Console and Web Interface).
Custom solutions (scripts or other modifications) that rely on the functions of Active Roles may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of the product in a lab environment to verify that the solutions continue to work.
Impact on add-ons
After an upgrade of Active Roles components to the Active Roles 7.1, the add-ons which were supported in the earlier versions of Active Roles, cease to work. Hence, it is recommended to uninstall the add-ons prior to the upgrade of Active Roles.
Note: Office 365 add-ons are not supported on the Active Roles 7.1.
Source version
Destination version
6.9.0
7.1
7.0
7.1
The following table shows the version upgrade path that you can take from one version of the product to another. Source version refers to the current product version that you have installed. Destination version refers to the highest version of the product to which you can upgrade.
Resources
Active Roles
Simplify the security of your Active Directory
EBook - The top five ways to relieve the pain of managing hybrid AD environments
Managing on-prem AD is hard enough, but when you throw Azure AD into the mix things can get out of control quickly. This eBook discusses the top five challenges facing those with a hybrid AD environment and offers actionable solutions to ease the pain.
Future-Proof Your Tactical IAM Projects.
It’s often thought that identity and access management (IAM) is a term that is reserved for large-scale, strategic projects that focus on governance, enterprise provisioning and privileged account management (PAM). Without question, these things are very
The 12 essential tasks for managing Active Directory Domain Services
Learn how to efficiently manage Active Directory domain services with the whitepaper "The 12 Essential Tasks of Active Directory Domain Services"
Use Active Directory groups to manage access control
Learn how to more effectively manage Active Directory access using the techniques described in the whitepaper "Access Control Is Easy: Use Active Directory Groups and Manage Them Well"
Active Roles help the University of West Scotland delivers fast, low impact systems migration
The university needed to streamline IT management by migrating 22,000 users from legacy environments to Active Directory® and Microsoft® Exchange Server. Active Roles provided flexible delegation of AD permissions and role-based security features
Keep Active Directory secure by separating administration roles
Learn how to improve Active Directory security using the techniques described in the whitepaper "The Keys to the Kingdom: Limiting Active Directory Administrators" sponsored by One Identity.
How to Mitigate the Insider Threat
This eBook provides solutions to stop insider threats, manage privileged accounts, simplify GPO management and administration.
- More Resources
- Communities
- Events & Demos
- Research Docs
- Videos
- Customer Stories
Take the next step
Related Products
Identity Manager
Streamline user identity management, privilege access and security
Authentication Services
Extend the compliance and security of Active Directory to your enterprise
Defender
Enhance security with two-factor authentication.
Password Manager
Give users the power to reset forgotten passwords securely
Cloud Access Manager
Get unified and secure access to overcome your most-pressing challenges
Support & Services
Product Support
Self-service tools will help you to install, configure and troubleshoot your product.
Support Offerings
Find the right level of support to accommodate the unique needs of your organization.
Training & Certification
Training courses delivered through online web-based, on-site or virtual instructor-led.