Manage Active Directory Task Collections

eControl is flexible enough to permit container-level user account and group management. In our ACME company example, users and groups are created in location-based containers. The network management plan calls for the following eControl roles and tasks for each eDirectory location container:
  • All Tasks Role - grants designated location administrators all tasks for their respective location container.
  • HelpDesk Role - permits help desk operators to administer user accounts, assign users to groups, reset user passwords, and lock/unlock accounts. Certain tasks are not assigned.
  • Email Admins Role - permits assigned staff to reset passwords and manage email list memberships.
  • Reset User Role - permits assigned office staff to disable/enable accounts, lock/unlock accounts, and change passwords.
  • Office Manager Role - permits assigned office manager staff to modify personal identification information.

Enable Container Level eControl Management

For each container-based eControl role and task collection, the implementation steps in eControl are:
  • Create the group structure in the location container
  • Create the role and task collection
  • Assign the role and task collection and define the search context

Create the Groups in the Location Container

Using Microsoft Management Console (MMC):
  1. Create an "eControl" container in the location container, e.g. ou=eControl.ou=Seattle.o=ACME
  2. Create a group for each eControl role and task collection to be created, e.g. cn=Seattle-AD-All-Tasks.ou=eControl.ou=Seattle.o=ACME
  3. Create test user accounts, e.g. cn=edmonton5.ou=eControl.ou=Edmonton.o=ACME, and assign a different user to each group created in the previous step. In our example the following group membership assignments were made:
    • seattle6 assigned to Seattle-AD-AllTasks
    • seattle5 assigned to Seattle-AD-HelpDesk
    • seattle4 assigned to Seattle-AD-EmailAdmins
    • seattle3 assigned to Seattle-AD-ResetUser
    • seattle2 assigned to Seattle-OfficeManager

Create and Assign the Role and Task Collections

The next step is to create generic roles and task collections to support the network management plan. Since roles and tasks can be assigned to groups/search contexts, there is no need to create location-specific roles and task collections. As long as the tasks are the same for all geographic locations, generic roles and task collections can be used.

Assign the Container All Tasks Role

The AD - All Tasks role and task collection created when the Active Directory Super Administrator was enabled can be used for the container All Tasks assignment.
  1. Using the eControl "Administration" panel, in the "Manage" page click the Add button in the "Groups" section.
  2. In the "Add Group" window:
    • Select the eDirectory tree for the "System Name".
    • Click the "Group Context" browse button, navigate the eDirectory tree and select the container "eDir-AllTasks" group and click the OK button.
    • Select the eDir - All Tasks task collection.
    • Click the Add button.
  3. In the "Groups" section double-click the location eDir-AllTasks group assignment that was just created.
  4. In the "Group Information" window click the Add button in the "Search Contexts" section.
  5. In the "Add Search Context" window:
    • Select the eDirectory tree for the System Name.
    • Click the "Path" browse button and select the location container being managed, e.g. ou=Edmonton.o=ACME.
    • Ensure the Scope is set to Sub Tree.
    • Click the Add button.
  6. In the "Group Information" window click the Save button.

Create the Specific Container Roles and Tasks

Additional generic Active Directory container-level Roles and Task Collections need to be created.
  1. Using the eControl "Administration" panel, in the "Manage" page click the Manage Task Collections button.
  2. In the "Manage Task Collections" window click the Add button.
  3. In the "Add Role" window specify the name for a new Role and click the Add button, e.g. AD - HelpDesk
  4. Repeat steps 2 and 3 for each additional container Role that needs to be created.
  5. Click on a Role and click on the Active Directory container for that Role.
  6. Enable the specific tasks and rights for that Role.
  7. Repeat steps 5 and 6 for each Role.
  8. When all tasks and rights have been set for each container Role, click the Save button.

Assign the Specific Container Roles and Tasks

The next step is to assign the generic container Roles and Task Collections to corresponding groups and define the search contexts:
  1. In the "Manage" page, click the Add button.
  2. In the "Add Group" window:
    • Select the eDirectory tree as the "System name".
    • Click the "Group Context" browse button and select the eDirectory group that will be assigned the corresponding role, e.g. cn=Edmonton-eDir-HelpDesk.ou=eControl.ou=Edmonton.o=ACME.
    • Select the corresponding "Task Collection" for this assignment, e.g. eDir - HelpDesk.
    • Click the Add button.
  3. Repeat step 2 above for each container Role and Task Collection assignment.
  4. In the "Groups" section of the "Manage" page, double-click a group.
  5. In the "Group Information" page click the Add button in the "Search Contexts" section.
  6. In the "Add Search Context" window:
    • Select the eDirectory tree as the "System name".
    • Click the "Path" browse button and select the eDirectory container that will be the start point for the search context, e.g. ou=eControl.ou=Edmonton.o=ACME.
    • Change "Scope" to One level. This setting will exclude the "eControl" container from the search context of the group assigned to this Role and Task Collection.
    • Click the Add button.
  7. Repeat steps 4, 5 and 6 to configure the group assignment and search context for the other container-specific Roles and Task Collections created earlier.
  8. Click the Apply New Setting button to save the group assignments and search contexts configured above.

Note: The steps described above can be repeated to assign the same generic container Roles and Task Collections to other location containers.
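
The effect of the Scope setting on what a delegated role can manage, as an added example that is not part of eControl or of the original page. It assumes Sub Tree and One level behave like standard LDAP search scopes; `parse_dn`, `in_scope`, `exposed_role_groups` and the `jdoe` account are hypothetical names, and the sample DNs are constructed from the page's Seattle naming.

```python
# Added example (not eControl code): which objects a search context can reach.
# Assumption: "Sub Tree" / "One level" behave like standard LDAP search scopes.
# DNs use the page's dotted notation; RDN values containing "." are not handled.

def parse_dn(dn):
    """Split a dotted DN (cn=x.ou=y.o=ACME) into lowercase RDNs, leaf first."""
    return [rdn.strip().lower() for rdn in dn.split(".") if rdn.strip()]

def in_scope(target_dn, base_dn, scope):
    """True if a search rooted at base_dn with this scope returns target_dn."""
    target, base = parse_dn(target_dn), parse_dn(base_dn)
    depth = len(target) - len(base)
    if not base or depth < 0 or target[depth:] != base:
        return False                      # target is not at or below the base
    if scope == "subtree":
        return True                       # the base and every descendant
    if scope == "onelevel":
        return depth == 1                 # immediate children of the base only
    raise ValueError(f"unknown scope: {scope!r}")

def exposed_role_groups(contexts, role_groups):
    """List (group, base, scope) for each role group a search context reaches."""
    return [(g, base, scope)
            for base, scope in contexts
            for g in role_groups
            if in_scope(g, base, scope)]

# Constructed sample data following the page's Seattle naming.
SEATTLE = "ou=Seattle.o=ACME"
ROLE_GROUPS = [
    "cn=Seattle-AD-AllTasks.ou=eControl." + SEATTLE,
    "cn=Seattle-AD-HelpDesk.ou=eControl." + SEATTLE,
]
STAFF_USER = "cn=jdoe." + SEATTLE         # hypothetical ordinary account

if __name__ == "__main__":
    for scope in ("onelevel", "subtree"):
        hits = exposed_role_groups([(SEATTLE, scope)], ROLE_GROUPS)
        print(f"{scope:8} at {SEATTLE}: user in scope="
              f"{in_scope(STAFF_USER, SEATTLE, scope)}, "
              f"role groups reachable={len(hits)}")
```

Under these assumed semantics, a One level search rooted at the eControl container itself would return the role groups, so confirm the saved Path and Scope with a test account from each role group before relying on the exclusion.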
