Dell™ One Identity Manager 7.0
Administration Guide for Connecting to
Microsoft® Exchange
© 2015 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell™, the Dell
logo, and Dell™ One Identity Manager, Dell™ Active Roles, Dell™ One Identity Password Manager, and Dell™
One Identity Cloud Access Manager are trademarks of Dell Inc. in the United States and/or other jurisdictions.
Microsoft, Outlook, Active Directory, SharePoint, SQL Server, Forefront, Internet Explorer, Visual Studio,
Windows Server, Windows PowerShell, Windows Vista and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. SAP, SAP R/3, SAP NetWeaver
Application Server, and BAPI are trademarks or registered trademarks of SAP AG (or an SAP affiliate company)
in Germany and other countries. IBM, Lotus Notes and LotusScript are registered trademarks of International
Business Machines Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. UNIX is a registered
trademark of The Open Group. Mono, and SUSE are registered trademarks of Novell, Inc. Apache and Apache
HTTP Server are trademarks of The Apache Software Foundation. Firefox is a registered trademark of the
Mozilla Foundation. Safari is a registered trademark of Apple Inc. Chrome and Google are trademarks or
registered trademarks of Google Inc., used with permission. All other marks and names mentioned herein may
be trademarks of their respective companies.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions
are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
One Identity Manager Administration Guide for Connecting to Microsoft® Exchange
Updated - November 2015
Version - 7.0
Contents
Managing a Microsoft® Exchange Environment 6
Architecture Overview 6
One Identity Manager Users for Managing a Microsoft® Exchange Environment 7
Setting Up Microsoft® Exchange Synchronization 8
Users and Permissions for Synchronizing with Microsoft® Exchange 9
Setting Up a Synchronization Server 10
Configuring Participating Servers for Remote Access through Windows PowerShell® 13
Testing Active Directory® Domain Trusts 15
Extensions for Creating Linked Mailboxes in a Microsoft® Exchange Resource Forest 15
Creating a Synchronization Project for initial Synchronization with Microsoft® Exchange 16
Show Synchronization Results 22
Recommendations for Synchronizing Microsoft® Exchange 23
Customizing Synchronization Configuration 26
How to Configure Microsoft® Exchange Synchronization 26
Update Schema 27
Post-Processing Outstanding Objects 28
Deactivating Synchronization 29
Base Data for Managing Microsoft® Exchange 31
Setting Up Account Definitions 31
Creating an Account Definition 32
Master Data for an Account Definition 32
Setting Up Manage Levels 34
Master Data for a Manage Level 36
Creating a Formatting Rule for IT Operating Data 37
Determining IT Operating Data 38
Assign Account Definition to Employees 39
Assign Account Definition to Departments, Cost Centers and Locations 40
Assign Account Definition to Business Roles 40
Assign Account Definition to all Employees 41
Assign Account Definition Directly to Employees 42
Assign Account Definition to System Roles 42
Assign Account Definition to a Target System 42
Deleting an Account Definition 43
Target System Managers 45
Microsoft® Exchange Structure 47
Microsoft® Exchange Organization 47
Microsoft® Exchange Mailbox Databases 49
Microsoft® Exchange Address Lists 50
Microsoft® Exchange Public Folder 52
Microsoft® Exchange Mailbox Server 53
Microsoft® Exchange Data Availability Groups 54
Sharing Policies 54
Retention Policies 55
Policies for Mobile Email Queries 56
Folder Administration Policies 57
Role Assignments Policies 58
Mailboxes 59
Entering Master Data for Mailboxes 60
General Master Data for a Mailbox 61
Calendar Settings for Mailboxes 63
Limits for Mailboxes 64
Archive Mailbox 65
Mailbox Retention 65
Mailbox Functions 66
Booking Resources 67
Disabling Mailboxes 69
Deleting and Restoring Mailboxes 70
Receive Restrictions for Mailboxes 70
Permission "Send on behalf of" for Mailboxes 71
E-Mail Users and E-Mail Contacts 72
Entering Master Data for E-Mail Users 72
Entering Master Data for E-Mail Contacts 74
Deleting and Restoring E-Mail Users 76
Deleting and Restoring E-Mail Contacts 77
Receive Restrictions for E-Mail Users 77
Receive Restrictions for E-Mail Contacts 78
Mail-enabled distribution groups 79
Entering Master Data for Mail-Enabled Distribution Groups 79
Receive Restrictions for Mail-Enabled Distribution Groups 81
Permission "Send on behalf of" for Mail-Enabled Distribution Groups 82
Assigning Administrators for Mail-Enabled Distribution Groups 83
Adding Dynamic Distribution Groups to a Mail-Enabled Distribution Group 83
Moderated Distribution Group Extensions 84
Deleting Mail-Enabled Distribution Groups 85
Dynamic Distribution Groups 86
Master Data for Dynamic Distribution Groups 86
Receive Restrictions for Dynamic Distribution Groups 88
Permission "Send on behalf of" for Dynamic Distribution Groups 88
Adding a Dynamic Distribution Group to Mail-Enabled Distribution Groups 89
Mail-enabled Public Folders 90
Appendix: Configuration Parameters for Managing an Microsoft® Exchange Environment 92
Appendix: Default Project Template for Microsoft® Exchange 93
Default Project Template for Microsoft® Exchange 2010 93
Default Project Template for Microsoft® Exchange 2013 94
About Dell 96
Contacting Dell 96
Technical support resources 96
Index 97
1 Managing a Microsoft® Exchange Environment
The key aspects of administrating a Microsoft® Exchange system with One Identity Manager are:
• Mailboxes
• E-mail users
• Email contacts
• Mail-enabled distribution groups
The system information for the Microsoft® Exchange structure is loaded into the One Identity Manager
database during data synchronization. It is not possible to customize this system information in the One Identity
Manager due to the complex dependencies and far reaching effects of changes.
Architecture Overview
The following servers are used for managing a Microsoft® Exchange system in One Identity Manager:
• Microsoft® Exchange server
  Microsoft® Exchange server against which Microsoft® Exchange objects are executed. The synchronization server connects to this server in order to access Microsoft® Exchange objects.
• Synchronization server
  The synchronization server for synchronizing the One Identity Manager database with the Microsoft® Exchange system. The One Identity Manager Service is installed on this server with the Microsoft® Exchange connector. The synchronization server connects to the Microsoft® Exchange server.
The One Identity Manager Microsoft® Exchange connector uses Windows® PowerShell to communicate with the
Microsoft® Exchange server.
Figure 1: Architecture for Synchronization
One Identity Manager Users for Managing a Microsoft® Exchange Environment
The following users are used for setting up and administration of a Microsoft® Exchange environment.
Table 1: Users

User: Target system administrators
Tasks: Target system administrators must be assigned to the application role Target system | Administrators.
Users with this application role:
• Administrate application roles for individual target systems.
• Specify the target system manager.
• Set up other application roles for target system managers if required.
• Do not assume any administrative tasks within the target system.

User: Target system managers
Tasks: Target system managers must be assigned to the application role Target systems | Exchange or a child application role.
Users with this application role:
• Assume administrative tasks for the target system.
• Create, change or delete target system objects, like user accounts, groups or container structures.
• Prepare groups for adding to the IT Shop.
• Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
• Edit the synchronization's target system types and outstanding objects.

User: One Identity Manager administrators
Tasks:
• If required, create customized permissions groups for application roles for role based login to administration tools in the Designer.
• If required, create system users and permissions group for non-role based login to administration tools.
• Enable or disable additional configuration parameters in the Designer as required.
• Create custom processes in the Designer as required.
• Create and configure schedules as required.
2 Setting Up Microsoft® Exchange Synchronization
One Identity Manager is responsible for synchronizing data between the Microsoft® Exchange database and the One Identity Manager Service. Synchronization prerequisites are:
• Regular synchronization with the Active Directory® system
• The Active Directory® forest is declared in One Identity Manager
• Explicit Active Directory® domain trusts are declared in One Identity Manager
• Implicit two-way trusts between domains in an Active Directory® forest are declared in One Identity Manager
• User account with password and domain controller on the Active Directory® client domain are entered to create linked mailboxes within a Microsoft® Exchange resource forest topology
To load Microsoft® Exchange objects into the One Identity Manager database
1. Prepare a user account with sufficient permissions for synchronization.
2. One Identity Manager parts for managing Microsoft® Exchange systems are available if the configuration parameter "TargetSystem\ADS\Exchange2000" is set.
   • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
   • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
3. Install and configure a synchronization server and declare the server as Job server in One Identity Manager.
4. Check whether the domain trusts are entered correctly.
5. Enter information for creating linked mailboxes with a resource forest.
6. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
• Users and Permissions for Synchronizing with Microsoft® Exchange on page 9
• Setting Up a Synchronization Server on page 10
• Configuring Participating Servers for Remote Access through Windows PowerShell® on page 13
• Testing Active Directory® Domain Trusts on page 15
• Extensions for Creating Linked Mailboxes in a Microsoft® Exchange Resource Forest on page 15
• Creating a Synchronization Project for initial Synchronization with Microsoft® Exchange on page 16
• Deactivating Synchronization on page 29
• Recommendations for Synchronizing Microsoft® Exchange on page 23
• Customizing Synchronization Configuration on page 26
• Appendix: Configuration Parameters for Managing an Microsoft® Exchange Environment on page 92
• Default Project Template for Microsoft® Exchange 2010 on page 93
• Default Project Template for Microsoft® Exchange 2013 on page 94
Users and Permissions for Synchronizing with Microsoft® Exchange
The following users are involved in synchronizing One Identity Manager with Microsoft® Exchange.
Table 2: Users for Synchronization

User: User for accessing Microsoft® Exchange
Entitlement: You must provide a user account with the following permissions for full synchronization of Microsoft® Exchange objects with the supplied One Identity Manager default configuration.
• Member in role group "View only organization management"
• Member in role group "Public folder management"
• Member in role group "Recipient management".

User: User for creating linked mailboxes
Entitlement: The user account is required for adding linked mailboxes. The user account requires read access in Active Directory®.

User: One Identity Manager Service user account
Entitlement: The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).
The user account must belong to the group "Domain Users".
The user account must have the extended access right "Log on as a service".
The user account requires access rights to the internal web service.
NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:
    netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"
The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager.
In the default installation the One Identity Manager is installed under:
• %ProgramFiles(x86)%\Dell (on 32-bit operating systems)
• %ProgramFiles%\Dell (on 64-bit operating systems)
Setting Up a Synchronization Server
To set up synchronization with a Microsoft® Exchange environment, a server must be available that has the following software installed on it:
• Windows® operating system
  The following versions are supported:
  • Windows Server® 2008 (non-Itanium based 64-bit) Service Pack 2 or later
  • Windows Server® 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
  • Windows Server® 2012
  • Windows Server® 2012 R2
• Microsoft® .NET Framework version 4.5.2
• Windows® Installer (MSI service)
• Windows® Management Framework 4.0
• One Identity Manager Service, Microsoft® Exchange, connectors
  • Select the machine role "Microsoft Exchange" when installing One Identity Manager on the server.
IMPORTANT: The One Identity Manager Microsoft® Exchange connector uses Windows PowerShell® to communicate with the Microsoft® Exchange server. For communication, extra configuration is required on the synchronization server and the Microsoft® Exchange server. For more information, see Configuring Participating Servers for Remote Access through Windows PowerShell® on page 13.
All One Identity Manager Service actions are executed against the target system environment on the
synchronization server. Entries which are necessary for synchronization and administration with the One
Identity Manager database are processed by the synchronization server. The synchronization server must be
declared as a Job server in One Identity Manager.
NOTE: If several target system environments of the same type are synchronized under the same
synchronization server, it is useful to set up a job server for each target system on performance
grounds. This avoids unnecessary swapping of connection to target systems because a job server only
has to process tasks of the same type (re-use of existing connections).
NOTE: If the server running the synchronization does not have a connection to the One Identity
Manager database, synchronization is aborted. Ensure that a direct connection to the One Identity
Manager database is possible!
Use the Server Installer to install the One Identity Manager Service. This program executes the
following steps.
• Setting up a Job server.
• Specifying machine roles and server function for the Job server.
• Remote installation of One Identity Manager Service components corresponding to the machine roles.
• Configuring the One Identity Manager Service.
• Starting the One Identity Manager Service.
NOTE: The program executes remote installation of the One Identity Manager Service. Local installation
of the service is not possible with this program.
To install and configure the One Identity Manager Service remotely on a server
1. Start the program Server Installer on your administrative workstation.
2. Enter valid data for connecting to One Identity Manager on the Database connection page and click Next.
3. Specify on which server you want to install the One Identity Manager Service on the Server properties page.
   a. Select a job server in the Server menu.
      - OR -
      Click Add to add a new job server.
   b. Enter the following data for the Job server.

   Table 3: Job Servers Properties

   Property: Server
   Description: Name of the Job server.

   Property: Queue
   Description: Name of queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.

   Property: Full server name
   Description: Full name of the server in DNS syntax.
   Example:
       <name of server>.<fully qualified domain name>

   NOTE: Use the Advanced option to edit other job server properties. You can use the Designer to change properties at a later date.
4. Specify which job server roles to include in One Identity Manager on the Machine role page. Installation packages to be installed on the Job server are found depending on the selected machine role.
   Select at least one of the following roles:
   • Microsoft Exchange
5. Specify the server's functions in One Identity Manager on the Server functions page. One Identity Manager processes are handled depending on the server function.
   The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.
   Select at least one of the following server functions:
   • Microsoft® Exchange connector
6. Check the One Identity Manager Service configuration on the Service settings page.
   NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer.
7. To configure remote installations, click Next.
8. Confirm the security prompt with Yes.
9. Select the directory with the install files on the Select installation source page.
10. Enter the service's installation data on the Service access page.

   Table 4: Installation Data

   Data: Computer
   Description: Server on which to install and start the service from.
   To select a server
   • Enter the server name.
     - OR -
   • Select an entry in the list.

   Data: Service account
   Description: One Identity Manager Service user account data.
   To enter a user account for the One Identity Manager Service
   • Enable the option Local system account.
     This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM".
     - OR -
   • Enter the user account, password and password retries.

   Data: Installation account
   Description: Data for the administrative user account to install the service.
   To enter an administrative user account for the installation
   • Enable the Advanced option.
   • Enable the option Current user.
     Uses the user account of the current user.
     - OR -
   • Enter a user account, password or repeat password.
11. Click Next to start installing the service.
    Installation of the service occurs automatically and may take some time.
12. Click Finish on the last page of the Server Installer.
    NOTE: The One Identity Manager Service is entered with the name "Dell One Identity Manager Service" in the server's service administration.
Related Topics
• Configuring Participating Servers for Remote Access through Windows PowerShell® on page 13
Configuring Participating Servers for Remote Access through Windows PowerShell®
NOTE: Run the configuration steps on the Microsoft® Exchange server and the synchronization server.
To configure a server for remote access using Windows PowerShell®
1. Run Windows PowerShell® with administrator credentials from the context menu Run as Administrator.
2. Enter this command at the prompt:
       winrm quickconfig
   This command prepares for remote access usage.
3. Enter this command at the prompt:
       Set-ExecutionPolicy unrestricted
   This command allows you to execute all Windows PowerShell® commands (Cmdlets). The script must be signed by a trusted publisher.
4. Enter this command at the prompt:
       Set-Item wsman:\localhost\client\trustedhosts * -Force
   This command customizes the list of trusted hosts to activate authentication.
   The value "*" allows all connections. One Identity Manager uses the server's fully qualified domain name for the connection. You can limit the value.
To test remote access through Windows PowerShell® from the synchronization server to the Microsoft® Exchange server (sync.)
1. Run Windows PowerShell® on the Microsoft® Exchange synchronization server.
2. Enter this command at the prompt:
       $creds = New-Object System.Management.Automation.PSCredential ("<domain>\<user>", (ConvertTo-SecureString "<password>" -AsPlainText -Force))
   - OR -
       $creds = Get-Credential
   This command provides the access data required for making the connection.
3. Enter this command at the prompt:
       $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ServerName as FQDN>/powershell -Credential $creds -Authentication Kerberos
   This command creates a remote session.
   NOTE: One Identity Manager creates a connection using the Microsoft® Exchange server's fully qualified domain name. The server name must therefore be in the list configured with trusted hosts.
4. Enter this command at the prompt:
       Import-PSSession $session
   This command imports the remote session so that the connection can be accessed.
5. Test the functionality with any Microsoft® Exchange command. For example, enter the following command at the prompt:
       Get-Mailbox
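The guide states that the trusted hosts value "*" allows all connections and that the value can be limited. The following script is an added example, not part of the Dell guide: it replaces the wildcard with the Exchange server's fully qualified domain name and then repeats the connection test with an interactive credential prompt. The server name exchange01.example.test and the helper name Merge-TrustedHost are assumptions made for illustration.

```powershell
# Added example (not from the Dell guide). Run in an elevated PowerShell
# session on the synchronization server.
# Assumption: replace this constructed placeholder with your Exchange FQDN.
$ExchangeFqdn = 'exchange01.example.test'
$trustedPath  = 'WSMan:\localhost\Client\TrustedHosts'

function Merge-TrustedHost {
    # Hypothetical helper: returns the TrustedHosts string that results from
    # adding $HostName to $Current. A "*" entry is dropped so that the list
    # names every trusted host explicitly.
    param(
        [string]$Current,
        [string]$HostName
    )
    $entries = @(
        $Current -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne '*' }
    )
    if ($entries -notcontains $HostName) {
        $entries += $HostName
    }
    return ($entries -join ',')
}

# 1. Report the current state before changing anything.
$current = (Get-Item -Path $trustedPath).Value
Write-Host "TrustedHosts before: '$current'"
if ($current -eq '*') {
    Write-Warning 'TrustedHosts is "*": every remote host is trusted by the WinRM client.'
}
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Limit the list to explicit names that include the Exchange FQDN.
$new = Merge-TrustedHost -Current $current -HostName $ExchangeFqdn
Set-Item -Path $trustedPath -Value $new -Force
Write-Host "TrustedHosts after:  '$new'"

# 3. Repeat the guide's connection test. Get-Credential prompts for the
#    password, so it does not end up in the script or the command history.
$creds   = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeFqdn/powershell" `
    -Credential $creds -Authentication Kerberos -ErrorAction Stop
try {
    # Run the test cmdlet inside the remote session and show a few results.
    Invoke-Command -Session $session -ScriptBlock { Get-Mailbox -ResultSize 5 } |
        Select-Object Name, PrimarySmtpAddress
}
finally {
    # Close the session so that no authenticated connection stays open.
    Remove-PSSession -Session $session
}
```

Run the TrustedHosts part on the Microsoft® Exchange server as well if the wildcard was set there, since the guide applies the configuration steps to both servers.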
Testing Active Directory® Domain Trusts
In order to synchronize with a Microsoft® Exchange system, Active Directory® domain trusts must be declared in One Identity Manager. Users can access resources in other domains depending on the domain trusts.
• Explicit trusts are loaded into Active Directory® by synchronizing with One Identity Manager. Domains which are trusted by the currently synchronized domains are found.
• To declare implicit two-way trusts between domains within an Active Directory® forest in One Identity Manager, ensure that the parent domain is entered in all child domains.
To enter the parent domain
1. Select the category Active Directory® | Domains.
2. Select the domain in the result list and run the task Change master data.
3. Enter the parent domain.
4. Save the changes.
Implicit trusts are created automatically.
To test trusted domains
1. Select the category Active Directory® | Domains.
2. Select the domain in the result list and run the task Specify trust relationships.
   This shows domains which trust the selected domain.
Related Topics
• Dell One Identity Manager Administration Guide for Connecting to Active Directory®
Extensions for Creating Linked Mailboxes in a Microsoft® Exchange Resource Forest
To create linked mailboxes in a Microsoft® Exchange resource forest, you must declare the user account with which the linked mailboxes are going to be created as well as the Active Directory® domain controller for each Active Directory® client domain.
To edit master data for a domain
1. Select the category Active Directory® | Domains.
2. Select the domain in the result list and run the task Change master data.
3. Enter the following information on the Exchange tab.

   Table 5: Master Data of a Domain for Creating Linked Mailboxes

   Property: User (linked mailbox)
   Description: User account used to create linked mailboxes.

   Property: Password
   Description: User account password.

   Property: Password confirmation
   Description: Confirmation of the user account password.

   Property: DC (linked mailbox)
   Description: Active Directory® domain controller for creating linked mailboxes.
4. Save the changes.
Related Topics
• Users and Permissions for Synchronizing with Microsoft® Exchange on page 9
• Dell One Identity Manager Administration Guide for Connecting to Active Directory®
Creating a Synchronization Project for initial Synchronization with Microsoft® Exchange
Use the Synchronization Editor to configure synchronization between the One Identity Manager database and Microsoft® Exchange. The following describes the steps for initial configuration of a synchronization project.
NOTE: Take note of the recommendations for setting up synchronization in Recommendations for Synchronizing Microsoft® Exchange on page 23.
IMPORTANT: Each Microsoft® Exchange environment should have its own synchronization project.
After the initial set up you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor offers different configuration options for a synchronization project.
IMPORTANT: It must be possible to reach Microsoft® Exchange servers by DNS query for successful authentication. If the DNS cannot be resolved, the target system connection is refused.
Prerequisites for Setting Up a Synchronization Project
• Regular synchronization with the Active Directory® system
• The Active Directory® forest is declared in One Identity Manager
• Explicit Active Directory® domain trusts are declared in One Identity Manager
• Implicit two-way trusts between domains in an Active Directory® forest are declared in One Identity Manager
• User account with password and domain controller on the Active Directory® client domain are entered to create linked mailboxes within a Microsoft® Exchange resource forest topology
Have the following information available for setting up a synchronization project.
Table 6: Information Required for Setting up a Synchronization Project

Data: Microsoft® Exchange version
Explanation: One Identity Manager supports synchronization with the Microsoft® Exchange versions 2010 Service Pack 3 or later and 2013 Service Pack 1 or later.

Data: Server (fully qualified)
Explanation: Fully qualified name (FQDN) of the Microsoft® Exchange server against which the synchronization server connects to access Microsoft® Exchange objects.
Example:
    Server.Docu.Testlab.dd

Data: User account and password for logging in
Explanation: Fully qualified name (FQDN) of the user account and password for logging in on the Microsoft® Exchange.
Example:
    [email protected]
    domain.com\user
Make a user account available with sufficient permissions. For more information, see Users and Permissions for Synchronizing with Microsoft® Exchange on page 9.

Data: Synchronization server for Microsoft® Exchange
Explanation: The One Identity Manager Service with the Microsoft® Exchange connector must be installed on the synchronization server.

    Table 7: Additional Properties for the Job Server
    Property: Server Function
    Value: Microsoft® Exchange connector
    Property: Machine role
    Value: Server/Job Server/Active Directory/Microsoft Exchange

For more information, see Setting Up a Synchronization Server on page 10.

Data: One Identity Manager Database Connection Data
Explanation:
SQL Server®:
• Database server
• Database
• Database user and password
• Specifies whether Windows® authentication is used.
  This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows® authentication.
Oracle:
• Specifies whether access is direct or by Oracle client
  The necessary connection data depends on how this option is set.
• Database server
• Oracle instance port
• Service name
• Oracle database user and password
• Data source (TNS alias name from TNSNames.ora)

Data: Remote connection server
Explanation: To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. If the target system cannot be accessed from the workstation on which the Synchronization Editor is installed, for example, because of the firewall configuration, you can set up a remote connection.
Configuring the remote connection server:
• One Identity Manager Service is started
• RemoteConnectPlugin is installed
• Microsoft® Exchange connector is installed
The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.
For more information, see the Dell One Identity Manager Target System Synchronization Reference Guide.
NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is:
• In default mode
• Started from the launchpad
Additional settings can be made if the project wizard is run in expert mode or is started directly from the Synchronization Editor. Follow the project wizard instructions through these steps.
To set up an initial synchronization project for Microsoft® Exchange
1. Start the Launchpad and log into the One Identity Manager database.
2. Select target system type Microsoft® Exchange. Click Start.
   This starts the Synchronization Editor's project wizard.
3. Select the connector on the Select target system page.
   • Select Microsoft® Exchange 2010 connector for synchronizing with Microsoft® Exchange 2010.
   • Select Microsoft® Exchange 2013 connector for synchronizing with Microsoft® Exchange 2013.
4. On the System Access page, specify how One Identity Manager can access the target system.
   • If you have access from the workstation from which you started the Synchronization Editor, do not set anything.
   • If you do not have access from the workstation from which you started the Synchronization Editor, you can set up a remote connection.
     In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.
5. On the Select Microsoft® Exchange server page, enter the information about the Microsoft® Exchange server that the synchronization server connects to in order to access Microsoft® Exchange objects.
   a. Enter the fully qualified name (FQDN) of the Microsoft® Exchange server in Server. To check the data, click DNS query.
      NOTE: If you only know the IP address of the server, enter the IP address in Server and click DNS query. The server's fully qualified name is found and entered.
   b. In Max. concurrent connections, enter the number of connections that can be used at the same time.
      A maximum of 4 simultaneous connections is recommended. Synchronization tries to use this many connections. Depending on the load, this number may not always be reached. Warnings are issued accordingly.
      A default timeout is defined for connecting. The timeout is 5 minutes for the first connection and 30 seconds for all following connections. Connections are closed if they are idle for this duration.
6. Enter login data on the Enter connection credentials page to connect to Microsoft® Exchange.

Table 8: Connection data to Microsoft® Exchange

| Property | Description |
|---|---|
| User name ([email protected]) | Fully qualified name (FQDN) of the user account for logging in. Example: [email protected], domain.com\user |
| Password | User account password. |
7. On the Recipient scope page, specify whether the recipients of a single domain or of the complete Microsoft® Exchange organization should be taken into account.
   • To synchronize Microsoft® Exchange organization recipients, select the option Entire organization (recommended). As a prerequisite, the trusted Active Directory® domains must be declared in One Identity Manager.
   • To synchronize recipients of a specific domain, select the option Only recipients of the following domain and select a domain. The target system domain is listed as a minimum.
8. Enter the database connection data on the One Identity Manager connection page.
Table 9: SQL Server® Database Connection Data

| Input | Description |
|---|---|
| server | Database server. |
| Windows authentication | Specifies whether Windows® authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows® authentication. |
| Users | Database user. |
| Password | Database user password. |
| Database | Database. |
Table 10: Oracle Database Connection Data

| Input | Description |
|---|---|
| Direct access (without Oracle client) | Set this option for direct access. Disable this option for access through Oracle Client Tools. The connection data required depends on how this option is set. |
| server | Database server. |
| Port | Oracle instance port. |
| Service name | Service name. |
| user | Oracle database user. |
| Password | Database user password. |
| Data source | TNS alias name from TNSNames.ora. |
9. The wizard loads the target system schema. This may take a few minutes depending on the type of
target system access and the size of the target system.
10. Specify how system access should work on the page Restrict target system access. You have the
following options:
Table 11: Specifying Target System Access

| Option | Meaning |
|---|---|
| The target system is only loaded. | Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database. The synchronization workflow has the following characteristics: • Synchronization is in the direction of "One Identity Manager". • Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager". |
| Changes are also made to the target system. | Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow to initially load the target system. The provisioning workflow has the following characteristics: • Synchronization is in the direction of "target system". • Processing methods are only defined in the synchronization steps in synchronization direction "target system". • Synchronization steps are only created for such schema classes whose schema types have write access. |
11. Select the synchronization server to execute synchronization on the Synchronization server page.
   If the synchronization server is not yet declared as a job server in the One Identity Manager database, you can add a new job server.
   • Click [icon] to add a new job server.
   • Enter a name for the job server and the full server name conforming to DNS syntax.
   • Click OK.
The synchronization server is declared as job server for the target system in the One Identity
Manager database.
NOTE: Ensure that this server is set up as the synchronization server after saving the
synchronization project.
12. Click Finish to complete the project wizard.
A default schedule for regular synchronization is created and allocated.
The synchronization project is created, saved and enabled immediately.
NOTE: If the synchronization project should not be executed immediately, set the option
Activate and save the new synchronization project automatically. In this case, save the
synchronization project manually before closing the Synchronization Editor.
NOTE: The target system connection data is saved in a variable set, which you can change in the
Synchronization Editor under Configuration | Variables if necessary.
To synchronize on a regular basis
1. Select the category Configuration | Start configuration.
2. Select a start up configuration in the document view and click Edit schedule....
3. Edit the schedule properties.
4. To enable the schedule, click Activate.
5. Click OK.
To start initial synchronization manually
1. Select the category Configuration | Start configuration.
2. Select a start up configuration in the document view and click Execute.
3. Confirm the security prompt with Yes.
Related Topics
• Setting Up a Synchronization Server on page 10
• Users and Permissions for Synchronizing with Microsoft® Exchange on page 9
• Testing Active Directory® Domain Trusts on page 15
• Show Synchronization Results on page 22
• Recommendations for Synchronizing Microsoft® Exchange on page 23
• Customizing Synchronization Configuration on page 26
• Default Project Template for Microsoft® Exchange 2010 on page 93
• Default Project Template for Microsoft® Exchange 2013 on page 94
Show Synchronization Results
Synchronization results are summarized in the synchronization log. You can specify the extent of the
synchronization log for each system connection individually. One Identity Manager provides several reports in
which the synchronization results are organized under different criteria.
To display a synchronization log
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Logs.
3. Click [icon] in the navigation view toolbar.
   Logs for all completed synchronization runs are displayed in the navigation view.
4. Select a log by double-clicking on it.
   An analysis of the synchronization is shown as a report. You can save the report.
To display a provisioning log
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Logs.
3. Click [icon] in the navigation view toolbar.
   Logs for all completed provisioning processes are displayed in the navigation view.
4. Select a log by double-clicking on it.
   An analysis of the provisioning is shown as a report. You can save the report.
The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.
Synchronization logs are stored for a fixed length of time. The retention period is set in the configuration parameter "DPR\Journal\LifeTime". By default, synchronization logs are stored for 30 days and then deleted.
To modify the retention period for synchronization logs
• Edit the value of the configuration parameter "DPR\Journal\LifeTime" in the Designer. Enter a retention period in days.
Recommendations for Synchronizing Microsoft® Exchange
The following scenarios for synchronizing Microsoft® Exchange are supported.
Scenario: Synchronizing Microsoft® Exchange infrastructure including all Microsoft® Exchange organization recipients
It is recommended in principle that you synchronize the Microsoft® Exchange infrastructure including all Microsoft® Exchange organization recipients.
The Microsoft® Exchange infrastructure elements (server, address lists, policies, for example) and recipients (mailboxes, mail-enabled distribution groups, e-mail users, e-mail contacts) of the entire Microsoft® Exchange organization are synchronized.
• Set up a synchronization project and use the recipient scope Complete organization.
For more information, see Creating a Synchronization Project for initial Synchronization with Microsoft® Exchange on page 16.
Scenario: Synchronizing Microsoft® Exchange infrastructure and recipients of a select Active
Directory® domain in the Microsoft® Exchange organization.
It is possible to synchronize Microsoft® Exchange infrastructure and recipients separately if synchronization of
the entire Microsoft® Exchange organization is not possible due to the large number of recipients.
First the Microsoft® Exchange infrastructure elements (server, address lists, policies, for example) are loaded.
Then recipients (mailboxes, mail-enabled distribution groups, e-mail users, e-mail contacts) are synchronized
from the given Active Directory® domain in the Microsoft® Exchange organization.
The following synchronization project configuration is recommended in this case:
NOTE: Use the Synchronization Editor expert mode for the following configurations.
1. Set up the synchronization project for synchronizing the entire Microsoft® Exchange infrastructure.
   • Select Complete organization in the recipient scope.
   • Customize the synchronization workflow.
     • Disable synchronization steps of all schema types representing recipients. These are:
       Mailbox
       MailContact
       MailUser
       DistributionList
       DynamicDistributionList
       MailPublicFolder
     • Check that all schema types not representing recipients are synchronized. These are:
       ActiveSyncMailboxPolicy
       DatabaseAvailabilityGroup
       MailboxDatabase
       ManagedFolderMailboxPolicy (Microsoft® Exchange 2010)
       OfflineAddressBook
       Organization
       PublicFolder
       PublicFolderDatabase (Microsoft® Exchange 2010)
       RetentionPolicy
       RoleAssingmentPolicy
       Server
       SharingPolicy
       AddressList
       GlobalAddressList
2. Set up the synchronization project for synchronizing recipients of an Active Directory® domain.
   • Check Only recipients of the following domain on the recipient scope page and select a Microsoft® Exchange domain.
   • Customize the synchronization workflow.
     • Disable synchronization steps of all schema types that do not represent recipients. These are:
       ActiveSyncMailboxPolicy
       DatabaseAvailabilityGroup
       MailboxDatabase
       ManagedFolderMailboxPolicy (Microsoft® Exchange 2010)
       OfflineAddressBook
       Organization
       PublicFolder
       PublicFolderDatabase (Microsoft® Exchange 2010)
       RetentionPolicy
       RoleAssingmentPolicy
       Server
       SharingPolicy
       AddressList
       GlobalAddressList
     • Check that all schema types that represent recipients are synchronized. These are:
       Mailbox
       MailContact
       MailUser
       DistributionList
       DynamicDistributionList
       MailPublicFolder
3. Specify more base objects for the remaining Active Directory® domains.
   • Open the first synchronization project for synchronizing recipients in the Synchronization Editor.
   • Create a new base object for every domain. Use the wizards to attach a base object.
     • Select the Microsoft® Exchange connector in the wizard and declare the connection parameters. The connection parameters are saved in a special variable set.
       NOTE: Take note of the following when setting up the connection:
       • Select a Microsoft® Exchange server in the domain as server if possible.
       • Select Only recipients of the following domain again in the recipient scope.
   • Create a new start up configuration for each domain. Use the new variable sets in the start up configuration.
   • Run a consistency check.
   • Activate the synchronization project.
4. Customize the synchronization schedule.
IMPORTANT: Set up the synchronization schedules such that the Microsoft® Exchange infrastructure is synchronized before Microsoft® Exchange recipients.
Several synchronization runs may be necessary before all the data is synchronized, depending on references between the Microsoft® Exchange organization domains.
For more information, see the Dell One Identity Manager Target System Synchronization Reference Guide.
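The split infrastructure/recipient scenario above, written as a check over a planning document. This is an added example, not code from the guide or from One Identity Manager: the plan dictionary, project names, variable set names and domain names are hypothetical, and the schema type names are copied from the lists above with the guide's spelling.

```python
"""Lint a written plan for the split infrastructure/recipient synchronization.

The plan dictionary is a hypothetical planning format made up for this
example; it is not an export format or API of One Identity Manager.
"""
from datetime import time

# Schema type names spelled exactly as the guide lists them.
RECIPIENT_TYPES = frozenset({
    "Mailbox", "MailContact", "MailUser", "DistributionList",
    "DynamicDistributionList", "MailPublicFolder",
})
INFRA_TYPES = frozenset({
    "ActiveSyncMailboxPolicy", "DatabaseAvailabilityGroup", "MailboxDatabase",
    "OfflineAddressBook", "Organization", "PublicFolder", "RetentionPolicy",
    "RoleAssingmentPolicy", "Server", "SharingPolicy", "AddressList",
    "GlobalAddressList",
})
# The guide marks these two types as Microsoft Exchange 2010 only.
INFRA_TYPES_2010_ONLY = frozenset({"ManagedFolderMailboxPolicy", "PublicFolderDatabase"})


def expected_infra_types(exchange_version):
    """Infrastructure schema types that apply to the given connector version."""
    if exchange_version == "2010":
        return INFRA_TYPES | INFRA_TYPES_2010_ONLY
    return INFRA_TYPES


def _check_steps(project, must_sync, must_disable, findings):
    enabled = set(project["enabled_types"])
    for name in sorted(must_disable & enabled):
        findings.append(f"{project['name']}: step for {name} must be disabled")
    for name in sorted(must_sync - enabled):
        findings.append(f"{project['name']}: {name} is not synchronized")


def lint_plan(plan):
    """Return findings as strings; an empty list means the plan follows the guide."""
    findings = []
    infra = plan["infrastructure_project"]
    recip = plan["recipient_project"]
    infra_types = expected_infra_types(plan["exchange_version"])

    # Step 1: the infrastructure project covers the complete organization
    # and has every recipient step disabled.
    if infra["recipient_scope"] != "organization":
        findings.append(f"{infra['name']}: recipient scope must be the complete organization")
    _check_steps(infra, infra_types, RECIPIENT_TYPES, findings)

    # Step 2: the recipient project has every infrastructure step disabled.
    _check_steps(recip, RECIPIENT_TYPES, INFRA_TYPES | INFRA_TYPES_2010_ONLY, findings)

    # Step 3: each domain gets its own start-up configuration and variable set.
    configs = recip["startup_configs"]
    covered = [c["domain"] for c in configs]
    for domain in plan["domains"]:
        if covered.count(domain) != 1:
            findings.append(f"{recip['name']}: {domain} needs exactly one start-up configuration")
    variable_sets = [c["variable_set"] for c in configs]
    for vs in sorted({v for v in variable_sets if variable_sets.count(v) > 1}):
        findings.append(f"{recip['name']}: variable set {vs} is used for more than one domain")

    # Step 4: infrastructure runs before every recipient run (assumes all
    # schedules are daily start times on the same day).
    for c in configs:
        if c["start"] <= infra["start"]:
            findings.append(f"{recip['name']}: {c['domain']} is scheduled at {c['start']:%H:%M}, "
                            f"not after infrastructure at {infra['start']:%H:%M}")
    return findings


# Constructed sample plan with three deliberate mistakes.
SAMPLE_PLAN = {
    "exchange_version": "2013",
    "domains": ["emea.example.test", "apac.example.test"],  # apac has no configuration
    "infrastructure_project": {
        "name": "EX-Infrastructure",
        "recipient_scope": "organization",
        "enabled_types": sorted(INFRA_TYPES | {"Mailbox"}),  # recipient step left enabled
        "start": time(2, 0),
    },
    "recipient_project": {
        "name": "EX-Recipients",
        "enabled_types": sorted(RECIPIENT_TYPES),
        "startup_configs": [  # scheduled before the infrastructure run
            {"domain": "emea.example.test", "variable_set": "VS-EMEA", "start": time(1, 0)},
        ],
    },
}


if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN):
        print(finding)
```

An empty result only says the written plan is consistent with the four steps; the consistency check in the Synchronization Editor is still what validates the actual project.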
Customizing Synchronization Configuration
You have used the Synchronization Editor to set up a synchronization project for initial synchronization with
Microsoft® Exchange. You can use this synchronization project to load Microsoft® Exchange objects into the
One Identity Manager database.
You must customize the synchronization configuration in order to compare the One Identity Manager database
with the Microsoft® Exchange regularly and to synchronize changes.
• You can use variables to create generally applicable synchronization configurations which contain the necessary information about the synchronization objects when synchronization starts. Variables can be implemented in base objects, schema classes or processing methods, for example.
• To specify which Microsoft® Exchange objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.
• Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.
Detailed information about this topic
• How to Configure Microsoft® Exchange Synchronization on page 26
• Update Schema on page 27
• Dell One Identity Manager Target System Synchronization Reference Guide
How to Configure Microsoft® Exchange Synchronization
To create a synchronization configuration for synchronizing Microsoft® Exchange
1. Open the synchronization project in the Synchronization Editor.
2. Check whether existing mappings can be used for synchronizing the target system. Create new maps
if required.
3. Create a new workflow with the workflow wizard.
This adds a workflow for synchronizing in the direction of the target system.
4. Create a new start up configuration. Use the new workflow to do this.
5. Save the changes.
6. Run a consistency check.
Related Topics
• Dell One Identity Manager Target System Synchronization Reference Guide
Update Schema
All the schema data (schema types and schema properties) of the target system schema and the One Identity
Manager schema are available when you are editing a synchronization project. Only a small part of this data is
really needed for configuring synchronization. If a synchronization project is finished, the schema is
compressed to remove unnecessary data from the synchronization project. This can speed up loading the
synchronization project.
Deleted schema data can be added to the synchronization configuration again at a later point. If the target
system schema or the One Identity Manager schema has changed, these changes must also be added to the
synchronization configuration. Then the changes can be added to the schema property mapping.
To include schema data that have been deleted through compressing and schema modifications in the
synchronization project, update each schema in the synchronization project. This may be necessary if:
• A schema was changed, by:
  • Changes to a target system schema
  • Customizations to the One Identity Manager schema
  • A One Identity Manager update migration
• A schema in the synchronization project was compressed, by:
  • Activating the synchronization project
  • Initial saving of the synchronization project
  • Compressing a schema
To update a system connection schema
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Configuration | Target system.
   - OR -
   Select the category Configuration | One Identity Manager connection.
3. Select the view General and click Update schema.
4. Confirm the security prompt with Yes.
This reloads the schema data.
To edit a mapping
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Mappings.
3. Select a mapping in the navigation view.
   This opens the Mapping Editor. For more information, see the Dell One Identity Manager Target System Synchronization Reference Guide.
NOTE: The synchronization is deactivated if the schema of an activated synchronization project is
updated. Reactivate the synchronization project to synchronize.
Post-Processing Outstanding Objects
Objects that do not exist in the target system can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.
Objects marked as outstanding:
• Cannot be edited in One Identity Manager.
• Are ignored by subsequent synchronization.
• Must be post-processed separately in One Identity Manager.
Start target system synchronization to do this.
To post-process outstanding objects
1. Select the category Active Directory® | Target system synchronization: Exchange.
All tables assigned to the target system type Microsoft® Exchange as synchronization tables are
displayed in the navigation view.
2. Select the table whose outstanding objects you want to edit in the navigation view.
This opens the target system synchronization form. All objects are shown here that are marked as
outstanding.
TIP: To display object properties of an outstanding object
a. Select the object on the target system synchronization form.
b. Open the context menu and click Show object.
3. Select the objects you want to post-process. Multi-select is possible.
4. Click one of the following icons in the form's toolbar to run the respective method.
Table 12: Methods for handling outstanding objects

| Icon | Method | Description |
|---|---|---|
| | Delete | The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account. The "outstanding" label is removed from the object. You cannot delete indirect memberships. |
| | Publish | The object is inserted in the target system. The "outstanding" label is removed from the object. The method triggers the event "HandleOutstanding". This means a target system specific process is executed which triggers the provisioning process for the object. Prerequisites: • The table containing the object is allowed to be published. • The target system connector has write access to the target system. |
| | Reset status | The "outstanding" label is removed from the object. |
5. Confirm the security prompt with Yes.
You must customize synchronization to synchronize custom tables.
To add custom tables to the target system synchronization
1. Select the category Active Directory® | Basic configuration data | Target system types.
2. Select the target system type Microsoft® Exchange in the result list.
3. Select Assign synchronization tables in the task view.
4. Assign custom tables whose outstanding objects you want to handle in Add assignments.
5. Save the changes.
6. Select Configure tables for publishing.
7. Select custom tables whose outstanding objects can be published in the target system and set the
option Publishable.
8. Save the changes.
NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means the option Connection is read only must not be set for the target system connection.
Detailed information about this topic
• Dell One Identity Manager Target System Synchronization Reference Guide
Deactivating Synchronization
Regular synchronization cannot be started until the synchronization project and the schedule are active.
To prevent regular synchronization
• Select the start up configuration and deactivate the configured schedule.
  Now you can only start synchronization manually.
An activated synchronization project can only be edited to a limited extent. The schema in the synchronization project must be updated if schema modifications are required. The synchronization project is deactivated in this case and can be edited again.
Furthermore, the synchronization project must be deactivated if synchronization should not be started by any means (not even manually).
To deactivate the loaded synchronization project
1. Select General on the start page.
2. Click Deactivate project.
Detailed information about this topic
• Creating a Synchronization Project for initial Synchronization with Microsoft® Exchange on page 16
• Dell One Identity Manager Target System Synchronization Reference Guide
3 Base Data for Managing Microsoft® Exchange
To manage a Microsoft® Exchange environment in One Identity Manager, the following data is relevant.
• Configuration parameter
  Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.
  Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | Configuration parameters in the Designer.
  For more information, see Appendix: Configuration Parameters for Managing an Microsoft® Exchange Environment on page 92.
• Account Definitions
  One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling. For more information, see Setting Up Account Definitions on page 31.
• Target system types
  Target system types are required for configuring target system comparisons. Tables containing outstanding objects are maintained on target system types.
  For more information, see Post-Processing Outstanding Objects on page 28.
• Target system managers
  In One Identity Manager, you can assign to every target system the employees who can edit this target system's objects in One Identity Manager. A default application role exists for the target system manager in One Identity Manager. Assign this application role to employees who are authorized to edit the Microsoft® Exchange organization in One Identity Manager. Create more application roles if required. For more information, see Target System Managers on page 45.
Setting Up Account Definitions
One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling.
The data for the user accounts in the respective target system comes from the basic employee data. The
assignment of the IT operating data to the employee’s user account is controlled through the primary
assignment of the employee to a location, a department, a cost center, or a business role (template
processing). Processing is done through templates. There are predefined templates for determining the data
required for user accounts included in the default installation. You can customize templates as required.
For more information about the basics see Dell One Identity Manager Target System Base Module
Administration Guide.
The following steps are necessary to implement an account definition:
• Creating an Account Definition
• Setting Up Manage Levels
• Creating a Formatting Rule for IT Operating Data
• Determining IT Operating Data
• Assign Account Definition to Employees
• Assign Account Definition to a Target System
Creating an Account Definition
To create a new account definition
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list. Select Change master data in the task view.
   - OR -
   Click [icon] in the result list toolbar.
3. Enter the account definition's master data.
4. Save the changes.
Detailed information about this topic
• Master Data for an Account Definition on page 32
Master Data for an Account Definition
Enter the following data for an account definition:
Table 13: Master Data for an Account Definition

| Property | Description |
|---|---|
| Account definition | Account definition name. |
| User account table | Table in the One Identity Manager schema which maps user accounts. |
| Target system | Target system to which the account definition applies. |
| Required account definitions | Required account definitions. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is automatically requested or assigned with it. Enter the account definition of the associated Active Directory® domain. |
| Description | Spare text box for additional explanation. |
| Default manage level | Manage level to use by default when you add new user accounts. |
| Risk index | Value for evaluating the risk of account definition assignments to employees. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set. For more information, see the Dell One Identity Manager Identity Management Base Module Administration Guide. |
| Service item | Service item through which you can request the account definition in the IT Shop. Assign an existing service item or add a new one. |
| IT Shop | Specifies whether the account definition can be requested through the IT Shop. The account definition can be ordered by an employee over the Web Portal and distributed using a defined approval process. The account definition can still be directly assigned to employees and roles outside the IT Shop. |
| Only for use in IT Shop | Specifies whether the account definition can only be requested through the IT Shop. The account definition can be ordered by an employee over the Web Portal and distributed using a defined approval process. This means, the account definition cannot be directly assigned to roles outside the IT Shop. |
| Automatic assignment to employees | Specifies whether the account definition is assigned automatically to all internal employees. The account definition is assigned to every employee not marked as external, on saving. New employees automatically obtain this account definition as soon as they are added. IMPORTANT: Only set this option if you can ensure that all current internal employees in the database and all pending newly added internal employees obtain a user account in this target system. Disable this option to remove automatic assignment of the account definition to all employees. The account definition cannot be reassigned to employees from this point on. Existing account definition assignments remain intact. |
| Retain account definition if permanently disabled | Specifies the account definition assignment to permanently disabled employees. Option set: the account definition assignment remains in effect. The user account stays the same. Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
| Retain account definition if temporarily disabled | Specifies the account definition assignment to temporarily disabled employees. Option set: the account definition assignment remains in effect. The user account stays the same. Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
| Retain account definition if permanently disabled | Specifies the account definition assignment on deferred deletion of employees. Option set: the account definition assignment remains in effect. The user account stays the same. Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
| Retain account definition on security risk | Specifies the account definition assignment to employees posing a security risk. Option set: the account definition assignment remains in effect. The user account stays the same. Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
| Resource type | Resource type for grouping account definitions. |
| Spare field 01 - spare field 10 | Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields. |
For more information, see the Dell One Identity Manager Identity Management Base Module
Administration Guide.
Setting Up Manage Levels
Specify the manage level for an account definition for managing user accounts. The user account’s manage
level specifies the extent of the employee’s properties that are inherited by the user account. This allows an
employee to have several user accounts in one target system, for example:
l
l
Default user account that inherits all properties from the employee
Administrative user account that is associated to an employee but should not inherit the properties
from the employee.
The One Identity Manager supplies a default configuration for manage levels:
One Identity Manager 7.0 Administration Guide for Connecting to Microsoft®
Exchange
Base Data for Managing Microsoft® Exchange
34
l
Unmanaged
User accounts with a manage level of “Unmanaged” become linked to an employee but do not inherit
any other properties. When a new user account is added with this manage level and an employee is
assigned, some of the employee's properties are transferred initially. If the employee properties are
changed at a later date, the changes are not passed onto the user account.
l
Full managed
User accounts with a manage level of “Full managed” inherit specific properties from the
assigned employee.
NOTE: The manage levels “Full managed” and “Unmanaged” are evaluated in the templates. You can
customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to amend the
templates to include manage level approaches.
For each manage level, specify how temporarily disabling, permanently disabling or deleting an employee, or
rating the employee as a security risk, affects the employee's user accounts and group memberships. For more
information, see the Dell One Identity Manager Target System Base Module Administration Guide.
• Employee user accounts can be locked when they are disabled, deleted or rated as a security risk so
  that permissions are immediately withdrawn. If the employee is reinstated at a later date, the user
  accounts are also reactivated.
• You can also define group membership inheritance. Inheritance can be discontinued if desired when,
  for example, the employee’s user accounts are disabled and therefore cannot be members in groups.
  During this time, no inheritance processes should be calculated for this employee. Existing group
  memberships are deleted!
To assign manage levels to an account definition
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select Assign manage level in the task view.
4. Assign manage levels in Add assignments.
- OR -
Remove assignments to manage levels in Remove assignments.
5. Save the changes.
IMPORTANT: The manage level "Unmanaged" is assigned automatically when an account definition is
assigned and cannot be removed.
To edit a manage level
1. Select the category Active Directory® | Basic configuration data | Account definitions |
Manage level.
2. Select the manage level in the result list. Select Change master data in the task view.
- OR -
Click in the result list toolbar.
3. Edit the manage level's master data.
4. Save the changes.
Detailed information about this topic
• Master Data for a Manage Level
Master Data for a Manage Level
Enter the following data for a manage level.
Table 14: Master Data for a Manage Level
Property: Description
Manage level: Name of the manage level.
Description: Spare text box for additional explanation.
IT operating data overwrites: Specifies whether user account data formatted from IT operating data is
automatically updated. Permitted values are:
  Never: Data is not updated.
  Always: Data is always updated.
  Only initially: Data is only initially determined.
Retain groups if temporarily disabled: Specifies whether user accounts of temporarily disabled employees retain
their group memberships.
Lock user accounts if temporarily disabled: Specifies whether user accounts of temporarily disabled employees are
locked.
Retain groups if permanently disabled: Specifies whether user accounts of temporarily disabled employees retain
group memberships.
Lock user accounts if permanently disabled: Specifies whether user accounts of permanently disabled employees are
locked.
Retain groups on deferred deletion: Specifies whether user accounts of employees marked for deletion retain
their group memberships.
Lock user accounts if deletion is deferred: Specifies whether user accounts of employees marked for deletion are locked.
Retain groups on security risk: Specifies whether user accounts of employees posing a security risk retain
their group memberships.
Lock user accounts if security is at risk: Specifies whether user accounts of employees posing a security risk are
locked.
Retain groups if user account disabled: Specifies whether locked user accounts retain their group memberships.
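The following added example (not part of the original guide and not One Identity Manager code) models the lock and retain options of Table 14 and reviews manage levels for states in which a disabled or risk-rated employee keeps a usable account. The manage level names and settings are constructed, and the way the options combine is an assumption based on the descriptions above.

```python
# Added illustration, not One Identity Manager code. The option names are the
# Table 14 property names; how the product combines them is an assumption.

# Employee state -> (lock option, retain-groups option) from Table 14.
STATES = {
    "temporarily disabled": ("Lock user accounts if temporarily disabled",
                             "Retain groups if temporarily disabled"),
    "permanently disabled": ("Lock user accounts if permanently disabled",
                             "Retain groups if permanently disabled"),
    "deletion deferred": ("Lock user accounts if deletion is deferred",
                          "Retain groups on deferred deletion"),
    "security risk": ("Lock user accounts if security is at risk",
                      "Retain groups on security risk"),
}
RETAIN_WHEN_LOCKED = "Retain groups if user account disabled"


def effect(options, state):
    """Return (locked, groups_retained) for one employee state."""
    lock_opt, retain_opt = STATES[state]
    locked = bool(options.get(lock_opt, False))
    retained = bool(options.get(retain_opt, False))
    # Assumption: a locked account keeps its group memberships only if the
    # account-level option "Retain groups if user account disabled" is set too.
    if locked and not options.get(RETAIN_WHEN_LOCKED, False):
        retained = False
    return locked, retained


def audit(levels):
    """Return (manage level, state, severity, reason) for each combination to review."""
    findings = []
    for name, options in levels.items():
        for state in STATES:
            locked, retained = effect(options, state)
            if not locked and retained:
                findings.append((name, state, "HIGH",
                                 "account stays usable with all group memberships"))
            elif not locked:
                findings.append((name, state, "MEDIUM",
                                 "account stays usable; only memberships are withdrawn"))
            elif retained:
                findings.append((name, state, "INFO",
                                 "account locked; memberships come back on reactivation"))
    return findings


# Constructed custom manage levels; these are not the product's shipped defaults.
LEVELS = {
    "Standard": {
        "Lock user accounts if temporarily disabled": True,
        "Retain groups if temporarily disabled": True,
        "Lock user accounts if permanently disabled": True,
        "Lock user accounts if deletion is deferred": True,
        "Lock user accounts if security is at risk": True,
        RETAIN_WHEN_LOCKED: True,
    },
    "Privileged": {
        "Lock user accounts if temporarily disabled": False,
        "Retain groups if temporarily disabled": True,
        "Lock user accounts if permanently disabled": True,
        "Lock user accounts if deletion is deferred": True,
        "Lock user accounts if security is at risk": False,
        "Retain groups on security risk": False,
    },
}

if __name__ == "__main__":
    for level, state, severity, reason in audit(LEVELS):
        print(f"{severity:6} {level}: {state}: {reason}")
```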
Creating a Formatting Rule for IT Operating Data
An account definition specifies which rules are used to form the IT operating data and which default values will
be used if no IT operating data can be found through the employee's primary roles.
In the One Identity Manager default configuration, the following IT operating data is used to automatically
create and modify user accounts for an employee in the target system.
• Microsoft® Exchange mailbox database
To create a mapping rule for IT operating data
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select the task Edit IT operating data mapping.
4. Enter the following data:
Table 15: Mapping Rule for IT Operating Data
Property: Description
Column: Property of the user account for which the value is set.
Source: Specifies which roles to use in order to find the user account properties. You have the
options:
  • Primary department
  • Primary location
  • Primary cost center
  • Primary business role
    NOTE: Only use the primary business role if the Business Roles Module is
    installed.
  • n.a.
  If you select a role, you must specify a default value and set the option Always use
  default value.
Default value: Default value of the property for an employee's user account if the value is not
determined dynamically from the IT operating data.
Always use default value: Specifies whether user account properties are always filled with the default value. IT
operating data is not determined dynamically from a role.
Notify when applying the standard: Specifies whether email notification to a defined mailbox is sent when the default value is
used. Use the mail template "Employee - new user account with default properties
created". To change the mail template, alter the configuration parameter
"TargetSystem\ADS\Exchange2000\Accounts\MailTemplateDefaultValues".
5. Save the changes.
Related Topics
• Determining IT Operating Data
Determining IT Operating Data
To create user accounts with the manage level “Full managed” for an employee, the necessary IT
operating data must be determined. The operating data required to automatically supply an employee with IT
resources is shown in the departments, locations, cost centers, and business roles. An employee is assigned to
one primary location, one primary department, one primary cost center or one primary business role. The
necessary IT operating data is ascertained from these assignments and used in creating the user accounts.
Default values are used if valid IT operating data cannot be found through the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:
Normally, each employee in department A obtains a default user account in domain A. In addition, certain
employees in department A obtain administrative user accounts in domain A.
Create an account definition A for the standard domain A user account and an account definition B for the
administrative domain A user account. Specify the property "Department" in the IT operating data formatting
rule for the account definitions A and B in order to determine the valid IT operating data.
Specify effective domain A IT operating data for department A. This IT operating data is used for standard user
accounts. In addition, specify the effective account definition B IT operating data for department A. This IT
operating data is used for administrative user accounts.
To specify IT operating data
1. Select the role in the category Organizations or Business roles.
2. Select Edit IT operating data mapping in the task view.
3. Enter the following data:
Table 16: IT operating data
Property: Description
Organization/Business role: Department, cost center, location or business role for which the IT operating
data is valid.
Effects on: IT operating data application scope. The IT operating data can be used for a
target system or a defined account definition.
  To specify an application scope
  a. Click next to the text box.
  b. Select the table which maps the target system or the table
     TSBAccountDef for an account definition in Table.
  c. Select the concrete target system or concrete account definition
     under Effects on.
  d. Click OK.
Column: User account property for which the value is set.
Columns using the script template TSB_ITDataFromOrg in their template
are listed. For more information, see the Dell One Identity Manager Target
System Base Module Administration Guide.
Value: Concrete value which is assigned to the user account property.
4. Save the changes.
Related Topics
• Creating a Formatting Rule for IT Operating Data
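The department A example above, worked through as an added sketch that is not part of the original guide and not the product's own code: a mapping rule (Table 15) is resolved against IT operating data rows (Table 16) for a standard and an administrative account definition. The class and field names, the mailbox database values and the rule that an account-definition scope is checked before a target-system scope are assumptions made for illustration.

```python
# Added illustration, not One Identity Manager code. Names and values are
# constructed; the scope precedence is an assumption drawn from the example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MappingRule:                 # one row of Table 15
    column: str                    # user account property to fill
    source: Optional[str]          # "department", "location", "cost_center",
                                   # "business_role", or None for "n.a."
    default: str                   # "Default value"
    always_default: bool = False   # "Always use default value"
    notify: bool = False           # "Notify when applying the standard"


@dataclass(frozen=True)
class ITData:                      # one row of Table 16
    role: str                      # organization or business role
    scope_kind: str                # "account_definition" or "target_system"
    scope: str                     # the concrete definition or target system
    column: str
    value: str


def resolve(rule, primary_roles, account_def, target_system, it_data):
    """Return (value, used_default, send_notification) for one property."""
    def fallback():
        # The notification is tied to the default value being applied.
        return rule.default, True, rule.notify

    if rule.always_default or rule.source is None:
        return fallback()
    role = primary_roles.get(rule.source)
    if role is None:
        return fallback()
    rows = [d for d in it_data if d.role == role and d.column == rule.column]
    # Assumption: data entered for the account definition wins over data
    # entered for the whole target system.
    for kind, scope in (("account_definition", account_def),
                        ("target_system", target_system)):
        for d in rows:
            if d.scope_kind == kind and d.scope == scope:
                return d.value, False, False
    return fallback()


# Constructed data following the example: department A, domain A,
# account definition A (standard) and account definition B (administrative).
RULE = MappingRule(column="Mailbox database", source="department",
                   default="MBX-DEFAULT", notify=True)
IT_DATA = [
    ITData("Department A", "target_system", "Domain A",
           "Mailbox database", "MBX-STANDARD"),
    ITData("Department A", "account_definition", "Account definition B",
           "Mailbox database", "MBX-ADMIN"),
]

if __name__ == "__main__":
    for dept, acc_def in (("Department A", "Account definition A"),
                          ("Department A", "Account definition B"),
                          ("Department C", "Account definition A")):
        print(dept, acc_def,
              resolve(RULE, {"department": dept}, acc_def, "Domain A", IT_DATA))
```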
Assign Account Definition to Employees
Account definitions are assigned to company employees. Indirect assignment is the default method for assigning
account definitions to employees. Account definitions are assigned to departments, cost centers, locations or
roles. The employees are categorized into these departments, cost centers, locations or roles depending on
their function in the company and thus obtain their account definitions. To react quickly to special requests,
you can assign individual account definitions directly to employees. You can automatically assign special
account definitions to all company employees. It is possible to assign account definitions to the IT Shop as
requestable products. A department manager can then request user accounts from the Web Portal for his
staff. It is also possible to add account definitions to system roles. These system roles can be assigned to
employees through hierarchical roles or directly or added as products in the IT Shop.
In the One Identity Manager default installation, the processes are checked at the start to see if the employee
already has a user account in the target system that has an account definition. If no user account exists, a new
user account is created with the account definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. You have to alter the user
account manage level afterward in this case.
Prerequisites for indirect assignment of account definitions to employees
• Assignment of employees and account definitions is permitted for role classes (department, cost
  center, location or business role).
For more information, see the Dell One Identity Manager Identity Management Base Module
Administration Guide.
Detailed information about this topic
• Assign Account Definition to Departments, Cost Centers and Locations
• Assign Account Definition to Business Roles
• Assign Account Definition to all Employees
• Assign Account Definition Directly to Employees
• Assign Account Definition to a Target System
Assign Account Definition to Departments, Cost Centers and Locations
To add account definitions to hierarchical roles
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
   • Assign departments on the Departments tab.
   • Assign locations on the Locations tab.
   • Assign cost centers on the Cost center tab.
- OR -
Remove organizations in Remove assignments.
5. Save the changes.
Related Topics
• Assign Account Definition to Business Roles
• Assign Account Definition to all Employees
• Assign Account Definition Directly to Employees
Assign Account Definition to Business Roles
Installed Module: Business Roles Module
To add account definitions to hierarchical roles
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR -
Remove business roles in Remove assignments.
5. Save the changes.
Related Topics
• Assign Account Definition to Departments, Cost Centers and Locations
• Assign Account Definition to all Employees
• Assign Account Definition Directly to Employees
Assign Account Definition to all Employees
To assign an account definition to all employees
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select Change master data in the task view.
4. Set the option Automatic assignment to employees on the General tab.
IMPORTANT: Only set this option if you can ensure that all current internal employees in the
database and all pending newly added internal employees obtain a user account in this target
system.
5. Save the changes.
The account definition is assigned to every employee that is not marked as external. New employees
automatically obtain this account definition as soon as they are added. The assignment is calculated by the
DBQueue Processor.
NOTE: Disable the option Automatic assignment to employees to remove automatic assignment of the
account definition to all employees. The account definition cannot be reassigned to employees from this
point on. Existing assignments remain intact.
Related Topics
• Assign Account Definition to Departments, Cost Centers and Locations
• Assign Account Definition to Business Roles
• Assign Account Definition Directly to Employees
Assign Account Definition Directly to Employees
To assign an account definition directly to employees
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select Assign to employees in the task view.
4. Assign employees in Add assignments.
- OR -
Remove employees from Remove assignments.
5. Save the changes.
Related Topics
• Assign Account Definition to Departments, Cost Centers and Locations
• Assign Account Definition to Business Roles
• Assign Account Definition to all Employees
Assign Account Definition to System Roles
Installed Module: System Roles Module
NOTE: Account definitions which have the option Only use in IT Shop set, can only be assigned to
system roles that also have this option set.
To add account definitions to a system role
1. Select the category Active Directory® | Basic configuration data | Account definitions | Account
definitions.
2. Select an account definition in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR -
Remove assignments to system roles in Remove assignments.
5. Save the changes.
Assign Account Definition to a Target System
The following prerequisites must be fulfilled if you implement automatic assignment of user accounts and
employees resulting in administered user accounts (state "Linked configured"):
• The account definition is assigned to the target system.
• The account definition has the default manage level.
User accounts are only linked to the employee (state "Linked") if no account definition is given. This is the case
on initial synchronization, for example.
To assign the account definition to a target system
1. Select the domain in the category Active Directory® | Domains.
2. Select Change master data in the task view.
3. Enter the account definition on the Exchange tab.
a. Select the account definition for mailboxes from Mailbox definition (initial).
b. Select the account definition for contacts from E-mail contact definition (initial).
c. Select the account definition for e-mail users from E-mail user definition (initial).
4. Save the changes.
Related Topics
• Assign Account Definition to Employees
Deleting an Account Definition
You can delete account definitions if they are not assigned to target systems, employees, hierarchical roles or
any other account definitions.
NOTE: If an account definition is deleted, the user accounts arising from this account definition are
deleted.
To delete an account definition
1. Remove automatic assignments of the account definition from all employees.
a. Select the category Active Directory® | Basic configuration data | Account definitions |
Account definitions.
b. Select an account definition in the result list.
c. Select Change master data in the task view.
d. Disable the option Automatic assignment to employees on the General tab.
e. Save the changes.
2. Remove direct assignments of the account definition to employees.
a. Select the category Active Directory® | Basic configuration data | Account definitions |
Account definitions.
b. Select an account definition in the result list.
c. Select Assign to employees in the task view.
d. Remove employees from Remove assignments.
e. Save the changes.
3. Remove the account definition's assignments to departments, cost centers and locations.
a. Select the category Active Directory® | Basic configuration data | Account definitions |
Account definitions.
b. Select an account definition in the result list.
c. Select Assign organizations from the task view.
d. Remove the account definition's assignments to departments, cost centers and locations in
Remove assignments.
e. Save the changes.
4. Remove the account definition's assignments to business roles.
a. Select the category Active Directory® | Basic configuration data | Account definitions |
Account definitions.
b. Select an account definition in the result list.
c. Select Assign business roles in the task view.
Remove business roles in Remove assignments.
d. Save the changes.
5. If the account definition was requested through the IT Shop, it must be canceled and removed from all
IT Shop shelves. For more information, see the Dell One Identity Manager IT Shop Administration Guide.
6. Remove the account definition assignment as required account definition for another account definition.
As long as the account definition is required for another account definition, it cannot be deleted. Check
all the account definitions.
a. Select the category Active Directory® | Basic configuration data | Account definitions |
Account definitions.
b. Select an account definition in the result list.
c. Remove the account definition from the Required resource menu.
d. Save the changes.
7. Remove the account definition's assignments to target systems.
a. Select the domain in the category Active Directory® | Domains.
b. Select Change master data in the task view.
c. Remove the assigned account definitions on the General tab.
d. Save the changes.
8. Delete the account definition.
a. Select the category Active Directory® | Basic configuration data | Account definitions |
Account definitions.
b. Select an account definition in the result list.
c. Click
, to delete the account definition.
Target System Managers
In One Identity Manager, you can assign to every target system the employees who are allowed to edit that target
system's objects in One Identity Manager. A default application role exists for the target system manager in
One Identity Manager. Assign this application role to employees who are authorized to edit the Microsoft® Exchange
organization in One Identity Manager. Create more application roles if required.
Table 17: Default Application Roles for Target System Managers
User: Tasks
Target system managers: Target system managers must be assigned to the application role Target systems |
Exchange or a child application role.
Users with this application role:
  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts, groups or
    container structures.
  • Prepare groups for adding to the IT Shop.
  • Configure synchronization in the Synchronization Editor and define the mapping for
    comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
TIP: If you want to limit access permissions for target system managers to individual target systems,
define child application roles for these organizations.
To specify a target system manager
1. Use an application role from Target system | Administrators to log in to the Manager.
2. Select the category Active Directory® | Exchange system administration.
3. Select the organization from the result list.
4. Select Change master data in the task view.
5. Select the application role on the General tab in the Target system manager menu.
- OR -
Click next to the Target system manager menu to create a new application role.
   • Enter the application role name and assign the parent application role Target system |
     Exchange.
   • Click OK to add the new application role.
6. Save the changes.
7. Assign the application role to employees who are authorized to edit the organization in One
Identity Manager.
To add employees to an application role
1. Use an application role from Target system | Administrators to log in to the Manager.
2. Select the application role in the category Active Directory® | Basic configuration data | Target
system managers | Exchange.
3. Select Assign employees in the task view.
4. Assign the employees you want and save the changes.
Related Topics
• Microsoft® Exchange Organization
• Dell One Identity Manager Identity Management Base Module Administration Guide
4 Microsoft® Exchange Structure
Structure elements in Microsoft® Exchange that are not server dependent are matched by each Microsoft®
Exchange Server. This affects the organization, global address lists, offline address lists and folders. Double
entries are avoided by running a check routine immediately before entry in the One Identity Manager
database. Microsoft® Exchange structure objects below server level are only matched by the respective
server itself. This affects mailbox databases and public folder databases.
The names and frequency of the structure objects listed below can vary depending on the version of the
Microsoft® Exchange server in use.
NOTE: The system information for the Microsoft® Exchange structure is loaded into the One Identity
Manager database during data synchronization. It is not possible to customize this system information in
the One Identity Manager due to the complex dependencies and far reaching effects of changes.
Detailed information about this topic
• Microsoft® Exchange Organization
• Microsoft® Exchange Mailbox Databases
• Microsoft® Exchange Address Lists
• Microsoft® Exchange Public Folder
• Microsoft® Exchange Mailbox Server
• Microsoft® Exchange Data Availability Groups
• Sharing Policies
• Retention Policies
• Policies for Mobile Email Queries
• Folder Administration Policies
• Role Assignments Policies
Microsoft® Exchange Organization
A Microsoft® Exchange organization is specified during installation of the Microsoft® Exchange server. The
global settings for message delivery are not made in the One Identity Manager.
To edit organization master data
1. Select the category Active Directory® | Exchange system administration.
2. Select the organization from the result list.
3. Select Change master data in the task view.
4. Save the changes.
Table 18: Organization Master Data
Property: Description
Name: Name of the organization.
Distinguished name: Distinguished name of the organization.
Canonical name: Canonical name of the organization.
Administrative description: An administrative description about the organization.
LDAP Path: Path to the organization in LDAP notation.
Exchange version: Version of Microsoft® Exchange implemented.
Forest: The name of the forest to which the domain belongs.
Organization in mixed mode: Specifies whether the organization works in mixed or single mode.
Target system manager: Application role in which target system managers are specified for the organization. Target
system managers only edit the organization objects assigned to them. Therefore, each
organization can have a different target system manager assigned to it.
Select the One Identity Manager application role whose members are responsible for
administration of this organization. Use the button to add a new application role.
Synchronized by: Type of synchronization through which the data is synchronized between the organization
and One Identity Manager.
NOTE: You can only specify the synchronization type when adding a new
organization. No changes can be made after saving.
"One Identity Manager" is used when you create an organization with the
Synchronization Editor.
Table 19: Permitted Values
Value: One Identity Manager
  Synchronization by: Microsoft® Exchange connector
  Provisioned by: Microsoft® Exchange connector
Value: FIM
  Synchronization by: Microsoft® Forefront® Identity Manager
  Provisioned by: Microsoft® Forefront® Identity Manager
Value: No synchronization
  Synchronization by: none
  Provisioned by: none
NOTE: If you select “No synchronization” you can define custom processes to
exchange data between One Identity Manager and the organization.
Related Topics
• Target System Managers
Microsoft® Exchange Mailbox Databases
Mailbox data is stored in the mailbox database (messages received, attachments, folders, documents).
To display mailbox database master data
1. Select the category Active Directory® | Exchange system administration | <organization> |
Organization configuration | Mailbox databases.
2. Select a mailbox database in the result list.
3. Select Change master data in the task view.
To display the mailbox server of a mailbox database master data
1. Select the category Active Directory® | Exchange system administration | <organization> |
Organization configuration | Mailbox databases.
2. Select a mailbox database in the result list.
3. Select Change master data in the task view.
Table 20: Mailbox Database Master Data
Property: Description
Exchange organization: Name of the organization.
identifier: Name of the mailbox database.
Administrative description: Administrative description of the mailbox database.
Master: Specifies where to find the mailbox database master. A server or a database availability
group can be entered. This property is available from Microsoft® Exchange Server 2010 or
later.
Master type: Type of mailbox database master. This property is available from Microsoft® Exchange
Server 2010 or later.
Exchange database: Storage location of the server.
Store: Name of the storage group.
Public folder database: Name of the public folder database.
offline address list: Name of the default offline address list.
Store deleted mailboxes [days]: Number of days the deleted mailboxes stay on the server before they are finally removed.
Store deleted objects [days]: Number of days the deleted objects (email message for example) remain on the server
before being removed.
Warn at [KB]: Global setting for the maximum size of mailboxes in KB. If this size is exceeded the user is
sent a warning that messages must be deleted in the archive mailbox.
Prohibit send at [KB]: Global setting for the size of mailboxes in KB above which, sending messages is prohibited. If
this size is exceeded the user is sent a message that messages must be deleted in the
archive mailbox. The user is not able to send more messages until the size of the mailbox
has been reduced.
Prohibit transfer at [KB]: Global setting for the size of mailboxes in KB above which, sending and receiving messages
is prohibited.
Warning interval: Interval for warnings for mailbox databases.
Do not delete permanently before a backup is made: Specifies whether objects are allowed to be deleted after a final backup is run.
Journal recipient: All messages sent using the mailbox database are logged in this mailbox or distribution
group.
Maintenance schedule: Maintenance schedule for the database.
Mounted: Status of the database. Specifies whether the database is linked in or not.
Circular logging: Specifies whether the log data are reused or new.
Microsoft® Exchange Address Lists
Microsoft® Exchange offers you the possibility to manage address lists for your Microsoft® Exchange
organization. Members in address lists can be mailboxes, email users, email contacts or email enabled
distribution groups and email enabled public folders. Offline address lists allow a mailbox user to get the
address list data and work with it offline.
To display address list master data
1. Select the category Active Directory® | Exchange System administration | <organization> |
Organization configuration | Address lists.
2. Select the address list in the result list.
3. Select Change master data in the task view.
Table 21: Address List Master Data
Property: Description
Exchange organization: Name of the organization.
Name: Address list name.
Parent address list: Name of the parent address list.
Display name: Display name of the address list. This name is used to display the address lists in
clients, for example, Outlook®.
Administrative description: Administrative description of the mailbox database.
Container: Container for the address list.
Condition: Additional condition for the filter rule.
Filter rules: Filter rules for finding members in the address list.
Global address list: Specifies whether the list is global.
All recipient types: Specifies whether all recipient types are permitted in the address list.
User mailboxes: Specifies whether user mailboxes are permitted in the address list.
E-mail users: Specifies whether email users are permitted in the address list.
Email contacts: Specifies whether email contacts are permitted in the address list.
Mail-enabled distribution groups: Specifies whether mail-enabled distribution groups are permitted in the address
list.
Resource mailboxes: Specifies whether resource mailboxes are permitted in the address list.
None: Specifies whether any recipients are permitted in the address list.
To display master data of an offline address list
1. Select the category Active Directory® | Exchange System administration | <organization> |
Organization configuration | Offline address lists.
2. Select the offline address list in the result list.
3. Select Change master data in the task view.
Table 22: Offline Address List Master Data
Property: Description
Exchange organization: Name of the organization.
Name: Name of the offline address list.
Administrative description: Administrative description of the offline address list.
Default offline address list: Labels this as a default offline address list.
Server: Microsoft® Exchange server where the offline address list is stored.
Supports Outlook: Information about which Outlook® versions are supported.
Calculation schedule: Update interval for the offline address list.
Microsoft® Exchange Public Folder
Public folders are used to allow employees shared access to information. Public folders can be structured
hierarchically and are connected with a public folder database.
To display public folder master data
1. Select the category Active Directory® | Exchange system administration | <organization> |
Organization configuration | Public folders.
2. Select the public folder in the result list.
3. Select Change master data in the task view.
Table 23: Public Folder Master Data
Property | Description
Exchange organization | Name of the organization.
Name | Name of the public folder.
Parent public folder | Name of the parent public folder.
Path | Path to the public folder.
Read state per user | Specifies whether users can show information about read and unread messages.
To display master data for a public folder database
1. Select the category Active Directory® | Exchange system administration | <organization> |
Organization configuration | Public folder database.
2. Select the public folder database in the result list.
3. Select Change master data in the task view.
Table 24: Master Data for a Public Folder Database
Property | Description
Exchange organization | Name of the organization.
Name | Name of the database.
Administrative description | Administrative description of the database.
Store | Name of the storage group.
Master server | If this is a copy of the database, the server on which the original copy is to be found is entered here. This property is available from Microsoft® Exchange Server 2010 or later.
Mounted | Status of the database. Specifies whether the database is linked in or not.
Replication interval [min] | Interval for replicating the database in minutes.
Max. send size [KB] | Maximum size for replicated messages in KB.
Max. element size [KB] | Maximum size of elements in KB.
Warn at [KB] | Setting for the maximum size of the database in KB. A warning is sent if this size is exceeded.
Provisioning prohibited at [KB] | Setting for the size of messages in KB. Messages that exceed this size cannot be published.
Database path | Storage location of the server.
Folders expire after [days] | Expiry data for folders in this public folder store in days.
Store deleted objects [days] | Number of days the deleted objects (messages, for example) remain on the server before being removed.
Do not delete permanently before a backup is made | Specifies whether objects are allowed to be deleted after a final backup is run.
Distinguished name | Old style distinguished name of the database.
Circular logging | Specifies whether the log data are reused or new. This property is available from Microsoft® Exchange Server 2010 or later.
Microsoft® Exchange Mailbox Server
The mailbox server is responsible for client processing. There is a copy of the mailbox database on the
mailbox server.
To display server master data
1. Select the category Active Directory® | Exchange system administration | <organization> | Server
configuration.
2. Select the server in the result list.
3. Select Change master data in the task view.
To display a mailbox server's mailbox database
1. Select the category Active Directory® | Exchange system administration | <organization> | Server
configuration.
2. Select the server in the result list.
3. Select the task Display mailbox database.
Table 25: Server Master Data
Property | Description
Exchange organization | Name of the organization.
Active Directory® computer | Computer on which the Microsoft® Exchange server is installed.
server | Name of the server.
Distinguished name | Distinguished name of the server.
function | Exchange server roles of the server.
Exchange version | Installed version of the Microsoft® Exchange server.
Microsoft® Exchange Database Availability Groups
Database availability groups (DAG) are implemented from Microsoft® Exchange Server 2010 onward for
increased availability and site resilience.
To display a database availability group
1. Select the category Active Directory® | Exchange system administration | <organization> |
Organization configuration | Database availability groups.
2. Select the database availability group in the result list.
3. Select Change master data in the task view.
Table 26: Database Availability Group Master Data
Property | Description
Exchange organization | Name of the organization.
Database availability group | Name of the database availability group.
Administrative description | Administrative description of the mailbox database.
Sharing Policies
As from Microsoft® Exchange Server 2010, sharing policies are implemented to make calendar and contact data
available to external users. Assigning a sharing policy to a mailbox regulates how calendar and contact data can
be shared with user accounts outside the Microsoft® Exchange organization.
To assign policies to mailboxes
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Share policies.
2. Select the policy from the result list.
3. Select the task Assign mailboxes.
4. Assign mailboxes in Add assignments.
- OR -
Remove mailboxes from Remove assignments.
5. Save the changes.
To display master data for a sharing policy
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Share policies.
2. Select the policy from the result list.
3. Select Change master data in the task view.
Table 27: Sharing Policy Master Data
Property | Description
Exchange organization | Name of the organization.
Name | Name of the policy.
Domain share | Domain and action which apply for this sharing policy.
Enabled | Specifies whether the policy is enabled. The calendar and contact data is shared for user accounts in the given domains.
Default | Specifies whether this is the default policy.
Retention Policies
As from Microsoft® Exchange Server 2010, retention policies have been implemented to group settings for
retaining folders and email messages and to apply these to mailboxes.
To assign policies to mailboxes
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Retention policies.
2. Select the policy from the result list.
3. Select the task Assign mailboxes.
4. Assign mailboxes in Add assignments.
- OR -
Remove mailboxes from Remove assignments.
5. Save the changes.
To display master data for a retention policy
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Retention policies.
2. Select the policy from the result list.
3. Select Change master data in the task view.
Table 28: Retention Policy Master Data
Property | Description
Exchange organization | Name of the organization.
Name | Name of the policy.
Administrative description | Administrative description of the policy.
Policies for Mobile Email Queries
Mailbox policies for mobile email queries contain settings that come into effect when data is accessed in the
Microsoft® Exchange organization with mobile devices through the synchronization protocol Exchange
ActiveSync. The settings include, for example, password requirements, specifications for email attachments,
device encryption data and access rules for shares.
To assign policies to mailboxes
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Email policies.
2. Select the policy from the result list.
3. Select the task Assign mailboxes.
4. Assign mailboxes in Add assignments.
- OR -
Remove mailboxes from Remove assignments.
5. Save the changes.
To display policy master data for a mobile email query
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Email policies.
2. Select the policy from the result list.
3. Select Change master data in the task view.
Table 29: Email Policy Master Data
Property | Description
Exchange organization | Name of the organization.
Name | Name of the policy.
Devices permitted without a full policy | Specifies whether older devices can connect to the Microsoft® Exchange server using Exchange ActiveSync.
File sharing | Specifies whether file sharing is permitted.
SharePoint® services | Specifies whether access to SharePoint® service files is permitted.
Password required | Specifies whether a device password is required.
Encrypt password | Specifies whether device encryption is required.
Simple passwords allowed | Specifies whether a simple password is allowed.
Min. password length | Minimum length of the password. Minimum number of characters the password must have.
Password cycle | Number of new passwords that a user has to use before an ‘old’ one can be reused.
Password expiry period | Length of time a password can be used before it expires.
Password restorable | Specifies whether a restore password is generated that can be used to unlock the device.
Requires alphanumeric characters | Specifies whether alphanumeric characters are expected in the password.
Failed logins | Number of incorrect password attempts. If the user has reached this number the user account is blocked.
Lock if inactive for [min] | Number of minutes without activity before the device is locked.
Attachments download permitted | Specifies whether attachments are automatically downloaded.
Max. mail attachment size | Maximum size of mail attachment that can be automatically downloaded.
Default | Specifies whether this is the default policy.
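The following added example (not part of the guide or of One Identity Manager) checks policies carrying the Table 29 settings against a security baseline and reports the deviations. The field names, the baseline thresholds and the sample records are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Baseline thresholds: assumptions for this example, not values from the guide.
MIN_LENGTH = 6
MIN_HISTORY = 5
MAX_FAILED_LOGINS = 10
MAX_IDLE_MINUTES = 15


@dataclass
class EmailPolicy:
    """One policy as described in Table 29. Field names are hypothetical."""
    name: str
    is_default: bool = False                  # "Default"
    partial_policy_devices: bool = False      # "Devices permitted without a full policy"
    password_required: bool = False           # "Password required"
    encryption_required: bool = False         # "Encrypt password"
    simple_passwords: bool = True             # "Simple passwords allowed"
    min_length: Optional[int] = None          # "Min. password length"; None = not set
    history: int = 0                          # "Password cycle"
    alphanumeric: bool = False                # "Requires alphanumeric characters"
    failed_logins: Optional[int] = None       # "Failed logins"; None = unlimited
    idle_lock_min: Optional[int] = None       # "Lock if inactive for [min]"; None = never


def audit(p: EmailPolicy) -> List[str]:
    """Return the baseline deviations for one policy, most fundamental first."""
    findings: List[str] = []
    if p.partial_policy_devices:
        findings.append("devices that cannot apply the full policy may connect")
    if not p.encryption_required:
        findings.append("device encryption not required")
    if not p.password_required:
        # Every other password setting is moot without a required password.
        findings.append("device password not required")
        return findings
    if p.simple_passwords:
        findings.append("simple passwords allowed")
    if p.min_length is None or p.min_length < MIN_LENGTH:
        findings.append(f"min. password length below {MIN_LENGTH}")
    if not p.alphanumeric:
        findings.append("alphanumeric characters not required")
    if p.history < MIN_HISTORY:
        findings.append(f"password cycle below {MIN_HISTORY}")
    if p.failed_logins is None or p.failed_logins > MAX_FAILED_LOGINS:
        findings.append(f"failed logins above {MAX_FAILED_LOGINS} or unlimited")
    if p.idle_lock_min is None or p.idle_lock_min > MAX_IDLE_MINUTES:
        findings.append(f"inactivity lock above {MAX_IDLE_MINUTES} min or never")
    return findings


def audit_all(policies: List[EmailPolicy]) -> List[Tuple[str, List[str]]]:
    """Audit every policy; list default policies first, then by finding count."""
    rows = [(p, audit(p)) for p in policies]
    rows.sort(key=lambda r: (not r[0].is_default, -len(r[1]), r[0].name))
    return [(p.name, f) for p, f in rows if f]


# Constructed sample data, not taken from a real organization.
SAMPLE = [
    EmailPolicy("Contractors", password_required=True, encryption_required=True,
                simple_passwords=False, min_length=8, history=5, alphanumeric=True,
                failed_logins=8, idle_lock_min=10),
    EmailPolicy("Default", is_default=True, partial_policy_devices=True),
    EmailPolicy("Sales", password_required=True, encryption_required=True,
                simple_passwords=True, min_length=4, history=5, alphanumeric=True,
                failed_logins=None, idle_lock_min=30),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE):
        print(name)
        for finding in findings:
            print("  -", finding)
```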
Folder Administration Policies
Mailbox policies for folder management are used to group managed folders together. Managed folders are
available in mailboxes when a policy is assigned to a Microsoft® Exchange Organization mailbox.
To assign policies to mailboxes
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Folder management policies.
2. Select the policy from the result list.
3. Select the task Assign mailboxes.
4. Assign mailboxes in Add assignments.
- OR -
Remove mailboxes from Remove assignments.
5. Save the changes.
To display master data for a folder management policy
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Folder management policies.
2. Select the policy from the result list.
3. Select Change master data in the task view.
Table 30: Master Data for a Folder Management Policy
Property | Description
Exchange organization | Name of the organization.
Name | Name of the policy.
Role Assignments Policies
As from Microsoft® Exchange Server 2010, policies for role assignments have been implemented to
provide users with functions and tasks for managing their mailboxes.
To assign policies to mailboxes
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Role assignment policies.
2. Select the policy from the result list.
3. Select the task Assign mailboxes.
4. Assign mailboxes in Add assignments.
- OR -
Remove mailboxes from Remove assignments.
5. Save the changes.
To display master data for a role assignment policy
1. Select the category Active Directory® | Exchange system administration | <organization> |
Policies | Role assignment policies.
2. Select the policy from the result list.
3. Select Change master data in the task view.
Table 31: Role Assignment Policy Master Data
Property | Description
Exchange organization | Name of the organization.
identifier | Name of the policy.
Administrative description | Administrative description of the policy.
Description | Detailed description of the policy.
Default policy | Specifies whether the policy is the default.
5 Mailboxes
Mailbox-enabled recipients can send, receive and save messages. Microsoft® Exchange recognizes several
mailbox types. The mailbox types listed below are supported in One Identity Manager.
Table 32: Supported Mailbox Types
mailbox type | Description
user mailbox | User mailboxes are assigned to Active Directory® user accounts in a Microsoft® Exchange organization.
equipment mailbox | Equipment mailboxes are resource mailboxes used for planning resources, such as computers or laptops. This mailbox type can only be created for disabled user accounts.
room mailbox | Room mailboxes are resource mailboxes used for planning meeting locations. This mailbox type can only be created for disabled user accounts.
Linked mailbox | Linked mailboxes are assigned to Active Directory® user accounts in a trusted domain. This makes the Microsoft® Exchange organization available within a domain. Active Directory® user accounts in a trusted domain without an Exchange structure can obtain a linked mailbox in this Microsoft® Exchange organization. This mailbox type can only be created for disabled user accounts.
Shared mailbox | Shared mailboxes are mailboxes that are used by several users.
Legacy mailbox | Legacy mailboxes are mailboxes from previous versions of Microsoft® Exchange. These mailboxes are loaded into One Identity Manager by synchronization and cannot be edited.
Discovery mailbox | As from Microsoft® Exchange Server 2013, a discovery mailbox, which is used as the target mailbox for searches through eDiscovery in Microsoft® Exchange, is created by default. These mailboxes are loaded into One Identity Manager by synchronization and cannot be edited.
Detailed information about this topic
- Entering Master Data for Mailboxes on page 60
- Disabling Mailboxes on page 69
- Deleting and Restoring Mailboxes on page 70
- Receive Restrictions for Mailboxes on page 70
- Permission "Send on behalf of" for Mailboxes on page 71
Entering Master Data for Mailboxes
You always create mailboxes for an Active Directory® user account. An Active Directory® user account can
either have a mailbox or an email user. If a user account already has an email user, you must delete the email
user before a mailbox can be set up for the user account.
NOTE: Mailboxes, equipment mailboxes and linked mailboxes can only be created for disabled user
accounts.
NOTE: It is recommended to use account definitions to set up mailboxes for company employees.
- In order to create mailboxes through account definitions, the employee must have a central user account and obtain the IT operating data through assignment to a primary department, primary location or a primary cost center.
- In this case, some of the master data described in the following is mapped through templates from employee master data.
To create a mailbox for an Active Directory® user account manually
1. Select the user account in the result list and run Create mailbox in the task view.
2. Save the changes.
To edit a mailbox
1. Select the category Active Directory® | Mailboxes.
2. Select the mailbox in the result list and run the task Change master data.
3. Edit the master data of the mailbox.
4. Save the changes.
NOTE: Names and occurrences of the listed data and tasks can vary depending on which version of the
Microsoft® Exchange server is implemented and the type of Microsoft® Exchange mailbox.
Detailed information about this topic
- General Master Data for a Mailbox on page 61
- Calendar Settings for Mailboxes on page 63
- Limits for Mailboxes on page 64
- Archive Mailbox on page 65
- Mailbox Retention on page 65
- Mailbox Functions on page 66
- Booking Resources on page 67
Related Topics
- Setting Up Account Definitions on page 31
- Deleting and Restoring E-Mail Users on page 76
General Master Data for a Mailbox
Enter the following general master data on the General tab.
Table 33: Mailbox General Master Data
Property | Description
Employee | Employee using the mailbox. An employee is already entered if the mailbox was generated by an account definition. If you create the mailbox manually, you can select an employee in the menu.
Account definition | Account definition through which the mailbox was created. Use the account definition to automatically populate mailbox master data and to specify a manage level for the mailbox. One Identity Manager finds the IT operating data of the assigned employee and uses it to populate the corresponding fields in the mailbox. NOTE: The account definition cannot be changed once the mailbox has been saved. To create the mailbox manually through an account definition, enter an employee in the Employee box. You can select all the account definitions assigned to this employee and through which no mailbox has been created for this employee.
manage level | Manage level with which the mailbox is created. Select a manage level from the menu. You can only specify the manage level if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.
Active Directory® account | Active Directory® user account for which this mailbox is created.
Linked mailbox | External Active Directory® user account that has access to the Exchange organization through this mailbox. A linked mailbox is only permitted for mailboxes with mailbox type "linked mailbox". The linked mailbox itself is disabled. Disabling in One Identity Manager Service is done by the Active Directory®. After the next synchronization, the linked mailbox is also disabled in the One Identity Manager database.
Exchange organization | Name of the organization.
Canonical name | Mailbox's canonical name. The canonical name is generated automatically.
mailbox type | Type of mailbox. The mailbox type is specified when a mailbox is added and cannot be changed afterward. Available mailbox types are: user, room, equipment, linked, legacy, share and discovery.
Alias | Unique alias for further identification of the mailbox.
Mailbox database | Name of the mailbox database. Mailbox data is stored in the mailbox database (messages received, attachments, folders, documents). The mailbox database for user mailboxes is determined from the current IT operating data for the assigned employee depending on the mailbox manage level. This is optional from Microsoft® Exchange Server 2010 and later. If empty, Microsoft® Exchange decides which mailbox database is used.
Automatically update based on recipient policy | Specifies whether changes to recipient's email addresses are automatically updated based on incoming settings.
Proxy addresses | Email addresses for the mailbox. You can also add other mail connectors (for example, CCMail, MS) in addition to the standard address type (SMTP, X400). Use the following syntax to set up other proxy addresses: Address type: new email address
Sender authentication required | Specifies whether authentication data is requested from senders. Set this option to prevent anonymous senders mailing to the mailbox.
Max. number of recipients | Maximum number of recipients to which the mailbox user can send messages. If there is no limit, the global setting for Microsoft® Exchange organization message delivery in the Microsoft® Exchange System Manager comes into effect.
Send and forward | Specifies whether to send and forward messages. Set this option to send messages to alternative recipients and mailbox owners.
Alternative recipient | Alternative recipient to which messages from this mailbox are forwarded. You can either enter an alternative recipient, a recipient group or a receive folder.
To specify an alternative recipient
1. Click the button next to the text box.
2. Select the table under Table which maps the recipient.
3. Select the recipient under Alternative recipient.
4. Click OK.
Simple display name | Simple display name for systems that cannot interpret all the characters of normal display names.
Folder policy | Mailbox policy for folder administration.
role assignment policy | Role assignment policy which applies for this mailbox. This property is available from Microsoft® Exchange Server 2010 or later.
sharing policy | Sharing policy which applies for this mailbox. This property is available from Microsoft® Exchange Server 2010 or later.
Mailbox is locked | Specifies whether the mailbox is locked.
Do not display in address list | Specifies whether the mailbox is visible in address books. Set this option if you want to prevent the mailbox from being displayed in address books. This option applies to all address books.
Distinguished name | Active Directory® user account's distinguished name.
Distinguished Exchange name | Mailbox's distinguished name.
Related Topics
- Setting Up Account Definitions on page 31
- Sharing Policies on page 54
- Folder Administration Policies on page 57
- Role Assignments Policies on page 58
- Disabling Mailboxes on page 69
Calendar Settings for Mailboxes
With Microsoft® Exchange Server 2010 and later, you can enable the Calendar Attendant to automatically
update changes to meeting data, such as meeting times or responses from attendees in the calendar.
Enter the following data on the Calendar tab.
Table 34: Mailbox Calendar Settings
Property | Description
Enable Calendar Attendant | Specifies whether the Calendar Attendant is enabled for mailboxes. Other settings become available once the Calendar Attendant is enabled.

Table 35: Permitted Values
value | Meaning
Disable Calendar Attendant | The Calendar Attendant is not enabled.
Enable Calendar Attendant | The Calendar Attendant is enabled.
Enable Resource Booking Attendant | The Resource Booking Attendant is automatically enabled for mailboxes of type "room mailbox".

New meeting requests are marked with the status "tentative". | Specifies whether meeting requests are marked with the state “Tentative” in the calendar.
Permit meeting requests from external senders | Specifies whether meeting requests from external senders are entered in the calendar.
Delete expired meeting requests | Specifies whether to automatically delete old meeting requests from the calendar.
Delete expired meeting requests | Specifies whether to automatically delete messages to other attendees about forwarded meetings. These messages are moved to the "Deleted objects" folder.
Related Topics
- Booking Resources on page 67
Limits for Mailboxes
Enter the following master data on the Limits tab.
Table 36: Limits for a Mailbox
Property | Description
Number of saved messages | Number of saved messages. This data is determined through synchronization and cannot be edited manually.
Used disk space [KB] | Used disk space in KB. This data is determined through synchronization and cannot be edited manually.
Max. send size [KB] | Maximum size in KB of a message that a mailbox can send. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Max. receiving size [KB] | Maximum size in KB of a message that a mailbox can receive. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Use default database values | Specifies whether the mailbox database limits are used. Option set: Mailbox database limits are in use. Option not set: Mailbox database limits are not in use.
Prohibit transfer at [KB] | Size of mailboxes in KB above which sending and receiving messages is prohibited.
Prohibit send at [KB] | Size of mailboxes in KB above which sending messages is prohibited. If this size is exceeded the user is sent a message that messages must be deleted in the archive mailbox. The user is not able to send more messages until the size of the mailbox has been reduced.
Warn at [KB] | Maximum size in MB of the mailbox. If this size is exceeded the user is sent a warning that messages must be deleted in the archive mailbox.
Use default retention settings | Specifies whether to use the mailbox's default retention settings. Option set: Mailbox database default settings are in use. Option not set: Mailbox database default settings are not in use.
Store deleted objects [days] | Number of days the deleted objects (email message for example) remain on the server before being removed.
Do not delete permanently before a backup is made | Specifies whether objects are allowed to be deleted after a final backup is run.
Max. number subfolders | Maximum number of subfolders allowed in a mailbox. This property is available from Microsoft® Exchange Server 2013 or later.
Warn at [subfolder] | Number of subfolders which can be created before the user is sent a warning. This property is available from Microsoft® Exchange Server 2013 or later.
Max. folder levels | Maximum number of levels in the mailbox folder structure. This property is available from Microsoft® Exchange Server 2013 or later.
Warn at [folder levels] | Number of folder levels which can be created before the user is sent a warning. This property is available from Microsoft® Exchange Server 2013 or later.
Max. recoverable items | Maximum number of messages allowed in a folder in the "Recoverable items" folder. This property is available from Microsoft® Exchange Server 2013 or later.
Warn at [recoverable items] | Number of items a folder in the "Recoverable items" folder can contain before a warning is sent to the user. This property is available from Microsoft® Exchange Server 2013 or later.
Related Topics
- Microsoft® Exchange Mailbox Databases on page 49
Archive Mailbox
With Microsoft® Exchange Server 2010 and later, you can configure your personal archive. The user can save
messages in an archive mailbox.
Enter the following master data on the Archive tab.
Table 37: Archiving a Mailbox
Property | Description
Archiving enabled | Specifies whether a personal archive is created for this mailbox. Set this option if you want to set up a personal archive for this mailbox.
Archive mailbox database | Name of the archive mailbox database.
Archive name | Name of the archive.
Max. size of archive [MB] | Maximum size in MB that the personal archive of a mailbox may reach.
Archive warning from [MB] | Maximum size in MB of the archive mailbox. If this size is exceeded the user is sent a warning that messages must be deleted in the archive mailbox.
Mailbox Retention
With Microsoft® Exchange Server 2010, you can configure mailbox retention settings.
Enter the following data on the Retention tab.
Table 38: Mailbox Retention Master Data
Property | Description
retention policy | Retention policy applying to this mailbox.
Retention hold during this period | Specifies whether retention is temporarily stopped during this period. Set this option if the policy for retention hold needs to be temporarily deferred, for example, during vacation. Specify the time period using Start date and End date.
Start date | Start date on which to stop retention actions.
End date | Date on which to end retention actions.
Litigation hold | Specifies whether mailbox retention is mandatory.
Website for litigation hold | Website or document with more information to keep the user informed, when the option Litigation hold is set. This data is displayed to the user in Outlook®.
Comment for litigation hold | Additional comment with more information to keep the user informed, when the option Litigation hold is set. This data is displayed to the user in Outlook®.
Related Topics
- Retention Policies on page 55
Mailbox Functions
Enter the following master data on the Functions tab.
Table 39: Mailbox Functions
Property | Description
Outlook Web Access enabled | Specifies whether the function for Microsoft Office Outlook Web App is enabled. Office Outlook Web App allows mailbox access over the web browser.
Mobile access | Specifies whether mobile devices can access the mailbox.
Email policy | Mailbox policy for mobile email queries. Mailbox policies for mobile email queries contain settings that come into effect when data is accessed in the Microsoft® Exchange organization with mobile devices through the synchronization protocol Exchange ActiveSync.
MAPI enabled | Specifies whether the function for MAPI access is enabled. MAPI allows mailbox access through a MAPI client, like Outlook®.
POP3 enabled | Specifies whether the function for POP3 access is enabled.
IMAP4 enabled | Specifies whether the function for IMAP4 access is enabled.
Related Topics
- Policies for Mobile Email Queries on page 56
Booking Resources
With Microsoft® Exchange Server 2010 and later, you can configure booking and planning of resources for
equipment and room mailboxes.
Enter the following master data on the Resources tab.
Table 40: Master Data for Booking Resources
Property | Description
Enable Calendar Attendant | Specifies whether the Resource Booking Attendant is enabled for device mailboxes and room mailboxes so that booking requests can be processed automatically.

Table 41: Permitted Values
value | Meaning
Disable Calendar Attendant | The Calendar Attendant is not enabled.
Enable Calendar Attendant | The Calendar Attendant is enabled.
Enable Resource Booking Attendant | The Resource Booking Attendant is automatically enabled for device and room mailboxes.

Reject repeated meeting after max. planning period | Specifies whether booking series can be set up beyond the planning period.
Forward meeting requests | Specifies whether meeting requests are forwarded to the resource mailbox deputy managers. The deputy decides about the meeting request.
Max. booking window [days] | Maximum planning period for meeting request in days.
Max. duration [min] | Maximum time allowed for booking the resource.
Max. conflicting instances | Maximum conflicts permitted for meeting series which overlap with other meetings. If the value is exceeded, the series request is denied.
Max. series conflicts [%] | Threshold in percent for the permitted conflicts of meetings series that overlap with other meetings. If this value is exceeded, the series request is denied.
Remove attachments from meeting requests | Specifies whether attachments are deleted from meeting requests.
Remove comments from meeting requests | Specifies whether message text is deleted from meeting requests.
Remove subject from meeting requests | Specifies whether the subject is deleted from meeting requests.
Only retain calendar meetings | Specifies whether elements that do not belong to the calendar are deleted.
Add organizer's name to subject | Specifies whether the organizer's name is given in the meeting request subject field.
Remove "private" flag from accepted meeting | Specifies whether the state “Private” is deleted from meeting requests.
Mark meeting requests as "Tentative" | Specifies whether meeting requests are marked with the state “Tentative” in the calendar. If this option is disabled, meeting requests are marked with the state “Free”.
Inform organizer about declined meeting request | Specifies whether the organizer is sent information when a meeting request is declined because of conflicts.
Send additional information about rejected request | Specifies whether additional information is sent in response to a meeting request. Enter the additional information in the input field Additional information.
Additional information | Additional information for responding to meeting requests.
Booking permissions for everyone | Specifies whether meeting requests conforming to policy are automatically approved for all users. If this option is not set, use the task Assign booking permissions to specify individual users who can send requests conforming to policy, which are automatically approved.
Out-of-policy request permissions for everyone | Specifies whether all users can send meeting requests that do not conform to policy. These requests are decided by the mailbox deputy. If this option is not set, use the task Assign out-of-policy meeting request permission to specify individual users who can send requests which are policy non-conform.
Booking permissions for everyone | Specifies whether all users can send booking requests that conform to policy. These requests are decided by the mailbox delegate unless the option Booking permissions for everyone is set. If this option is not set, use the task Assign in-policy meeting request permissions to specify individual users who can send requests which are policy non-conform.
Allow conflicts | Specifies whether conflicting meeting requests are allowed.
Allow reoccurring requests | Specifies whether a series of meetings is allowed.
Request only possible during working hours | Specifies whether the resource can be booked during working hours or outside them as well.
Resource capacity | Resource capacity, for example, the number of seats in a meeting room.
Related Topics
• Permission "Send on behalf of" for Mailboxes
Disabling Mailboxes
Table 42: Configuration Parameters for Disabling Mailboxes
Configuration parameter | Meaning
QER\Person\TemporaryDeactivation | When this parameter is set, the employee’s user accounts are locked when the employee is temporarily or permanently disabled.
How you disable and delete an employee's mailboxes depends on the type of mailbox administration.
Scenario:
• Mailboxes are managed through account definitions.
Mailboxes managed through account definitions are disabled when the employee is temporarily or permanently
disabled. The behavior depends on the mailbox's manage level. Mailboxes with the manage level “Full
managed” are disabled depending on the account definition settings. Use the column template
EXOMailbox.IsLocked to configure the behavior for mailboxes with another manage level.
Scenario:
• Mailboxes are not managed through account definitions.
The behavior depends on the configuration parameter “QER\Person\TemporaryDeactivation”.
• If the configuration parameter is set, mailboxes for an employee are disabled if the employee is temporarily or permanently disabled.
• If the configuration parameter is not set, the employee data does not have any effect on the linked mailboxes.
To lock a mailbox when the configuration parameter is not set
1. Select the category Active Directory® | Mailboxes.
2. Select a mailbox in the result list.
3. Select Change master data in the task view.
4. Set the option Mailbox is disabled on the General tab.
5. Save the changes.
Scenario:
• Mailboxes not linked to employees.
To lock a mailbox that is not linked to an employee
1. Select the category Active Directory® | Mailboxes.
2. Select a mailbox in the result list.
3. Select Change master data in the task view.
4. Set the option Mailbox is disabled on the General tab.
5. Save the changes.
Related Topics
• Creating an Account Definition
• Setting Up Manage Levels
• Deleting and Restoring Mailboxes
Deleting and Restoring Mailboxes
NOTE: As long as an account definition for an employee is valid, the employee retains the mailbox that
was created by it. If the account definition assignment is removed, the mailbox created through this
account definition is deleted.
To delete a mailbox
1. Select the category Active Directory® | Mailboxes.
2. Select a mailbox in the result list.
3. Delete the mailbox using [icon].
4. Confirm the security prompt with Yes.
To restore a mailbox
1. Select the category Active Directory® | Mailboxes.
2. Select a mailbox in the result list.
3. Click Undo delete in the result list toolbar.
When you delete a mailbox, the option Do not display in address lists is enabled and the mailbox is no longer
shown in address books. Furthermore, the settings Use default database values, Max. send size [KB], Max.
receiving size [KB], Prohibit transfer at [KB] and Prohibit send at [KB] are reset so that no email messages
can be received or sent with this mailbox.
Configuring Deferred Deletion
By default, mailboxes are finally deleted from the database after 30 days. During this period you have the
option to reactivate the mailboxes. A restore is not possible once the delete delay has expired. You can
configure an alternative deletion delay on the table EX0MailBox in the Designer.
Related Topics
• Disabling Mailboxes
Receive Restrictions for Mailboxes
NOTE: Assignments Assign mail acceptance and Assign mail rejection are mutually exclusive. You can
either specify from whom messages are accepted or you can specify from whom they are rejected.
To customize mail acceptance for mailboxes
1. Select the category Active Directory® | Mailboxes.
2. Select a mailbox in the result list.
3. Select the task Assign mail acceptance to establish from which recipients messages are accepted.
- OR -
Select the task Assign mail rejection to specify from which recipients messages are not accepted.
4. Select the table containing the recipient from the menu at the top of the form. Select from:
• Mail-enabled distribution groups
• Dynamic distribution groups
• Mailboxes
• E-mail users
• E-mail contacts
5. Assign recipients in Add assignments.
- OR -
Remove recipients from Remove assignments.
6. Save the changes.
Permission "Send on behalf of" for Mailboxes
Use the send permission "Send on behalf of" to specify which users can send messages on behalf of the
mailbox owner.
To modify the permission "Send on behalf of" for mailboxes
1. Select the category Active Directory® | Mailboxes.
2. Select a mailbox in the result list.
3. Select the task Assign send authorizations.
4. Select the table which contains the user from the menu at the top of the form. You can select:
• Mail-enabled distribution group
• Mailboxes
• E-mail users
5. Assign users in Add assignments.
- OR -
Remove users from Remove assignments.
6. Save the changes.
6 E-Mail Users and E-Mail Contacts
Mail-enabled recipients obtain data about users from outside the Microsoft® Exchange organization. There is at
least one email address defined for a mail recipient. Notification is automatically forwarded to this email
address. You can manage mail-enabled Active Directory® user accounts (e-mail users) and mail-enabled Active
Directory® contacts (e-mail contacts) in One Identity Manager.
Detailed information about this topic
• Entering Master Data for E-Mail Users
• Entering Master Data for E-Mail Contacts
• Deleting and Restoring E-Mail Users
• Deleting and Restoring E-Mail Contacts
• Receive Restrictions for E-Mail Users
• Receive Restrictions for E-Mail Contacts
Entering Master Data for E-Mail Users
Enter e-mail users for Active Directory® user accounts. Active Directory® user accounts can either have a
mailbox or be mail-enabled. If a user account already has a mailbox, you must delete the mailbox before you
set up an e-mail user for this user account.
NOTE: It is recommended to use account definitions to set up e-mail users for company employees.
• In order to create e-mail users through account definitions, employees must have a central user account and obtain the IT operating data through assignment to a primary department, primary location or a primary cost center.
• In this case, some of the master data described in the following is mapped through templates from employee master data.
To create an e-mail user for an Active Directory® user account manually
1. Select the user account in the result list and run Create e-mail user in the task view.
2. Save the changes.
To edit an e-mail user
1. Select the category Active Directory® | E-mail users.
2. Select the e-mail user in the result list and run the task Change master data.
3. Edit the master data of the e-mail user.
4. Save the changes.
Table 43: General Data of an E-Mail User
Property | Description
Employee | Employee to use the e-mail user. An employee is already entered if the e-mail user was generated by an account definition. If you create the e-mail user manually, you can select an employee in the menu.
Account definition | Account definition through which the e-mail user was created. Use the account definition to automatically populate e-mail user master data and to specify a manage level for the e-mail user. The One Identity Manager finds the IT operating data of the assigned employee and uses it to populate the corresponding fields in the e-mail user. NOTE: The account definition cannot be changed once the e-mail user has been saved. To create the e-mail user manually through an account definition, enter an employee in the Employee box. You can select all the account definitions assigned to this employee and through which no e-mail user has been created for this employee.
Manage level | Manage level with which the e-mail user is created. Select a manage level from the menu. You can only specify the manage level if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.
Active Directory® account | Active Directory® user account for which the e-mail user is created.
Exchange organization | Name of the organization.
Canonical name | Canonical name of the e-mail user. The canonical name is generated automatically.
Destination address | Email address for forwarding messages.
Destination address type | Target address type of the email address. You can also add other mail connectors (e.g. CCMail, MS) apart from the standard destination address type (SMTP, X400).
Alias | Unique alias for further identification of the e-mail user.
Automatically update based on recipient policy | Specifies whether changes to recipient's email addresses are automatically updated based on incoming settings.
Proxy addresses | Other email addresses for the e-mail user. You can also add other mail connectors (for example, CCMail, MS) in addition to the standard address type (SMTP, X400). Use the following syntax to set up other proxy addresses: Address type: new email address
Max. send size [KB] | Maximum size for message in KB that an e-mail user can send. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Max. receiving size [KB] | Maximum size for message in KB that an e-mail user can receive. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Do not display in address list | Specifies whether the e-mail user is visible in address books. Set this option if you want to prevent the e-mail user from being displayed in address books. This option applies to all address books.
Use MAPI-RTF | Specifies whether the e-mail user can receive messages in MAPI format. Available options are “Never”, “Always” and “Use default settings”.
Sender authentication required | Specifies whether authentication data is requested from senders. Set this option to prevent anonymous senders mailing the e-mail user.
Simple display | Simple display name for systems that cannot interpret all the characters of normal display names.
Distinguished name | E-mail user's distinguished name.
Related Topics
• Setting Up Account Definitions
• Deleting and Restoring Mailboxes
Entering Master Data for E-Mail Contacts
Enter e-mail contacts for Active Directory® contacts.
NOTE: It is recommended to use account definitions to set up e-mail contacts for company employees.
• In order to create e-mail contacts through account definitions, employees must have a default email address and obtain their company IT data through assignment to a primary department, primary location or a primary cost center.
• In this case, some of the master data described in the following is mapped through templates from employee master data.
To create an e-mail contact for an Active Directory® contact manually
1. Select the contact from the result list and run Create e-mail contact from the task view.
2. Save the changes.
To edit an e-mail contact
1. Select the category Active Directory® | E-mail contacts.
2. Select the e-mail contact in the result list and run the task Change master data.
3. Edit the master data of the e-mail contact.
4. Save the changes.
Table 44: General Data of an E-Mail Contact
Property | Description
Employee | Employee to use the e-mail contact. An employee is already entered if the e-mail contact was generated by an account definition. If you create the e-mail contact manually, you can select an employee in the menu.
Account definition | Account definition through which the e-mail contact was created. Use the account definition to automatically populate e-mail contact master data and to specify a manage level for the e-mail contact. The One Identity Manager finds the IT operating data of the assigned employee and uses it to populate the corresponding fields in the e-mail contact. NOTE: The account definition cannot be changed once the e-mail contact has been saved. To create the e-mail contact manually through an account definition, enter an employee in the Employee box. You can select all the account definitions assigned to this employee and through which no e-mail contact has been created for this employee.
Manage level | Manage level with which the e-mail contact is created. Select a manage level from the menu. You can only specify the manage level if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.
Active Directory® contact | Active Directory® contact for which the e-mail contact is created.
Exchange organization | Name of the organization.
Canonical name | Canonical name of the e-mail contact. The canonical name is generated automatically.
Destination address | Email address for forwarding messages.
Destination address type | Target address type of the email address. You can also add other mail connectors (e.g. CCMail, MS) apart from the standard destination address type (SMTP, X400).
Alias | Unique alias for further identification of the e-mail contact.
Automatically update based on recipient policy | Specifies whether changes to recipient's email addresses are automatically updated based on incoming settings.
Proxy addresses | Other email addresses for the e-mail contact. You can also add other mail connectors (for example, CCMail, MS) in addition to the standard address type (SMTP, X400). Use the following syntax to set up other proxy addresses: Address type: new email address
Max. send size [KB] | Maximum size for message in KB that an e-mail contact can send. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Max. receiving size [KB] | Maximum size for message in KB that an e-mail contact can receive. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Do not display in address list | Specifies whether the e-mail contact is visible in address books. Set this option if you want to prevent the e-mail contact from being displayed in address books. This option applies to all address books.
Use MAPI-RTF | Specifies whether the e-mail contact can receive messages in MAPI format. Available options are “Never”, “Always” and “Use default settings”.
Sender authentication required | Specifies whether authentication data is requested from senders. Set this option to prevent anonymous senders mailing the e-mail contact.
Simple display | Simple display name for systems that cannot interpret all the characters of normal display names.
Distinguished name | E-mail contact's distinguished name.
Related Topics
• Disabling Mailboxes
• Setting Up Account Definitions
Deleting and Restoring E-Mail Users
NOTE: As long as an account definition for an employee is valid, the employee retains the e-mail user
that was created by it. If the account definition assignment is removed, the e-mail user created through
this account definition is deleted.
To delete an e-mail user
1. Select the category Active Directory® | E-mail users.
2. Select the e-mail user in the result list.
3. Delete the e-mail user with [icon].
4. Confirm the security prompt with Yes.
To restore an e-mail user
1. Select the category Active Directory® | E-mail users.
2. Select the e-mail user in the result list.
3. Click Undo delete in the result list toolbar.
When you delete an e-mail user, the option Do not display in address lists is enabled and the e-mail user is no
longer shown in address books.
Configuring Deferred Deletion
By default, e-mail users are finally deleted from the database after 30 days. During this period you have the
option to reactivate the e-mail users. A restore is not possible once the delete delay has expired. You can
configure an alternative deletion delay on the table EX0MailUser in the Designer.
Deleting and Restoring E-Mail Contacts
NOTE: As long as an account definition for an employee is valid, the employee retains the e-mail contact
that was created by it. If the account definition assignment is removed, the e-mail contact created
through this account definition is deleted.
To delete an e-mail contact
1. Select the category Active Directory® | E-mail contacts.
2. Select the e-mail contact in the result list.
3. Delete the e-mail contact with [icon].
4. Confirm the security prompt with Yes.
To restore an e-mail contact
1. Select the category Active Directory® | E-mail contacts.
2. Select the e-mail contact in the result list.
3. Click Undo delete in the result list toolbar.
When you delete an e-mail contact, the option Do not display in address lists is enabled and the e-mail
contact is no longer shown in address books.
Configuring Deferred Deletion
By default, e-mail contacts are finally deleted from the database after 30 days. During this period you have the
option to reactivate the e-mail contacts. A restore is not possible once the delete delay has expired. You can
configure an alternative deletion delay on the table EX0MailContact in the Designer.
Receive Restrictions for E-Mail Users
NOTE: Assignments Assign mail acceptance and Assign mail rejection are mutually exclusive. You can
either specify from whom messages are accepted or you can specify from whom they are rejected.
To customize mail acceptance for e-mail users
1. Select the category Active Directory® | E-mail users.
2. Select the e-mail user in the result list.
3. Select the task Assign mail acceptance to establish from which recipients messages are accepted.
- OR -
Select the task Assign mail rejection to specify from which recipients messages are not accepted.
4. Select the table containing the recipient from the menu at the top of the form. Select from:
• Mail-enabled distribution groups
• Dynamic distribution groups
• Mailboxes
• E-mail users
• E-mail contacts
5. Assign recipients in Add assignments.
- OR -
Remove recipients from Remove assignments.
6. Save the changes.
Receive Restrictions for E-Mail Contacts
NOTE: Assignments Assign mail acceptance and Assign mail rejection are mutually exclusive. You can
either specify from whom messages are accepted or you can specify from whom they are rejected.
To customize mail acceptance for e-mail contacts
1. Select the category Active Directory® | E-mail contacts.
2. Select the e-mail contact in the result list.
3. Select the task Assign mail acceptance to establish from which recipients messages are accepted.
- OR -
Select the task Assign mail rejection to specify from which recipients messages are not accepted.
4. Select the table containing the recipient from the menu at the top of the form. Select from:
• Mail-enabled distribution groups
• Dynamic distribution groups
• Mailboxes
• E-mail users
• E-mail contacts
5. Assign recipients in Add assignments.
- OR -
Remove recipients from Remove assignments.
6. Save the changes.
7 Mail-enabled distribution groups
You can mail-enable universal security groups and universal distribution groups to distribute messages to a
group of recipients.
Detailed information about this topic
• Entering Master Data for Mail-Enabled Distribution Groups
• Receive Restrictions for Mail-Enabled Distribution Groups
• Permission "Send on behalf of" for Mail-Enabled Distribution Groups
• Assigning Administrators for Mail-Enabled Distribution Groups
• Adding Dynamic Distribution Groups to a Mail-Enabled Distribution Group
• Moderated Distribution Group Extensions
• Deleting Mail-Enabled Distribution Groups
Entering Master Data for Mail-Enabled Distribution Groups
Set up mail-enabled distribution groups for universal security groups and universal distribution groups.
To create a mail-enabled distribution group for an Active Directory® group
1. Select the group in the result list and run the task Create mail-enabled distribution group.
2. Save the changes.
To edit a mail-enabled distribution group
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list and run Change master data in
the task view.
3. Edit the master data of the mail-enabled distribution group.
4. Save the changes.
Table 45: Mail-Enabled Distribution Group Master Data
Property | Description
Active Directory® group | Active Directory® group for which the mail-enabled distribution group is created.
Exchange organization | Name of the organization.
Alias | Unique alias for further identification of the mail-enabled distribution group.
Simple display | Simple display name for systems that cannot interpret all the characters of normal display names.
Expansion server | Server on which to expand the mail-enabled distribution group.
Proxy addresses | Email addresses for the mail-enabled distribution group. You can also add other mail connectors (for example, CCMail, MS) in addition to the standard address type (SMTP, X400). Use the following syntax to set up other proxy addresses: Address type: new email address
Do not display in address list | Specifies whether the mail-enabled distribution group is visible in address books. Set this option if you want to prevent the mail-enabled distribution group from being displayed in address books. This option applies to all address books.
Max. send size [KB] | Maximum size of message in KB that a mail-enabled distribution group can send. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Max. receiving size [KB] | Maximum size of message in KB that a mail-enabled distribution group can receive. The Microsoft® Exchange organization global settings in the Microsoft® Exchange System Manager come into effect for message delivery if there are no limitations.
Report to sender | Specifies whether the delivery reports are sent to the message sender.
Report to owner | Specifies whether the delivery reports are sent to the message owner.
Automatically update based on recipient policy | Specifies whether changes to recipient's email addresses are automatically updated based on incoming settings.
Only limit messages from authenticated users | Specifies whether authentication data is requested from senders. Set this option if only messages from authenticated users are permitted.
Out-of-office message to sender | Set this option if the message sender should receive out-of-office messages. This property is available from Microsoft® Exchange Server 2010 or later.
Add to group | Specifies how members can join the mail-enabled distribution group. This property is available from Microsoft® Exchange Server 2010 or later.
Table 46: Permitted Values
Value | Meaning
Open | Members can be added to the group without approval.
Closed | Only mail-enabled distribution group administrators can be added to the group. Requests to be added to the group are automatically denied.
Owner approval | Requests to be added to the group can be made and are approved by the mail-enabled distribution group administrator.
Leave group | Use this option to specify how members can leave the distribution group. This property is available from Microsoft® Exchange Server 2010 or later.
Table 47: Permitted Values
Value | Meaning
Open | Members can leave the group without approval.
Closed | The group can only be left with administrator approval. Requests to leave the group are automatically denied.
Distribution group moderation | Specifies whether the mail-enabled distribution group is moderated. Set this option if the distribution group should be moderated. Use the task Assign moderators to specify moderators. This property is available from Microsoft® Exchange Server 2010 or later.
Sending message to | Specifies how senders are notified when they send messages to moderated distribution groups. This property is available from Microsoft® Exchange Server 2010 or later.
Table 48: Permitted Values
Value | Meaning
Do not notify | No message is sent.
Only notify senders in your exchange organization | Only internal senders receive notification.
Notify all senders | Internal and external senders receive notification.
Receive Restrictions for Mail-Enabled Distribution Groups
NOTE: Assignments Assign mail acceptance and Assign mail rejection are mutually exclusive. You can
either specify from whom messages are accepted or you can specify from whom they are rejected.
To modify mail acceptance for mail-enabled distribution groups
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Assign mail acceptance to establish from which recipients messages are accepted.
- OR -
Select the task Assign mail rejection to specify from which recipients messages are not accepted.
4. Select the table containing the recipient from the menu at the top of the form. Select from:
• Mail-enabled distribution groups
• Dynamic distribution groups
• Mailboxes
• E-mail users
• E-mail contacts
5. Assign recipients in Add assignments.
- OR -
Remove recipients from Remove assignments.
6. Save the changes.
Permission "Send on behalf of" for Mail-Enabled Distribution Groups
Use the send permission "Send on behalf of" to specify which users can use the mailbox to send messages.
To customize the permission "Send on behalf of" for mail-enabled distribution groups
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Assign send authorizations.
4. Select the table which contains the user from the menu at the top of the form. You can select:
• Mail-enabled distribution group
• Mailboxes
• E-mail users
5. Assign users in Add assignments.
- OR -
Remove users from Remove assignments.
6. Save the changes.
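To review the "Send on behalf of" assignments made for mailboxes and for mail-enabled distribution groups, the delegates can be listed on the Exchange side. This is an added example, not part of the guide or of One Identity Manager; it assumes an Exchange Management Shell session on Exchange Server 2010 or later, and the function name and output file name are hypothetical.

```powershell
# Added example: list "Send on behalf of" delegates straight from Exchange for review.
# Assumes the Exchange Management Shell of Exchange Server 2010 or later.

function Get-SendOnBehalfReport {
    # Mailboxes and mail-enabled distribution groups both carry GrantSendOnBehalfTo.
    $recipients = @(Get-Mailbox -ResultSize Unlimited) +
                  @(Get-DistributionGroup -ResultSize Unlimited)

    foreach ($recipient in $recipients) {
        foreach ($delegate in $recipient.GrantSendOnBehalfTo) {
            # Resolve the delegate to learn what kind of recipient holds the permission.
            $resolved = Get-Recipient -Identity "$delegate" -ErrorAction SilentlyContinue

            $delegateType = 'Unresolved'
            if ($resolved) { $delegateType = "$($resolved.RecipientTypeDetails)" }

            New-Object PSObject -Property @{
                Recipient     = "$($recipient.PrimarySmtpAddress)"
                RecipientType = "$($recipient.RecipientTypeDetails)"
                Delegate      = "$delegate"
                DelegateType  = $delegateType
                # A group as delegate is broader than a single user, and an unresolved
                # entry could not be looked up in this session. Flag both for review.
                NeedsReview   = ($delegateType -like '*Group*') -or ($delegateType -eq 'Unresolved')
            }
        }
    }
}

# Hypothetical output file name; adjust to your review process.
Get-SendOnBehalfReport |
    Sort-Object Recipient, Delegate |
    Export-Csv -Path .\send-on-behalf-review.csv -NoTypeInformation
```

Comparing this list with the assignments shown in the task Assign send authorizations highlights delegates that exist in Exchange but were not assigned through One Identity Manager.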
Assigning Administrators for Mail-Enabled Distribution Groups
As of Microsoft® Exchange Server 2010, membership in mail-enabled distribution groups can be applied for
and approved. Specify which users manage the mail-enabled distribution group and therefore can grant
approval for membership in the group.
To specify a mail-enabled distribution group
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Assign administrators.
4. Select the table which contains the user from the menu at the top of the form. Available are:
• Active Directory® user accounts
• Active Directory® groups
5. Assign the administrators in Add assignments.
- OR -
Remove the call types in Remove assignments.
6. Save the changes.
Adding Dynamic Distribution Groups to a Mail-Enabled Distribution Group
As of Microsoft® Exchange Server 2010, you can add dynamic distribution groups to mail-enabled
distribution groups.
To add dynamic distribution groups to a mail-enabled distribution group
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list and run Assign dynamic distribution
groups in the task view.
3. Assign dynamic distribution groups in Add assignments.
- OR -
Remove dynamic distribution lists from Remove assignments.
4. Save the changes.
Related Topics
• Adding a Dynamic Distribution Group to Mail-Enabled Distribution Groups
Moderated Distribution Group Extensions
With Microsoft® Exchange Server 2010 and later, moderated distribution groups let a moderator approve or
deny messages sent to a mail-enabled distribution group. Only after a message has been approved by a
moderator can it be forwarded to members of the mail-enabled distribution group.
Define the moderators of a mail-enabled distribution group. Furthermore, you can specify users whose
messages to the moderated distribution group are excluded from moderation.
Read the documentation from your Microsoft® Exchange server on the concept of moderated
distribution groups.
To specify moderators for mail-enabled distribution groups
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Assign moderators.
4. Select the table which contains the user from the menu at the top of the form. Select from:
   • Mailboxes
   • E-mail contacts
   • E-mail users
5. Assign moderators in Add assignments.
   - OR -
   Remove organization assignments in Remove assignments.
6. Save the changes.
To exclude users from moderation
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Exclude from moderation.
4. Select the table which contains the user from the menu at the top of the form. Select from:
   • Mail-enabled distribution groups
   • Dynamic distribution groups
   • Mailboxes
   • E-mail users
   • E-mail contacts
5. Assign moderators in Add assignments.
   - OR -
   Remove organization assignments in Remove assignments.
6. Save the changes.
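To check the outcome of the moderator and exclusion assignments on the Microsoft® Exchange side, the following script lists every moderated distribution group with the approvers Exchange will use and the senders exempt from moderation. It is an added example, not part of the original guide or of One Identity Manager; it assumes an Exchange Management Shell session with read access to recipients, and the function name Get-ModerationReview is hypothetical.

```powershell
# Added example (not product code): list moderated distribution groups with the
# approvers Exchange will actually use and the senders exempt from moderation.
# Assumes an Exchange Management Shell session on Exchange 2010 or later.
# Get-ModerationReview is a hypothetical name chosen for this example.
function Get-ModerationReview {
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { $_.ModerationEnabled } |
        ForEach-Object {
            $group = $_

            # Without explicit moderators, Exchange hands approval to the group
            # owners (ManagedBy), so report whichever list is in effect.
            if ($group.ModeratedBy.Count -gt 0) {
                $approvers = $group.ModeratedBy
                $source    = 'ModeratedBy'
            } else {
                $approvers = $group.ManagedBy
                $source    = 'ManagedBy (owner fallback)'
            }
            $bypass = $group.BypassModerationFromSendersOrMembers

            # Conditions a reviewer would want to look at more closely.
            $findings = @()
            if ($approvers.Count -eq 0) { $findings += 'no moderator or owner set' }
            if ($approvers.Count -eq 1) { $findings += 'single approver' }
            if ($bypass.Count -gt 0)    { $findings += "$($bypass.Count) bypass entries" }

            New-Object PSObject -Property @{
                Group          = $group.PrimarySmtpAddress
                ApproverSource = $source
                Approvers      = ($approvers -join '; ')
                BypassList     = ($bypass -join '; ')
                Notifications  = $group.SendModerationNotifications
                Findings       = ($findings -join '; ')
            }
        }
}

# Show every moderated group; groups with findings are listed first.
Get-ModerationReview |
    Sort-Object { -not $_.Findings } |
    Select-Object Group, ApproverSource, Approvers, BypassList, Notifications, Findings |
    Format-List
```

Entries in the bypass list can be groups as well as individual recipients, so a short list can still exempt many senders.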
Deleting Mail-Enabled Distribution Groups
To delete a mail-enabled distribution group
1. Select the category Active Directory® | Mail-enabled distribution groups.
2. Select the mail-enabled distribution group in the result list.
3. Delete the mail-enabled distribution group using
.
4. Confirm the security prompt with Yes.
The mail-enabled distribution group is entirely deleted from the One Identity Manager database and
Microsoft® Exchange system.
8 Dynamic Distribution Groups
The members of a dynamic distribution group are not fixed but are determined by filter criteria. Dynamic
distribution groups are loaded into One Identity Manager through synchronization and can only be edited to a
limited extent in One Identity Manager.
Detailed information about this topic
• Master Data for Dynamic Distribution Groups
• Receive Restrictions for Dynamic Distribution Groups
• Permission "Send on behalf of" for Dynamic Distribution Groups
• Adding a Dynamic Distribution Group to Mail-Enabled Distribution Groups
Master Data for Dynamic Distribution Groups
To display a dynamic distribution group
1. Select the category Active Directory® | Exchange system administration | <organization> |
Recipient configuration | Dynamic distribution groups.
2. Select the dynamic distribution list in the result list.
3. Select Change master data in the task view.
Table 49: Dynamic Distribution List Master Data
Property | Description
Exchange organization | Name of the organization.
expansion server | Server on which to expand the dynamic distribution group.
identifier | Name of the dynamic distribution group.
alias | Unique alias for further identification of the dynamic distribution group.
Display name | Display name of the dynamic distribution group.
Proxy addresses | Other email addresses for the dynamic distribution group.
Email address | Email addresses of the dynamic distribution group.
Simple display | Simple display name for systems that cannot interpret all the characters of normal display names.
Do not display in address list | Specifies whether the dynamic distribution group is visible in address books. Set this option if you want to prevent the dynamic distribution group from being displayed in address books. This option applies to all address books.
Max. receiving size [KB] | Maximum size of message in KB that a dynamic distribution group can receive. The Microsoft® Exchange organization global settings in the Exchange System Manager come into effect for message delivery if there are no limitations.
container | Active Directory® container of the dynamic distribution group.
domain | Active Directory® domain of the dynamic distribution group.
Recipient container | Recipient's root container. The condition for finding distribution group members is applied to the selected recipient container and its sub containers.
All recipient types | Specifies whether all recipient types are permitted in the dynamic distribution group.
User mailboxes | Specifies whether user mailboxes are permitted in the dynamic distribution group.
E-mail users | Specifies whether e-mail users are permitted in the dynamic distribution group.
Email contacts | Specifies whether e-mail contacts are permitted in the dynamic distribution group.
Mail-enabled distribution groups | Specifies whether mail-enabled distribution groups are permitted in the dynamic distribution group.
Resource mailboxes | Specifies whether resource mailboxes are permitted in the dynamic distribution group.
None | Specifies whether any recipients are permitted in the dynamic distribution group.
Condition | Condition with extra filter criteria, which is used to determine the members of the dynamic distribution group.
Filter rules | Filter rules for finding members in the dynamic distribution group.
Report to sender | Specifies whether the delivery reports are sent to the message sender.
Report to owner | Specifies whether the delivery reports are sent to the message owner.
Automatically update based on recipient policy | Specifies whether changes to recipient's email addresses are automatically updated based on incoming settings.
Only limit messages from authenticated users | Specifies whether authentication data is requested from senders.
Out-of-office message to sender | Specifies whether the message sender should receive out-of-office messages. This property is available from Microsoft® Exchange Server 2010 or later.
Receive Restrictions for Dynamic Distribution Groups
NOTE: The assignments Assign mail acceptance and Assign mail rejection are mutually exclusive. You can
either specify from whom messages are accepted or you can specify from whom they are rejected.
To modify mail acceptance for dynamic distribution groups
1. Select the category Active Directory® | Exchange system administration | <organization> |
Recipient configuration | Dynamic distribution groups.
2. Select the dynamic distribution list in the result list.
3. Select the task Assign mail acceptance to establish from which recipients messages are accepted.
   - OR -
   Select the task Assign mail rejection to specify from which recipients messages are not accepted.
4. Select the table containing the recipient from the menu at the top of the form. Select from:
   • Mail-enabled distribution groups
   • Dynamic distribution groups
   • Mailboxes
   • E-mail users
   • E-mail contacts
5. Assign recipients in Add assignments.
   - OR -
   Remove recipients from Remove assignments.
6. Save the changes.
Permission "Send on behalf of" for Dynamic Distribution Groups
Use the send permission "Send on behalf of" to specify which users can use the mailbox to send messages.
To customize the permission "Send on behalf of" for dynamic distribution groups
1. Select the category Active Directory® | Exchange system administration | <organization> |
Recipient configuration | Dynamic distribution groups.
2. Select the dynamic distribution list in the result list.
3. Select the task Assign send authorizations.
4. Select the table which contains the user from the menu at the top of the form. You can select:
   • Mail-enabled distribution group
   • Mailboxes
   • E-mail users
5. Assign users in Add assignments.
   - OR -
   Remove users from Remove assignments.
6. Save the changes.
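The receive restrictions, sender authentication setting and "Send on behalf of" assignments described in this chapter can be reviewed together on the Microsoft® Exchange side with the script below. It is an added example, not part of the original guide or of One Identity Manager; it assumes an Exchange Management Shell session with read access to recipients, the function name Get-DynamicGroupReview is hypothetical, and the mapping between the One Identity Manager properties and the Exchange attributes it reads is an assumption of this example.

```powershell
# Added example (not product code): review the Exchange-side settings of dynamic
# distribution groups that correspond to the receive restrictions, sender
# authentication and "Send on behalf of" assignments described in this chapter.
# Assumes an Exchange Management Shell session on Exchange 2010 or later.
# Get-DynamicGroupReview is a hypothetical name chosen for this example.
function Get-DynamicGroupReview {
    Get-DynamicDistributionGroup -ResultSize Unlimited | ForEach-Object {
        $group    = $_
        $accept   = $group.AcceptMessagesOnlyFromSendersOrMembers
        $reject   = $group.RejectMessagesFromSendersOrMembers
        $onBehalf = $group.GrantSendOnBehalfTo
        $findings = @()

        # Unauthenticated senders can reach every recipient the filter resolves to.
        if (-not $group.RequireSenderAuthenticationEnabled) {
            $findings += 'unauthenticated senders accepted'
        }
        # Exchange can hold both lists at once; the guide treats acceptance and
        # rejection as mutually exclusive, so such a group needs manual review.
        if ($accept.Count -gt 0 -and $reject.Count -gt 0) {
            $findings += 'accept and reject lists both set'
        }
        if ($accept.Count -eq 0) {
            $findings += 'no accept list'
        }
        if ($onBehalf.Count -gt 0) {
            $findings += 'send on behalf of granted'
        }

        New-Object PSObject -Property @{
            Group              = $group.Name
            RecipientContainer = $group.RecipientContainer
            RecipientFilter    = $group.RecipientFilter
            AcceptFrom         = ($accept -join '; ')
            RejectFrom         = ($reject -join '; ')
            SendOnBehalf       = ($onBehalf -join '; ')
            Findings           = ($findings -join '; ')
        }
    }
}

# List only the groups that have at least one finding.
Get-DynamicGroupReview |
    Where-Object { $_.Findings } |
    Select-Object Group, RecipientContainer, RecipientFilter, AcceptFrom, RejectFrom, SendOnBehalf, Findings |
    Format-List
```

Because membership is computed from the filter at delivery time, the RecipientFilter and RecipientContainer columns show who a message to the group can actually reach.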
Adding a Dynamic Distribution Group to Mail-Enabled Distribution Groups
As of Microsoft® Exchange Server 2010, you can add dynamic distribution groups to mail-enabled
distribution groups.
To add a dynamic distribution group to mail-enabled distribution groups
1. Select the category Active Directory® | Exchange system administration | <organization> |
Recipient configuration | Dynamic distribution groups.
2. Select the dynamic distribution group in the result list and run Assign distribution groups in
the task view.
3. Assign the dynamic distribution group to mail-enabled distribution groups in Add assignments.
   - OR -
   Remove the dynamic distribution group assignments from mail-enabled distribution groups in Remove
   assignments.
4. Save the changes.
Related Topics
• Adding Dynamic Distribution Groups to a Mail-Enabled Distribution Group
9 Mail-enabled Public Folders
Mail-enabled public folders are loaded into the One Identity Manager database by synchronization and cannot
be edited in One Identity Manager.
To display mail-enabled public folders
1. Select the category Active Directory® | Exchange system administration | <organization> |
Receive configuration | Mail-enabled public folder.
2. Select the mail-enabled distribution group in the result list.
3. Select Change master data in the task view.
To display mail acceptance for mail-enabled public folders
1. Select the category Active Directory® | Exchange system administration | <organization> |
Receive configuration | Mail-enabled public folder.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Assign mail acceptance to display recipients from whom messages are accepted.
   - OR -
   Select the task Assign mail rejection to display recipients from whom messages are not accepted.
To customize the permission "Send on behalf of" for mail-enabled public folders
1. Select the category Active Directory® | Exchange system administration | <organization> |
Receive configuration | Mail-enabled public folder.
2. Select the mail-enabled distribution group in the result list.
3. Select the task Assign send authorizations.
Table 50: Mail-Enabled Public Folder Master Data
Property | Description
Exchange organization | Name of the organization.
Public Folder | Connected public folder.
Name | Name of the mail-enabled public folder.
Alias | Unique alias for further identification of the mail-enabled public folder.
Display name | Display name of the mail-enabled public folder.
Simple display | Simple display name for systems that cannot interpret all the characters of normal display names.
Domain | Active Directory® domain of the mail-enabled public folder.
Container | Active Directory® container of the mail-enabled public folder.
Proxy addresses | Other email addresses for the mail-enabled public folder.
Email address | Email address of the mail-enabled public folder.
Alternative recipient | Alternative recipient to which messages from this mail-enabled public folder are forwarded.
Do not display in address list | Specifies whether the mail-enabled public folder is visible in address books. Set this option if you want to prevent the mail-enabled public folder from being displayed in address books. This option applies to all address books.
Max. send size [KB] | Maximum size of message in KB that a mail-enabled public folder can send. The Microsoft® Exchange organization global settings in the Exchange System Manager come into effect for message delivery if there are no limitations.
Max. send size [KB] | Maximum size of message in KB that a mail-enabled public folder can receive. The Microsoft® Exchange organization global settings in the Exchange System Manager come into effect for message delivery if there are no limitations.
Send and forward | Specifies whether to send and forward messages. If this option is set, messages are sent to alternative recipients and mailbox owners.
A Appendix: Configuration Parameters for Managing a Microsoft® Exchange Environment
The following configuration parameters are additionally available in One Identity Manager after the module has
been installed.
Table 51: Configuration Parameter for Managing a Microsoft® Exchange Environment
Configuration parameter | Meaning
TargetSystem\ADS\Exchange2000 | Preprocessor relevant configuration parameter for controlling the database model components for the administration of the target system Microsoft® Exchange. If the parameter is set, the target system components are available. Changes to the parameter require recompiling the database.
TargetSystem\ADS\Exchange2000\Accounts | This configuration parameter permits configuration of recipient data.
TargetSystem\ADS\Exchange2000\Accounts\MailTemplateDefaultValues | This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account.
TargetSystem\ADS\Exchange2000\DefaultAddress | The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.
B Appendix: Default Project Template for Microsoft® Exchange
A default project template ensures that all the information required in One Identity Manager is entered, for
example, the synchronization base object. If you do not use a default project template you must declare the
synchronization base object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For custom
implementations, you can extend the synchronization project with the Synchronization Editor.
Detailed information about this topic
• Default Project Template for Microsoft® Exchange 2010
• Default Project Template for Microsoft® Exchange 2013
Default Project Template for Microsoft® Exchange 2010
The template uses mappings for the following schema types.
Table 52: Mapping Microsoft® Exchange 2010 schema types to tables in the One Identity Manager schema.
Schema type in Microsoft® Exchange | Table in the One Identity Manager schema
ActiveSyncMailboxPolicy | EX0ActiveSyncMBPolicy
AddressList | EX0AddrList
DatabaseAvailabilityGroup | EX0DAG
DistributionGroup | EX0DL
DynamicDistributionGroup | EX0DynDL
GlobalAdressList | EX0AddrList
Mailbox | EX0Mailbox
MailboxDatabase | EX0MailboxDatabase
MailContact | EX0MailContact
MailPublicFolder | EX0MailPublicFolder
MailUser | EX0MailUser
ManagedFolderMailboxPolicy | EX0ManagedFolderPolicy
OfflineAddressBook | EX0OfflAddrBook
Organization | EX0Organization
PublicFolder | EX0PublicFolder
PublicFolderDatabase | EX0PublicFolderDatabase
RetentionPolicy | EX0RetentionPolicy
RoleAssignmentPolicy | EX0RoleAssignPolicy
ExchangeServer | EX0Server
SharingPolicy | EX0SharingPolicy
Default Project Template for Microsoft® Exchange 2013
The template uses mappings for the following schema types.
Table 53: Mapping Microsoft® Exchange 2013 schema types to tables in the One Identity Manager schema.
Schema type in Microsoft® Exchange | Table in the One Identity Manager schema
ActiveSyncMailboxPolicy | EX0ActiveSyncMBPolicy
AddressList | EX0AddrList
DatabaseAvailabilityGroup | EX0DAG
DistributionGroup | EX0DL
DynamicDistributionGroup | EX0DynDL
GlobalAdressList | EX0AddrList
Mailbox | EX0Mailbox
MailboxDatabase | EX0MailboxDatabase
MailContact | EX0MailContact
MailPublicFolder | EX0MailPublicFolder
MailUser | EX0MailUser
OfflineAddressBook | EX0OfflAddrBook
Organization | EX0Organization
PublicFolder | EX0PublicFolder
PublicFolderDatabase | EX0PublicFolderDatabase
RetentionPolicy | EX0RetentionPolicy
RoleAssignmentPolicy | EX0RoleAssignPolicy
ExchangeServer | EX0Server
SharingPolicy | EX0SharingPolicy
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
For sales or other inquiries, visit http://software.dell.com/company/contact-us.aspx or call +1 949 754-8000.
Technical support resources
Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
http://support.software.dell.com.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours
a day, 365 days a year. In addition, the Support Portal provides direct access to product support engineers
through an online Service Request system.
The Support Portal enables you to:
• Create, update, and manage Service Requests (cases)
• View Knowledge Base articles
• Obtain product notifications
• Download software. For trial software, go to http://software.dell.com/trials.
• View how-to videos
• Engage in community discussions
• Chat with a support engineer