
Handling account attributes

When a new account is created using Bravura Security Fabric, most of the attributes in the User Class schema object are copied from the template account. In some cases, however, other actions need to be performed.

Attributes may not be copied for one or more of the following reasons:

  • The attribute can only be set by the system.

  • The attribute is binary and cannot be copied by Bravura Security Fabric.

  • The attribute was inserted into the schema by Exchange 2000. The Exchange 2000 agent is responsible for copying these attributes.

Because Bravura Security Fabric queries the Active Directory schema for the User Class attributes, any attributes you add to the User Class are also copied from the template.

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Active Directory DN from the Manage the system > Resources > Account attributes > Target system type menu.

This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior in Active Directory. For information about the native Active Directory attributes managed by Bravura Security Fabric, consult your Active Directory documentation.

cantChangePassword

Bravura Security Fabric can copy from the template, or set directly, the value of the User Cannot Change Password checkbox in Active Directory, using the attribute cantChangePassword. Setting this attribute takes several seconds and is not recommended for general use.

groups

By default, new accounts are created with the same group membership as the template account. The attribute groups determines group membership.

When setting this attribute, the account’s primary group must be the first element in the list.

Note

You cannot remove a user from their primary group.
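The two rules above (primary group first, never remove the primary group) are easy to get wrong when a request form supplies a flat list of groups. The following added example, which is not Bravura Security Fabric code, turns a current membership list and a requested list (both primary-first, as the groups attribute requires) into an ordered set of changes that switches the primary group before the old one is removed, and refuses a direct removal of the primary group. The group names are constructed sample data.

```python
# Added example (not Bravura Security Fabric code): plan group-membership changes
# for an Active Directory account under the documented rules for the "groups"
# attribute: element 0 of the list is the primary group, and an account can
# never be removed from its current primary group.

def validate_groups(groups):
    """A 'groups' value must be non-empty (element 0 is the primary group)
    and must not list the same group twice. Returns a copy of the list."""
    if not groups:
        raise ValueError("groups must contain at least the primary group")
    seen = set()
    for g in groups:
        if g in seen:
            raise ValueError(f"duplicate group entry: {g!r}")
        seen.add(g)
    return list(groups)

def remove_from_group(current, group):
    """Remove a single group from a primary-first membership list.
    Mirrors the documented note: the primary group (element 0) cannot be removed."""
    current = validate_groups(current)
    if group == current[0]:
        raise ValueError(f"cannot remove the account from its primary group {group!r}")
    if group not in current:
        raise ValueError(f"account is not a member of {group!r}")
    return [g for g in current if g != group]

def plan_groups_update(current, requested):
    """Ordered steps that transform 'current' into 'requested' (both primary-first).
    Additions come first so the new primary group is already a membership,
    then the primary switch, then removals; this way the old primary group is
    only ever removed after it has stopped being the primary group."""
    current = validate_groups(current)
    requested = validate_groups(requested)
    old_primary, new_primary = current[0], requested[0]
    steps = [("add", g) for g in requested if g not in current]
    if new_primary != old_primary:
        steps.append(("set_primary", new_primary))
    steps.extend(("remove", g) for g in current if g not in requested)
    return steps

if __name__ == "__main__":
    # Constructed sample: swap the primary group from Domain Users to Staff.
    print(plan_groups_update(["Domain Users", "Staff"], ["Staff"]))
```

Note the third case in the test below: listing an existing group ahead of the current primary group is not a no-op, because element 0 is always interpreted as the primary group, so the order of a requested list carries meaning.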

Extension attributes

Extension attributes 1 to 15 (extensionAttribute1 through extensionAttribute15) are supported and can be used to store extra information. These attributes exist only when the Active Directory schema has been extended by Exchange; on a forest without the Exchange schema extensions they are not available.

_operationDC

Note

Implemented in Connector Pack 4.3.

During account creation and update operations, the domain controller on which the operation was performed is written to this pseudo-attribute. This attribute can be used to:

  • Check, before running subsequent operations, that the newly created user exists on the domain controller that was operated on, rather than being delayed on other domain controllers by replication.

  • Orchestrate blackboard rules so that several operations use the same domain controller.

Setting dates

Dates are stored in Active Directory in two native formats:

  • Large Integer: the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (used, for example, by accountExpires and pwdLastSet)

  • UTC coded time (Generalized Time, a string of the form YYYYMMDDHHMMSS.0Z; used, for example, by whenCreated)

The dates in Bravura Security Fabric are stored in ISO standard format (YYYY-MM-DD HH24:MI:SS). The conversion between ISO format and native Active Directory format is handled by the agent. A request attribute only needs to accept the ISO format.

Dates displayed and set must be in Coordinated Universal Time (UTC).
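The agent performs the conversion, but it helps to see exactly what it has to do, and which inputs it must reject. The following is an added example, not the agent's code: it converts Bravura Security Fabric's ISO form (YYYY-MM-DD HH24:MI:SS, UTC) to and from both native Active Directory formats, refuses non-UTC Generalized Time, and treats the Large Integer value 0x7FFFFFFFFFFFFFFF (the "never" sentinel that Active Directory Users and Computers writes to accountExpires) as having no date. The sample values are constructed.

```python
# Added example (not Bravura Security Fabric or agent code): conversions between
# the ISO date format Bravura Security Fabric uses (YYYY-MM-DD HH24:MI:SS, always
# UTC) and the two native Active Directory date representations.
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # one Large Integer tick is 100 nanoseconds
ISO_FMT = "%Y-%m-%d %H:%M:%S"        # the format a request attribute must accept
NEVER = 0x7FFFFFFFFFFFFFFF           # accountExpires "never" as written by ADUC

def parse_iso_utc(text):
    """Parse the ISO form and tag it as UTC; any other layout raises ValueError."""
    return datetime.strptime(text, ISO_FMT).replace(tzinfo=timezone.utc)

def iso_to_large_integer(text):
    """ISO (UTC) -> 100-nanosecond intervals since 1601-01-01 00:00:00 UTC."""
    delta = parse_iso_utc(text) - AD_EPOCH
    if delta < timedelta(0):
        raise ValueError("Large Integer dates cannot precede 1601-01-01")
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def large_integer_to_iso(value):
    """Large Integer -> ISO (UTC). Returns None for the 'never' sentinel.
    The value 0 is attribute-specific (1601-01-01 as a date; 'never' for
    accountExpires; 'must change password at next logon' for pwdLastSet),
    so it is left to the caller and converted literally here."""
    value = int(value)
    if value == NEVER:
        return None
    seconds = value // TICKS_PER_SECOND   # sub-second ticks are dropped by the ISO format
    return (AD_EPOCH + timedelta(seconds=seconds)).strftime(ISO_FMT)

def iso_to_generalized_time(text):
    """ISO (UTC) -> Generalized Time string, e.g. 20240301123456.0Z."""
    return parse_iso_utc(text).strftime("%Y%m%d%H%M%S") + ".0Z"

def generalized_time_to_iso(text):
    """Generalized Time -> ISO. Only UTC values (trailing 'Z') are accepted,
    matching the requirement that dates be expressed in UTC."""
    if not text.endswith("Z"):
        raise ValueError("only UTC Generalized Time (trailing 'Z') is accepted")
    stamp = text[:-1].split(".")[0]       # drop fractional seconds if present
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").strftime(ISO_FMT)

if __name__ == "__main__":
    # Constructed sample: the Unix epoch expressed as an AD Large Integer.
    print(iso_to_large_integer("1970-01-01 00:00:00"))
```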

Forcing users to change their password at next logon

To force users to change their password the next time they log into Windows, set the pwdLastSet attribute to 0. This value corresponds to the User must change password at next logon checkbox in Active Directory Users and Computers. Note that Bravura Security Fabric does not copy this property from the template account.

The pwdLastSet attribute cannot be set to 0 while the account has the Password never expires checkbox enabled (which it will, for example, if the template account has it enabled). You can clear Password never expires by clearing the corresponding UF_DONT_EXPIRE_PASSWD flag (0x10000, decimal 65536) in the userAccountControl attribute.
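The interaction between pwdLastSet and UF_DONT_EXPIRE_PASSWD is the one most often missed. The following added example (not Bravura Security Fabric code) shows the decision: given an account's current userAccountControl and pwdLastSet values it produces the attribute changes needed to force a password change at next logon, refusing (or, when explicitly asked, clearing) Password never expires first. The account records are constructed sample data; 512 is UF_NORMAL_ACCOUNT and 66048 is UF_NORMAL_ACCOUNT with UF_DONT_EXPIRE_PASSWD set.

```python
# Added example (not Bravura Security Fabric code): build the attribute changes
# that force "User must change password at next logon" (pwdLastSet = 0) while
# respecting the documented constraint that the flag cannot take effect while
# UF_DONT_EXPIRE_PASSWD (0x10000) is set in userAccountControl.

UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

def force_change_at_next_logon(account, clear_never_expires=False):
    """account: mapping with integer 'userAccountControl' and 'pwdLastSet'.
    Returns the dict of attributes to write. If Password never expires is set
    and clear_never_expires is False, raises ValueError instead of writing a
    pwdLastSet value that Active Directory would not honour."""
    uac = int(account["userAccountControl"])
    changes = {}
    if uac & UF_DONT_EXPIRE_PASSWD:
        if not clear_never_expires:
            raise ValueError(
                "pwdLastSet cannot be set while 'Password never expires' "
                "(UF_DONT_EXPIRE_PASSWD) is enabled on the account")
        changes["userAccountControl"] = uac & ~UF_DONT_EXPIRE_PASSWD
    changes["pwdLastSet"] = 0
    return changes

def must_change_password(account):
    """True when the account will be prompted to change its password at next
    logon: pwdLastSet is 0 and Password never expires is not set."""
    uac = int(account["userAccountControl"])
    return int(account["pwdLastSet"]) == 0 and not (uac & UF_DONT_EXPIRE_PASSWD)

if __name__ == "__main__":
    # Constructed sample account copied from a template with Password never expires.
    templated = {"userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, "pwdLastSet": 1}
    print(force_change_at_next_logon(templated, clear_never_expires=True))
```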

Using Windows Terminal Services attributes

These settings correspond to the Environment, Sessions, Remote Control, and Terminal Services Profile tabs of a user's properties in Active Directory Users and Computers.

By default, the Windows Terminal Services attributes are set to ignore. To use these attributes to perform an action other than ignore, you must configure Active Directory to run through a proxy on the target system.

  • _wts_initialProgram A string that contains the path of the initial program that Terminal Services runs when the user logs in.

  • _wts_workingDirectory A string that contains the path of the working directory for the initial program.

  • _wts_inheriteInitialProgram A numerical value that indicates whether the client can specify the initial program. If set to 0, the client cannot specify the initial program. Instead, the _wts_initialProgram string identifies an initial program that runs automatically when the user logs into a remote computer. Terminal server logs the user off when the user exits that program. If set to 1, the client can specify the initial program.

  • _wts_allowLogonTerminalServer A numerical value that indicates whether the user is permitted to log into a terminal server. If set to 0, the user cannot log in. If set to 1, the user can log in.

  • _wts_timeoutSettingsConnections A numerical value that specifies the maximum connection duration, in milliseconds. If set to 0, the connection timer is disabled.

  • _wts_timeoutSettingsDisconnections A numerical value that specifies the maximum duration, in milliseconds that a terminal server retains a disconnected session before the logon is terminated. A value of 0 indicates the disconnection timer is disabled.

  • _wts_timeoutSettingsIdle A numerical value that specifies the maximum idle time, in milliseconds. A value of 0 indicates that the idle timer is disabled.

  • _wts_deviceClientDrives Used by Citrix ICA clients. A numerical value that indicates whether the terminal server automatically reestablishes client drive mappings at logon. If set to 0, the server does not automatically connect to previously mapped client drives.

  • _wts_deviceClientPrinters Used by RDP 5.0 clients and Citrix ICA clients. A numerical value that indicates whether the terminal server automatically reestablishes client printer mappings at logon. If set to 0, the server does not automatically connect to previously mapped client printers.

  • _wts_deviceClientDefaultPrinter Used by RDP 5.0 clients and Citrix ICA clients. A numerical value that indicates whether the client printer is the default printer. If set to 0, the client printer is not the default printer.

  • _wts_brokenTimeoutSettings A numerical value that indicates what happens when the connection or idle timers expire or when a connection is lost due to a connection error. If set to 0, the session is disconnected. If set to 1, the session is terminated.

  • _wts_reconnectSettings A numerical value that indicates how a disconnected session for this user can be reconnected. If set to 0, the user can log into any client computer to reconnect to a disconnected session. If set to 1, the user can reconnect to a disconnected session only by logging on from the client computer used to establish it; if the user logs on from a different client computer, the user gets a new logon session.

  • _wts_modemCallbackSettings Used by Citrix ICA clients. A numerical value that indicates the callback settings for dial-up connections in which the terminal server hangs up and then calls back the client to establish the connection. If set to 0, callback connections are disabled. If set to 1, the server prompts the user to enter a phone number and calls the user back at that phone number. The _wts_modemCallbackPhoneNumber attribute is used to specify a default phone number. If set to 2, the server automatically calls the user back at the phone number specified by the _wts_modemCallbackPhoneNumber value.

  • _wts_modemCallbackPhoneNumber Used by Citrix ICA clients. A string containing the phone number used for callback connections.

  • _wts_shadowingSettings Used by RDP 5.0 clients and Citrix ICA clients. A numerical value that indicates whether the on-screen operations of a user session can be remotely monitored by another user (shadowed):

    • 0 - disable shadowing

    • 1 - enable input (remote control) and notify the user

    • 2 - enable input, do not notify the user

    • 3 - disable input (view only), notify the user

    • 4 - disable input, do not notify the user

  • _wts_terminalServerProfilePath A string that contains the path of the user’s profile for terminal server logon. The directory the path identifies must exist prior to the logon.

  • _wts_terminalServerHomeDir A string that contains the path of the user’s home directory for terminal server logon.

  • _wts_terminalServerHomeDirDrive A string that contains a drive specification (a drive letter followed by a colon) to which the UNC path specified in the _wts_terminalServerHomeDir string is mapped.

Allowing users to specify the container DN

You can configure Bravura Security Fabric to use a profile/request attribute to prompt users for the destination container when creating or moving accounts on a target system that supports contexts.

When the Profile/request attribute to use as the container DN option is configured on the Target system information page (Manage the system > Resources > Target systems), users can:

  • Set the destination container when creating new accounts.

    Users do this by setting the profile/request attribute value in the request form. By default, Bravura Security Fabric creates new accounts in the same container as the template. Without the profile/request attribute, you may need to set up identical templates for each container.

    If enabled when setting the target system address, Bravura Security Fabric can also create a container if a non-existing one is specified.

  • Move existing accounts on the target system to a different container.

    Users do this by setting the To container value – which is actually the profile/request attribute, but with a different name – on the move accounts page. Bravura Security Fabric only displays the move operation (the Move button) for users with accounts that can be moved between containers.

To allow users to select a container for a create account or move context operation:

  1. Add a profile attribute to provide a place to prompt the user for this information. To learn how to do this, see Profile and request attributes .

    It is recommended that you configure the profile attribute to have a set of restricted values, so that the requester or product administrator can select from a drop-down list.

  2. Ensure that you set read/write permissions for the profile attribute.

    To learn how to do this, see Attribute groups .

  3. Provide a group of users the "Move user from one context to another" rule.

    To learn how to do this, see User types and access rules.

  4. Update the Target system information page (Manage the system > Resources > Target systems) by typing the name of the profile attribute in the Profile/request attribute to use as the container DN field.

    This allows Bravura Security Fabric to use the profile attribute for this purpose.