
Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in Active Directory. The following example illustrates how you can create a template account in Active Directory:

The following instructions are for Active Directory on Windows Server 2012. Details may vary depending on your version of the software.

  1. Log into an Active Directory domain controller as a member of the Domain Admins group.

  2. Launch Server Manager.

  3. Select Tools > Active Directory Users and Computers.

  4. Right-click on the Organizational Unit where you want the template account to exist. For example, the Users OU.

  5. Select New > User.

    Windows displays the New Object - User dialog box.

  6. Enter the account names and User logon name.

    When creating a template account, ensure that the User logon name (the prefix of userPrincipalName) and the User logon name (pre-Windows 2000) field (sAMAccountName) match. If they differ, new accounts created from this template may be created with an incorrect value in one of these attributes.

    If you wish to use different Active Directory and pre-Windows 2000 logon names, you must modify the configured action for the corresponding attributes in Bravura Security Fabric (see Account attributes in the Bravura Security Fabric configuration documentation).

  7. Click Next.

  8. Enter the new user's password in the Password and Confirm Password fields, and set other options as you require.

    If the account is used only as a template, disable it; a template account never needs to log on, and a disabled account cannot be used to authenticate if its password is guessed or leaked. It can be enabled later if it is ever needed as a real account.

  9. Click Next to confirm the user’s account details.

  10. Click Finish to close the New Object-User dialog box.
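The same procedure, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the Bravura Security Fabric documentation. The domain name, OU path and logon name are assumptions to be replaced with your own values; the script keeps the UPN prefix and sAMAccountName identical, creates the account disabled with a random password, and verifies the two logon names agree before the template is put into use.

```powershell
# Added example: create a disabled AD template account whose User logon name
# (UPN prefix) and pre-Windows 2000 logon name (sAMAccountName) match.
# Assumed: RSAT ActiveDirectory module, a writable domain controller,
# and the domain/OU/logon name values below (replace them).
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'                          # assumed UPN suffix
$OuPath    = 'OU=Templates,DC=corp,DC=example,DC=com'    # assumed OU for templates
$LogonName = 'tmpl-standard-user'                        # assumed; sAMAccountName max 20 chars

# Both logon names are derived from the same value, as the procedure requires.
$Upn = "$LogonName@$Domain"

# Random, never-used password: the template account is not meant to log on.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $LogonName `
           -SamAccountName $LogonName `
           -UserPrincipalName $Upn `
           -GivenName 'Template' -Surname 'StandardUser' `
           -Path $OuPath `
           -AccountPassword $Password `
           -Enabled $false `
           -Description 'Bravura Security Fabric template account (do not enable)'

# Verify the two logon names agree and the account is disabled before use.
$u = Get-ADUser -Identity $LogonName -Properties userPrincipalName
if ($u.UserPrincipalName.Split('@')[0] -ne $u.SamAccountName) {
    throw "Logon name mismatch: UPN '$($u.UserPrincipalName)' vs sAMAccountName '$($u.SamAccountName)'"
}
if ($u.Enabled) {
    throw "Template account '$($u.SamAccountName)' is enabled; disable it."
}
Write-Host "Template account created: $($u.DistinguishedName)"
```

The password is generated and discarded on purpose: nobody should ever know a template account's password, and keeping the account disabled means it cannot be used to authenticate even if the password were recovered.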

Defining properties

By default, Bravura Security Fabric copies many properties (attributes) when creating a new user.

Note

It is recommended that you do not add template accounts to Bravura Security Fabric managed groups. Managed group memberships should be handled by including them in roles.

Without the use of roles, it may be necessary to create multiple template accounts depending on the needs of your organization, because group membership generally denotes resources (such as printers, file shares) to which a user has access.

To define additional properties for the template account:

  1. Open the OU where you created the template account (for example, Users), right-click the template user and select Properties.

  2. If you want to set the logon hours and account options:

    1. Select the Account tab.

    2. Set the following account parameters:

      • Logon Hours (Optional)

        To restrict the hours during which the user is permitted to log on to the domain. Sessions that are already established are not automatically ended when the permitted hours expire.

      • Log On To (Optional)

        To restrict the workstations from which a user will be permitted to log on to this domain account.

      • Account options

        To manage the account expiration date and other options.

  3. If you want to configure a logon script or home directory:

    1. Select the Profile tab.

    2. Type the full path for the user’s profile in the Profile path field and the logon script to be used by the account in the Logon script field.

    3. Type the location of the user's Home folder in the Connect (drive letter) and To (UNC path) fields.

    When creating the template account's home folder, ensure that the folder name matches the template account ID; Bravura Security Fabric relies on this to replace the template ID with the ID of the new user. The home folder must be located on a network share (Connect drive: To: \\server\share\templateID). If the template account's Home folder is defined as a Local path on the DC, no home directory is created for the recipient account.

  4. Configure other properties as you require.

  5. Click OK to close the Properties window.

  6. Close the Active Directory Users and Computers window.
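The profile and home-folder properties above, set with Set-ADUser and then checked against the constraints the procedure describes. This is an added example, not part of the Bravura Security Fabric documentation; the template logon name, file server, share and workstation names are assumptions. The Test-TemplateHomeFolder function is hypothetical (written here for illustration) and flags the two failure modes the text warns about: a Local path instead of a UNC path, and a folder name that does not equal the template's account ID.

```powershell
# Added example: configure Profile-tab properties on an existing template
# account and verify the home-folder constraints. Assumed values below.
Import-Module ActiveDirectory

$LogonName = 'tmpl-standard-user'                          # assumed template account
$HomeShare = '\\fs01.corp.example.com\home'                # assumed network share
$HomeDir   = Join-Path $HomeShare $LogonName               # folder name == account ID

Set-ADUser -Identity $LogonName `
    -ProfilePath "\\fs01.corp.example.com\profiles\$LogonName" `
    -ScriptPath 'logon.bat' `
    -HomeDrive 'H:' `
    -HomeDirectory $HomeDir `
    -LogonWorkstations 'WS-TEMPLATE01'                     # assumed "Log On To" restriction

# Templates should not carry an expiration date that would be copied to new users.
Clear-ADAccountExpiration -Identity $LogonName

# Hypothetical helper: returns a list of problems (empty list means OK).
function Test-TemplateHomeFolder {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $problems = @()
    $dir = $User.HomeDirectory
    if (-not $dir) { return @('No home folder defined') }

    # A "Local path" on the DC (e.g. C:\Users\x) yields no home directory
    # for recipient accounts; require a UNC path with a share component.
    if ($dir -notmatch '^\\\\[^\\]+\\[^\\]+\\') {
        $problems += "Home folder '$dir' is not a UNC path"
    }
    if (-not $User.HomeDrive) {
        $problems += 'No Connect drive letter set'
    }
    # The folder name must equal the account ID so it can be substituted.
    $leaf = Split-Path -Path $dir -Leaf
    if ($leaf -ne $User.SamAccountName) {
        $problems += "Folder name '$leaf' does not match sAMAccountName '$($User.SamAccountName)'"
    }
    return $problems
}

$u = Get-ADUser -Identity $LogonName -Properties HomeDirectory, HomeDrive, ProfilePath, ScriptPath
$issues = Test-TemplateHomeFolder -User $u
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Template home folder OK: $($u.HomeDirectory) ($($u.HomeDrive))"
}
```

Run the check again after any manual edit in Active Directory Users and Computers; a home folder typed as a local path or with a different folder name silently breaks home-directory creation for every account later built from the template.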

Renaming template accounts

If a template account is renamed on the target system, account creation behaves differently depending on whether the target system is a source of profiles:

  • If the target is a source of profiles, then nothing changes. Bravura Security Fabric can continue to use the template account as is to create accounts.

  • If the target system is not a source of profiles, when you rename the template account (for example, its cn or distinguishedName) ensure that userPrincipalName is also renamed to match or emptied out. If userPrincipalName is neither renamed nor emptied, account creation will fail.
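The second case, scripted: rename the template object and then either update or clear userPrincipalName so that account creation keeps working. This is an added example and not part of the Bravura Security Fabric documentation. The old and new names and the domain are assumptions; that the rename also updates sAMAccountName is an assumption about what "rename" covers in your environment, and the final check applies the same rule as the creation procedure (the UPN prefix, when present, must equal sAMAccountName).

```powershell
# Added example: rename a template account on a target that is NOT a source
# of profiles, keeping userPrincipalName consistent. Assumed values below.
Import-Module ActiveDirectory

$OldName  = 'tmpl-standard-user'   # assumed current cn / sAMAccountName
$NewName  = 'tmpl-std-user'        # assumed new name (<= 20 chars)
$Domain   = 'corp.example.com'     # assumed UPN suffix
$ClearUpn = $false                 # $true: empty userPrincipalName instead of renaming it

# Look the object up once by its current name; use the GUID afterwards
# because the DN and sAMAccountName change during the operation.
$u = Get-ADUser -Identity $OldName -Properties userPrincipalName
$guid = $u.ObjectGUID

# 1. Rename the object (changes cn and distinguishedName).
Rename-ADObject -Identity $u.DistinguishedName -NewName $NewName

# 2. Rename or empty userPrincipalName, as the text requires.
if ($ClearUpn) {
    Set-ADUser -Identity $guid -SamAccountName $NewName -Clear userPrincipalName
} else {
    Set-ADUser -Identity $guid -SamAccountName $NewName -UserPrincipalName "$NewName@$Domain"
}

# 3. Verify: userPrincipalName is now either empty or agrees with sAMAccountName.
$after = Get-ADUser -Identity $guid -Properties userPrincipalName
$upnPrefix = if ($after.UserPrincipalName) { $after.UserPrincipalName.Split('@')[0] } else { $null }
if ($upnPrefix -and $upnPrefix -ne $after.SamAccountName) {
    throw "userPrincipalName '$($after.UserPrincipalName)' does not match sAMAccountName '$($after.SamAccountName)'"
}
Write-Host "Renamed template: $($after.DistinguishedName); UPN = '$($after.UserPrincipalName)'"
```

After the rename, update the template account reference in the Bravura Security Fabric target configuration to the new name before creating any accounts from it.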