Enable Enhanced Active Directory Integration

Active Directory 2003 has several user and domain attributes that are specific to the Windows network operating system (NOS) and are not required by the LDAP standard:

If you configure the Policy Server to use Active Directory as a user store, you should enable the Enhanced Active Directory Integration global setting from the SiteMinder Global Settings dialog box available from the Policy Server User Interface. This option improves the integration between the Policy Server’s user management feature and Password Services with Active Directory. This enhancement synchronizes Active Directory user attributes with SiteMinder mapped user attributes. For more information about this feature, see the Policy Design Guide.

Note: The feature is not supported with ADAM.

To enable enhanced Active Directory integration

  1. Log in to the Policy Server User Interface.
  2. From the Policy Server User Interface menu bar, select Tools, Global Settings.

    The SiteMinder Global Settings dialog box opens.

  3. Select the Enhance Active Directory Integration check box. By default, this enhancement is disabled.

    Note: After enabling this feature, you must have administrator credentials to modify the AD user store and have privileges to update AD attributes. If you do not have these credentials and privileges, the Policy Server returns an error message.

  4. Click OK.

    The SiteMinder Global Settings dialog box closes. The Policy Server enables enhanced Active Directory integration.

  5. Open the Active Directory user directory object in the User Directory dialog box for editing.
  6. In the Root field for the SiteMinder user directory object, enter the default Windows domain’s DN as the user directory root. For example:
    dc=WindowsDomain,dc=com
    

    Note: AD-specific features may not work if the Root field is set to another value.

  7. Click Apply.
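
The Root value from step 6 can be checked before it is applied. The following is an added example, not part of the SiteMinder product or its documentation: it tests whether a Root string is exactly the domain DN rather than a container below it or a different domain. The function names, the DNS name `windowsdomain.com` and the OU sample are assumptions made for illustration, as is the mapping of one `dc=` component per DNS label.

```python
# Added example: check a SiteMinder Root value against the AD domain DN.
# Assumption: the domain DN is one dc= component per DNS label.

def split_rdns(dn):
    """Split a DN on commas, keeping backslash-escaped characters intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # escaped pair, e.g. "\," inside a value
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def normalize(dn):
    """Return [(attr, value), ...] lower-cased; AD compares DNs case-insensitively."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def domain_dn(dns_name):
    return [("dc", label.lower()) for label in dns_name.strip(".").split(".")]

def check_root(root, dns_domain):
    """Return (ok, reason) for a configured Root value."""
    try:
        rdns = normalize(root)
    except ValueError as exc:
        return False, str(exc)
    if any(attr != "dc" for attr, _ in rdns):
        return False, "root is a container below the domain, not the domain DN"
    if rdns != domain_dn(dns_domain):
        return False, "root names a different domain"
    return True, "root is the domain DN"

if __name__ == "__main__":
    for root in ("dc=WindowsDomain,dc=com",                # value from the page
                 "ou=People,dc=WindowsDomain,dc=com"):     # constructed
        print(root, "->", check_root(root, "windowsdomain.com"))
```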

More information:

SiteMinder Global Settings Dialog