Modifying non-encrypted registry settings
To modify the non-encrypted registry settings, complete the following steps:
Procedure
Results
Key | Description |
---|---|
CreateUNCHomeDirectories | If this key is set to TRUE, the key enables creation of the UNC home directory. The default value is FALSE. |
DeleteUNCHomeDirectories | If this key is set to TRUE, the key enables deletion of the UNC home directory on delete. The default value is FALSE. |
delRoamingProfileOnDeprovision | If this key is set to TRUE, the key enables user profile directory deletion when the user is de-provisioned. After successfully deleting the user from the Active Directory, the adapter deletes the user home directory, subdirectories, and files. If this key is set to FALSE, or if the key does not exist, the adapter does not delete the user home directory. The default value is FALSE. |
delUNCHomeDirOnDeprovision | If this key is set to TRUE, the key enables UNC Home directory deletion when the user is de-provisioned. After successfully deleting the user from the Active Directory, the adapter deletes the user home directory, subdirectories, and files. If this key is set to FALSE, or if the key does not exist, the adapter does not delete the user home directory. The default value is FALSE. |
ForceRASServerLookup | If this key is set to TRUE, the RASServer is always found from the domain information. If this key is set to FALSE, one of these conditions exists: |
ForceTerminalServerLookup | If this key is set to TRUE, the terminal server is always found from the domain information. If this key is set to FALSE, one of these conditions exists: |
ManageHomeDirectories | If this key is set to TRUE, the adapter performs Add and Delete operations for actual directories. If this key is set to FALSE, the adapter updates only the home directory information in the Active Directory. The default value is FALSE. |
NotifyIntervalSeconds | This key specifies the interval (in seconds) after which the adapter enabled event notification process starts. It can be modified by using the agentCfg tool. The default value is 300 seconds. |
ReconHomeDirSecurity | If this key is set to TRUE, the adapter brings the Home Security information (NTFS security, share name, and share security) during a reconciliation. The default value is FALSE. The reconciliation operation is fast when this key is set to FALSE. |
ReconPrimaryGroup | The recon operation does not add the primary group to the group list. The memberof attribute in Active Directory stores the user’s group membership, except the primary group. The primaryGroupID attribute in Active Directory stores the primary group of the user. As a result, the primary group must be explicitly added to the group list. If this key is set to TRUE, the primary group is added to the group list. If this key is set to FALSE, the primary group is not added to the group list. The default value is FALSE. |
SearchPasswordSettings | Most of the password attributes are stored in the Active Directory and are directly retrieved. But some (for example, Require Unique Password and User Cannot Change Password) are not stored in the Active Directory. These attributes must be retrieved by using APIs. If this key is set to TRUE, the password attributes are retrieved by using the respective API. If this key is set to FALSE, the attributes are not retrieved. The default value is FALSE. When this key is set to FALSE, the password flag attributes are not retrieved and the reconciliation operation is fast. |
UnlockOnPasswordReset | If this key is set to TRUE, the adapter activates the user on a password change request. The default value is FALSE. |
useDefaultDC | This key provides failover capability for the adapter when the host specified in the base point is not available. If the adapter cannot connect to the host specified in the base point and the key is set to TRUE, the adapter connects to the base point without the host name. If this key is set to TRUE, the key affects RASServer and Terminal server lookup behavior. The default value is FALSE. |
useSSL | This key enables SSL communication between the adapter and the Active Directory. If this key is set to TRUE, the adapter uses SSL to communicate with the Active Directory. If this key is set to FALSE or does not exist, the adapter does not use SSL. The default value is FALSE. |
WtsDisableSearch | This key takes effect only if WtsEnabled is set to TRUE. If set to FALSE, this key enables a reconciliation of the WTS attributes. If set to TRUE, the reconciliation is faster. The default value is FALSE. |
WtsEnabled | If this key is set to TRUE, the key enables processing of Windows Terminal Server (WTS) attributes. The default value is FALSE. |
UseGroup | You can set this key to one of the following options: Depending on the value of this key, the adapter retrieves the value for group during the reconciliation operation and processes it during the add and modify operations of the adapter. When you change the value of this key, you must modify the profile and import it again on IBM® Security Identity Manager. The default value is DN. |
ReconMailboxPermissions | When this key is set to FALSE, the adapter does not retrieve the Mailbox Permission information. The reconciliation operation is fast when this key is set to FALSE. The default value is TRUE. |
UPNSearchEnabled | When the registry key UPNSearchEnabled is set to FALSE, the adapter does not perform a search on the User Principal Name for uniqueness. It creates the user account with the supplied or generated value of the User Principal Name. When the registry key UPNSearchEnabled is set to TRUE, the adapter performs a search on the User Principal Name to ensure the uniqueness. The default value is TRUE. Note: This key is used only for the user add operation. |
UseITIMCNAttribute | When this key is set to TRUE, the adapter uses IBM Security Identity Manager common schema attribute cn. The adapter processes the cn attribute for add, modify, and reconciliation operations. When this key is set to FALSE, the adapter uses the erADFullName attribute for add, modify, and reconciliation operations. When you set this registry key to FALSE, you must customize the account form. For more information, see Configuring the cn attribute. The default value is |
MailUserRenameDelay | When you rename a user account with mail status, the Active Directory might take time to reestablish the user account mail status. This behavior causes the adapter to fail the exchange attributes in the rename request with the error message Error setting attribute name. User does not have a mailbox. In this case, renaming means modifying the Eruid and the User Principal Name attribute. When you use this key, the adapter waits before it modifies the exchange attribute when a user account is renamed. For example, set this key to 10 seconds. Submit a user account rename request. The adapter waits for 10 seconds before modifying the exchange attributes that are in the request. The default value of the registry key is 0 seconds. Note: The adapter uses this key only when the Eruid, User Principal Name, and the exchange attributes are modified. |
SearchTimeout | In some of the Active Directory setups, the adapter might not complete the reconciliation operation. This failure occurs when the Microsoft ADSI API GetNextRow halts indefinitely. The adapter monitors the reconciliation operation. Set this registry key to a non-zero value. The adapter process ends if there is no activity by the adapter in the reconciliation operation for the time in seconds specified in this key. When you set the value of this registry key to 0 and if the adapter halts during the reconciliation operation, the reconciliation operation does not complete and the operation is timed out on IBM Security Identity Manager. In this case, restart the adapter service. The default value of the registry key is 0 seconds. |
LyncDisableSearch | If this key is set to TRUE, the key disables the Lync attributes. It excludes the Lync attributes, which are not stored as LDAP values and are retrieved with a PowerShell call, from search results. The Lync attributes can significantly affect the performance during a search. The default value is FALSE. |
- AbortReconOnFailure
- OverrideX500Addresses
- Example 1
  - When the Users BasePoint DN specified on the service form is OU=TestOU,DC=MyDomain,DC=com, you can specify the list of target servers in the adapter registry by using agentCfg.exe as follows:
    - Create the registry key with the name OU=TestOU,DC=MyDomain,DC=com.
    - Specify the value for the key as DC01|DC02|DC03.
- Example 2
  - When the Users BasePoint DN specified on the service form is DC01|DC02|DC03/DC=MyDomain,DC=com, you can specify the list of additional target servers in the adapter registry by using agentCfg.exe as follows:
    - Create the registry key with the name DC=MyDomain,DC=com.
    - Specify the value for the key as DC04|DC05|DC06.
HKEY_LOCAL_MACHINE\SOFTWARE\Access360\ADAgent\Specific. For more information, see Users Base Point configuration for the adapter.
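
The defaults in the table above leave several security-relevant behaviors off or unbounded (no SSL, no reconciliation timeout), and an absent key behaves like its default. The following Python script is an added example, not part of the adapter or of IBM's tooling: it overlays a set of registry values on the documented defaults and reports the settings a reviewer should look at. The function names, the finding texts, the `SAMPLE` input, and the case-insensitive handling of TRUE/FALSE are assumptions made for the example.

```python
# Added example: lint adapter registry values against the table above.
# Defaults are the ones the table states; SAMPLE is constructed.
DEFAULTS = {
    "useSSL": "FALSE", "useDefaultDC": "FALSE", "UPNSearchEnabled": "TRUE",
    "delUNCHomeDirOnDeprovision": "FALSE",
    "delRoamingProfileOnDeprovision": "FALSE",
    "DeleteUNCHomeDirectories": "FALSE",
    "WtsEnabled": "FALSE", "WtsDisableSearch": "FALSE", "SearchTimeout": "0",
}
DELETION_KEYS = ("delUNCHomeDirOnDeprovision", "delRoamingProfileOnDeprovision",
                 "DeleteUNCHomeDirectories")

def effective(settings):
    """Overlay supplied values on the documented defaults. An absent key
    keeps its default; names match case-insensitively, as registry names do."""
    canon = {k.lower(): k for k in DEFAULTS}
    merged = dict(DEFAULTS)
    for name, value in settings.items():
        if name.lower() in canon:
            merged[canon[name.lower()]] = str(value).strip()
    return merged

def on(value):
    # Assumption: the adapter compares TRUE/FALSE case-insensitively.
    return value.upper() == "TRUE"

def audit(settings):
    """Return (key, finding) pairs for settings worth a reviewer's attention."""
    s, out = effective(settings), []
    if not on(s["useSSL"]):
        out.append(("useSSL", "adapter does not use SSL to Active Directory"))
    for key in DELETION_KEYS:
        if on(s[key]):
            out.append((key, "directories and files are deleted with the account"))
    if not on(s["UPNSearchEnabled"]):
        out.append(("UPNSearchEnabled", "no UPN uniqueness search on user add"))
    if on(s["useDefaultDC"]):
        out.append(("useDefaultDC", "falls back to base point without host name"))
    if on(s["WtsDisableSearch"]) and not on(s["WtsEnabled"]):
        out.append(("WtsDisableSearch", "no effect while WtsEnabled is FALSE"))
    if not s["SearchTimeout"].isdigit() or int(s["SearchTimeout"]) == 0:
        out.append(("SearchTimeout", "a halted reconciliation is never ended"))
    return out

SAMPLE = {"usessl": "false", "delUNCHomeDirOnDeprovision": "TRUE",
          "WtsDisableSearch": "TRUE", "SearchTimeout": "600"}  # constructed

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```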