2013 R2. Active Directory. Configuration Guide


Intellectual property rights

This document is the property of ScanJour. The data contained herein, in whole or in part, may not be duplicated, used or disclosed outside the recipient for any purpose other than to conduct business and technical evaluation. This restriction does not limit the recipient's right to use information contained in the data if it is obtained from another source without restriction.

Disclaimer

This document is intended for informational purposes only. Any information herein is believed to be reliable. However, ScanJour assumes no responsibility for the accuracy of the information. ScanJour reserves the right to change the document and the products described without notice. ScanJour and the authors disclaim any and all liabilities. ScanJour is a trademark used under license by ScanJour A/S. All other logos, trademarks and service marks are the property of the respective third parties. Copyright ScanJour A/S. All rights reserved.

Revision history

- The system users SYSADM and SJSYSADM are no longer mandatory in the application and are therefore no longer considered prerequisites in Active Directory.
- Updated for ScanJour Captia 4.1i.
- Updated for ScanJour Captia 4.2. Id fields extended from 11 to 30 characters. Section 14 System Access Codes: amended descriptions of the System Access Codes IADM, DEJOURNALADM and UNLOCKADM; added descriptions of the System Access Codes FESD_WS, PHRASEEDIT, PHRASEEDIT_GENERAL, PHRASEEDIT_FILEGROUP and PHRASEEDIT_SUPERUSER. The description of user names in version G, section 12.2 User Name Restrictions, has been deleted. Prerequisites regarding Active Directory Application Mode updated. Section 16 Command Line Parameters: Undo deletions in AD, key= changed to key=null. Section 11.1 ADSI Field Names for OUs: ADSI field name for Country/region changed to c. Section 11.2 ADSI Field Names for the Description Group Groups: Country/region for groups deleted.
- The guide has been translated into English and minor 4.2 SP3 changes added. Preface and Abbreviations added: GUI, SJAD, SQL. Note about Enterprise Access Code added. Section 2.4 Configuration of Code Visibility added. Section 3.1 User Account Permissions: note on the user account added. Examples made generic and section headings changed to reflect this. Section 3.3 Create a scheduled task transfer: the step on setting the scheduled task to run at a specific time added. Renamed Replication Program to SJ AD Connector and "replication of data" to "transfer of data". Section 5 Creating Organizational Units in AD added. Section 6 Create users in Active Directory, step 4: note about the pre-Windows 2000 logon user exception (if a ScanJour Captia user needed access to G-version applications) removed as obsolete. Section 8.5 Creating a new Distribution Group for handling Committees removed because it is no longer relevant. Section 14.1 WorkZone Content Server System Access Codes: added System Access Codes MULTIEDIT and WORKFLOWSUBSTITUTE; System Access Code IADM now belongs to rights and access in CCM; updated the System Access Code concerning the Word Phrase Module. Section 15.9 Lost Entities Restored with IADM: changes added regarding the case handler change being logged in the case's life cycle. Section 16.4 SQL statement element corrected: <ou name> changed to <committee name>. Section 17 Monitoring the Transfer: paragraph explaining the use of command line parameters when executing a scheduled transfer task added. Section 8 Distribution Groups Groups and Committees: description of Group Access Codes being members of Group Access Codes added.
- Updated for Content Services. The access code Content_Services added. Section 5.2 Register OUs in ScanJour Active Directory Connector: information on handling identical OU names added. Section 16 Command Line Parameters: removed the obsolete parameters /user=<user name> and /password=<password>.
- Updated for Captia 4.5. Document title changed from DOC60 to Active Directory Configuration Guide. Section 14.2 ScanJour Configuration Management System Access Codes: System Access Code TERMS deleted because the Terms Module in CCM has been discontinued; WORKFLOWADM amended; Workflow State added; System Access Codes WORKFLOWSUBSTITUTE and WORKFLOWSUBSTITUTEGLOBAL clarified. Section 14.1 WorkZone Content Server System Access Codes: WORKFLOWSUBSTITUTEGLOBAL added. Document DOC107 Corporate Access Codes merged into this document. Section 18 Corporate Access Code added. Section 19 updated and the Corporate Solution explained in more detail with more configuration examples. Subsection on the scheduled task process added. Section 16 Undo Delete Commands in AD removed; the process is now handled automatically. Subsection System Access code IAM replaced with section 15.9 Lost Entities Restored with IADM and renamed. Subsection has been removed. Section 10.1 Field data concerning users, note 7 elaborated with example XML.
- Updated for Captia 4.5 SP1. Added sections 14.3 Extraordinary System Access Codes and SQL-Creation of Extraordinary System Access Codes. Section 14 System Access Codes: revised System Access Codes PHRASEEDIT_USER, PHRASEEDIT_DEPARTMENT, and PHRASEEDIT_ORGANIZATION. Section SQL-Creation of the Extraordinary System Access Codes: new English table/field names adapted in SQL statements. Updated Access Code compliance for the terms Standard Access Code System (SACS) and Corporate Access Code System (CACS). Section 18.3 Dummy Group Access Code renamed to ALLEEMNER Default Group Access Code.
- Updated for Captia 4.5 SP2. Added the access code FILINGPERIOD.
- Updated for Captia 4.5 SP3. Section 14.1 WorkZone Content Server System Access Codes: removed the POST System Access Code as obsolete. Section 16 Command Line Parameters: added the new parameter /setsid=<systemuser>. Section 13.1 Examples of Stripping: corrected the stripping examples by removing extra spaces.
- Updated for Captia 4.5 SP.
- Updated for WorkZone Content Server 2013. ScanJour Captia replaced with WorkZone Content Server throughout the document. Section 12 Character Restrictions: revised and made more accurate. Section 16 Command Line Parameters: corrected default value for the /db option.
- Updated for WorkZone Content Server 2013 SP1. Section 13.1 Examples of Stripping: fixed error in Example 3. Section 14.1 WorkZone Content Server System Access Codes: descriptions of the Workflow access codes WORKFLOWCREATE, WORKFLOWSUBSTITUTE, and WORKFLOWSUBSTITUTEGLOBAL removed, as the Workflow functionality is no longer supported. Section 14.2 ScanJour Configuration Management System Access Codes: description of the access code WORKFLOWADM removed for the same reason.
- Updated for WorkZone Content Server 2013 R2.

ConfigGuide_ActiveDirectory.docx Page 2 of 50

Contents

Prerequisites
ScanJour Configuration Management
Configuration of Security Codes
Configuration of Contact Types
Configuration of Custom Labels
Configuration of Code Visibility
ScanJour Active Directory Connector
User Account Permissions
Wizard Guided Pre-Configuration
Create a Scheduled Task Transfer
Exit the Wizard-Guided Pre-Configuration
Active Directory
Access Active Directory
Distribution Groups
Creating Organizational Units in AD
Create an Organizational Unit
Register OUs in ScanJour Active Directory Connector
Create Users in Active Directory
Distribution Group Membership Essential to User-Transfer
Users Become Log-on Users and Employees in WorkZone Content Server
Create or Copy Users
Discontinue Users
Change a User's Organizational Unit
Distribution Groups Groups and Committees
Create Group Access Codes
Prepare the Group Access Code for Transfer
Create a Committee
Prepare the Committee for Transfer
When You Have Finished All Configurations
Initialize Transfer of Data
Re-enable the Scheduled Transfer Task
Field to Field Transfer Between AD and SJ
Field Data Concerning Users
Field Data Concerning OUs
Field Data Concerning the Distribution Group Groups
Field Data Concerning the Distribution Group Committees
ADSI Field Names
ADSI Field Names for OUs
ADSI Field Names for the Description Group Groups
ADSI Field Names for Users
Character Restrictions
Organizational Unit Name Restrictions
User Name Restrictions
Group Name Restrictions
Committee Name Restrictions
Name Code Stripping
Examples of Stripping
System Access Codes
WorkZone Content Server System Access Codes
ScanJour Configuration Management System Access Codes
Extraordinary System Access Codes
SQL-Creation of the Extraordinary System Access Codes
Recommendations and Advice
Event Log
One Configuration File per Database
Do Not Change the Name Codes
Domain Server Connection
Users
OUs and Units
Scheduled Transfer Task
Mapping of AD Fields to WorkZone Content Server Fields
Lost Entities Restored with IADM
Command Line Parameters
Monitoring the Transfer
Check Quality of Transfer
Corporate Access Code
Prerequisites
Configuring the Transfer from Active Directory
Special Access Codes for the Corporate Solution in AD
ALLEEMNER Default Group Access Code

Preface

Introduction

Purpose
This guide describes the configuration and administration of users, organizational units, and groups in Active Directory and WorkZone Content Server. The purpose of the guide is:
- To facilitate understanding of the basic configuration of organizational units (OUs), users, and groups in Active Directory and WorkZone Content Server.
- To supply advice and guidance on the operation and maintenance of organizational units (OUs), users, and groups in Active Directory and WorkZone Content Server.

Target audience
The target audience of this guide is the technicians who are responsible for the administration of OUs, users, groups, and access codes in WorkZone Content Server through Active Directory.

Abbreviations and special terms
This list explains the abbreviations and special terms used in this document.

Access Code: The ScanJour application operates with three different types of Access Codes:
- Employee Access Code (associated with each user from AD).
- Unit Access Code (associated with each OU from AD).
- Group Access Code (optional Access Codes). Note that there are two types of Group Access Codes: System Access Codes (for example, DEJOURNALADM), which give their members extended rights and access through the interface, that is, WorkZone Content Server; and Access Codes created by the organization to give their members access to restricted information or the ability to share it.
Access Codes (excluding System Access Codes) can be used to restrict access to an entity on two levels: viewing rights and/or editing rights.
Note: If your organization opted for an installation that uses the Corporate Access Code System (CACS), all cases and documents are created with an Access Code string of at least two Access Codes: one Organizational Access Code and one Group Access Code. For more information, see section 18 Corporate Access Code.

AD: Active Directory.
ADAM: Active Directory Application Mode. ADAM is a light-weight implementation of Active Directory that can run as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares its code base with Active Directory and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers.
ADLD: Active Directory Lightweight Directory. Same product as ADAM; see the ADAM entry.
AD LDS: Active Directory Lightweight Directory Services, the name under which ADAM ships from Windows Server 2008 onward; see the ADAM entry.
ADSI: Active Directory Service Interfaces. ADSI is a set of COM interfaces that give access to directory services from different network providers.
GUI: Graphical User Interface.
ID: Identification; the unique identification key of an item.
Location Code: The Location Code (sometimes Contact Code) is an abbreviation of a unit and part of the unit's ID in WorkZone Content Server. The unit's ID is made up of a Contact Type of one character (a letter or a digit 0 to 9) and a Contact Code/Location Code of up to 11 characters. In WorkZone Content Server the ID of the unit Secretariat would be A SECR; here the SECR part is the Location Code. Note: The Contact Type in Configuration Management may be referred to as Addressee Type in some contexts.
OU: Organizational Unit. Created in Active Directory.
SJ: ScanJour.
SJADConnect: The ScanJour Active Directory Connector (also written SJADConnector in this guide).
SQL: Structured Query Language. A database language designed for managing data in a relational database management system.
Unit: An OU that has been replicated to WorkZone Content Server.
Unit Access Code: The Access Code that is added to a user's profile on behalf of the user's OU membership in AD.

References
1. ScanJour WorkZone Content Server Database Installation Guide, Chapter
2. Captia_Online_Help.chm, topic on Corporate Access Code (can also be accessed from Captia Web Client).
3. Configuration_Management_Online_Help.chm, topic on Lost and Found (can also be accessed from Configuration Management).
4. ScanJour WorkZone Content Server Installation Guide.

1 Prerequisites

Prerequisites
This guide assumes that the ScanJour programs and databases are up and running and that the system administrator has access to ScanJour Configuration Management and Active Directory (AD). To configure and maintain the system properly, access to the following items is a prerequisite:
- The individual modules of ScanJour Configuration Management, for example, Basic Data.
- ScanJour's program catalog (all rights access).
- sjactivedirectoryreplication (the ScanJour Active Directory Connector).
- Active Directory Users and Computers.
- Active Directory Application Mode.

SYSADM and SJSYSADM
The system users SYSADM and SJSYSADM have been discontinued in Configuration Management and are no longer a prerequisite in AD. The SYSADM user account has been replaced with System Access Codes in Configuration Management. This means that the rights are no longer tied to a single account but can be granted to one or several users, in whole or in part, by adding the necessary System Access Codes to any user's AD profile. The SJSYSADM user still has limited use with regard to SQL but none in WorkZone Content Server or Configuration Management. In WorkZone Content Server the SYSADM user is still used for letter templates.

2 ScanJour Configuration Management

System administration
Before running the Wizard program that configures your SJ AD, you must first configure the items listed below. Each of them is described in this chapter.
- Security Codes
- Contact Types
- Custom Labels
- Code Visibility

2.1 Configuration of Security Codes

Configuration of security codes
In Configuration Management, in the Registry Security module, you must pre-configure the security system and assign permissions to each level of security. The ScanJour Security System is based on 9 Security Codes: 1, 2, 3, 4, 5, 6, 7, 8, and 9. For each of these security codes, the system administrator must configure a set of permissions for every register and table of the system. The security code must reflect the permissions of a user regarding the database content. The permissions define whether the user is allowed to search, update, insert, delete, lock, and unlock a certain type of database item, that is, a case or a relation. The permissions of each security code can be configured to reflect the demands of specific groups of users. When a user logs on to ScanJour, the security code assigned to the user defines what the user is allowed to do. Security codes are assigned to users in Active Directory Users and Computers (AD): when a ScanJour user is created in AD, the user must be made a member of the distribution group representing one of the 9 security codes. When the users are replicated to the ScanJour database, each user is automatically allocated the corresponding security code and thereby the permissions for registers and tables in the database.

2.2 Configuration of Contact Types

Configuration of Contact Types
In Configuration Management, in the Basic data > Addressee module, you must pre-configure the following three mandatory Contact Types:
- Contact Type A, which holds the replicated organizational units created in AD.
- Contact Type M, which holds the replicated users created in AD, for the purpose of a Case Handler register.
- Contact Type U, which holds the replicated Committees created in AD.
If your organization has installed Local Government Edition, a fourth Contact Type may apply:
- Contact Type K, which holds local authorities, that is, municipalities.
All the contact types listed above must be created with Auto ID set to N and a maximum Name Code Length of 30 characters.

2.3 Configuration of Custom Labels

Configuration of custom labels
In Configuration Management, in the Basic data > Custom label module, you must pre-configure a mandatory contact role for members of a committee: create a Contact Reference named Member under label type NP. Later on in the process you must add this role/contact reference to Committees in the ScanJour Active Directory Connector.

2.4 Configuration of Code Visibility

Configuration of Access Code Visibility
In Configuration Management, in the Operation > Owner module, you can change the default configuration of Access Code Visibility. By default both User Access Codes (that is, Employee User Codes) and Unit Access Codes (that is, Organizational Unit Access Codes) are visible. If your organization wishes to deny the use of either one, select the Hide check box next to that type in the Access Code Visibility section. After this, users can choose only from Group Access Codes.

3 ScanJour Active Directory Connector

AD Connector
To make Active Directory comply with the ScanJour system once data is transferred, you must perform an initial configuration using the SJ Active Directory Connector (SJADConnector). You can access the application from ScanJour's program catalog by running sjactivedirectoryreplication.exe. SJADConnector facilitates the transfer (replication) of data from AD to WorkZone Content Server. Users, user security codes, Access Codes, units, and Committees are maintained in AD, but this data must continually be updated and transferred to the ScanJour database. For the ScanJour system to receive the transferred data correctly, the configuration of AD and ScanJour must be aligned. The transformation of data and the alignment are handled by SJADConnector: sjactivedirectoryreplication.exe.

3.1 User Account Permissions

User account
The name of the user account used to run the connector is not important; however, the user account, including its password, must exist and be known to the database and the connector before initialization.

User permissions
User permissions matter in two respects:
- The permissions a user needs to run the Wizard in SJADConnector.
- The permissions a user needs to run the scheduled task that transfers data from AD to SJ.

Permissions to initiate the Wizard
The first time you run ScanJour Active Directory Connector (sjactivedirectoryreplication.exe) a Wizard is started. The Wizard guides you through the alignment between AD and SJ, and you only have to establish this alignment once. The Wizard writes directly to AD, so the user account used must have the permissions needed to create the following objects in AD:
- An OU named ScanJourCaptiaAdministration in the root of AD.
- 11 universal distribution groups in the subtree of the ScanJourCaptiaAdministration OU:
  - ScanJourCaptia<database name><i>, i = 1-9 (used to align the users' security levels; each distribution group represents the equivalent security level in SJ).
  - ScanJourCaptia<database name>groups (used to identify the Group Access Codes).
  - ScanJourCaptia<database name>committees (used to identify Committees).
Note: <database name> must be replaced with the ODBC name of the current database. These 11 groups are created by the Wizard when you click the corresponding button in the SJADConnector GUI.
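The following PowerShell script is an added example; it is not part of the ScanJour guide or of the SJADConnector product. It creates, or checks for, the objects listed above with the ActiveDirectory module, so that you can verify what the Wizard produced, and it reports a group that exists under the expected name but with the wrong scope or category, which the Wizard's naming alone would not reveal. The database (ODBC) name tiltest and the dash separator are assumptions taken from the Wizard recommendation in section 3.2; whether the Wizard accepts pre-created groups is not stated in the guide, so treat the creation branch as preparation and the rest as a check.

```powershell
# Added example, not from the ScanJour guide: create or verify the objects the SJADConnector
# wizard needs. Assumptions: database (ODBC) name tiltest and the separator "-" recommended in
# section 3.2, step 5. Requires the ActiveDirectory module (RSAT) and rights to create OUs/groups.
Import-Module ActiveDirectory

$DatabaseName = 'tiltest'                              # assumption: your ODBC database name
$Prefix       = "ScanJourCaptia$DatabaseName-"         # ScanJourCaptia<database name> + separator
$DomainDN     = (Get-ADDomain).DistinguishedName
$AdminOuName  = 'ScanJourCaptiaAdministration'
$AdminOuDN    = "OU=$AdminOuName,$DomainDN"

# 1. The administration OU in the root of the domain.
$adminOu = Get-ADOrganizationalUnit -Filter "Name -eq '$AdminOuName'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $adminOu) {
    New-ADOrganizationalUnit -Name $AdminOuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. The 11 universal distribution groups: nine security levels, Groups and Committees.
$GroupNames = @(1..9 | ForEach-Object { "$Prefix$_" }) + @("${Prefix}groups", "${Prefix}committees")

foreach ($name in $GroupNames) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $AdminOuDN -Properties GroupCategory, GroupScope
    if (-not $g) {
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Distribution -GroupScope Universal `
                    -Path $AdminOuDN -Description "SJADConnector carrier group for database $DatabaseName"
        "created  $name"
    }
    elseif ($g.GroupCategory -ne 'Distribution' -or $g.GroupScope -ne 'Universal') {
        # Same name but not what the wizard creates: fix it by hand rather than silently reuse it.
        Write-Warning "$name exists as $($g.GroupScope)/$($g.GroupCategory); expected Universal/Distribution"
    }
    else { "ok       $name" }
}

# 3. Final check: 11 groups carry the prefix inside the administration OU.
$inOu = @(Get-ADGroup -Filter "Name -like '$Prefix*'" -SearchBase $AdminOuDN)
"$($inOu.Count) group(s) with prefix $Prefix in $AdminOuDN (expected 11)"
```

Run it under the account that will run the Wizard: if step 1 or 2 fails with an access denied error, that account also lacks the create permissions listed above and the Wizard will fail at the same point.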

Permissions to run a scheduled transfer task
To run a scheduled task that transfers data from AD to SJ, you must use a user account with the following rights:
- View the relevant OUs, groups and users in AD.
- Write entries in the event log.
- Create and update the following sub-key entries in the Windows Registry:
  HKLM\SOFTWARE\SCANJOUR\SJAD
  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application

3.2 Wizard Guided Pre-Configuration

Activity overview
The Wizard guides you through the following steps during the pre-configuration of SJADConnector:
- Specifying the name of the database.
- Specifying the name of the domain server.
- Creating the needed distribution groups in the ScanJour-dedicated part of AD.
- Creating the configuration file that secures the alignment between AD and SJ.
- Creating a desktop shortcut to SJADConnector for easy maintenance access.
- Configuring a scheduled task that periodically and automatically secures the alignment of data.

Pre-configuration wizard
Step 1. Access WorkZone Content Server's program catalog, C:\Program Files\Scanjour\Captia\Program.
Step 2. Double-click sjactivedirectoryreplication.exe to start the Connector's Wizard. The window Welcome to the ScanJour Active Directory Connector Setup appears. Click Next.
Step 3. On the Database tab, type the name of your database in the text box.

Click Next.
Step 4. The Server Domain tab is now active. On the Server Domain tab, click the Current Domain button to insert the name of the current domain, or enter the name of your server domain in the <field name> field manually. Click Next.
Step 5. On the Administrative groups tab, in the <field name> field, the Wizard suggests a prefix for the 11 distribution groups it is about to set up for the transfer of security codes, Committees and Group Access Codes: ScanJourCaptia<database name>. To improve legibility, ScanJour recommends that you add a separating character such as a dash after <database name>. Click Create.
Step 6. In the Creating groups in AD dialog box, click OK to confirm. Click Next.
Step 7. The Setup tab is now active. On the Setup tab, in the Run in interactive mode section, click Run now to create the configuration file. The file is called SJADConfiguration<database name>.xml and is placed in ScanJour's program catalog. It is used in the alignment of transferred data from AD to SJ.
Step 8. The window SJ Active Directory Connector appears, showing the file SJADConfiguration<database name>.xml. Click Edit.
Step 9. The window Active Directory Connector Configuration appears. In the Configuration File section, click Save. The configuration file is now saved with your entries in WorkZone Content Server's program catalog. Click Exit.
Step 10. The window SJ Active Directory Connector appears again. In the Run in interactive mode section, click Create shortcut. Click Exit to return to the Wizard.
Step 11. The Create Shortcut dialog box appears. Click OK to confirm. A desktop shortcut to SJADConnector for easy maintenance access is placed on your desktop with the title sjad<database name>, for example, sjadtiltest.

3.3 Create a scheduled task transfer

Scheduled task transfer setup and disabling
Perform the following steps to create a scheduled task that periodically and automatically secures the alignment of data:
Step 1. Start SJADConnector. In the SJ Active Directory Connector window, click Run Wizard. In the Welcome to the ScanJour Active Directory Connector Setup window, click the Setup tab. In the Setup scheduled task for transfer section, click Create job.
Step 2. A Windows command-line window appears. Type the server password and press Enter. You have now created a scheduled task, which can be found under Start > Control Panel > Scheduled Tasks > SjADreplication<database name>. To make it run at a specific time, open the scheduled task and set up or edit the Schedule and Settings tabs with regard to: when the task should be performed, the start time, and the start date.
Note: When the AD Connector wizard is used to create the scheduled task for the replication, the job is installed with the Run only when user is logged on setting. You might want to change this to Run whether user is logged on or not. If you do, you must also select the Run with highest privileges setting. This only applies to Windows Server 2008, not to the older Windows Server release.
Step 3. ScanJour recommends that you disable the scheduled task until you have finished your AD configuration. Click Start > Control Panel > Scheduled Tasks. Right-click the SjADreplication<database name> item and select Properties.
Step 4. The Scheduled Task window appears with the Task tab active. On the Task tab, clear the Enabled check box. Click OK.
Step 5. Note: Remember to re-enable the scheduled task before your system goes into operation.
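The script below is an added example, not part of the ScanJour guide, covering the rights list in section 3.1 and the task settings above in one place. It grants a dedicated, non-administrative service account only the two registry locations section 3.1 names, then switches the scheduled task to that account with stored credentials (which is what "Run whether user is logged on or not" means) and highest privileges, and leaves the task disabled as step 3 recommends. The task name SjADreplicationtiltest and the account EXAMPLE\svc-sjad are placeholders. It uses schtasks.exe rather than the ScheduledTasks cmdlets because schtasks.exe is available on Windows Server 2008 as well as later releases.

```powershell
# Added example, not from the ScanJour guide. Placeholders (assumptions): task name and service
# account. Run in an elevated PowerShell session on the server that hosts the scheduled task.
$TaskName   = 'SjADreplicationtiltest'    # assumption: SjADreplication<database name>
$ServiceAcc = 'EXAMPLE\svc-sjad'          # assumption: dedicated, non-admin domain account

# 1. Registry: only the two locations section 3.1 requires, instead of local Administrators.
$KeyPaths = @(
    'HKLM:\SOFTWARE\SCANJOUR\SJAD',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'
)
foreach ($path in $KeyPaths) {
    if (-not (Test-Path $path)) {
        # SJAD does not exist until the connector first writes it; create it so the ACL can be set now.
        New-Item -Path $path -Force | Out-Null
    }
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $ServiceAcc,
        [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 2. Run the task as the service account with stored credentials (run whether logged on or not)
#    and with highest privileges, which the guide says must go together. "/RP *" makes schtasks
#    prompt for the password so it never appears on the command line or in PowerShell history.
schtasks.exe /Change /TN $TaskName /RU $ServiceAcc /RP * /RL HIGHEST

# 3. Keep the task disabled until the AD configuration is finished (section 3.3, step 3).
schtasks.exe /Change /TN $TaskName /DISABLE

# 4. Show the result: expect the service account as "Run As User", "Logon Mode: Background only"
#    and "Scheduled Task State: Disabled".
schtasks.exe /Query /TN $TaskName /V /FO LIST |
    Select-String -Pattern 'Run As User|Logon Mode|Scheduled Task State|Task To Run'
```

Two checks before the first scheduled run: the account needs the "Log on as a batch job" user right on the server for a background task to start at all, and if sjactivedirectoryreplication.exe is a 32-bit process on 64-bit Windows, its registry writes are redirected to HKLM\SOFTWARE\Wow6432Node\SCANJOUR\SJAD, so the ACL must be set on that key instead. The guide does not state the bitness; the first interactive run (section 3.2) shows which key gets created.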

3.4 Exit the Wizard-Guided Pre-Configuration

Exit Setup
Perform the following steps to exit the Wizard-guided pre-configuration:
Step 1. In the Welcome to the ScanJour Active Directory Connector Setup window, on the Setup tab, click Exit.
Step 2. In the Exit dialog box, click OK to confirm.

4 Active Directory

AD

Activity overview
Access the part of Active Directory that deals with Users and Computers as described below. This part of Active Directory is your entry point for the following activities:
- Create your organization's hierarchical structure of OUs.
- Create and maintain users.
- Maintain distribution groups and their memberships.
- Create and maintain memberships of security groups (for example, Group Access Codes and Committees).

4.1 Access Active Directory

Open Active Directory
To access AD, click Start > All Programs > Administrative Tools > Active Directory Users and Computers. You now have access to the AD tree:

4.2 Distribution Groups

Distribution groups
The ScanJourCaptiaAdministration entry in the AD tree contains the 11 distribution groups pre-configured by the Wizard of ScanJour Active Directory Connector. These distribution groups, together with the configuration .xml file, are the basis for the alignment between AD and the ScanJour system and for the secure transfer of data. The configuration of the database through ScanJour Configuration Management (Security Codes, Custom Labels, and Contact Types) ensures that the transferred data is received correctly. The folder that contains the distribution groups is shown below:
Note that the ScanJour distribution groups carry no value themselves; they act as carriers through which their memberships convey meaning to the receiving end, that is, WorkZone Content Server.
Example: A user that is a member of distribution group 6 in AD becomes a log-on user and an employee with security level 6 in WorkZone Content Server. The basic edit and delete permissions of the security levels are defined in the Configuration Management program.

5 Creating Organizational Units in AD

OU structure
Organizational Units are essential to the ScanJour Active Directory structure. Your organization's hierarchical structure must be mirrored in the Organizational Units (OUs) of the AD tree. In a standard WorkZone Content Server installation, all units and unit dependencies are maintained in AD. However, some customers have opted for customized installations that draw unit data from sources other than AD, for a number of reasons. Some have opted for a direct integration and maintain the entire hierarchical structure from outside AD, while others just feed a shadow AD structure.
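Because membership of the security-level groups in section 4.2 is what gives a user its security level in WorkZone Content Server, two things are worth auditing before each transfer: that every user is in the group of one of the nine codes, as section 2.1 requires, and who is able to change that membership. The following PowerShell script is an added example, not part of the ScanJour guide or product. The database name tiltest, the prefix ScanJourCaptiatiltest- and the registered top OU Library are assumptions; what the connector does with a user that is in two level groups is not stated in the guide, so such users are reported for manual review rather than given a level here.

```powershell
# Added example, not from the ScanJour guide. Assumptions: database name tiltest, group prefix
# "ScanJourCaptiatiltest-" (the wizard's suggestion plus the separator the guide recommends), and a
# registered top OU "Library". Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Prefix    = 'ScanJourCaptiatiltest-'
$DomainDN  = (Get-ADDomain).DistinguishedName
$AdminOuDN = "OU=ScanJourCaptiaAdministration,$DomainDN"
$TopOuDN   = "OU=Library,$DomainDN"

# 1. Which security-level group(s) is each user in? Nested membership counts, so resolve recursively.
$levelsOf = @{}
foreach ($level in 1..9) {
    $group = Get-ADGroup -Filter "Name -eq '$Prefix$level'" -SearchBase $AdminOuDN
    if (-not $group) { Write-Warning "Level group $Prefix$level not found"; continue }
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $levelsOf.ContainsKey($_.distinguishedName)) { $levelsOf[$_.distinguishedName] = @() }
            $levelsOf[$_.distinguishedName] += $level
        }
}

# 2. Section 2.1: a user must be a member of the group for ONE of the nine codes. A user in several
#    has no defined level in this guide; a user in none is not transferred as a log-on user.
$levelsOf.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
    "AMBIGUOUS LEVEL  $($_.Key)  levels: $($_.Value -join ',')"
}
Get-ADUser -Filter * -SearchBase $TopOuDN -SearchScope Subtree |
    Where-Object { -not $levelsOf.ContainsKey($_.DistinguishedName) } |
    ForEach-Object { "NO LEVEL GROUP   $($_.DistinguishedName)" }

# 3. Membership of these groups decides rights in WorkZone, so write access to their 'member'
#    attribute is effectively a privileged permission. List who holds it: besides Domain Admins,
#    SYSTEM and (by AD default on group objects) Account Operators, nobody should appear.
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute
foreach ($g in Get-ADGroup -Filter "Name -like '$Prefix*'" -SearchBase $AdminOuDN) {
    (Get-Acl -Path "AD:\$($g.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite' -or
                ($_.ActiveDirectoryRights -match 'WriteProperty' -and
                 ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $MemberAttr)))
        } |
        ForEach-Object { "CAN EDIT MEMBERS  $($g.Name): $($_.IdentityReference)" }
}
```

The groups are distribution groups, so they are never used as Windows security principals and rarely get reviewed; the third check treats them like security groups anyway, because that is what they are on the WorkZone side.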

Three common OU situations
Below is a description of the three most common situations regarding Organizational Units:
1. The OUs must be created from scratch. The customer does not have its OUs or users in AD. The OU structure must be designed and each OU created in AD.
2. The OUs need restructuring. The customer has implemented AD and has created OUs and users, but not in a hierarchy, and the OU structure needs to be changed to fit SJ AD. The task is to make sure that all the necessary OUs are arranged in a hierarchy that takes the organization's Unit Access Codes into account, since a user's OU membership determines which Unit Access Codes are available to that user (recursively from sub-OU to main OU).
3. The OUs need not be transferred. The customer has implemented AD and has created OUs but does not want to change their structure to fit SJ AD. The customer can opt for a transfer that excludes OUs but includes users and security groups. To do this, the configuration file must be customized and the user-to-unit relationship must be established in another way. Maintenance of the units register then has to be established through integration with a system where this is feasible. A solution like this may be fragile because of the timing between transfers from two or three different sources.

Prerequisites for the examples
The next steps of this guide are based on situation 1 above: OUs, users, and security groups (Group Access Codes and Committees) need to be implemented.

5.1 Create an Organizational Unit

How to create an OU
Perform the following steps to create an OU in Active Directory.
Step 1. Open Active Directory Users and Computers so that the AD tree is displayed. Right-click the domain name at the top of the tree and click New > Organizational Unit.
Step 2. The New Object - Organizational Unit dialog box appears. In the Name box, enter the full name of the OU, for example, Library. Create the OU at the top of your organization first, for example, <name of the top of your organization>, with each sub-entry inside the top OU. In this example, Library is the top one; Circulation, Reading Room, and Administration are child OUs of Library. Click OK to commit the entry.

Right-click the created OU and click Properties.
Step 3. The Library Properties dialog box appears. In the Description text box, enter the library's abbreviation, for example, LIBR. Click OK. The abbreviation is the library's Name Code and part of its ID in the Units Register in WorkZone Content Server.
Important: Some restrictions regarding characters and length apply. For more information, see section 12.1 Organizational Unit Name Restrictions. For details about the transfer of additional information from OUs, see section 10.2 Field Data Concerning OUs.
Step 4. Create the additional OUs of your organization's hierarchy one by one: right-click <name of the top of your organization>, for example, Library, select New > Organizational Unit, and perform steps 2 and 3 again.

5.2 Register OUs in ScanJour Active Directory Connector

Configuration of OUs
To perform the transfer and alignment of OU data, SJADConnector needs the OUs that belong to ScanJour's AD to be registered. If an OU is not registered, the configuration file will not work correctly.

Register OUs in SJADConnector
Step 1. Start SJADConnector.
Step 2. The SJ Active Directory Connector window appears. Click Edit.
Step 3. The Active Directory Connector Configuration window appears. In the Domain server section, click Edit.
Step 4. The Domain Server dialog box appears. In the Units section, click Add.
Step 5. The Unit dialog box is displayed. In the Full name drop-down list, select the OU at the top of your OU hierarchy, for example, Library. If two or more OUs have the same full name, they are distinguished by their distinguished name (DN) in the dialog box. For instance, two organizational units in different departments are both called SEC (Secretariat). In AD they are displayed like this:
SEC <DN : OU=SEC,OU=DEP1,DC=udvad,DC=local>
SEC <DN : OU=SEC,OU=DEP2,DC=udvad,DC=local>
(SEC is the name and the following string is the distinguished name.) Select the Recursive check box. The child OUs of the selected OU will then be transferred as well.

19 Register OUs in SJADConnector Step Action Note: By enabling recursive, this becomes a onetime setup, because now all your future sub-ous are instantly known to the SJADConnector. Click OK. 6 The Domain Server dialog box appears. Click OK to exit. 7 In the Configuration file section of the Active Directory Connector Configuration window, click Save to commit you recent changes to the configuration file. Click Exit. 8 The SJ Active Directory Connector window appears. Click Exit to finish. ConfigGuide_WorkZoneContentServerActiveDirectory Page 19 of 50

6 Create users in Active Directory

Create a user
You create each user in the OU that corresponds to their executive unit in WorkZone Content Server.
Note: Even though you may already have users in your AD, they must be located in the users' organizational OU and not in a separate user catalog. Move your users to the OU where they belong to comply with the ScanJour default configuration.

Step Action
1 Access Active Directory Users and Computers; the AD tree is displayed. Right-click the OU to which you want to add the user. In the context menu, select New > User.
2 The New Object - User dialog box is displayed. Specify the following required values:
First name
Last name
User logon name
The following values are filled in automatically:
Full name
User logon name (pre-Windows 2000)
Click Next.
Note: Some restrictions regarding characters and length apply, as well as User logon name (pre-Windows 2000) restrictions. See section 12.2 User Name Restrictions.
3 Specify the following values:
Password
Confirm password
Enable the required set of password rules, taking into consideration the Group Policy of your company. Click Next.
Information: Group Policy is a feature of the Microsoft Windows NT family of operating systems. It provides centralized management and configuration of computers and remote users in an Active Directory environment. That is, it manages user rights in a computer network, for example, with regard to password security.
Click Next. Click Finish to create the user.
4 Right-click the user you have just created and select Properties.
5 In the <user name> Properties dialog box, on the General tab, the following text boxes can be filled in or edited in a default configuration; (✓) indicates that the text box is already filled in but may be edited:
First name (✓)
Last name (✓)
Description
Telephone number
Click the Address tab.
6 On the Address tab, the following text boxes can be filled in or edited in a default configuration; (✓) indicates that the text box is already filled in but may be edited:
Street
Zip/postal code
Country/Region
7 To complete creating the user, add the user to a ScanJour distribution group. For more information, see section 7 Distribution Group Membership Essential to User Transfer.

7 Distribution Group Membership Essential to User Transfer

User security code membership
If you transfer data from AD to ScanJour as defined in the previous sections, only the registered OUs are transferred. To transfer the users and their user details, you must include them in one of the 9 distribution groups, which secure the alignment with the corresponding security level:
ScanJourCaptia<database name>-<security code>
Note: The distribution groups can be found in the AD tree under the entry ScanjourAdministration. See section 4.2 Distribution Groups for more details.

Step Action
1 The AD tree contains the users that you have created. Right-click the user and select Properties.
2 In the <user name> Properties dialog box, click the Member Of tab. Click Add.
3 The Select Groups dialog box appears. In the Enter the object names to select field, start typing the name of the distribution group in which you want to include the user and click Check Names.
4 The Multiple Names Found dialog box is displayed. Select the distribution group. Click OK.
5 Click OK in the following dialog boxes to verify the user's membership.

7.1 Users become log-on users and employees in WorkZone Content Server

Transferred AD user
When data is transferred from AD to ScanJour, users become:
Log-on users in WorkZone Content Server's user register. In a default configuration, the user logon name (pre-Windows 2000) is transferred to User Name in WorkZone Content Server and is equal to the user's ID.
Employees in WorkZone Content Server's Employee register, and can be used in user interface list boxes such as Case handler.

7.2 Create or copy users

Copy or create a new user
The other way of creating a user is to copy a model user. This way there is a good chance that the model user already has the necessary distribution group memberships, for example, security code 6, and the required Access Codes. You can change the user's default settings as required.

7.3 Discontinue users

Dealing with User Access Codes after AD Connector transfer
Before discontinuing a user in AD, it is essential to investigate whether the user has been using User Access Codes. If the user has applied User Access Codes to cases, documents or addressees, you have two options:
1. You can manually change the Access Codes on the objects in question from the user interface in WorkZone Content Server before discontinuing the user.
2. You can let the Administrator take care of it in the Configuration Management program, in the module Lost and Found. The administrator needs to be a member of the System Access Code IADM to deal with objects that no one can see in the user interface any longer; refer to Configuration_Management_Online_Help-.chm, topic Lost and Found, for further information.
When the user has been discontinued in AD and a transfer has taken place (either manually or as a scheduled task), be aware of the following:
Discontinued users remain in WorkZone Content Server's User register but without any permissions. The user's security code is now 0, which equates to no access to the database.
Discontinued users continue to be employees in ScanJour's Employee Register and are therefore still owners of terminated cases or archived documents.
Discontinued users' User Access Codes have been terminated.

7.4 Change a user's Organizational Unit

Dealing with change of OU
When a user is moved from one OU to another in the AD tree, it only affects the Unit Access Codes of the moved user. However, you should be aware of the following:
A changed OU will affect all cases, documents, and addressees where the user has applied Unit Access Codes. These can no longer be viewed by the Case handler, only by members of the former case handler's Responsible Unit.
The objects will not appear in Lost and Found, for the simple reason that the rest of the members of the unit in question can still view them.
All the objects of the moved user will need to have the Responsible Unit text box updated: either manually per object or multi-edited by a user with the System Access Code MULTIEDIT.

8 Distribution Groups: Groups and Committees

The purpose of Groups and Committees
The purpose is to be able to unite users across the organization with regard to the following:
Shared Group Access Codes regardless of Organizational unit: an AD Group (Global Security Group) which is a member of the distribution group ScanJourCaptia<database name>groups.
Shared Committees: an AD Group (Global Security Group) which is a member of the distribution group ScanJourCaptia<database name>committees.
An AD Group can be a member of both distribution groups if the context makes sense; for example, a Committee called Agenda may be a Group Access Code to protect the work of the Committee Agenda. However, when you organize your AD tree, ScanJour recommends that you consider creating two individual OUs under the domain that the ScanJour AD Groups are part of, to separate them from other AD Groups in your general AD tree:
1. One that contains Group Access Codes, for example, named SJ Access Codes
2. One that contains Committees, for example, SJ Committees

System Access Codes and Corporate Access Codes
Some AD Groups are mandatory, such as the System Access Codes that are automatically generated by a script when the ScanJour system is initialized. In section 14 System Access Codes you can find a list of these mandatory Access Codes. If your organization has opted for a Corporate Solution employing Corporate Access Codes, see section 18 Corporate Access Code for details.

8.1 Create Group Access Codes

Group Access Codes
In the following steps of this guide it is presupposed that the above-mentioned organization of your SJ AD tree has been implemented.
Note: If you still need to create your SJ Access Codes OU, see section 5.1 Create an Organizational Unit, steps 1 and 2, for more details.

Create a Group Access Code
Perform the following steps:

Step Action
1 Access Active Directory Users and Computers; the AD tree is displayed. Right-click the OU in which you wish to organize your Group Access Codes (for example, SJ Access Codes in the AD tree) and select New > Group.
2 The New Object - Group dialog box is displayed. In the Group name text box, enter the name of the Group, for example, CONFIDE1.
Note: Your entry is not case-sensitive but must be within the length specified in Configuration Management, max 30 characters. Other important restrictions regarding characters apply. For more information, see section 12.3 Group Name Restrictions.
The pre-Windows 2000 text box is automatically filled in. Leave Group scope and Group type as they are. Click OK.
3 Right-click the Group you just created, for example, CONFIDE1, and select Properties.
4 In the <group name> Properties dialog box, on the General tab, click Add.
Important: Leave the Description text box blank!
5 Click the Members tab. Click Add.

Step Action
6 You can add both individual users and groups (of users), that is, Group Access Codes, as members; see Group Access Code member of Group Access Code below this step guide.
In the Select Users, Contacts or Computers dialog box, start typing the name of the user or users you wish to make members. Click Check Names:
If there is only one match, the name appears directly in the Enter the object names to select text box area.
If there are multiple matches, the Multiple Names dialog box is shown. In the Multiple Names dialog box you can:
Select the name you were looking for
Hold the Ctrl key while you select more than one name
Click OK.
Tip: Alternatively, if you know from the start that you are looking for several users, you can separate entries with semicolons, for example, hen;pel;elp.
7 After the name (or all the names you selected in step 6) appears in the Select Users, Contacts or Computers dialog box in the Enter the object names to select text box area, click OK.
8 In the <group name> Properties dialog box, the added members are listed. Click OK to verify.

Group Access Code member of Group Access Code
You can add groups (of users), that is, Group Access Codes, as members of Group Access Codes. In this way, you can make a whole batch of users members of a Group Access Code at the same time.
Example: You have a Group Access Code, for instance, Confide1, that you wish to populate. First you add an individual user, User A. Then you wish to add batches of users. To do this, you add the Group Access Codes Confide2 and Confide7; in this way you add all the members of Confide2 and Confide7 at the same time. Group Access Code Confide5 is already a member of Confide2; therefore, the members of Confide5 are also members of Confide1. See the diagram below.

8.2 Prepare the Group Access Code for Transfer

Group Access Code Groups membership
If you transferred data from AD to ScanJour at this point, your Group Access Code CONFIDE1 would not be transferred. It would just be another Global Security group in your general AD tree. To complete creating the Group Access Code, it must become a member of the distribution group:
ScanJourCaptia<database name>-<groups>
This is the tag that makes it recognizable to the configuration file and is an important prerequisite.

Step Action
1 Access Active Directory Users and Computers; the AD tree is displayed. Click the OU ScanJourCaptiaAdministration to open it. Right-click the ScanJourCaptia<database name>-<groups> distribution group and select Properties.
2 In the <database name>-<groups> dialog box, click the Members tab. Click Add. Enter the Group Access Code name, for example, CONFIDE1 (or part of it). Click Check Names. Select the group. Click OK.
3 Click OK in the following dialog boxes to verify the membership.

After AD Connector transfer
When the next transfer has been performed (either manually or as a scheduled task), the Group Access Code, for example, CONFIDE1, has been added to the profiles of its members in WorkZone Content Server. The added Group Access Code now allows its members to:
Apply this access code to entities.
Access entities protected by this access code.

8.3 Create a Committee

Committee
In the following section of this guide, it is presupposed that the above-mentioned organization of your SJ AD tree has been implemented. If you still need to create your SJ Committee OU, see section 5.1 Create an Organizational Unit, steps 1 and 2.

Create a Committee
Perform the following steps:

Step Action
1 Access Active Directory Users and Computers; the AD tree is displayed. Right-click the OU in which you wish to organize your Group Access Codes used as committees, for example, SJ Committee, in the AD tree (left side). In the context menu, select New > Group.
2 The New Object - Group dialog box is displayed. In the Group name text box, enter the name of the Group, for example, AGENDA.
Note: Your entry isn't case-sensitive but must be within the length specified in Configuration Management, a maximum of 30 characters. Other important restrictions regarding characters apply. See section 12.4 Committee Name Restrictions.
The pre-Windows 2000 text box is automatically filled in. Leave Group scope and Group type as they are. Click OK.
3 Right-click the group you just created, for example, AGENDA, and select Properties.
4 In the <group name> Properties dialog box, on the General tab, click Add.
Important: Leave the Description text box blank.
5 Click the Members tab. Click Add.
6 In the Select Users, Contacts or Computers dialog box, enter part of the name of the user or users you wish to make members. Click Check Names:
If there is only one match, the name appears directly in the Enter the object names to select text box area.
If there are multiple matches, the Multiple Names dialog box is displayed. In the Multiple Names dialog box you can:
Select the name you were looking for
Hold the Ctrl key while you select more than one name
Click OK.
Tip: Alternatively, if you know from the start that you are looking for several users, you can separate entries with semicolons, for example, hen;pel;elp.
7 After the name (or all the names you selected in step 6) appears in the Select Users, Contacts or Computers dialog box in the Enter the object names to select text box area, click OK.
8 The <group name> Properties dialog box with the added members is displayed. Click OK to verify.

8.4 Prepare the Committee for Transfer

Group Access Code Groups membership
If you transferred data from AD to ScanJour at this point, the Committee AGENDA would not be transferred. It would just be another Global Security group in your general AD tree. To complete creating the Group Access Code for the Committee, it must become a member of the distribution group:
ScanJourCaptia<database name>-<committees>
This is the tag that makes it recognizable to the configuration file.

Step Action
1 Access Active Directory Users and Computers; the AD tree is displayed. Click the OU ScanJourCaptiaAdministration to open it in the right pane. Right-click the distribution group ScanJourCaptia<database name>-<committees> and choose Properties.
2 In the <database name>-<committees> dialog box, click the Members tab. Click Add. Enter the Committee name, for example, AGENDA, and click Check Names. Click OK.
3 Click OK in the following dialog boxes to verify the membership.

After AD Connector transfer
When the next transfer has taken place (either manually or as a scheduled task), two things happen:
The committee, for example, AGENDA, has been created in the ScanJour Addressee Register under the Contact Type U and the Addressee Code, for example, AGENDA.
Members of the Committee, for example, AGENDA, have been added as Contact References to a Contact group named AGENDA in WorkZone Content Server.

9 When You Have Finished All Configurations

Manual trial transfer
After you have configured your SJ AD and system according to the prior steps of this guide, you must initialize a trial transfer. The SJ Active Directory Connector window is shown; click Display Only in order to catch errors in the setup in AD (mind you, not errors dependent on actual data in the database).

9.1 Initialize Transfer of Data

Transfer from AD to WorkZone Content Server
When you have corrected any errors that the trial caught, you are ready to transfer for real. When you click the Transfer button in SJADConnector, data is transferred from AD to the WorkZone Content Server database according to the alignment described in the configuration file.

9.2 Re-enable the Scheduled Transfer Task

Enable task
After the transfer has been completed successfully, you must re-enable the Scheduled Transfer Task. See section 3.3 Create a scheduled task transfer, steps 3-4, in reverse. This task will now handle the alignment of data changes and new creations between AD and WorkZone Content Server.

10 Field to Field Transfer between AD and SJ

Default configuration
This chapter of the guide describes the default configuration with regard to transfers from AD fields to fields in WorkZone Content Server. Changes to the default configuration may only be made in collaboration with, or with the knowledge of, your software provider, for example, ScanJour A/S.
Customer-specific changes, additions or removals of data, to cater for the customer's organization or AD setup, are done in the configuration file:
SJADConfiguration<database name>.xml
In the tables below you can see where changes can be made: in the rows without a check mark (✓) in the Mandatory dependency column. Furthermore, the tables show you how the transfer of information is mapped (or aligned) field by field. However, note the following exclusions:
The fields automatically transferred via SOM, for example, the field Registered by in the Addressee Register.
The tables created for the internal audit of the transfer itself.
Any relations to Access Codes.

Field to field mapping
The field to field information mapping in the default configuration between AD and the ScanJour database is marked in the columns Mandatory value and Mandatory dependency.
If the Mandatory value column is checked (✓) in a row, for example, user logon name, this means that the value is mandatory in AD and will be transferred. If the value is missing, the data can't be aligned.
If the Mandatory dependency column is checked (✓) in a row, for example, user logon name, this means that the data will always be filled in according to the equivalent AD field or, in the case of a note, according to the convention specified in the note, for example, (7).
Transferred field information from AD to WorkZone Content Server that becomes a Name Code will always be transferred capitalized, for example, ELP.

10.1 Field Data Concerning Users

User table
Field information regarding users:

Name in AD GUI | ADSI name | WorkZone Content Server register | WorkZone Content Server field | Mandatory value | Mandatory dependency
User logon name (pre-Windows 2000) | samaccountname | employee | name_code (7) | ✓ | ✓
User logon name (pre-Windows 2000) | samaccountname | employee | name:name_code (7) | ✓ | ✓
First name | givenname | employee | name:name1 | |
Last name | sn | employee | name:name2 | |
Telephone number | telephonenumber | employee | address:phone_no (address_type=HA) | |
Street | streetaddress | employee | address:address1 (address_type=HA) | |
Zip/postal code | postalcode | employee | address:postcode (address_type=HA) | |
Country/region | c | employee | address:country_code (address_type=HA) | |
E-mail | mail | employee | address: (address_type=HA) | |
Description | description | employee | text | |
| | employee | location_code (1) | |
| | employee | resigned (2) | |
| | employee | name:end_date (2) | |
User logon name (pre-Windows 2000) | samaccountname | users | user_name (7) | ✓ | ✓
| objectsid | users | sid (8) | |
| | users | ntauthentication (3) | |
| | users | ntname (4) | |
| | users | authority (5) | |
| | users | bem (6) | |

Notes:
(1) Is filled in as the name_code of the OU containing the user. May be overridden by a customer AD field.
(2) Is only filled in if the employee is no longer transferred from AD. Left blank if the employee is transferred again at a later date.
(3) Is filled in with the default value J.
(4) Is filled in as <domain name>\<samaccountname>.
(5) Is filled in as the Name Code of the OU containing the superior-level OU in the OU register if it has the value MYNDIGHE; otherwise it is left blank.
(6) Is filled in as user_name name:name1 name:name2.
(7) All these fields will be filled in with the same value. The value either comes from samaccountname or from an alternatively specified field. If an alternative field is specified, the <SJName> tag must mention the field name user_name. For example, if using the description field in AD for the name_code, the following piece of XML should be added:
<userfield>
  <ADName>description</ADName>
  <SJName>user_name</SJName>
  <mandatory>true</mandatory>
</userfield>
(8) This field is selected in the default configuration, and ScanJour recommends that you do not change it. If, however, it is for some reason necessary to read the users' SIDs from a different field, it may be configured in the configuration XML file under the tag <usersidadfieldname> in the <configuration> section. In such situations ScanJour recommends using the securityidentifier field, as it has the appropriate format and is not used by Microsoft.

10.2 Field Data Concerning OUs

OU table
Field information regarding OUs is listed below:

Name in AD GUI | ADSI name | WorkZone Content Server register | WorkZone Content Server field | Mandatory value | Mandatory dependency
Description | description (1) | OU | name_code | |
Description | description (1) | OU | name:name_code | |
OU's name | ou | OU | name:name1 | |
| | OU | parent_ou (2) | |
| | OU | end_date (3) | |

Notes:
(1) This field is selected in the default configuration; however, it is possible to change it in the Active Directory Connector Configuration window, in the Organizational unit AD field to use as identifier text box.
Note: You can specify each OU's Name Code explicitly.
(2) Is filled in as the Name Code of the immediate superior (the parent) OU in AD, if this is being transferred. Otherwise it remains blank.
(3) Is only filled in if the OU is no longer transferred from AD. Left blank if the OU is transferred again at a later date.

10.3 Field Data Concerning the Distribution Group Groups

Groups
Global security groups that are members of the Groups distribution group are only transferred into Group Access Codes if at least one user is a member of the Global security group in question.

10.4 Field Data Concerning the Distribution Group Committees

Committees = committee
Field information regarding Committees is listed below:

Name in AD GUI | ADSI name | ScanJour Captia register | ScanJour Captia field | Mandatory value | Mandatory dependency
Group name (pre-Windows 2000) | samaccountname | contact | name_code | x | x
Group name (pre-Windows 2000) | samaccountname | contact | name1 | x |
| | contact | end_date | x | x (1)

Notes:
(1) Is only filled in if the committee is no longer transferred from AD. Left blank if the committee is transferred again at a later date.
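The default user mapping of section 10.1, including the <userfield> override from note (7) and the <usersidadfieldname> setting from note (8), as an added Python example that is not ScanJour's connector code; the sample AD record, the domain name udvad and the placement of the two configuration elements directly under <configuration> are assumptions of the example:

```python
"""Section 10.1 default mapping of an AD user to the WorkZone Content Server
employee and users registers, written here as an added illustration. It is
not ScanJour's SJADConnector code.

Input is a constructed dict of ADSI attribute values for one user, the Name
Code of the OU that contains the user, the domain name and, optionally, a
fragment of SJADConfiguration<database name>.xml. Where the <userfield> and
<usersidadfieldname> elements sit inside the real file is an assumption.
"""
import xml.etree.ElementTree as ET

# Section 10.1 rows that are plain copies: ADSI name -> employee field.
# The e-mail row is left out because its target field is not legible in
# the guide as reproduced here.
EMPLOYEE_COPY_FIELDS = {
    "givenname": "name:name1",
    "sn": "name:name2",
    "telephonenumber": "address:phone_no(address_type=HA)",
    "streetaddress": "address:address1(address_type=HA)",
    "postalcode": "address:postcode(address_type=HA)",
    "c": "address:country_code(address_type=HA)",
    "description": "text",
}


def parse_config(config_xml):
    """Return (name_code_attr, sid_attr) from a <configuration> fragment.

    Note (7): a <userfield> whose <SJName> is user_name replaces
    samaccountname as the source of the Name Code.
    Note (8): <usersidadfieldname> replaces objectsid as the SID source.
    """
    root = ET.fromstring(config_xml.strip())
    name_code_attr = "samaccountname"
    for userfield in root.iter("userfield"):
        if (userfield.findtext("SJName") or "").strip() == "user_name":
            name_code_attr = (userfield.findtext("ADName") or "").strip().lower()
    sid_attr = (root.findtext("usersidadfieldname") or "objectsid").strip().lower()
    return name_code_attr, sid_attr


def map_user(ad_user, ou_name_code, domain, config_xml="<configuration/>"):
    """Return (employee_row, users_row) for one AD user record.

    ADSI attribute names are matched case-insensitively, as ADSI does.
    """
    ad = {key.lower(): value for key, value in ad_user.items()}
    name_code_attr, sid_attr = parse_config(config_xml)

    # samaccountname is a mandatory value; so is whichever attribute has
    # been chosen to supply the Name Code. Without it the record cannot be
    # aligned, so the transfer of this user is refused.
    for attr in ("samaccountname", name_code_attr):
        if not ad.get(attr):
            raise ValueError(f"mandatory AD value {attr!r} is missing")

    # A value that becomes a Name Code is always transferred capitalized.
    name_code = ad[name_code_attr].upper()

    employee = {
        "name_code": name_code,            # note (7)
        "name:name_code": name_code,       # note (7)
        "location_code": ou_name_code,     # note (1): Name Code of the OU
    }
    for attr, field in EMPLOYEE_COPY_FIELDS.items():
        if ad.get(attr):
            employee[field] = ad[attr]

    users = {
        "user_name": name_code,                          # note (7)
        "sid": ad.get(sid_attr),                         # note (8)
        "ntauthentication": "J",                         # note (3)
        "ntname": f"{domain}\\{ad['samaccountname']}",   # note (4)
        # note (6): user_name, first name and last name, space separated
        "bem": " ".join(
            part for part in (name_code, ad.get("givenname"), ad.get("sn"))
            if part
        ),
    }
    return employee, users


# Constructed sample record; the SID values are placeholders, not real ones.
SAMPLE_USER = {
    "sAMAccountName": "elp",
    "givenName": "Else",
    "sn": "Pedersen",
    "description": "elp-nc",
    "telephoneNumber": "+45 00 00 00 00",
    "postalCode": "2100",
    "c": "DK",
    "objectSid": "S-1-5-21-PLACEHOLDER-1001",
    "securityIdentifier": "SID-FROM-ALTERNATIVE-FIELD",
}

# Constructed fragment using both overrides described in notes (7) and (8).
OVERRIDE_CONFIG = """
<configuration>
  <usersidadfieldname>securityidentifier</usersidadfieldname>
  <userfield>
    <ADName>description</ADName>
    <SJName>user_name</SJName>
    <mandatory>true</mandatory>
  </userfield>
</configuration>
"""

if __name__ == "__main__":
    for cfg in ("<configuration/>", OVERRIDE_CONFIG):
        employee_row, users_row = map_user(SAMPLE_USER, "LIBR", "udvad", cfg)
        print(employee_row)
        print(users_row)
```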

11 ADSI Field Names

Making changes to the configuration file
This chapter of the guide is aimed at the technician of the software provider who is in charge of the customization of the configuration file:
SJADConfiguration<database name>.xml
In the tables below you can see the ADSI equivalents of the AD field names.

11.1 ADSI Field Names for OUs

ADSI field names for OUs
The table below shows the ADSI equivalent of the AD field names for OUs:

AD Field name | ADSI Field name
Name | ou
Description | description
Street | street
City | l (lowercase L)
State/province | st
Zip/postal Code | postalcode
Country/region | c

11.2 ADSI Field Names for the Distribution Group Groups

ADSI names for Groups
The table below shows the ADSI equivalent of the AD field names for Groups:

AD Field name | ADSI Field name
Name | name
Description | description
E-mail | mail
Notes | info

11.3 ADSI Field Names for Users

ADSI names for users
The table below shows the ADSI equivalent of the AD field names for Users:

AD Field name | ADSI Field name
General tab
First name | givenname
Initials | initials
Last name | sn
Description | description
Office | physicaldeliveryofficename
Telephone number | telephonenumber
E-mail | mail
Web page | WWWHomePage
Address tab
Street | streetaddress
P.O. Box | postofficebox
City | l (lowercase L)
State/province | st
Zip/Postal Code | postalcode
Country/region | c
Telephones tab
Home | homephone
Pager | pager
Mobile | mobile
Fax | facsimiletelephonenumber
IP Phone | ipphone
Organization tab
Title | title
Department | department
Company | company

12 Character Restrictions

Character restrictions
Some character restrictions apply to OUs, User Names, Global security groups and Global distribution groups.
Note: In general, ScanJour strongly discourages the use of any characters, symbols or digits other than the ones mentioned below. If you ignore this, it can have serious consequences for the success of your transfer.

12.1 Organizational Un Name Restrictions

Allowed characters in the name_code for organizational units
The following restrictions apply to the name_code (with the standard configuration this is the value in the Description field):
1. Maximum length is 30 characters. However, it must not exceed the length of Address Type A's Address Code as configured in Configuration Management; see section 2.2 Configuration of Contact Types.
2. The only allowed characters are:
a. Letters (including Æ, Ø and Å)
b. Digits
c. The following special characters: Period (.), Underscore (_), Dash (-)

12.2 User Name Restrictions

User names in WorkZone Content Server
The following restrictions apply to the user logon name for WorkZone Content Server:
1. The User Name in the User logon name (pre-Windows 2000) text box in AD has a maximum length of 20 characters. This is an AD restriction. WorkZone Content Server allows up to 30 characters. You can utilize this by opting for an alternative field for the transfer of the Name Code/User Code.
2. The User Name in the User logon name (pre-Windows 2000) text box must not exceed the length of Address Type M's Address Code as configured in Configuration Management; see section 2.2 Configuration of Contact Types.
3. The only allowed characters are:
a. Letters (including Æ, Ø and Å)
b. Digits
c. The following special characters: Period (.), Underscore (_), Dash (-)
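The name rules of sections 12.1 and 12.2, together with the <stripprefix>/<strippostfix> handling that section 13 Name Code Stripping describes for names that exceed the 20-character logon limit or carry an unwanted AD prefix, as an added Python example that is not ScanJour's connector code; the Address Code lengths are passed in as parameters, and rejecting a rule that would leave a Name Code empty is an assumption of the example:

```python
"""Name Code checks from sections 12.1 and 12.2 and the <stripprefix> /
<strippostfix> stripping of section 13, re-created here as an added example.
This is not ScanJour's connector code.

Assumptions: the Address Code lengths from Configuration Management are
passed in by the caller, and a prefix or postfix that would leave an empty
Name Code is rejected (the guide does not say what the connector does then).
"""
import re
import xml.etree.ElementTree as ET

# Letters (Æ, Ø and Å included), digits, period, underscore and dash.
_ALLOWED_NAME = re.compile(r"^[A-Za-zÆØÅæøå0-9._-]+$")

AD_LOGON_NAME_LIMIT = 20    # AD limit for User logon name (pre-Windows 2000)
WORKZONE_NAME_CODE_LIMIT = 30

STRIP_KINDS = ("user", "unit", "group", "committee")


def check_name_code(value, address_code_length, max_length=WORKZONE_NAME_CODE_LIMIT):
    """Return the list of rule violations; an empty list means acceptable.

    Section 12.1 (OU name_code against Address Type A) uses the 30 limit;
    section 12.2 (user logon name against Address Type M) passes 20.
    """
    if not value:
        return ["empty"]
    problems = []
    if len(value) > max_length:
        problems.append(f"longer than {max_length} characters")
    if len(value) > address_code_length:
        problems.append(f"longer than the Address Code length ({address_code_length})")
    if not _ALLOWED_NAME.match(value):
        bad = "".join(sorted({c for c in value if not _ALLOWED_NAME.match(c)}))
        problems.append(f"characters not allowed: {bad!r}")
    return problems


def load_strip_rules(domain_xml):
    """Read the <stripprefix>/<strippostfix> children of one <domain> element.

    Returns {kind: (prefix, postfix)}. A missing kind attribute means user,
    at most one prefix and one postfix may be given per kind, and the text
    must be in capital letters because it is matched against Name Codes.
    """
    domain = ET.fromstring(domain_xml.strip())
    if domain.tag != "domain":
        raise ValueError("stripping elements must sit under <domain>")
    rules = {kind: ["", ""] for kind in STRIP_KINDS}
    for elem in domain:
        if elem.tag not in ("stripprefix", "strippostfix"):
            continue
        kind = elem.get("kind", "user")
        if kind not in STRIP_KINDS:
            raise ValueError(f"unknown kind attribute {kind!r}")
        text = (elem.text or "").strip()
        if not text or text != text.upper():
            raise ValueError(f"<{elem.tag}> must be non-empty capital letters")
        slot = 0 if elem.tag == "stripprefix" else 1
        if rules[kind][slot]:
            raise ValueError(f"only one <{elem.tag}> is allowed for kind={kind}")
        rules[kind][slot] = text
    return {kind: tuple(parts) for kind, parts in rules.items()}


def strip_name_code(ad_code, rules, kind="user"):
    """Apply the prefix and postfix rule for one kind to one AD Name Code."""
    prefix, postfix = rules[kind]
    sj_code = ad_code
    if prefix and sj_code.startswith(prefix):
        sj_code = sj_code[len(prefix):]
    if postfix and sj_code.endswith(postfix):
        sj_code = sj_code[:-len(postfix)]
    if not sj_code:
        raise ValueError(f"stripping would leave {ad_code!r} empty")
    return sj_code


# The three examples of section 13 as <domain> fragments (constructed here).
EXAMPLE_1 = "<domain><stripprefix>T-</stripprefix></domain>"
EXAMPLE_2 = """<domain>
  <stripprefix kind="user">T-</stripprefix>
  <strippostfix>O</strippostfix>
</domain>"""
EXAMPLE_3 = """<domain>
  <stripprefix kind="unit">OU-</stripprefix>
  <strippostfix kind="unit">-Z</strippostfix>
</domain>"""

if __name__ == "__main__":
    print(check_name_code("LIBR", address_code_length=30))
    print(check_name_code("reading room", address_code_length=20,
                          max_length=AD_LOGON_NAME_LIMIT))
    unit_rules = load_strip_rules(EXAMPLE_3)
    for code in ("OU-DEP1", "OUDEP2-Z"):
        print(code, "->", strip_name_code(code, unit_rules, "unit"))
```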

12.3 Group Name Restrictions

Allowed characters in Group names in AD
The following restrictions apply to the AD field Group name (pre-Windows 2000) in Global Security groups used for Group Access Codes:
1. All letters are converted to uppercase when transferred.
2. A maximum of 30 characters are converted; additional characters are cut off.
3. The only letters and digits allowed are: A to Z, 0 through 9.
4. The only special characters allowed are: Underscore (_), Dash (-).
5. The characters Æ, Ø and Å are converted as shown below:
Æ = AE
Ø = OE
Å = AA
Important: Æ, Ø and Å are treated as two characters.
6. All special characters other than the above will be removed.
7. Spaces are converted into dashes (-).

12.4 Committee Name Restrictions

Allowed characters in Committees
The following restrictions apply to the AD field Group name (pre-Windows 2000):
1. Maximum length is 30 characters. However, it must not exceed the length of Address Type U's Address Code as configured in Configuration Management (or any alternative Address Types generated); see section 2.2 Configuration of Contact Types.
2. The only allowed characters are:
a. Letters (including Æ, Ø and Å)
b. Digits
c. The following special characters: Period (.), Underscore (_), Dash (-)

13 Name Code Stripping

Default handling of Name Codes
If your User Name (Name Code) exceeds 20 characters or carries AD prefixes you do not want to transfer, stripping the name before transferring from AD is an option. Normally the Name Code in WorkZone Content Server's database is transferred as follows:
Users: <pre-Windows 2000 logon> name.
Units: <pre-Windows 2000 logon> name or other AD field (default = description), or alternatively a custom integration explicitly amended in the configuration file.
Groups: <pre-Windows 2000 logon> name.
Committees: <pre-Windows 2000 logon> name.

Stripping XML elements
The Name Code instances mentioned above can be manipulated in the manner described below before they are stored in ScanJour's database. It is possible to strip a defined leading and/or trailing part of the string of data from AD. This is done by using one of the following XML elements in the configuration file:
SJADConfiguration<database name>.xml
The elements are:
leading: <stripprefix>
trailing: <strippostfix>
The XML element must be entered as a sub-element of the <domain> element, in order to allow different Name Code stripping for alternate domains. Only Name Codes containing the defined part of the string are stripped; all others are left unchanged. Only one prefix and one postfix can be stripped for each kind.

The attribute kind
Both elements have a non-mandatory attribute, kind. The attribute's legal values are:
user: User Codes will be stripped.
unit: Unit Codes (OUs in AD) will be stripped.
group: Group Access Codes will be stripped.
committee: Committee codes will be stripped.
Note: Omitting the attribute is interpreted as kind="user".
The part of the string you wish to strip should always be written in CAPITAL LETTERS, since Name Codes are capitalized.

13.1 Examples of Stripping

Example 1
<stripprefix>T-</stripprefix>
This stripping string will result in all User Codes from the relevant domain beginning with T- being stripped of it; all others will be left as they are:
AD Code | SJ Code
T-VIGGO | VIGGO
HUGO | HUGO

Example 2
<stripprefix kind="user">T-</stripprefix>
<strippostfix>O</strippostfix>
This stripping string will result in all User Codes from the relevant domain beginning with T- and ending in O being stripped of these, if they meet the criteria.

38 AD Code T-VIGGO HUGO SJ Code VIGG HUG Example 3 <stripprefix kind= unit >OU-</stripPrefix> <strippostfix kind= unit >Z-</stripPostfix> This stripping string will result in all OU codes from the relevant domain beginning with OU- and ending in -Z will be stripped of these if they meet the criteria. AD Code OU-DEP1 OUDEP2-Z SJ Code DEP1 OUDEPD2 14 System Access Codes System Access Codes The following groups of System Access Codes (subsections 14.1 WorkZone Content Server System Access Codes and 14.2 ScanJour Configuration Management System Access Codes) are mandatory. Usually they are scripted, but if they are not in you AD, they must be created manually. The three extraordinary System Access Codes (subsection 14.3 Extraordinary System Access Codes) are not mandatory but an option. These cannot be created in AD but must be executed by SQL. System Access Codes provide its members extended rights and access to the system through the interface of the system or module they refer to WorkZone Content Server System Access Codes WorkZone Content Server System Access Codes In the table below you have an overview of the System Access Codes available with regard to WorkZone Content Server System Access Codes ALLEEMNER CONFIGADM DEJOURNALADM Corporate Access Code. Comments If the Corporate configuration is chosen, then the Access Code field of cases and documents must never be left blank. Therefore, all these objects of the system that should be visible to all users must have the Access Code ALLEEMNER. This is a System Access Code that all users of the Corporate configuration must be members of. Members of CONFIGADM have the rights to distribute menu and list configurations. Members of DEJOURNALDM have the rights to dejournalize (to make a traceable move of ConfigGuide_WorkZoneContentServerActiveDirectory Page 38 of 50

misplaced) archived documents from one case to another.

  LISTCONF             Members of LISTCONF have rights to edit lists in their own profile.

  MENUCONF             Members of MENUCONF have the rights to edit menus.

  MULTIEDIT            Members of MULTIEDIT have rights to batch edit from lists.

  RAPDEF               Members of RAPDEF have rights to create Crystal Report definitions in WorkZone Content Server.

  RECORD_ACCESS        Externally used System Access Code, for example by a CMS. Members of RECORD_ACCESS have rights to handle a citizen's request for access from a third-party system. The system user of the third-party system is the member.

  UNLOCKADM            Members of UNLOCKADM have rights to unlock the following relations in WorkZone Content Server:
                         Case and contact
                         Document and case
                         Case and case
                         Document and document
                         Contact and contact
                       All users can lock (and members of UNLOCKADM can unlock) the above-mentioned relations from the menu of the Action Icon in the WorkZone Content Server GUI.

  CONTENT_SERVICES     Members of CONTENT_SERVICES have rights to enable and disable Content Services.

  FILINGPERIOD         Members of FILINGPERIOD have rights to edit filing period data in Captia Web Client.

14.2 ScanJour Configuration Management System Access Codes

The table below gives an overview of the System Access Codes available with regard to the individual modules and functions in ScanJour Configuration Management.

  System Access Code   Comments

  DATAADM              Members of DATAADM have rights to the following modules in Configuration Management:
                         Countries and PostCodes
                         Custom Label

                         Custom Domain
                         Addressee (Contacts)
                         Filing period
                         Stopwords
                         Classification Scheme
                         Facet
                         Dictionary
                         Subnumbers
                         Applied Case Number Format
                         Document Format
                         Register
                         Security

  DIAGADM              Members of DIAGADM have rights to the following module in Configuration Management:
                         Trace Output

  PROFILADM            Members of PROFILADM have rights and access to the following modules in Configuration Management:
                         Restricting Profiles
                         Preference Profiles
                         Record Access

  IADM                 Members of IADM have rights and access to the following module in Configuration Management:
                         Lost and Found

  USERADM              Members of USERADM have rights and access to the following modules in Configuration Management:
                         Owner
                         Users
                         Use Log

  FESD_WS              Externally used System Access Code. Members of FESD_WS have rights to call WorkZone Content Server Open WSI and gain access from a third-party system. The system user of the third-party system is the member.

14.3 Extraordinary System Access Codes

The following extraordinary system access codes are optional: AFDADM, MEDARBADM, and STJERNEADM. They can be enabled if the customer's organization deems it necessary in dealing

with maintenance and security issues in their own solution.

Warning: Most customers will be able to control access rights through Active Directory and AD transfers, and will therefore have no need for the following access codes. However, because these access codes partly impair the control of what the user can view in the database, ScanJour only recommends implementing them if the customer cannot control the access rights through Active Directory alone.

Notes: These access codes cannot be created from Active Directory, but must be created directly in the database; see SQL-Creation of the Extraordinary System Access Codes below for the method. Be aware that the rights allocated to the user by these system access codes cannot be administered from Active Directory.

  System Access Code   Comments

  AFDADM               If this system access code is allocated to a user, the user can create or amend units.

  MEDARBADM            If this system access code is allocated to a user, the user can create or amend employees.

  STJERNEADM           If this system access code is allocated to a user with security code 9, this user will have rights to allocate the * access code to any user.
                       Notes: The * access code is the only access code that can be allocated in this way. The * access code gives the user access rights to all domains that are otherwise protected by individual access codes or access code strings.

SQL-Creation of the Extraordinary System Access Codes

The system access codes must be created in the access_code_domain table, but only if the organization opts for them. At least one user must be allocated per access code once it has been created. They are created by executing the following SQL commands:

1.
Execute the following if you want to allocate the system access code MEDARBADM to at least one user:

  insert into access_code_domain(access_code, access_code_type, system)
  select 'MEDARBADM', 'INDBLIK', 'J' from dual
  where not exists (select null from access_code_domain where access_code = 'MEDARBADM');
  commit;

2. Execute the following if you want to allocate the system access code AFDADM to at least one user:

  insert into access_code_domain(access_code, access_code_type, system)
  select 'AFDADM', 'INDBLIK', 'J' from dual
  where not exists (select null from access_code_domain where access_code = 'AFDADM');

  commit;

3. Execute the following if you want to allocate the system access code STJERNEADM to at least one user:

  insert into access_code_domain(access_code, access_code_type, system)
  select 'STJERNEADM', 'INDBLIK', 'J' from dual
  where not exists (select null from access_code_domain where access_code = 'STJERNEADM');
  commit;
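As an added illustration of the Name Code stripping rules from section 13 (the stripprefix and strippostfix elements under <domain>), and not code from the guide or from ScanJour, the following Python reads a constructed configuration fragment modelled on Examples 2 and 3 and applies the rules to the sample codes. It assumes that the domain element carries a name attribute, that prefix stripping is applied before postfix stripping, and that matching is case-sensitive; none of these details are stated in the guide.

```python
"""Added example: apply SJADConnector-style Name Code stripping rules.

Assumptions (not from the guide): <domain> carries a name attribute, the
prefix is stripped before the postfix, and matching is case-sensitive
because Name Codes are written in capital letters.
"""
import xml.etree.ElementTree as ET

KINDS = ("user", "unit", "group", "committee")

# Constructed configuration fragment modelled on the guide's Examples 2 and 3.
CONFIG_XML = """<SJADConfiguration>
  <domain name="example.local">
    <stripprefix kind="user">T-</stripprefix>
    <strippostfix>O</strippostfix>
    <stripprefix kind="unit">OU-</stripprefix>
    <strippostfix kind="unit">-Z</strippostfix>
  </domain>
</SJADConfiguration>"""


def load_strip_rules(xml_text):
    """Return {domain name: {kind: (prefix, postfix)}} from the config text.

    Each kind may have at most one prefix and one postfix (the guide allows
    only one of each), so a second element of the same kind is rejected.
    """
    rules = {}
    root = ET.fromstring(xml_text)
    for domain in root.iter("domain"):
        per_kind = {k: [None, None] for k in KINDS}
        for elem in domain:
            if elem.tag not in ("stripprefix", "strippostfix"):
                continue
            kind = elem.get("kind", "user")  # omitted attribute means user
            if kind not in KINDS:
                raise ValueError(f"unknown kind {kind!r}")
            slot = 0 if elem.tag == "stripprefix" else 1
            if per_kind[kind][slot] is not None:
                raise ValueError(f"duplicate {elem.tag} for kind {kind}")
            value = (elem.text or "").strip()
            if value != value.upper():
                # The guide requires the stripped part in capital letters.
                raise ValueError(f"{elem.tag} {value!r} must be upper-case")
            per_kind[kind][slot] = value
        rules[domain.get("name", "")] = {k: tuple(v) for k, v in per_kind.items()}
    return rules


def strip_code(code, prefix, postfix):
    """Strip prefix and/or postfix only where the code actually carries them."""
    if prefix and code.startswith(prefix):
        code = code[len(prefix):]
    if postfix and code.endswith(postfix):
        code = code[:-len(postfix)]
    return code


def apply_rules(rules, domain, kind, codes):
    """Map each AD code of the given kind to the SJ code stored in the database."""
    prefix, postfix = rules[domain][kind]
    return {c: strip_code(c, prefix, postfix) for c in codes}


if __name__ == "__main__":
    r = load_strip_rules(CONFIG_XML)
    print(apply_rules(r, "example.local", "user", ["T-VIGGO", "HUGO"]))
    print(apply_rules(r, "example.local", "unit", ["OU-DEP1", "OUDEP2-Z"]))
```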

15 Recommendations and Advice

Below you will find a number of recommendations, best practices, and general advice concerning SJADConnector and pre-transfer snags.

15.1 Event Log

ScanJour recommends that you monitor your first transfer of user data from AD to WorkZone Content Server with SJADConnector. The trial transfer is described in section 9.1 Initialize Transfer of Data. However, as mentioned, this doesn't necessarily catch everything. All errors, whether or not they show up in the status of the transfer, are reported in the Windows event log. You should therefore monitor the event log carefully throughout the initial transfer. Correct the errors that show up and repeat the process while monitoring the event log. You are done when the event log has nothing to report.

You check the event log in the Event Viewer: click Start > Control Panel > Administrative Tools > Event Viewer.

As a last precaution you should run a transfer with total update enabled. To do this, in the window SJ Active Directory Connector, select the total update check box before starting a transfer.

15.2 One Configuration File per Database

You should only have one configuration file per database. In other words, make sure your scheduled task(s) use the correct configuration file, and always disable the Scheduled Task if you decide to transfer manually. Run only one transfer per database at any time. If you are doing major maintenance in AD, it is prudent to stop your scheduled task while you manually monitor your transfer. Remember to re-enable the task when you are done; see section 9.2 Re-enable the Scheduled Transfer Task.

15.3 Do not Change the Name Codes

If you need to change user names, unit names, or pre-Windows 2000 group names, do not make these changes in AD without first analyzing and mapping the consequences. If you do, the transfer will catch the changes and report them as errors.
If it is essential that a user changes, for example, his or her initials, ScanJour recommends deleting this user and creating a new one. Be aware, though, that in this event you have a major administrative task of cleaning up: old cases, all objects protected with a User Code, personal and general drafts that were not yet archived, ownerships of reminders, personal preferences in the GUI, and so on, now ought to have their ownership transferred, or be mass edited or moved. If you do nothing, these objects will be owned by an inactive user, and any non-redistributed objects holding User Access Codes will have to be handled by Lost and Found in Configuration Management. You should also model the new user on the old; see section 7.1 Users become logon users and employees in WorkZone Content Server.

15.4 Domain Server Connection

For each domain server you must enter the name of the server (or its IP address). If the program is not run as a trusted user of the domain, you have to supply the user name and password of a user that has permission to read from the AD directory. The domain name may also be entered as an LDAP Distinguished Name, for example: DC=scanjour,DC=dk

Encryption of Password

The AD Connector supports specification of logon information to be used for reading from the domain. This information is stored in the XML configuration file in the form of a user name and a password. In previous versions the password was stored in unencrypted form, but from Captia 4.5 SP1 onwards the password is stored in encrypted form. For backwards compatibility the connector can also use a password stored in unencrypted form: if decryption of the password fails, the replicator uses the password exactly as read from the configuration file. Note that, because of this fallback, a password written to the file in clear text is accepted without any warning, so access to the configuration file should be restricted to the account that runs the connector and its administrators. As in earlier versions, it is still possible to avoid specifying any logon information in the Connector itself; instead, it can be run under an account with the permissions needed to read from the domain.

The password is encrypted in such a way that it can only be decrypted on the same machine as the one used during encryption, which is performed when you click OK in the Domain Server dialog box where the logon information has been specified. This means that if you move the XML configuration file to another server for use with the AD Connector there, you need to re-enter the password in the Domain Server dialog box after having moved the XML configuration file to the new server.

Users

The list Groups identifying ScanJour Captia users in the Domain server window in SJADConnector lists the global distribution groups that identify the users to be transferred.
If a user is a member of more than one of these groups, note that the user is then automatically allocated the highest security code.

OUs and Units

The list Units in the Domain server window in SJADConnector lists the organizational units that identify the OUs to be transferred into units in WorkZone Content Server. If an OU has had the Recursive check box selected, all underlying OUs will be transferred as well; see section 5.2 Register OUs in ScanJour Active Directory Connector, step

Scheduled Transfer Task

When your transfer is error free (and the event log is as well), you must configure a scheduled transfer task at a regular interval between every 2 hours and once a day, depending on the size of your organization. You can set up a scheduled task from the Wizard; see section 3.3 Create a

scheduled task transfer. If you change your scheduled task or make changes to the configuration file, make sure the configuration is reflected in the command line parameters; see section 17 Monitoring the Transfer.

Mapping of AD Fields to WorkZone Content Server Fields

The configuration file contains mapping information regarding which AD field is transferred to which ScanJour database field (WorkZone Content Server GUI text box). This information can be maintained directly in the configuration file, which is an XML file.

Note: There is no GUI through which you can maintain this. Changes must be made manually, directly in the XML file, using a text editor.

The XML file contains a number of <userfield>, <unitfield> and <committeefield> elements with specifications of what is transferred from where to where. Changes can be made, but it is prudent to do so with the knowledge of your software provider and your ScanJour technician; see sections 10 Field to Field Transfer between AD and SJ and 11 ADSI Field Names.

Lost Entities Restored with IADM

When data has been transferred from AD to ScanJour, a scheduled task periodically checks whether there are any lost, that is, inaccessible, entities such as cases, documents, tasks or contacts in the database. This task was preconfigured when the system was installed; refer to InstallGuide_EnterpriseServer.docx for further information. Because the scheduled task is executed periodically, members of the System Access Code IADM can view these lost entities in the module Lost and Found in Configuration Management.

IADM insures against loss of data. Typically, when a corporation makes organizational changes or employees resign, there is a risk that there will be entities, such as cases and documents, which no one has the access codes to see or change. These entities can be lost.
IADM prevents the loss and is used to administer such lost entities through a module in Configuration Management, Lost and Found; refer to Configuration_Management_Online_Help.chm, topic on Lost and Found.

Lost and Found

The purpose of the Lost and Found module is to find these entities and make them accessible. Users with access to the module can then replace the void access code and make the entities accessible in WorkZone Content Server to the personnel in charge of handling redistribution.

16 Command Line Parameters

Command line parameters are used while running the Scheduled Task (see section 3.3 Create a scheduled task transfer, steps 3 and 4), and the default setting from the initial setup may be changed. To change the setup, open the Scheduled Task window and select the Task tab. In the Run text box you can see the default command line parameters. The table below gives an overview of the command line parameters, including their default values and comments:

  /db=<database name>
    Default value: No default.
    Comment: Indicates the ScanJour database in question.

  /window, /nowindow or /wizard
    Default value: If the database is specified, /window is the default. If the database is not specified, /wizard is the default.
    Comment: Indicates whether the program should show a GUI and whether it should be the transfer status window (/window) or the Wizard (/wizard).

  /forceupdate
    Default value: No default value. Configuration file changes since the last transfer will be checked.
    Comment: Indicates that all data (users, user information, and so on) must be totally updated. If it is not indicated, the modified date in AD is compared with the last transfer.

  /config=<file name>
    Default value: SJADConfiguration<database name>.xml
    Comment: Indicates the location of the configuration file in question.

  /setsid=<systemuser>
    Default value: No default.
    Comment: This user must be present in AD, but should not be included as a member of any of the administrative groups or access code groups. The effect is that the system user is looked up in the domain, where the SID is read and written into the database, so that the user can log on to WorkZone Content Server. Normal replication is not performed; only this single user is handled.

17 Monitoring the Transfer

You can at any time check the quality of your transfer from AD to WorkZone Content Server. Each time you have made essential changes to your AD or to SJADConnector, you can check the quality of the transfer.

How to check

  Step  Action

  1     Start SJADConnector.
        The window SJ Active Directory Connector is shown.

  2     Click Display only (a trial transfer from AD to the display only). If you have deviated from the conventions of AD registrations, they will

show up in the window with an error where info is usually shown.

  3     Now correct your mistakes. Repeat steps 2 and 3.

  4     If your trial transfer comes up without any errors in your status window, click Transfer.

  5     Even if the transfer has been completed successfully, check your Event Viewer: click Start > Control Panel > Administrative Tools > Event Viewer. The event log may catch transfer problems that won't show up in your status window; see section 15.1 Event Log.

18 Corporate Access Code

Introduction

If your organization has opted for an installation that utilizes Corporate Access Codes, there are some minor deviations from the previous chapters. However, in general the methods previously described for Active Directory also apply here. The following is described below:

  18.1 Prerequisites
  18.2 Configuring the Transfer from Active Directory
  18.3 Special Access Codes for the Corporate Solution in AD

18.1 Prerequisites

The following is assumed:

  The database has been installed to support Corporate Access Codes; refer to InstallGuide_Database.docx, chapter 4.2, for further information.
  The scheduled task for Lost and Found has been set up; refer to InstallGuide_EnterpriseServer.docx for further information.
  It is a standard Corporate configuration.
  Knowledge of how the Corporate Access Codes are used; refer to Captia_Online_Help.chm, topic on Corporate Access Code, for further information.
  Knowledge of how your organization wishes to utilize the Corporate Solution.

18.2 Configuring the Transfer from Active Directory

The configuration of corporate access codes includes creating organizational units for the corporation. The organizational units are transferred from Active Directory (AD) as OUs. This means that the organizational units must exist in AD before you can transfer between AD and the database. You can create the organizational units in AD as described in section 5 Creating Organizational Units in AD.

A typical OU configuration in AD:

The four levels of a standard Corporate Installation:

  <OMYND> = Executive Authority
  <UMYND> = Authority/department
  <AFD>   = Section
  <KT>    = Office

Mind you that the normal rules apply:

  1) The top level OU must be known to SJADConnector; see section 5.2 Register OUs in ScanJour Active Directory Connector.
  2) Users are always placed at the kontor level (office level), for example KT1; see section Create users in Active Directory.

The effect of the above configuration is the following: the end user AA, for instance, who is a member of the OU KT1 (office 1), will organizationally be placed in the framework UMYND2, in AFD2, in KT1, all under OMYND, and segregated from any other Authorities sharing the same database under OMYND. This means that when AA creates, for example, a case in WorkZone Content Server, the case is automatically supplied with the access code string UMYND2 & ALLEEMNER:

  UMYND2 is the access code of the Authority to which AA belongs.
  ALLEEMNER is a dummy access code assigned to entities if none is inherited from either class or case. All users are members of this access code. See also section ALLEEMNER Default Group Access Code.

Note: It is possible to have more than the four levels presented above, and they can be labeled differently to mirror the customer's organization. However, this must be taken into account during the organization's analysis of their Corporate Installation.

To configure the transfer from AD

  Step  Action

  1     Do the following:
        Open the configuration file SJADConfiguration<database name>.xml on the server where the replication is to be made.
        Search for the text <unitfield> and add the following <unitfield> statement after the existing one:

          <unitfield>
            <ADName>st</ADName>
            <SJName>OU_GRP</SJName>
            <mandatory>false</mandatory>
          </unitfield>

        This addition has the effect that the field OU_GRP is replicated from the State/province field in AD.
        Note: If you want to use the City field or the Zip/Postal Code field instead of the State/province field, replace the text <ADName>st</ADName> with one of the following:

          <ADName>l</ADName> (representing the City field)
          <ADName>postalCode</ADName> (representing the Zip/Postal Code field)