Active Directory Quick Reference Guide for PowerCAMPUS Self-Service 7.x Release 5 July 2011
Trademark, Publishing Statement and Copyright Notice

SunGard or its subsidiaries in the U.S. and other countries is the owner of numerous marks, including SunGard, the SunGard logo, Banner, PowerCAMPUS, Advance, Luminis, DegreeWorks, fsaatlas, Course Signals, and Open Digital Campus. Other names and marks used in this material are owned by third parties.

2008-2011 SunGard. All rights reserved.

Contains confidential and proprietary information of SunGard and its subsidiaries. Use of these materials is limited to SunGard Higher Education licensees, and is subject to the terms and conditions of one or more written license agreements between SunGard Higher Education and the licensee in question.

In preparing and providing this publication, SunGard Higher Education is not rendering legal, accounting, or other similar professional services. SunGard Higher Education makes no claims that an institution's use of this publication or the software for which it is provided will insure compliance with applicable federal or state laws, rules, or regulations. Each organization should seek legal, accounting and other similar professional services from competent providers of the organization's own choosing.

This PDF is certified for use with Adobe Readers, version 6.x and higher. Some elements of this PDF may not render properly when viewed using earlier versions of the Acrobat Reader, or with other PDF viewing applications.

Prepared by: SunGard Higher Education, 4 Country View Road, Malvern, Pennsylvania 19355, United States of America
Customer Support Center Website: http://connect.sungardhe.com
Documentation Feedback: http://education.sungardhe.com/survey/documentation.html
Distribution Services E-mail Address: distserv@sungardhe.com

Revision History Log

Publication Dates: April 2008, June 2009, January 2010, February 2011, July 2011

Summary of changes (in release order):
- First release of this guide.
- More details about settings.
- Moved information about the Bulk Account Creation function from the list of future enhancements to the list of available functions for the SQL provider.
- Added information about using the Active Directory for Authentication Only.
- Added information about what to do if users are not created in the specified container or organizational unit.
- Added information about all the options you need to set when using an Active Directory membership provider and want to allow users to change their passwords.
Table of Contents

Authentication Provider Details .......... 1
  History .......... 1
  Current State .......... 1
    Active Directory (AD) .......... 1
    SQL Provider .......... 2
  What to Expect in the Future .......... 2
Frequently Asked Questions about AD .......... 3
  Domains .......... 3
    Does Self-Service support authentication to multiple AD domains? .......... 3
    Does Self-Service support authentication to one domain with multiple child domains? .......... 3
    Should I use the machine name, domain name, or IP Address for membership settings? .......... 3
  Containers and Organizational Units (OUs) .......... 4
    Does Self-Service support authentication to multiple AD containers/OUs? .......... 4
    Can Self-Service create users in multiple AD containers/OUs? .......... 5
    What if I want Self-Service to create users in ONE Active Directory container/OU? .......... 5
    To create users in ONE container, does that have to be an OU or can it be a CN? .......... 6
    What is the difference between an OU and a CN? .......... 6
    How can I find the correct LDAP path to the container/OU I want to use? .......... 6
    What if users are not created in the specified container or OU? .......... 7
  Authentication Only .......... 7
    What if I only want to use the Active Directory for Authentication? .......... 7
  SiteAdministrator User .......... 8
    What AD permissions does the SiteAdministrator user need? .......... 8
    Is the SiteAdministrator user created when you install Self-Service? .......... 8
    When I log into Self-Service as SiteAdministrator, why don't I see the Administration tab? .......... 8
  ASP.Net SQL Database .......... 8
    Why do I need the ASP.Net SQL database if I'm using AD as my membership provider? .......... 8
  Machine Key .......... 9
    What is the machine key in the Web.config file and what is it used for? .......... 9
    Can I change the machine key from the default value that ships with the product? .......... 9
  User Account Settings .......... 10
    What happens when I set expiration dates for user accounts? .......... 10
    What AD attributes need to be set so users can change passwords? .......... 11
    What happens if I do not allow users to change their passwords? .......... 12
    What happens if I force users to change their passwords? .......... 14
    How do I disable the Password/Security Question and/or Account Mapping? .......... 15
    Why can't I change a user's role? .......... 18
Authentication Provider Details

Authentication refers to the means by which PowerCAMPUS Self-Service can grant access to the application with a username and a password. The source, or membership provider, of authentication refers to the location where the usernames and passwords are stored.

History

IQ.Web used tables within the PowerCAMPUS database (ABT_ACCOUNTS and others) to store usernames and passwords. This method was effective to a degree, but put an unnecessary load on the PowerCAMPUS database and had some potential security problems.

Current State

With PowerCAMPUS 7.x and the update of IQ.Web to Self-Service using .NET technology, we now support what is commonly referred to as the membership provider model of authentication. The provider model means that different sources of authentication can be used depending on the school's preference. Out of the box, PowerCAMPUS Self-Service 7.x supports two membership providers: Active Directory (AD) and SQL Provider.

Active Directory (AD)

Active Directory is the standard provider offered by Microsoft. It is commonly used on our client campuses to authenticate users to their local Windows network. When you use an AD provider, Self-Service users will have the same username and password for Self-Service as they would for their network login. IT staff has one less location to create and maintain accounts on campus.

Institutions must create accounts on their own. However, as most schools already employ AD, most have homegrown scripts or have purchased third-party tools to automate account creation. Schools which are using the PowerCAMPUS Portal can use the ADWatcher feature to automate the creation and modification of AD accounts.
SQL Provider

SQL is another standard provider offered by Microsoft. It is similar to the IQ.Web method of storing usernames and passwords in the database. However, because this provider is a separate optimized database, it does not have the inherent security and performance issues of the IQ.Web method. This provider is ideal for schools that do not have AD or wish to keep their AD and Self-Service accounts separate, for whatever reason.

An Administrator must create the Self-Service user accounts. Using the Create User function, an Administrator can search for an individual or a group of users in the PowerCAMPUS database, and then create Self-Service accounts for up to 1,000 users at a time.

- The Request Account function is available, so that people who are already in your PowerCAMPUS database can create new accounts. The system will assign them a username and password based on configurations built by your institution.
- The Transfer Account function is available, so that people who had IQ.Web accounts can transfer their accounts to the SQL provider. The system will assign them a new username and password based on configurations built by your institution.
- The Bulk Account Creation function is available, so that schools can import user data from an external file (for example, an Excel spreadsheet) and create Self-Service accounts for these users.

What to Expect in the Future

Moving forward, the provider model will be extended to the entire PowerCAMPUS application suite -- that means one account, username, and password for each user regardless of the PowerCAMPUS module. Other possible enhancements will be scheduled based on the relative demand received from our client base. These possible enhancements might include any variety of changes, but the most likely (in no particular order) are:

- More Providers -- Adapters to other authentication sources such as LDAP can be pursued as a customization.
- Support for Multiple Providers -- The ability to simultaneously use multiple providers. For example, hosting prospective students and alumni in a SQL provider while hosting faculty, students, and staff in AD.
Frequently Asked Questions about AD

The following is a list of the questions that have been asked frequently about using the Active Directory with PowerCAMPUS Self-Service. This information will help you set up and troubleshoot your system.

Domains

Does Self-Service support authentication to multiple AD domains?

No. Authentication to multiple AD domains is planned for a later release. Currently, PowerCAMPUS Self-Service only supports authentication against one AD domain.

Does Self-Service support authentication to one domain with multiple child domains?

No. Authentication to one domain with multiple child domains is planned for a later release. Currently, PowerCAMPUS Self-Service only supports authentication against one AD domain.

Should I use the machine name, domain name, or IP Address for membership settings?

Using a machine name for any of the membership configuration settings is not recommended. The I.P. Address or Domain Name are the recommended values to use in configuration settings. In some instances, the I.P. Address may need to be used instead of the Host Name and vice versa. The value to use may vary per environment. If you are using more than one domain controller, we recommend that you use the Primary Domain Controller (PDC) for the configuration settings.

Sample Values:
  I.P. Address:  192.168.1.1
  Domain Name:   www.myhost.com
  Machine Name:  myserver

Sample Settings: [screenshot of the membership settings; not reproduced in this text]
Containers and Organizational Units (OUs)

Does Self-Service support authentication to multiple AD containers/OUs?

Yes. Authentication to multiple AD containers/organizational units is supported and has been tested. To configure the system in this way, set the LDAP path to your domain root in the connectionsettings.config file. Domain root means setting the LDAP path with the format LDAP://server or LDAP://domain or LDAP://server:port (without ending slashes). With this format:

- All users who already have user objects in the domain will be able to authenticate to PowerCAMPUS Self-Service.
- When using PowerCAMPUS Self-Service to create Active Directory accounts, user objects get created in the default Users container (CN=Users). For more information, refer to "Can Self-Service create users in multiple AD containers/OUs?" and "What if users are not created in the specified container or OU?"

If you do not set the LDAP path to your domain root and instead set the LDAP path using a format like LDAP://server/dc=domain,dc=com or LDAP://server:port/dc=domain,dc=com or LDAP://domain/dc=domain,dc=com, then all users who already have user objects in the domain will also authenticate to PowerCAMPUS Self-Service. However, with this format, when using PowerCAMPUS Self-Service to create Active Directory accounts, the user objects will be created in the root of the domain, and not in a container. This will make for a cluttered Active Directory structure, which you should avoid.
Can Self-Service create users in multiple AD containers/OUs?

No. This question is related to the previous question if you intend to use PowerCAMPUS Self-Service to create users in AD. Your options are to:

- Create users in AD through your own account management processes and manually enter mapping records in the PersonUser table. You have options with this method:
  - After the Active Directory accounts exist, have users log into PowerCAMPUS Self-Service with their Active Directory usernames and passwords. At login, they will be prompted for their People Code ID, First Name, Last Name, and Date of Birth. After correctly entering this information, PowerCAMPUS Self-Service will map the Person ID to the Windows Logon ID in the PersonUser table.
  - If a mapping record in the PersonUser table for a user exists, and if your LDAP path in the connectionsettings.config file is set to the root of the domain, the user can log into PowerCAMPUS Self-Service with his or her Active Directory Username and Password, regardless of where the user object is located in the domain.
- Use PowerCAMPUS Self-Service to create new users. If the LDAP path in the connectionsettings.config file is set to the root of the domain (in the format LDAP://server or LDAP://domain or LDAP://server:port), the user object will be created in the CN=Users container in that domain. Refer to "What if users are not created in the specified container or OU?"
- Enable (display) the Request Account link on the PowerCAMPUS Self-Service Login window.

What if I want Self-Service to create users in ONE Active Directory container/OU?

Set the LDAP path in the connectionsettings.config file with the path to that container/organizational unit. For example, use any of these formats (without ending slashes):

  LDAP://server/CN=Users,DC=domain,DC=edu
  LDAP://domain/OU=TestContainer,DC=domain,DC=edu
  LDAP://server:port/CN=AnotherTestContainer,DC=domain,DC=edu
  LDAP://server:port/OU=AnotherOrganizationalUnit,DC=domain,DC=edu

With this configuration:

- The user whose username you enter in the connectionusername property in the MembershipSettings.config file MUST exist in the container/organizational unit you specify in the LDAP path before you load the Self-Service home page for the first time.
- All users who need to log in to Self-Service must have their user objects in the Active Directory container/organizational unit you choose or in containers/organizational units nested below that container/organizational unit.
- All Active Directory accounts created via PowerCAMPUS Self-Service will be created in that container/organizational unit. Self-Service cannot create users in containers/organizational units nested below that path.

To create users in ONE container, does that have to be an OU or can it be a CN?

PowerCAMPUS Self-Service can create users in any container/organizational unit if the user whose username you enter for the connectionusername property in the MembershipSettings.config file has the correct rights.

What is the difference between an OU and a CN?

This is an Active Directory question and there are many Microsoft resources available to explain how Active Directory works; PowerCAMPUS Self-Service implementation has no impact on it. You can configure PowerCAMPUS Self-Service to create users in CN=Users or in any other single container/organizational unit, such as OU=People, in your Active Directory domain.

An Organizational Unit (OU) object is a special type of container object. The default Users container is always built in as CN=Users. New Organizational Units created manually through either Active Directory Users and Groups or ADSIEDIT are created as OU=[organizational unit name]. The default Users container (CN=Users) is a "plain" container object and is not based on the organizational unit class. One difference between the "plain" container object and the organizational unit object (as defined by their default classes) is that container objects cannot contain organizational unit objects. In ADSIEDIT, there is also a separate "plain" container object that is created as CN=[container name].
How can I find the correct LDAP path to the container/OU I want to use?

One option is the ADSI Edit utility, which is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. Refer to:
http://technet2.microsoft.com/windowsserver/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx

The Adsiedit.msc GUI tool is included when you install Windows Server 2003 Support Tools from the product CD or the Microsoft Download Center. Refer to:
http://go.microsoft.com/fwlink/?linkid=100114

With ADSI Edit, you can view the distinguishedName attribute for the container/organizational unit you want to use.
What if users are not created in the specified container or OU?

If you specify a container or organizational unit, or just the root in the Active Directory, users SHOULD be created there. If users are NOT created in the specified container or organizational unit, execute the following command to redirect the users to the correct location:

  C:\windows\system32\redirusr <DN path to alternate OU>

For example:

  C:\windows\system32\redirusr ou=myusers,dc=domain,dc=com

You can execute this redirect command ahead of time (to ensure that users are created in the correct container/organizational unit), or you can wait and execute this command if users are created in the wrong container/organizational unit. For more information, refer to "Redirecting the users and computer containers in Active Directory domains" on the Microsoft Support site.

Authentication Only

What if I only want to use the Active Directory for Authentication?

If you are NOT going to allow users to change their passwords or require users to provide a security question and answer, you do NOT need to make any Schema changes. The following options would be commented out (or not listed) in the MembershipSettings.config file:

  attributemappasswordanswer
  attributemappasswordquestion
  attributemapfailedpasswordanswercount
  attributemapfailedpasswordanswertime
  attributemapfailedpasswordanswerlockouttime
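The following PowerShell script is an added example; it is not part of this guide or of the PowerCAMPUS product. It checks, before the Self-Service home page is loaded for the first time, the conditions the container and OU questions above describe: that the LDAP path taken from connectionsettings.config binds, where Self-Service would create new user objects for that path format (domain root, a DC-only path, or a container/OU), and that the connectionusername account already exists under a container path. The $LdapPath and $ConnectionUser values are assumed sample values. The script needs the ActiveDirectory PowerShell module (RSAT) and binds with the current user's credentials, not with the connectionusername account.

```powershell
# Added example (not from the PowerCAMPUS guide): pre-flight check of the LDAP path
# Self-Service will use. Assumed values: $LdapPath copied from connectionsettings.config
# and $ConnectionUser (the connectionusername from MembershipSettings.config).
Import-Module ActiveDirectory

$LdapPath       = 'LDAP://dc01.domain.edu/OU=People,DC=domain,DC=edu'   # assumed sample value
$ConnectionUser = 'svc-selfservice'                                     # assumed sAMAccountName

function Get-LdapPathInfo {
    param([string]$Path)
    $Path = $Path.TrimEnd('/')                       # the guide requires no trailing slash
    if (-not ($Path -match '^LDAP://(?<server>[^/]+)(?:/(?<dn>.+))?$')) {
        throw "Not an LDAP:// path: $Path"
    }
    $server = $Matches['server']                     # capture before the next -match overwrites $Matches
    $dn     = $Matches['dn']
    $kind = if (-not $dn)                                   { 'DomainRoot' }     # LDAP://server, LDAP://domain, LDAP://server:port
            elseif ($dn -match '^DC=[^,]+(,DC=[^,]+)*$')    { 'DomainDnOnly' }   # LDAP://server/dc=domain,dc=com
            else                                            { 'Container' }      # CN=... or OU=... path
    [pscustomobject]@{ Server = $server; Dn = $dn; Kind = $kind }
}

$info = Get-LdapPathInfo $LdapPath

# 1. Does the path bind at all? Touching NativeObject forces the bind so errors surface here.
$entry = [ADSI]$LdapPath
try   { $null = $entry.NativeObject; "OK: bound to $LdapPath (server $($info.Server))" }
catch { throw "Cannot bind to ${LdapPath}: $($_.Exception.Message)" }

# 2. Where will accounts created through Self-Service be placed?
switch ($info.Kind) {
    'DomainRoot'   { $target = (Get-ADDomain).UsersContainer          # read from wellKnownObjects, so it reflects redirusr
                     "Domain-root path: new users go to $target" }
    'DomainDnOnly' { Write-Warning "Path names only DC= components: new users would land in the domain root ($($info.Dn)); use a container or OU path instead" }
    'Container'    { "Container path: new users go to $($info.Dn)" }
}

# 3. With a container path, the connectionusername account must already exist under that container.
$svc = Get-ADUser -Identity $ConnectionUser -Properties DistinguishedName
if ($info.Kind -eq 'Container' -and $svc.DistinguishedName -notlike "*,$($info.Dn)") {
    Write-Warning "$ConnectionUser is at $($svc.DistinguishedName), outside $($info.Dn); the first load of Self-Service will fail"
} else {
    "OK: $ConnectionUser is located at $($svc.DistinguishedName)"
}
```

Run it again after executing redirusr: for a domain-root path the reported target comes from the domain's well-known Users container, so it shows the redirected OU rather than CN=Users.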
SiteAdministrator User

What AD permissions does the SiteAdministrator user need?

The SiteAdministrator user needs only to be a member of the domain. This user's permissions in PowerCAMPUS Self-Service are governed by the SQL role provider. When the user is created, it receives the Administrator role in that provider.

The user whose username you enter for the connectionusername property in the MembershipSettings.config file needs to be able to create, delete, and manage users. (We recommend that you use the Delegation of Control Wizard to provide these rights.) If you enable password reset through PowerCAMPUS Self-Service, that user must also have reset password rights.

Is the SiteAdministrator user created when you install Self-Service?

Yes, the first time the PowerCAMPUS Self-Service URL is loaded. This means you need to ensure that your configuration files are correct so that the operation will complete successfully. If the SiteAdministrator user is not created automatically in Active Directory when PowerCAMPUS Self-Service is installed, you will need to create the SiteAdministrator user manually in Active Directory.

When I log into Self-Service as SiteAdministrator, why don't I see the Administration tab?

This has happened with one institution when the initial population of the SiteAdministrator data in the ASP.NET SQL database did not complete successfully. Institutions which are running PowerCAMPUS Self-Service 7.0 or 7.01 may see this behavior. For PowerCAMPUS Self-Service 7.1, we added code to re-evaluate the SiteAdministrator user's role during this initiation. To correct the problem, one option is to insert the SiteAdministrator's user ID and the Administrator role ID into the dbo.aspnet_usersinroles table in the ASP.NET SQL database.

ASP.Net SQL Database

Why do I need the ASP.Net SQL database if I'm using AD as my membership provider?
Even when PowerCAMPUS Self-Service is configured to authenticate against AD, Self-Service uses the ASP.NET SQL database as its role provider. When you map roles to people types on the Role Mapping page, the mapped roles are assigned to users the next time they log in to Self-Service. The Role and Profile information is stored in the ASP.NET SQL database.
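The following PowerShell script is an added example and is not part of this guide or of the PowerCAMPUS product. It performs the correction described under "When I log into Self-Service as SiteAdministrator, why don't I see the Administration tab?": inserting the SiteAdministrator user ID and Administrator role ID into dbo.aspnet_usersinroles. The SQL instance name and the ASP.NET database name are assumed values, and the standard ASP.NET 2.0 application services tables (aspnet_Users, aspnet_Roles, aspnet_UsersInRoles) are assumed. It needs the SqlServer module (Invoke-Sqlcmd) and write rights on that database.

```powershell
# Added example (not from the PowerCAMPUS guide): restore the Administrator role for the
# SiteAdministrator user in the ASP.NET SQL (role provider) database.
# Assumed values: $SqlInstance and $AspNetDb.
Import-Module SqlServer

$SqlInstance = 'SQL01\POWERCAMPUS'   # assumed instance name
$AspNetDb    = 'aspnetdb'            # assumed name of the ASP.NET application services database
$UserName    = 'SiteAdministrator'
$RoleName    = 'Administrator'

# Idempotent: inserts the (UserId, RoleId) pair only if it is missing, matching the user
# and role inside the same ASP.NET application row so a second application's role is
# never picked up. $(user) and $(role) are sqlcmd scripting variables, substituted by
# Invoke-Sqlcmd -Variable; the single-quoted here-string keeps PowerShell from touching them.
$query = @'
SET NOCOUNT ON;
INSERT INTO dbo.aspnet_UsersInRoles (UserId, RoleId)
SELECT u.UserId, r.RoleId
FROM dbo.aspnet_Users u
JOIN dbo.aspnet_Roles r ON r.ApplicationId = u.ApplicationId
WHERE u.LoweredUserName = LOWER('$(user)')
  AND r.LoweredRoleName = LOWER('$(role)')
  AND NOT EXISTS (SELECT 1 FROM dbo.aspnet_UsersInRoles x
                  WHERE x.UserId = u.UserId AND x.RoleId = r.RoleId);
-- Echo the resulting role membership so the operator can confirm it
SELECT u.UserName, r.RoleName
FROM dbo.aspnet_UsersInRoles x
JOIN dbo.aspnet_Users u ON u.UserId = x.UserId
JOIN dbo.aspnet_Roles r ON r.RoleId = x.RoleId
WHERE u.LoweredUserName = LOWER('$(user)');
'@

$result = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $AspNetDb -Query $query `
                        -Variable "user=$UserName", "role=$RoleName"

if (-not $result) {
    # Nothing came back: the user row itself is missing, which means the first page load
    # never created SiteAdministrator in the ASP.NET database (see the previous question).
    Write-Warning "No aspnet_Users row for $UserName in $AspNetDb; the initial population did not run"
} else {
    $result | Format-Table -AutoSize
}
```

The user must already log out and back in for the Administration tab to appear, because roles are evaluated at login.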
Machine Key

What is the machine key in the Web.config file and what is it used for?

The machine key simply allows the encryption of the security answer. If the security answer was not encrypted, then the provider would store each security answer in plain text and anyone with read access would be able to view the security answers. For information about the machine key in ASP.NET 2.0 and how to configure the machine key, refer to:
http://msdn2.microsoft.com/en-us/library/ms998288.aspx

Can I change the machine key from the default value that ships with the product?

If you want to generate a new key (different than the key shipped by default), refer to:
http://www.eggheadcafe.com/articles/generatemachinekey/GenerateMachineKey.aspx
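The following PowerShell function is an added example and is not part of this guide or of the PowerCAMPUS product. It generates a site-specific machineKey element for Web.config from a cryptographic random number generator, so that the key shipped with the product is not shared with every other installation. The key sizes are assumptions: 64 bytes for the validationKey and 32 bytes for the decryptionKey, which match SHA1 validation and AES decryption in ASP.NET 2.0; adjust them if your Web.config specifies different algorithms.

```powershell
# Added example (not from the PowerCAMPUS guide): generate a fresh <machineKey> element.
# Assumed key sizes: 64-byte validationKey (SHA1 HMAC) and 32-byte decryptionKey (AES).
function New-MachineKeyElement {
    param(
        [int]$ValidationBytes = 64,
        [int]$DecryptionBytes = 32
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $validation = New-Object byte[] $ValidationBytes
        $decryption = New-Object byte[] $DecryptionBytes
        $rng.GetBytes($validation)
        $rng.GetBytes($decryption)
    } finally {
        $rng.Dispose()
    }
    # machineKey expects upper-case hex strings with no separators
    $vHex = [System.BitConverter]::ToString($validation) -replace '-', ''
    $dHex = [System.BitConverter]::ToString($decryption) -replace '-', ''
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1" decryption="AES" />' -f $vHex, $dHex
}

# Paste the output into the <system.web> section of Web.config on every server in the farm.
New-MachineKeyElement
```

Because the key is what encrypts stored security answers, answers saved under the old key will no longer decrypt after the change; generate the new key before users set their answers, or plan on resetting them. All web servers serving the same Self-Service site must use the identical element.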
User Account Settings

What happens when I set expiration dates for user accounts?

If you set the Account Expires option to the End of a specified day, authentication and logins will not connect to the Active Directory via the Membership Provider after the expiration date. When a user attempts to log into PowerCAMPUS Self-Service after the expiration date, the system will display the generic message: Please check your User Name and Password, and try again.

The Event Properties Viewer will display the Event message: Membership credential verification failed.

To allow the user to log in again, you will need to modify the user's Account expires date, as follows:

1. From the Active Directory Users and Computers window, select the Users folder to display a list of your users.
2. Right-click on the name of the user whose account expiration date you need to modify.
3. On the Account tab, update the Account expires setting.

What AD attributes need to be set so users can change passwords?

If you only set the EnablePasswordReset attribute to true, and do not set the RequiresQuestionAndAnswer attribute to true, you will receive the following error:

[screenshot of the error message; not reproduced in this text]
When using Active Directory as your membership provider, you can only set the EnablePasswordReset attribute to true after you have set the following options.

- The RequiresQuestionAndAnswer attribute must be set to true.
- The Active Directory schema must be modified to contain attributes for storing the password question and answer, as well as the three tracking fields for password answer change attempts. These attributes must be mapped to attributes in the Active Directory schema:
    AttributeMapPasswordQuestion
    AttributeMapPasswordAnswer
    AttributeMapFailedPasswordAnswerCount
    AttributeMapFailedPasswordAnswerTime
    AttributeMapFailedPasswordAnswerLockoutTime

What happens if I do not allow users to change their passwords?

If you set the User cannot change password option ON in the Active Directory for a user, that user will not be able to change his or her password via PowerCAMPUS Self-Service. When that user selects the Change Password feature in PowerCAMPUS Self-Service, the system will display the error message: An unexpected error has occurred. The true error that is returned from Directory Services is Access Denied.
The Allevents.log.config file will list the following error:

  -Critical-TId: 5100 Msg: An unexpected error has occurred in the PowerCAMPUS Self-Service application.
  Error Technical Details: System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
  --- End of inner exception stack trace ---
  at System.DirectoryServices.DirectoryEntry.Invoke(String methodname, Object[] args)
  at System.Web.Security.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldpassword, String newpassword)

The Event Properties Viewer will display the Event message: Membership credential verification failed.

To allow the user to change his or her password, you will need to uncheck the User cannot change password setting for the user, as follows:

1. From the Active Directory Users and Computers window, select the Users folder to display a list of your users.
2. Right-click on the name of the user who you want to allow to use the Change Password feature.
3. On the Account tab, UNCHECK the User cannot change password setting.
4. Select OK.
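The following PowerShell script is an added example and is not part of this guide or of the PowerCAMPUS product. It audits, for every user under one container/OU, the Active Directory account settings that this section ties to the "Membership credential verification failed" and "Access is denied" symptoms: an expired account, the User cannot change password flag, and the User must change password at next logon flag that the next question covers; it also offers a scripted equivalent of the Active Directory Users and Computers steps for one user. The $SearchBase value is an assumed sample value, and the ActiveDirectory PowerShell module (RSAT) is required.

```powershell
# Added example (not from the PowerCAMPUS guide): audit and, per user, fix the AD account
# settings that block Self-Service logins or password changes. Assumed value: $SearchBase.
Import-Module ActiveDirectory

$SearchBase = 'OU=People,DC=domain,DC=edu'   # assumed: the container/OU named in the LDAP path

function Get-SelfServiceAccountIssues {
    param([string]$Base)
    Get-ADUser -SearchBase $Base -Filter * `
               -Properties AccountExpirationDate, CannotChangePassword, pwdLastSet |
    ForEach-Object {
        $issues = @()
        if ($_.AccountExpirationDate -and $_.AccountExpirationDate -lt (Get-Date)) {
            $issues += 'AccountExpired'                 # page 10: login fails with the generic message
        }
        if ($_.CannotChangePassword) {
            $issues += 'CannotChangePassword'           # page 12: Change Password returns Access Denied
        }
        if ($_.pwdLastSet -eq 0) {
            $issues += 'MustChangePasswordAtNextLogon'  # page 14: AD stores the checkbox as pwdLastSet = 0
        }
        if (-not $_.Enabled) {
            $issues += 'Disabled'
        }
        if ($issues) {
            [pscustomobject]@{ User = $_.SamAccountName; Issues = ($issues -join ','); DN = $_.DistinguishedName }
        }
    }
}

function Repair-SelfServiceAccount {
    # Scripted equivalent of the Account tab steps in the guide, for one user at a time.
    param([string]$SamAccountName, [switch]$WhatIf)
    Clear-ADAccountExpiration -Identity $SamAccountName -WhatIf:$WhatIf
    Set-ADUser -Identity $SamAccountName -CannotChangePassword $false -ChangePasswordAtLogon $false -WhatIf:$WhatIf
}

Get-SelfServiceAccountIssues -Base $SearchBase | Format-Table -AutoSize
# Repair-SelfServiceAccount -SamAccountName 'jdoe' -WhatIf   # preview the change; drop -WhatIf to apply
```

Clearing the next-logon flag is the only workaround the guide gives for accounts created outside the Membership Provider, so review the audit output before applying the repair rather than running it over the whole container.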
What happens if I force users to change their passwords?

Currently, PowerCAMPUS Self-Service sets a member property that forces password resets for new user accounts, but this only works for users created INSIDE the application via the Membership Provider. IF YOU create Active Directory accounts OUTSIDE the Membership Provider or the Self-Service application (via the Active Directory Wizard, third-party tools, or your own scripts), the User must change password at next logon option is automatically checked for these accounts, and the users will not be able to authenticate and log in.

When these users attempt to log into PowerCAMPUS Self-Service, the system will display the generic message: Please check your User Name and Password, and try again.

The Event Properties Viewer will display the Event message: Membership credential verification failed.

This is a confirmed issue and currently the only workaround is to uncheck the User must change password at next logon option for the users. You might want to force users to change their passwords at next login, especially new users, but you certainly want them to be able to log in as well.

1. From the Active Directory Users and Computers window, select the Users folder to display a list of your users.
2. Right-click on the name of the user whose account you need to update.
3. On the Account tab, UNCHECK the User must change password at next logon setting.
4. Select OK.

How do I disable the Password/Security Question and/or Account Mapping?

If you want users to log in the first time and create the account mapping between the PersonUser table, People records, and the Active Directory, but do NOT want to take advantage of the Password/Security Question features, you should disable the Password/Security Question features.

If you do NOT want users to create the account mapping between the PersonUser table, People records, and the Active Directory, you would need to disable the account mapping module. HOWEVER, if you disable the account mapping module, YOU would have to create the mapping for each user.
First, decide which options you want to disable in the HttpModules.config file. Then, depending on which options you want to disable, follow the corresponding steps.

To Disable: Password/Security Question

Do This: Follow these steps to disable the Password/Security Question capabilities.*

1. Comment out these modules in the HTTPModules.config file:
     ResetPasswordSecurityQuestionModule
     ResetSecurityQuestionModule
2. Disable the Password Reset/Question and Answer in the MembershipSettings.config file:
     enablepasswordreset="false"
     RequiresQuestionAndAnswer="false"

To Disable: Password/Security Question AND Account Mapping

Do This: Follow these steps to disable the Password/Security Question capabilities* AND Account Mapping (maps Active Directory and People records via the PersonUser table, after a user enters First Name, Last Name, Date of Birth, and People ID).

1. Ensure that a PersonUser record has been created for each user. This record ties the login information with the PowerCAMPUS information. Without this record, the user will not have access to PowerCAMPUS data and features. The system will not function properly for the user and many features will not work.
2. Comment out these modules in the HTTPModules.config file:
     ResetPasswordSecurityQuestionModule
     ResetSecurityQuestionModule
     AccountMappingModule
3. Disable the Password Reset/Security Question and Answer in the MembershipSettings.config file:
     Set enablepasswordreset="false"
     Set RequiresQuestionAndAnswer="false"
4. Populate the PersonUser table with the Active Directory user name (PersonUser_UserName) and PersonId (PersonUser_PersonId) value from the People record.

To Disable: Account Mapping

Do This: Follow these steps to disable Account Mapping (maps Active Directory and People records via the PersonUser table after a user enters First Name, Last Name, Date of Birth, and People ID).

1. Ensure that a PersonUser record has been created for each user. This record ties the login information with the PowerCAMPUS information. Without this record, the user will not have access to PowerCAMPUS data and features. The system will not function properly for the user and many features will not work.
2. In the HTTPModules.config file, comment out the AccountMappingModule.
3. Populate the PersonUser table with the Active Directory user name (PersonUser_UserName) and PersonId (PersonUser_PersonId) value from the People record.

* Even when you turn off the Password/Security attributes in the membership configuration, the httpmodules run in the background. In a future release, an intuitive feature will be added to the UI to turn modules on and off.
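The following PowerShell script is an added example and is not part of this guide or of the PowerCAMPUS product. It performs the "Populate the PersonUser table" step that both Account Mapping procedures above require once the AccountMappingModule is commented out, using only the two columns the guide names (PersonUser_UserName and PersonUser_PersonId). The mapping input is a constructed CSV of AD user names and PersonId values; in practice it would come from your People export or provisioning system. The SQL instance, the PowerCAMPUS database name and the dbo schema for PersonUser are assumptions, and your PersonUser table may carry additional required columns that this script does not know about. It needs the ActiveDirectory and SqlServer modules.

```powershell
# Added example (not from the PowerCAMPUS guide): bulk-populate PersonUser mapping records
# when the AccountMappingModule is disabled. Assumed values: $SqlInstance, $PcDb, dbo schema.
Import-Module ActiveDirectory
Import-Module SqlServer

$SqlInstance = 'SQL01\POWERCAMPUS'   # assumed instance name
$PcDb        = 'PowerCampus'         # assumed PowerCAMPUS database name

# Constructed sample input: AD sAMAccountName -> PowerCAMPUS PersonId
$mapping = @'
UserName,PersonId
jdoe,10042
asmith,10043
'@ | ConvertFrom-Csv

# $(user) / $(pid) are sqlcmd scripting variables; the single-quoted here-string keeps
# PowerShell from interpolating them. The IF NOT EXISTS makes re-runs safe.
$insertSql = @'
IF NOT EXISTS (SELECT 1 FROM dbo.PersonUser WHERE PersonUser_UserName = '$(user)')
    INSERT INTO dbo.PersonUser (PersonUser_UserName, PersonUser_PersonId)
    VALUES ('$(user)', $(pid));
'@

foreach ($row in $mapping) {
    # Reject anything that is not a plain account name or a numeric id before it reaches
    # either the LDAP filter or the SQL text, since sqlcmd substitution is purely textual.
    if ($row.UserName -notmatch '^[A-Za-z0-9._-]+$') { Write-Warning "Skipping '$($row.UserName)': invalid user name"; continue }
    if ($row.PersonId -notmatch '^\d+$')             { Write-Warning "Skipping $($row.UserName): PersonId is not numeric"; continue }

    # Only map accounts that really exist in AD; a typo here would create an orphan mapping.
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$($row.UserName)'"
    if (-not $adUser) { Write-Warning "Skipping $($row.UserName): not found in Active Directory"; continue }

    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $PcDb -Query $insertSql `
                  -Variable "user=$($adUser.SamAccountName)", "pid=$($row.PersonId)"
}

# Verify: every input row should now resolve to a PersonUser record
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $PcDb -Query @'
SELECT PersonUser_UserName, PersonUser_PersonId FROM dbo.PersonUser
'@ | Where-Object { $_.PersonUser_UserName -in $mapping.UserName } | Format-Table -AutoSize
```

The user name written to PersonUser_UserName is taken from the AD object rather than the CSV so that its casing matches what the membership provider will present at login.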
Why can't I change a user's role?

This error is likely caused by the security settings for the individual user, particularly if you used the Delegation of Control Wizard to grant rights to the connectionusername (MembershipSettings.config), which connects Self-Service to Active Directory. These rights may not have propagated down to the user for whom you want to change roles.

When you attempt to change the user's roles, PowerCAMPUS Self-Service will display the following error message: The following error(s) occurred while processing your request: An unexpected error occurred while updating the account.

The corresponding error will be listed in the PowerCAMPUS Self-Service error log:

Allevents.log.config Entry
  -Error-TId: 2764 Msg: An error occurred while updating the following user: thinlizzy777
  Technical Details: System.UnauthorizedAccessException: General access denied error
  at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
  at System.DirectoryServices.DirectoryEntry.CommitChanges()
  at System.Web.Security.ActiveDirectoryMembershipProvider.UpdateUser(MembershipUser user)
  at SctPC.Framework.Web.Administration.SiteMembershipManager.UpdateUserInfo(SiteMember member, Boolean caneditemail, Boolean canadministrateaccounts, Boolean canupdatename) in d:\builds\powercampus\work\7.1\7.12.47\polaris\sctpc.framework.web\administration\SiteMembershipManager.cs:line 353

This error typically occurs if the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." option was not checked for any given user when the Delegation of Control was given to the connectionusername. To set this option, complete these steps:

1. Access the Active Directory Users and Computers window.
2. On the View drop-down menu, select Advanced Features.
3. Right-click on the name of the user and select Properties.
4. On the Security tab, select the Advanced button.
5. Make sure that the option to "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." is CHECKED. If this option is not selected, the rights for the connectionusername (which were granted during the Delegation of Control process) will not propagate to this user.
6. Select OK.

Once this option is selected, the user for whom control was delegated now appears under the Permission entries. In this example, notice the connectionusername which we are using in the MembershipSettings.config file is named Self Service.

[screenshot of the Permission entries; not reproduced in this text]
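The following PowerShell script is an added example and is not part of this guide or of the PowerCAMPUS product. It finds every user object under a container/OU whose security descriptor has inheritance turned off, which is the condition the six steps above correct one user at a time, and provides a function that applies the same "allow inheritable permissions" change to one user. The $SearchBase value is an assumed sample value; the ActiveDirectory PowerShell module is required because it supplies the AD: drive that Get-Acl and Set-Acl operate on.

```powershell
# Added example (not from the PowerCAMPUS guide): report user objects that block inherited
# permissions, so that rights delegated to connectionusername on the OU do not reach them.
# Assumed value: $SearchBase.
Import-Module ActiveDirectory

$SearchBase = 'OU=People,DC=domain,DC=edu'   # assumed: the OU where control was delegated

function Get-InheritanceBlockedUsers {
    param([string]$Base)
    Get-ADUser -SearchBase $Base -Filter * -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        # AreAccessRulesProtected = $true is the unchecked "Allow inheritable permissions" box
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                User       = $_.SamAccountName
                AdminCount = $_.adminCount      # 1 = protected by AdminSDHolder; SDProp re-blocks inheritance
                DN         = $_.DistinguishedName
            }
        }
    }
}

function Enable-AclInheritance {
    # Scripted equivalent of step 5 above for a single user object.
    param([string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # $false = allow inheritance again; $true = keep the explicit entries already defined here
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

Get-InheritanceBlockedUsers -Base $SearchBase | Format-Table -AutoSize
# Enable-AclInheritance -DistinguishedName 'CN=John Doe,OU=People,DC=domain,DC=edu'   # one user, after review
```

Users reported with AdminCount = 1 are members of the built-in protected groups; the AdminSDHolder process resets their inheritance setting on its own schedule, so re-enabling it on those objects does not last and they should be handled separately from ordinary Self-Service users.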