Ultimus and Microsoft Active Directory

May 2004

Ultimus, Incorporated
15200 Weston Parkway, Suite 106
Cary, North Carolina 27513
Phone: (919) 678-0900
Fax: (919) 678-0901
E-mail: documents@ultimus.com
Web site: http://www.ultimus.com/

Copyright 2002-2004 Ultimus, Inc. All rights reserved. Ultimus is a trademark of Ultimus Incorporated. All other brands and product names may be trademarks of their respective owners and are used here for reference only.

The information contained in this document is accurate as of May 6, 2004. Due to the speed at which technology is advancing, this document may contain dated information and may have changed since it was authored.
Contents

Overview 3
  Introduction 3
  Contacting Ultimus 3
  Conventions used in this document 3
  Why is Active Directory important to Ultimus? 4
    Figure 1. Ultimus Org Chart accessing Active Directory in a read-only manner 4
    Figure 2. Ultimus Org Chart accessing Active Directory dynamically 5
  Benefits and limitations of accessing Active Directory in a read-only manner 5
    Benefits 5
    Limitations 6
  Benefits and limitations of using Active Directory dynamically 6
    Benefits 6
    Limitations 7
    Figure 3. Ultimus Org Chart structure 8
    Figure 4. Active Directory structure 8

Chapter 1 Ultimus BPM Suite reading from Active Directory
  Configuration 10
    Configuring Ultimus BPM Suite to read from Active Directory 11
    Figure 5. The Server node Properties dialog box 11
    Figure 6. Selecting the Database storage option 12
    Figure 7. Choosing the NETBIOS of an Active Directory 13
  Interaction 14
    Characteristics of how Ultimus Org Chart reads from an Active Directory 14
    Figure 8. A user placed into a chart in Ultimus Org Chart 14
    Figure 9. The Department field of the Job Function Information dialog box 15
    Figure 10. The User Directory as accessed from the Active Directory 15

Chapter 2 Ultimus BPM Suite using dynamic Active Directory integration
  Configuration 16
    Prerequisite to Configuration 16
    Installing the Active Directory Schema snap-in on Windows 2000 Server 16
    Installing the Active Directory Schema snap-in on Windows Server 2003 17
    Configuring Ultimus BPM Suite to use Active Directory dynamically 18
    Figure 11. The Server node Properties dialog box 18
    Figure 12. Selecting the Active Directory storage option 19
  Integration 21
    Characteristics of how Ultimus Org Chart data is stored in Active Directory 21
    Figure 13. Active Directory OUs populated from Ultimus Org Chart 21
    Figure 14. A user placed into a chart in Ultimus Org Chart 22
    Figure 15. The user populating the Active Directory 22
    Figure 16. The Organization tab of the user 23
    Figure 17. The Title field populated in Active Directory 24
    Figure 18. Broken reporting structure as shown in Ultimus Org Chart 25
    Active Directory groups 25
    Figure 19. Proper parameters for a universal distribution group in Active Directory 25
    Figure 20. An Ultimus group as shown in Active Directory 26

Appendix A Attributes and objects within Active Directory
  Table 1. Attributes used by the User object 27
  Table 2. Attributes used by the Organizational Unit object 27
  Table 3. Additional attributes for the User object 28
  Table 4. Additional attributes for the Organizational Unit object 28
  Table 5. New Objects introduced by Ultimus BPM Suite 28
Overview

Introduction

This white paper offers an overview of how Ultimus BPM Suite 6.0 leverages the Microsoft Active Directory service. This document assumes that the reader has an extensive understanding and knowledge of Ultimus BPM Suite 6.x and Microsoft Active Directory usage.

Contacting Ultimus

Ultimus is always striving to improve its product and support services. Furthermore, Ultimus offers a number of ways to find answers or to submit feedback. You may use the following ways to find answers to your Ultimus-related questions or to submit feedback to Ultimus:

Ultimus Support: At Ultimus Support, you can access technical experts to resolve your technical issues, use the Knowledgebase to get answers to common and specific questions, and download the latest product builds and documentation. You can reach Ultimus Support at: http://www.ultimussupport.com/.

Ultimus Education: Ultimus Education provides technical training and certification on the latest Ultimus BPM Suite to ensure you possess up-to-date knowledge of the latest product releases. Ultimus Enterprise Integration Kit (EIK) training is provided on an as-needed basis. For more information, contact training@ultimus.com.

Documentation feedback: Ultimus strives to improve technical documentation and online help. If you would like to submit documentation feedback, contact documents@ultimus.com.

Conventions used in this document

The following conventions are used throughout this document:

bold: Bold text denotes items that you must select or click on in an application, such as menu items, dialog box options, and dialog box output.

italic: Italic text denotes variables, emphasis, and document, chapter, and section titles. This also denotes text that is a placeholder for a word or value that you must supply.

monospace: Text in this font denotes text or characters that you should input to an application, application output, sections of code, programming examples, and syntax examples. This is also used for the proper names of disk drives, paths, directories, device names, file names, file extensions, code excerpts, and URLs.

»: The » symbol leads you through nested Start menu items, application menu items, and dialog box options to a final action. For example, the sequence File»Page Setup»Printer... directs you to pull down the File menu, select the Page Setup item, then select Printer... from the dialog box.

Tip icon: This icon denotes a tip, which alerts you to advisory information.

Note icon: This icon denotes a note, which alerts you to important information.

Caution icon: This icon denotes a caution, which advises you of precautions to take to avoid specific application errors, data loss, or system crash.

Why is Active Directory important to Ultimus?

Active Directory is a Microsoft directory service that stores information about objects on a network and makes this information available to users over a network. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. Furthermore, it provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.

Ultimus BPM Suite 6.0 supports a variety of directory structures in read-only format, including NT Directory, Lightweight Directory Access Protocol (LDAP), and Active Directory. This allows integration with Windows NT, Windows 2000 Server, Windows Server 2003, and supported LDAP directories. In order to integrate with any of these directory structures in a read-only format, Ultimus Administrator (within the OC tab) must be configured to the Database storage option.

In a read-only format, the domain names will appear in a single flat list when browsing for directory users from Ultimus Org Chart (as illustrated in Figure 1).

Figure 1. Ultimus Org Chart accessing Active Directory in a read-only manner
Conversely, Ultimus BPM Suite offers a read/write option with Microsoft Active Directory (as illustrated in Figure 2). Under this configuration, Ultimus Org Chart operates as a direct interface to Microsoft Active Directory. Changes made in Ultimus Org Chart to user information, organizational chart membership, and reporting structures are immediately reflected in Active Directory (and vice versa). In this scenario, Ultimus BPM Suite does not maintain an organizational chart database in the Ultimus BPM database, but rather updates and modifies the underlying Active Directory.

Figure 2. Ultimus Org Chart accessing Active Directory dynamically

The decision to use Ultimus BPM Suite with Active Directory should ideally be made before taking Ultimus BPM Suite live, as the migration path to convert a live BPM environment to use Active Directory is detailed and represents a large amount of conversion time and effort. (For specific instructions on migrating the Ultimus BPM Suite, refer to the Ultimus Migration Guide.)

Benefits and limitations of accessing Active Directory in a read-only manner

Outlined below are the benefits and limitations of accessing Active Directory in a read-only manner.

Benefits

There are a number of advantages to accessing Active Directory only in a read-only manner:

Quick integration: The process to configure Ultimus BPM Suite to access an Active Directory in a read-only manner is straightforward and does not require administration rights to do so. This allows almost anyone in an organization to access an Active Directory through Ultimus Org Chart.

Preserved Active Directory structures: Since Active Directory is being accessed in only a read-only manner, Ultimus BPM Suite cannot make changes to any Active Directory. This gives an organization's network administrator peace of mind that no one in the organization can make accidental or unauthorized changes to any Active Directory.
Limitations

Because Ultimus BPM Suite can only access an Active Directory in a read-only manner, there are some limitations to Ultimus Org Chart's functionality when interacting with an Active Directory:

No real-time Active Directory updating: Pre-existing Active Directory information is not brought into Ultimus Org Chart (such as e-mail addresses and hierarchy information).

Ultimus Org Chart replication: Any changes to an Active Directory must be replicated manually in any chart created through Ultimus Org Chart in order to ensure those charts are up to date.

To configure and interface with Active Directory in a read-only manner, refer to Chapter 1, Ultimus BPM Suite reading from Active Directory.

Benefits and limitations of using Active Directory dynamically

Outlined below are the benefits and limitations of using Active Directory dynamically.

Benefits

Ultimus BPM Suite leverages Active Directory dynamically in a number of ways:

Easier administration: With Active Directory, all user information is maintained in one location. When using NT or LDAP directories, Ultimus Org Chart retrieves information from the NT or LDAP directory and stores it in the Ultimus BPM database. If the directory changes, the Ultimus BPM database must be updated as well. When accessing Active Directory dynamically, changes made in one location are automatically propagated everywhere else it is used.

Automatic updating: All changes made to Active Directory are immediately reflected in any chart created through Ultimus Org Chart, since it is reading directly from Active Directory. This eliminates errors.

Wide availability: Active Directory is based on LDAP and is supported by Microsoft. Therefore, it is widely available across all Microsoft platforms for Ultimus to leverage.

Reduced client administration: Because Active Directory stores e-mail addresses, this eliminates the need for users to enter them into Ultimus Client.

Active Directory front end: Ultimus Org Chart functions as a graphical interface to Active Directory.

Flexibility: Active Directory is highly extensible and customizable as a directory service, and adds additional flexibility to Ultimus Org Chart.
Limitations

Because Active Directory stores data in one location and can propagate changes throughout a user store, caution must be exercised in a number of ways:

Cautious administration: If not administered properly, inadvertent changes in Ultimus Org Chart will change the Active Directory, and could affect other applications that rely on Active Directory.

Migrating to Active Directory: Ultimus does not support the direct migration of a live production Ultimus environment from Windows NT Directory to Active Directory. Ultimus BPM Suite must be uninstalled before migrating to Active Directory, then re-installed after Active Directory is in place. For specific steps to migrate from Windows NT Directory to Active Directory, refer to the Ultimus Migration Guide.

Unavailable Ultimus BPM Suite features: Some Ultimus BPM Suite features are not available when it is using Active Directory dynamically. These are outlined as follows:

a. Ultimus Client group views cannot be set when using Ultimus BPM Suite with Active Directory. (Ultimus Client individual views may be created in Ultimus Administrator.)

b. Reporting relationships in Active Directory OUs will have to be modified in Ultimus Org Chart to allow supervisor-relative job function routing for the top-most person in Active Directory sub-OUs. This modification in Ultimus Org Chart is necessary because in Ultimus terminology sub-charts report to a user, while in Active Directory sub-OUs belong to parent OUs.
There is an important difference between Ultimus Org Chart and Active Directory chart relationships. Ultimus Org Chart's smallest compositional element is a user. A user can be a supervisor of another user within an Ultimus Org Chart structure, and can also be a supervisor of another user from a different Ultimus Org Chart structure (namely, a sub-chart). This is graphically represented in Figure 3. In this figure, User a is the supervisor of User b.

Figure 3. Ultimus Org Chart structure

Active Directory's smallest compositional element is a sub-OU (or child OU). No specific element within an Active Directory OU can report to an element within another OU. This is graphically represented in Figure 4. In this figure, User a is not the supervisor of User b.

Figure 4. Active Directory structure

Therefore, chart relationships between Ultimus Org Chart and Active Directory are different: Active Directory does not offer the same specific detail of job function routing as Ultimus Org Chart does. It is for this reason that reporting relationships in Active Directory OUs will have to be modified in Ultimus Org Chart to allow supervisor-relative job function routing for the top-most person in Active Directory sub-OUs.

To configure and integrate with Active Directory dynamically, refer to Chapter 2, Ultimus BPM Suite using dynamic Active Directory integration.
Chapter 1 Ultimus BPM Suite reading from Active Directory

This section details how to configure Ultimus BPM Suite to read from an Active Directory, and how Ultimus Org Chart interacts with Active Directory in a read-only manner. To understand and evaluate the benefits and limitations of this configuration, refer to Benefits and limitations of accessing Active Directory in a read-only manner in this document's Overview.

Configuration

This section details how to configure Ultimus BPM Suite to read from an Active Directory.
Configuring Ultimus BPM Suite to read from Active Directory

Follow these steps to configure Ultimus BPM Suite to read from an Active Directory:

1. Open Ultimus Administrator.

2. Right-click on the Server node and select Properties. The following dialog box appears, as shown in Figure 5.

Figure 5. The Server node Properties dialog box

3. Select the OC tab. Verify that the Database radio button is selected as the storage option, as shown in Figure 6. If not, select the Database radio button, then select OK.

Figure 6. Selecting the Database storage option

4. Select the Domains tab. Enter the Network Basic Input/Output System (NETBIOS) name of an Active Directory into the Add/Delete Domain field, then click the New button. An example is shown in Figure 7. Select OK.

Figure 7. Choosing the NETBIOS of an Active Directory

Ultimus Org Chart can now access the selected Active Directory.

Caution: Ultimus does not support integration with Active Directory via the Enable LDAP setting within the OC tab in the server node properties. Ultimus Org Chart does not properly read from Active Directory in this manner.
Interaction

This section outlines how Ultimus Org Chart interacts with an Active Directory in a read-only manner.

Characteristics of how Ultimus Org Chart reads from an Active Directory

It is important to understand how Ultimus Org Chart reads from an Active Directory. Accessing the Active Directory with this configuration limits its functionality with Ultimus Org Chart as well as its liability to the Active Directory. For an overview of the benefits and limitations of this configuration, refer to Benefits and limitations of accessing Active Directory in a read-only manner in this document's Overview.

The following are characteristics between charts created in Ultimus Org Chart and the Active Directory:

a. All organization charts have to be created in Ultimus Org Chart because the Active Directory OUs are not read into Ultimus Org Chart.

b. When a user is added to a chart created in Ultimus Org Chart (as shown in Figure 8), that individual is not altered in the Active Directory.

Figure 8. A user placed into a chart in Ultimus Org Chart

c. The Department field within the Job Function Information dialog box (as shown in Figure 9) does not create an organizational unit (OU) in the Active Directory. Instead, data for Ultimus Org Chart is stored in the Ultimus BPM database.

Figure 9. The Department field of the Job Function Information dialog box

d. When selecting Browse... to select a user for the Name field of the Job Function Information dialog box, a single flat list is presented of all users at that moment in the Active Directory (as shown in Figure 10). There is no use of the Active Directory's Manager value to differentiate hierarchy or sub-OUs.

Figure 10. The User Directory as accessed from the Active Directory

e. Similarly, Active Directory groups are not read into Ultimus Org Chart. Only the Active Directory user names are read, producing a single flat list from Ultimus Org Chart.

In summary, when Ultimus BPM Suite is configured to interact with Active Directory in a read-only manner, the only information brought into Ultimus Org Chart from Active Directory is the user names.
Chapter 2 Ultimus BPM Suite using dynamic Active Directory integration

This section details how to configure and integrate Ultimus BPM Suite to dynamically use Active Directory. This section assumes that Ultimus BPM Server is already functioning in an Active Directory environment. (If your Ultimus BPM environment is not functioning in Active Directory, refer to the Ultimus Migration Guide to migrate from a Windows NT environment to Active Directory.) To understand and evaluate the benefits and limitations of this integration, refer to Benefits and limitations of using Active Directory dynamically in this document's Overview.

Configuration

This section details how to configure Ultimus BPM Server to dynamically function with Active Directory.

Prerequisite to Configuration

Before configuring Ultimus BPM Server to dynamically function with Active Directory, the Active Directory Schema snap-in must be installed to Active Directory. The Active Directory Schema snap-in is an administrative tool that is not installed by default by Microsoft. It is available in the Windows 2000 Administration Tools wizard from the Windows 2000 Server compact disc. Windows Server 2003 offers the Active Directory Schema snap-in through the Windows Server 2003 Administration Tools Pack Setup wizard on its compact disc.

Without having the Active Directory Schema snap-in installed, the advanced Active Directory Schema permission properties cannot be manipulated. Therefore, installing the Active Directory Schema snap-in is a necessity. Once installed, add the Active Directory Schema snap-in into an MMC console. For more information on this process, refer to Windows Help regarding the installation of the Active Directory Schema snap-in.

Installing the Active Directory Schema snap-in on Windows 2000 Server

To install the Active Directory Schema snap-in on Windows 2000 Server, follow these steps:

1. Log on as the computer administrator.

2. Insert the Windows 2000 Server compact disc into your CD-ROM drive, then explore the directory structure with Windows Explorer.
3. Browse to the folder I386. Double-click on Adminpak.msi, then follow the installation instructions that appear in the Windows 2000 Administration Tools wizard.

4. Once the Windows 2000 Administration Tools wizard is finished, click Start, then select Run. Type mmc /a, then select OK.

5. Select Console»Add/Remove Snap-in, then select Add...

6. Under the Snap-in column, double-click Active Directory Schema, then select Close.

7. If no more snap-ins need to be added to the console, select OK.

8. To save this console, select File»Save.

When completed, Full Control to the schema can be assigned. The group(s) assigned to have full control of the schema can be used in Ultimus Administrator to extend and edit the schema. To verify that full control is assigned to the schema, right-click on the schema from the Console Root, then select Permissions.

Installing the Active Directory Schema snap-in on Windows Server 2003

To install the Active Directory Schema snap-in on Windows Server 2003, follow these steps:

1. Log on as the computer administrator.

2. Insert the Windows Server 2003 compact disc into your CD-ROM drive, then explore the directory structure with Windows Explorer.

3. Browse to the folder I386. Double-click on Adminpak.msi, then follow the installation instructions that appear in the Windows 2003 Administration Tools Pack Setup wizard.

4. Once the Windows 2003 Administration Tools Pack Setup wizard is finished, click Start, then select Run. Type mmc /a, then select OK.

5. Select File»Add/Remove Snap-in, then select Add...

6. Under the Snap-in column, double-click Active Directory Schema, then select Close.

7. If no more snap-ins need to be added to the console, select OK.

8. To save this console, select File»Save.

When completed, Full Control to the schema can be assigned. The group(s) assigned to have full control of the schema can be used in Ultimus Administrator to extend and edit the schema. (Appendix A, Attributes and objects within Active Directory, details how the Active Directory schema has been extended.) To verify that Full Control is assigned to the schema, right-click on the schema from the Console Root, then select Permissions.
Configuring Ultimus BPM Suite to use Active Directory dynamically

Follow these steps to configure Ultimus BPM Suite to use Active Directory dynamically:

1. In the Active Directory Schema admin console, identify an account in the Active Directory Schema Admins group that will have full control over the schema.

Note: By default, Microsoft does not necessarily grant members of the Schema Admins group full control over the schema. It may be necessary to explicitly set this permission for an account. When Ultimus BPM Server first connects to Active Directory, it will use this account to extend the schema as necessary. To verify that full control is assigned to the schema, right-click on the schema from the Console Root, then select Permissions.

2. Open Ultimus Administrator.

3. Right-click on the Server node and select Properties. The following dialog box appears, as shown in Figure 11.

Figure 11. The Server node Properties dialog box

4. Select the OC tab. By default, the Database radio button is selected as the storage option. To change the storage option to Active Directory, select the Active Directory radio button, as shown in Figure 12.

Figure 12. Selecting the Active Directory storage option

After selecting the Active Directory radio button, the Schema Master, Timeout, Custom Root OU, User Name, and Password fields become enabled. Below is a brief explanation of each:

Schema Master: The schema master is the domain controller assigned to control all updates to the schema within a forest. The schema master's name can be found on the Network Identification tab of the system Properties dialog box under My Computer, or obtained from the network administrator.

Timeout: This specifies the time interval during which Ultimus BPM Server keeps trying to connect to the Active Directory schema. At the end of this interval, a time out message will be displayed.

Custom Root OU: By default, Ultimus will read the top-most node in the Active Directory tree structure. However, if Ultimus BPM Server needs to use an Active Directory sub-node as the top-most node, then specify a custom root organizational unit (OU) in the Enterprise Schema as follows:

LDAP:\\OU=MyNewOU

Individual Org Chart OUs are then created under this root OU, effectively separating Ultimus operations from other Active Directory nodes.

User Name: The user name should be an account name that has full control permissions to the Active Directory schema. This account name should be a name from the Active Directory Schema Admins group (which is a group created when Active Directory is installed). The account can be a name that is not in the Schema Admins group, but that account must then have full control permissions for the Active Directory schema.

Password: The password of the account entered in the User Name field.

5. Enter appropriate values in the Schema Master, Timeout, Custom Root OU, User Name, and Password fields, then select OK.

The first time Ultimus Administrator connects to Active Directory, Ultimus BPM Server extends the default Active Directory schema. Ultimus BPM Server extends the Active Directory schema to store property values of Ultimus Org Chart job functions, Ultimus Groups, user name validation, etc.

Caution: If incorrect values are entered in any of Ultimus Administrator's Active Directory fields within the Properties option of the Server node, then after logging into Ultimus Org Chart the user will be presented with a message stating that some of the configuration details are missing or not correct. Furthermore, the Active Directory OUs and names will not appear in Ultimus Org Chart.

Once Ultimus Administrator is configured with Active Directory, and the Active Directory schema has been extended, Ultimus Org Chart is ready for use. Appendix A, Attributes and objects within Active Directory, details how the Active Directory schema has been extended.
Integration

This section outlines how the Active Directory is dynamically leveraged within the Ultimus environment.

Characteristics of how Ultimus Org Chart data is stored in Active Directory

It is important to understand the dynamic relationship between Ultimus Org Chart and the Active Directory, since they leverage off one another. Despite this leverage and dynamic exchange of data, there are distinct differences between the two. For an overview of the benefits and limitations of this configuration, refer to Benefits and limitations of using Active Directory dynamically in this document's Overview.

The following are attributes and relationships between charts created in Ultimus Org Chart and the Active Directory:

a. Each chart created in Ultimus Org Chart is saved as an OU (organizational unit) in Active Directory. For example, if Research and Development, Sales, and Technical Support were all charts created in Ultimus Org Chart, they would display as OUs in Active Directory, as shown in Figure 13.

Figure 13. Active Directory OUs populated from Ultimus Org Chart

b. When a user is added to a chart created in Ultimus Org Chart (as shown in Figure 14), that same individual will also be added to the OU in the Active Directory.

Figure 14. A user placed into a chart in Ultimus Org Chart

Here is an example. The user Jane Doe is added to the Active Directory OU Sales (as shown in Figure 15). If the same user is now added to any other chart in Ultimus Org Chart, then an administrative entry is created in Active Directory for that user.

Figure 15. The user populating the Active Directory

c. A chart in Ultimus Org Chart can have only one job function or user at its top-most level. This rule is not a requirement for an OU in Active Directory. Therefore, if more than one user exists as the top node in the Active Directory OU, the OU will not draw correctly when viewed in Ultimus Org Chart. Furthermore, supervisor- and manager-routing in Ultimus BPM Server will not perform correctly. In order to correct this situation, consider restructuring the OU to contain a sub-OU.

d. The Manager field for each Active Directory individual must be assigned. Ultimus uses this value to understand the reporting inside each OU. The Manager field cannot be left blank. In Active Directory, the Manager field can be filled by right-clicking on the object node, then choosing the Properties option. Then choose the Organization tab, as shown in Figure 16. The Active Directory Manager value correlates with the Ultimus Supervisor value. Without a Supervisor value, Ultimus Org Chart does not know the reporting relationship between a given user and the other users in the chart.

Figure 16. The Organization tab of the user

e. The top-most job function or user in each OU must be specified as his/her own manager in Active Directory.

f. The Title field within Active Directory must be specified for each user in Ultimus Org Chart, as shown in Figure 17. The Active Directory Title value correlates with the Ultimus Job Function value. Without a Job Function value in Ultimus Org Chart, any workflow process using job function routing would stall.

Figure 17. The Title field populated in Active Directory

g. Users can be deleted from a chart through Ultimus Org Chart. However, the deletion does not remove the name from Active Directory. It simply removes the name from the corresponding OU and places it in the OU root level.

h. Reporting changes inside a chart through Ultimus Org Chart (such as dragging a subordinate into a supervisor position) are also written back to Active Directory. Thus, the reporting relationships in Active Directory are changed as well.

i. Changes to Active Directory are automatically reflected in Ultimus Org Chart. If the chart is open at the time the Active Directory changes are made, simply refresh the chart (using the Ultimus refresh function) to view the new changes.
Violations of any of these rules cause the chart in Ultimus Org Chart to display as a vertical tree structure (as shown in Figure 18) instead of the standard Ultimus Org Chart diagram. This vertical tree display indicates that the reporting structure in the Active Directory OU is not completely configured.

Figure 18. Broken reporting structure as shown in Ultimus Org Chart

Tip: Review the Manager values of all users in the OU. If people from this OU are used in Ultimus workflows while their Manager values are incorrect, the workflow processes may stall.

Active Directory groups

An Active Directory group can have one of three scopes: domain local, global, or universal. Furthermore, there are two group types: security and distribution. By design, Ultimus BPM Suite exposes only groups whose scope is universal and whose type is distribution. No other Active Directory groups can be viewed in Ultimus BPM Suite. In addition, any group created in Ultimus BPM Suite is saved in Active Directory as a universal distribution group, as shown in Figure 19.

Figure 19. Proper parameters for a universal distribution group in Active Directory
New groups created from Ultimus Org Chart are reflected in Active Directory as Ultimus groups, as shown in Figure 20.

Figure 20. An Ultimus group as shown in Active Directory
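The following is an added example, not Ultimus or Microsoft code, that checks an OU's user objects against rules d, e and f above before Ultimus reads the OU (so the vertical-tree failure in Figure 18 is caught in advance), and decodes the AD groupType flags to decide whether a group is one of the universal distribution groups Ultimus exposes. The user records are constructed dictionaries standing in for AD objects; the same-OU and no-loop checks go beyond the rules stated in the text and are labelled as assumptions in the code.

```python
# Added example, not Ultimus or Microsoft code: lint the user objects of one OU
# against the reporting rules this document lists before Ultimus reads the OU.
# Records are constructed dicts standing in for AD user objects; the attribute
# names (distinguishedName, manager, title) are real AD attribute names.
from typing import Dict, List

GROUP_SECURITY_ENABLED = 0x80000000  # AD groupType flag: security group
GROUP_UNIVERSAL = 0x8                # AD groupType flag: universal scope

def ultimus_exposes_group(group_type: int) -> bool:
    """Only universal distribution groups are visible in Ultimus BPM Suite."""
    return bool(group_type & GROUP_UNIVERSAL) and not (group_type & GROUP_SECURITY_ENABLED)

def check_ou_reporting(users: List[Dict[str, str]]) -> List[str]:
    """Rules d-f from the document: every user has a manager, exactly one top-most
    user is his own manager, every user has a title. Added assumption: a manager
    is another user of the same OU and the chain never loops (else no tree)."""
    by_dn = {u["distinguishedName"]: u for u in users}
    problems, roots = [], []
    for u in users:
        dn, mgr = u["distinguishedName"], u.get("manager", "")
        if not u.get("title"):
            problems.append(f"{dn}: title (Ultimus job function) not set")
        if not mgr:
            problems.append(f"{dn}: manager (Ultimus supervisor) not set")
        elif mgr == dn:
            roots.append(dn)
        elif mgr not in by_dn:
            problems.append(f"{dn}: manager {mgr} is not in this OU")
    if len(roots) != 1:
        problems.append(f"expected one self-managed top-most user, found {len(roots)}")
    for u in users:  # walk each chain upward; a chain that never reaches a root loops
        seen, cur = set(), u["distinguishedName"]
        while cur in by_dn and cur not in seen and by_dn[cur].get("manager") != cur:
            seen.add(cur)
            cur = by_dn[cur].get("manager", "")
        if cur in seen:
            problems.append(f"{u['distinguishedName']}: reporting chain loops")
    return problems

# Constructed sample OU: Ann is the top-most user, Bob reports to her.
SALES_OU = [
    {"distinguishedName": "CN=Ann,OU=Sales,DC=example,DC=com", "title": "Director",
     "manager": "CN=Ann,OU=Sales,DC=example,DC=com"},
    {"distinguishedName": "CN=Bob,OU=Sales,DC=example,DC=com", "title": "Rep",
     "manager": "CN=Ann,OU=Sales,DC=example,DC=com"},
]
```

An empty list from check_ou_reporting means the OU satisfies the rules; each string otherwise names the user and the missing or inconsistent value an administrator should correct on the Organization tab.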
Appendix A
Attributes and objects within Active Directory

Ultimus BPM Suite uses some of the default Active Directory properties and also extends the Active Directory schema with some objects and attributes of its own. The schema is extended when Ultimus BPM Suite first connects to Active Directory. Ultimus Org Chart inherits the Active Directory relationships and user information. Additionally, there are some Ultimus-specific relationships (such as job function groups and assistants) that must be set up in Ultimus Org Chart. For this reason, Ultimus must extend the Active Directory schema.

Ultimus BPM Suite exposes and uses the following existing Active Directory objects: User and Organizational Unit. The Active Directory attributes of these objects and the Ultimus Org Chart values they correspond to are described in Tables 1 and 2.

Table 1. Attributes used by the User object

Active Directory Field    Used in Ultimus Org Chart
Title                     Job Function
Manager                   Supervisor
EmployeeID                Employee Id
SAMAccountName            Short Name
Displayname               Full Name

Table 2. Attributes used by the Organizational Unit object

Active Directory Field    Used in Ultimus Org Chart
AdsPath                   Department ID
OU                        Name
Ultimus BPM Suite also adds attributes to existing Active Directory objects. Table 3 describes the attributes added to the User object.

Table 3. Additional attributes for the User object

Additional Attribute      Description
Ultimus rights            Stores Ultimus Client Access Rights, as defined in Ultimus Administrator.
Ultimus box               Stores Ultimus Org Chart attributes, such as color and text label information.
Ultimus client views      Stores settings from the Customize View of the Ultimus Client.
Ultimus user prefs        Stores user preferences set in the Ultimus Client.

Table 4 describes the attributes added to the Organizational Unit object.

Table 4. Additional attributes for the Organizational Unit object

Additional Attribute      Description
Name                      The name of the OU.
Active Directory path     The path to the OU.

Ultimus BPM Suite extends the schema by adding two new objects and by adding new attributes to two existing objects. The new objects, Ultimususer and Ultimusgroup, are described in Table 5.

Table 5. New Objects introduced by Ultimus BPM Suite

Object Name               Description
Ultimususer               Stores any user's secondary job function.
Ultimusgroup              Stores Ultimus group information.

Ultimus BPM Suite also creates the following administrative keys in Active Directory for the Ultimus-only objects that exist in Ultimus Org Chart: Assistants, Job Function Groups, and Org Chart Labels.

Note: These administrative keys are not visible from within Active Directory.