Active Directory Integration

Feature Reference #: 29213

This feature enables you to manage Prophet 21 users and DynaChange roles with Active Directory (AD) roles. Each role in AD is assigned an “acts like” user in Prophet 21. When that AD role logs in, it will use the security settings for the “acts like” user, including the DynaChange role, and all the User Maintenance settings that user has.

Important! Changes made to AD will flow through to Prophet 21 users; changes in Prophet 21 will have no effect on AD.

Benefits

• Simplified role management through AD, rather than managing both AD roles and Prophet 21 roles

• Automatic disabling of Prophet 21 user accounts when they are removed from AD

Getting Started with AD Integration

The process of setting up AD integration is somewhat complicated. You must accomplish the following tasks:

• Create a linked server in SQL Server

• Create the MMC console with the AD schema snap-in

• Add attributes to your AD schema

• Install the AD user interface extension

• Set up users in AD to use the Prophet 21 integration

• Set up the Prophet 21 system for integration

Using AD Integration

You can use AD integration to add new users only once, in AD, and have the Prophet 21 user permissions default from an existing user. This means that a new user can simply log into Prophet 21 using his or her Windows Active Directory username and password, and the system will automatically create a SQL database user and Prophet 21 user based on the group selected when you created the user in Active Directory.

Creating a New User

You must set up your AD users with the correct settings to access the Prophet 21 system via AD integration.

1. Create a new AD user following the standard procedures defined for your organization.

2. In the Active Directory Users and Computers MMC snap-in, expand your domains node.

3. Click the Users node.

4. Right-click the new user. The shortcut menu appears.

5. From the shortcut menu, select P21 AD Integration. The P21 Active Directory Integration dialog opens.

6. Set the user’s Active Directory Role and default Location and Branch. The Active Directory Role corresponds to the role you will enter in Prophet 21 to link the AD role with an “acts like” user.

7. Click Accept.

8. Make sure that the Company field on the user’s RMB > Properties > Organization tab contains the valid company ID from the Prophet 21 application.

AD Role Associations in Prophet 21

To set up or change AD roles in Prophet 21, you must use the Active Directory Role to Prophet 21 User Maintenance window.

|Field: |Description: |
|Active Directory Role |The AD role that will be entered into the AD integration component of your AD MMC. That role must match the role you enter in this field. |
|Acts Like User |Determines the default user settings (settings from User Maintenance) that will accompany a user logging in with this AD role. |
|Status |Determines if the role/user combination is currently valid in the system. |

For each Prophet 21 role you have set up in AD, you must have a corresponding AD role record defined in Prophet 21. You can use the Query tab to find existing roles, and edit them in the Form View or List View tabs.

Getting Started with AD Integration

To set up AD integration, you must perform the following tasks:

• Create a linked server in SQL Server

• Create the MMC console with the AD schema snap-in

• Add attributes to your AD schema

• Install the AD user interface extension

• Set up users in AD to use the Prophet 21 integration

• Set up the Prophet 21 system for integration

Each task is described in one of the following sections.

Create a Linked Server in SQL Server

In SQL Server Query Analyzer (SQL Server 2000) or SQL Server Management Studio (SQL Server 2005) run this script to add the linked server:

EXEC sp_addlinkedserver 'ADSI', 'Active Directory Services 2.5', 'ADSDSOObject', 'adsdatasource'

Create an MMC with the AD Schema Snap-In

To create the Microsoft Management Console (MMC) for the schema snap-in, you must first register the AD schema snap-in, and then add it to an MMC console.

1. From the Start menu, select Run. The Run dialog opens.

2. In the Run dialog, enter the following:

regsvr32 schmmgmt.dll

3. Click OK. A dialog box informs you that registration is complete.

4. Click OK to close the dialog.

5. Open the Run dialog again.

6. Type “MMC” (without quotes) in the Open field.

7. Click OK. An empty MMC window opens.

8. From the Console menu, select Add/Remove Snap-in…. The Add/Remove Snap-in dialog opens.

9. Click Add…. The Add Standalone Snap-in dialog opens.

10. Find and select the Active Directory Schema snap-in.

11. Click Add.

12. Click Close. The Add Standalone Snap-in dialog closes.

13. Click OK on the Add/Remove Snap-in dialog. The dialog closes and the console now includes the Active Directory Schema snap-in.

14. From the Console menu, select Save As…. The Save As dialog opens.

15. From the Save In drop-down menu, select Desktop.

16. Change the file name to Schema.msc.

17. Click the Save button. The Schema MMC will be included as a file on your desktop.

Add Attributes to the AD Schema

You must add several attributes to the AD schema in order for AD and Prophet 21 to interact.

1. If your Schema MMC is not open, double-click the Schema.msc file on your desktop.

2. Expand your current Active Directory Schema in the left pane of the MMC snap-in.

3. Right-click the Attributes node. The shortcut menu opens.

4. From the shortcut menu, select Create Attribute. The Schema Object Creation warning box opens, informing you that schema changes are permanent.

5. Click Continue. The Create New Attribute dialog opens.

6. Copy the settings from the following screen capture.

Important! Please be careful with the Unique X500 Object ID column as these are pre-defined values which must match exactly.

[pic]

7. Click OK.

8. Repeat Steps 4-7, except using the attribute settings of the following screen capture.

[pic]

9. Expand the Classes node in the left pane of the Schema snap-in.

10. Right-click the User node. The shortcut menu appears.

11. Select Properties from the shortcut menu. The User Properties dialog opens.

12. On the Attribute tab, select Add…. The Select Schema Object dialog opens.

13. Select location.

14. Click OK. The dialog closes.

15. Repeat Steps 11-14, but with branch instead of location.

16. Repeat Steps 11-14, but with adRole instead of location.

Install the AD User Interface Extension

You must install the AD user interface extension so that you can access the Prophet 21 schema elements from your AD administration interface.

1. Run the P21ADIntegrationSetup.msi installation program.

2. Click Next until you get a successfully completed message.

3. Check to see if you have ADSI Edit on your server. To check, use the following instructions:

a. Go to Start > Run and type in adsiedit.msc.

b. If that does not work then look for a Support Tools folder under Program Files and look for the adsiedit.msc file there.

c. If it is not found, then download the support tools from Microsoft:

4. Once you have found or installed the support tools, run ADSI Edit from the Start > Run dialog by typing adsiedit.msc and clicking OK.

5. In the left pane expand the Configuration, CN=Configuration, CN=DisplaySpecifiers nodes.

6. Select the CN=409 node.

7. In the right pane right-click the CN=user-Display object and select Properties. The CN=user-Display Properties dialog opens.

8. In the Attributes: section of the Attribute Editor tab, select the adminContextMenu and click the Edit button.

9. In the Value to add: text box, type: ,&P21 AD Integration, C:\Program Files\Activant\P21ADIntegration\P21ADIntegration.exe (if the P21ADIntegration program was installed elsewhere on your machine, change the directory accordingly).

10. Click the Add button.

11. Click OK in the Multi-valued String Editor dialog and then again in the CN=user-Display Properties dialog, and then close ADSI Edit.

12. In the Schema console (schema.msc) in the left pane, right-click the Active Directory Schema node. A shortcut menu appears.

13. Select Reload the Schema from the shortcut menu.

14. Save and close the Schema console.

Set Up Users in AD to Use the Prophet 21 Integration

You must set up your AD users with the correct settings to access the Prophet 21 system via AD integration.

1. In the Active Directory Users and Computers snap-in, expand your domains node.

2. Click the Users node.

3. Right-click a user. The shortcut menu appears.

4. From the shortcut menu, select P21 AD Integration. The P21 Active Directory Integration dialog opens.

5. Set the user’s Active Directory Role and default Location and Branch. The Active Directory Role corresponds to the role you will enter in Prophet 21 to link the AD role with an “acts like” user.

6. Click Accept.

7. Make sure that the Company field on the user’s RMB > Properties > Organization tab contains the valid company ID from the Prophet 21 application.

Set up the Prophet 21 system for integration

Finally, you must set up the Prophet 21 system for integration with AD. First, you must enable AD integration in the system settings, and then you must set up a series of roles in the Active Directory Role to Prophet 21 User Maintenance window.

1. Log into the Prophet 21 system with administrator privileges.

2. From the Module menu, select System Setup. The System Setup module opens.

3. From the System menu, select System Settings. The System Settings window opens.

4. Expand the System Setup folder in the left pane.

5. Click the Active Directory node under the System Setup folder. The node’s system settings display in the right pane.

6. Select the Enable Active Directory Integration checkbox. This will make the rest of the fields in this node editable, and will enable the Active Directory Role to Prophet 21 User Maintenance window.

7. Go to the Active Directory Role to Prophet 21 User Maintenance window and set up your groups. See the Setting Up AD Roles in Prophet 21 section below for more details.

Important! Before you enter any further details or enable any checkboxes here, ensure that you have set up your users for Active Directory integration as described in this section and in the sections above. If you do not, the system will prevent any users not set up from accessing the Prophet 21 system.

8. After you have set up your users, enable the rest of the checkboxes and fields as desired (for more information on each field, see the table below).

9. Click the Save button to save the record.

[pic]

|Field: |Description: |
|Enable Active Directory Integration |Enables access to all of the AD integration logic in the application, including the setup fields for AD integration on this window, and the Active Directory Role to Prophet 21 User Maintenance window in this module. This does not make the application check AD logins when users log in. |
|Use Active Directory Roles |Determines if the system checks AD integration information in the Active Directory schema for each user login. This setting is what “turns on” the integration: after you enable this setting, all of your users must be set up to use AD integration or they will not have access to Prophet 21. |
|Override User Settings with Role Change |Determines if users will keep their user settings when a role changes, or if they will receive only the new settings associated with their “acts like user” if their role changes. If this setting is checked, users will always get the settings of the new role when you change their role in AD. |
|Delete P21 Users that Do Not Exist in AD |Determines if the system makes a nightly check of AD users. If you enable this checkbox, each night the system will de-activate any Prophet 21 users who do not also have an AD account. |
|Active Directory Domain |Enables you to enter in each partition of your domain name preceded by DC= and separated by a comma (,) as in the picture above, where the domain is P21AD.local. |

Setting Up AD Roles in Prophet 21

To set up AD roles in Prophet 21, you must use the Active Directory Role to Prophet 21 User Maintenance window.

|Field: |Description: |
|Active Directory Role |The AD role that will be entered into the AD integration component of your AD MMC. That role must match the role you enter in this field. |
|Acts Like User |Determines the default user settings (settings from User Maintenance) that will accompany a user logging in with this AD role. |
|Status |Determines if the role/user combination is currently valid in the system. |

For each Prophet 21 role you have set up in AD, you must have a corresponding AD role record defined in Prophet 21. You can use the Query tab to find existing roles, and edit them in the Form View or List View tabs.
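
Because enabling Use Active Directory Roles locks out every user who is not fully set up, the following added example (not part of the original documentation or of Prophet 21) shows a pre-flight check that compares an export of AD users against the role records entered in Prophet 21. The export format, the "Active"/"Inactive" status values, the sample records, and the treatment of a case or spacing difference as a mismatch are all assumptions.

```python
# Added example: pre-flight check to run before enabling "Use Active Directory Roles".
# Data shapes, status values and all sample records are assumptions for illustration.
REQUIRED = ("adRole", "location", "branch", "company")

def preflight(ad_users, role_map, company_ids):
    """Return {username: [problems]} for users whose AD-integrated login would fail."""
    # Index the Prophet 21 roles loosely so near-miss spellings can be reported.
    loose = {name.strip().lower(): name for name in role_map}
    findings = {}
    for user in ad_users:
        problems = [f"{attr} is not set" for attr in REQUIRED
                    if not (user.get(attr) or "").strip()]
        role = user.get("adRole") or ""
        key = role.strip().lower()
        if key:
            if role in role_map:
                _acts_like, status = role_map[role]
                if status != "Active":
                    problems.append(f"role '{role}' is not Active in Prophet 21")
            elif key in loose:
                problems.append(f"role '{role}' differs from '{loose[key]}' only by case or spacing")
            else:
                problems.append(f"role '{role}' has no record in Prophet 21")
        company = (user.get("company") or "").strip()
        if company and company not in company_ids:
            problems.append(f"company '{company}' is not a Prophet 21 company ID")
        if problems:
            findings[user["sAMAccountName"]] = problems
    return findings

# Constructed sample data (not from a real system).
# role_map mirrors the maintenance window: AD role -> (acts-like user, status).
ROLE_MAP = {"Sales": ("SALES_TEMPLATE", "Active"), "Warehouse": ("WH_TEMPLATE", "Inactive")}
COMPANIES = {"ACME"}
USERS = [
    {"sAMAccountName": "jdoe", "adRole": "Sales", "location": "100", "branch": "01", "company": "ACME"},
    {"sAMAccountName": "asmith", "adRole": "sales ", "location": "100", "branch": "01", "company": "ACME"},
    {"sAMAccountName": "bwong", "adRole": "Warehouse", "location": "200", "branch": "", "company": "ACME"},
    {"sAMAccountName": "cnew", "location": "100", "branch": "01", "company": "ACMEE"},
]

if __name__ == "__main__":
    for name, problems in preflight(USERS, ROLE_MAP, COMPANIES).items():
        print(name, "->", "; ".join(problems))
```

Any user listed in the result should be corrected in AD, or the matching role record fixed in Prophet 21, before the Use Active Directory Roles checkbox is enabled.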
