Managing Third-Party Vendor Entitlements When Using Active Directory

When third-party vendors want to use Active Directory with the Delinea Connector to log in to the Delinea Platform, you must make the following changes to ensure that these third-party vendors can be granted the appropriate entitlements in Secret Server. (For more information about the Connector, see Delinea Connector.)

Notes:

  • Permissions: Ensure you have the necessary permissions to modify user attributes and schema changes.

  • Replication: Be aware of Active Directory replication delays if you're working in a multi-domain controller environment.

  • Testing: Always test schema changes in a development environment before applying them in production.

  • When the user logs in to the Delinea Platform, they will be granted appropriate third-party vendor entitlements.

To make user attribute and schema changes to ensure that third-party vendors can be granted the appropriate entitlements in Secret Server:

  1. Open the Active Directory Schema Console.

    1. Open a Command Prompt as an administrator.

    2. Type regsvr32 schmmgmt.dll and press Enter to register the Schema Management console.

    3. Type mmc and press Enter to open the Microsoft Management Console (MMC).

    4. In the MMC, choose File > Add/Remove Snap-in.

    5. Select Active Directory Schema and click Add, then click OK.

  2. Create an Attribute:

    1. In the Active Directory Schema console, right-click on Attributes and select Create Attribute.

    2. A prompt is displayed, warning that you cannot delete the attribute once it is created. Click Continue.

    3. Create a new custom attribute named platformUserMembershipType. Fill in the required fields: Common Name, LDAP Display Name, and OID.

      Ensure you have a unique X.500 object identifier (OID) for the attribute that is appropriate for your Active Directory forest; an OID that collides with an existing one cannot be undone later because schema attributes cannot be deleted. For more information, see Obtaining an Object Identifier from Microsoft on the Microsoft learning portal.

  3. Add an Attribute Class:

    1. Navigate to Classes in the Active Directory Schema console.

    2. Find and right-click the user class and select Properties.

    3. Choose the Attributes tab and click Add.

    4. Select the newly created attribute from the list and click OK.

  4. Assign the Custom Attribute to a User:

    After defining the custom attribute, you can assign it to users using tools like PowerShell or Active Directory Users and Computers (ADUC).

    Using PowerShell:

    To set a custom attribute for a user with PowerShell, use the following command:

    Set-ADUser -Identity $username -Add @{$attributeName = $attributeValue}

    Example: To add custom attribute platformUserMembershipType to the user jdoe and assign it a value of vendor:

    Set-ADUser -Identity "jdoe" -Add @{platformUserMembershipType = "vendor"} 

    To update the value for the attribute, use the -Replace parameter instead of -Add:

    Set-ADUser -Identity $username -Replace @{$attributeName = $attributeValue } 

    Example: To update the custom attribute platformUserMembershipType for the user jdoe and assign it a value of employee:

    Set-ADUser -Identity "jdoe" -Replace @{platformUserMembershipType = "employee"} 

    Using Active Directory Users and Computers:

    1. Open Active Directory Users and Computers from the Administrative Tools.

    2. Click on View and select Advanced Features.

    3. Edit User Properties:

      • Find the user, right-click, and select Properties.

      • Choose the Attribute Editor tab.

      • Locate your custom attribute and enter the desired value.

    4. Click OK or Apply to save the changes.
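    The following PowerShell script is an added example and is not part of the Delinea documentation or the Delinea product; it ties the steps above together from the administrator's side. It assumes the RSAT ActiveDirectory module is installed and that the account running it can modify the target user. The attribute name platformUserMembershipType is the one from this page; the user name jdoe and the values vendor and employee are constructed sample input. The script checks that the attribute really exists in the schema before touching any user, sets the value, reads it back from every domain controller so replication lag is visible, and finally lists every account carrying the vendor value so that set can be reviewed against the vendor roster.

```powershell
# Added example, not Delinea's code. Assumes the ActiveDirectory module (RSAT)
# and rights to modify the target user. Attribute name is from the page;
# user name and values are constructed sample input.
Import-Module ActiveDirectory

$attributeName = 'platformUserMembershipType'
$username      = 'jdoe'      # sample account
$value         = 'vendor'    # sample value ('employee' is the other value used on the page)

# 1. Confirm the attribute is defined in the schema (steps 2 and 3 of the page)
#    before assigning it to anyone; Set-ADUser would otherwise fail with an
#    unhelpful "attribute does not exist" error.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq '$attributeName'" `
    -Properties attributeID, attributeSyntax, isSingleValued
if (-not $attr) {
    throw "Attribute '$attributeName' is not defined in the schema; create it and add it to the user class first."
}
"Schema attribute {0}: OID {1}, syntax {2}, singleValued={3}" -f `
    $attr.lDAPDisplayName, $attr.attributeID, $attr.attributeSyntax, $attr.isSingleValued

# 2. Assign the value. -Replace works whether or not the attribute is already
#    populated, so it is the safer choice when the script is re-run; -Add on an
#    already-populated single-valued attribute raises an error.
Set-ADUser -Identity $username -Replace @{ $attributeName = $value }

# 3. Read the value back from every domain controller. Until replication has
#    converged, a Connector bound to a different DC may still see the old value.
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $username -Server $dc.HostName -Properties $attributeName
        $state = if ($u.$attributeName -eq $value) { 'OK' } else { 'NOT YET REPLICATED' }
        "{0,-35} {1} = '{2}' [{3}]" -f $dc.HostName, $attributeName, $u.$attributeName, $state
    } catch {
        "{0,-35} unreachable: {1}" -f $dc.HostName, $_.Exception.Message
    }
}

# 4. Audit: every enabled or disabled account currently tagged as a vendor.
#    Review this list against the vendor roster; an account that should not be
#    a vendor gets the attribute cleared (see the commented command below).
Get-ADUser -LDAPFilter "($attributeName=vendor)" -Properties $attributeName |
    Select-Object SamAccountName, Enabled, $attributeName |
    Format-Table -AutoSize

# To remove the marker from an account entirely (for example when a vendor
# engagement ends):
# Set-ADUser -Identity $username -Clear $attributeName
```

    Run the script from a host that can reach all domain controllers; step 3 is the practical check for the replication note above, and step 4 is worth scheduling periodically because the attribute value is what the Delinea Platform uses to decide which entitlements the account receives.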
