Managing Third-Party Vendor Entitlements When Using Active Directory

When third-party vendors want to use Active Directory with the Delinea Connector to log in to the Delinea Platform, you must make the following changes to ensure that these third-party vendors can be granted the appropriate entitlements in Secret Server. (For more information about the Connector, see Using the Delinea Connector.)

To make user attribute and schema changes to ensure that third-party vendors can be granted the appropriate entitlements in Secret Server:

  1. Open the Active Directory Schema Console.

    1. Open a Command Prompt as an administrator.

    2. Type regsvr32 schmmgmt.dll and press Enter to register the Schema Management console.

    3. Type mmc and press Enter to open the Microsoft Management Console (MMC).

    4. In the MMC, choose File > Add/Remove Snap-in.

    5. Select Active Directory Schema and click Add, then click OK.

  2. Create an Attribute:

    1. In the Active Directory Schema console, right-click on Attributes and select Create Attribute.

    2. A prompt is displayed, warning that you cannot delete the attribute once it is created. Click Continue.

    3. Create a new custom attribute named platformUserMembershipType. Fill in the required fields: Common Name, LDAP Display Name, and OID.

      Ensure you have a unique X.500 object identifier (OID) for the attribute that is appropriate for your Active Directory. For more information, see Obtaining an Object Identifier from Microsoft on the Microsoft learning portal.

  3. Add the Attribute to the user Class:

    1. Navigate to Classes in the Active Directory Schema console.

    2. Find and right-click the user class and select Properties.

    3. Choose the Attributes tab and click Add.

    4. Select the newly created attribute from the list and click OK.

  4. Assign the Custom Attribute to a User:

    After defining the custom attribute, you can assign it to users using tools like PowerShell or Active Directory Users and Computers (ADUC).

    Using PowerShell:

    To set a custom attribute for a user with PowerShell, use the following command:

    Set-ADUser -Identity $username -Add @{$attributeName = $attributeValue}

    Example: To add custom attribute platformUserMembershipType to the user jdoe and assign it a value of vendor:

    Set-ADUser -Identity "jdoe" -Add @{platformUserMembershipType = "vendor"}

    To update the value for the attribute, use the -Replace parameter instead of -Add:

    Set-ADUser -Identity $username -Replace @{$attributeName = $attributeValue}

    Example: To update the custom attribute platformUserMembershipType for the user jdoe and assign it a value of employee:

    Set-ADUser -Identity "jdoe" -Replace @{platformUserMembershipType = "employee"}
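    The following script is an added example and is not part of the Delinea documentation or product. It wraps the -Add and -Replace commands above in one function that chooses the correct parameter based on whether the attribute is already set, restricts the value to a known set, and reads the stored value back with Get-ADUser so the change can be verified. It assumes the RSAT ActiveDirectory module is installed and that platformUserMembershipType has already been added to the user class as described above; the function name, the allowed-value list, and the account names are assumptions constructed for the example.

```powershell
# Added example (not Delinea's code): set platformUserMembershipType for a list of
# accounts and read the value back to confirm what Active Directory actually stored.
# Assumes the RSAT ActiveDirectory module and a schema that already has the attribute.
Import-Module ActiveDirectory

$attributeName = 'platformUserMembershipType'
# Assumed set of values used by this environment; adjust to your own convention.
$allowedValues = @('vendor', 'employee')

function Set-PlatformMembershipType {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$Value
    )

    # Reject anything outside the agreed value set so a typo cannot grant the wrong entitlement.
    if ($allowedValues -notcontains $Value) {
        throw "Value '$Value' is not one of: $($allowedValues -join ', ')"
    }

    # -Properties is required: custom attributes are not returned by Get-ADUser by default.
    $user = Get-ADUser -Identity $SamAccountName -Properties $attributeName

    if ($null -eq $user.$attributeName) {
        # Attribute not yet present on this object: -Add creates it.
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add $attributeName = $Value")) {
            Set-ADUser -Identity $SamAccountName -Add @{ $attributeName = $Value }
        }
    } elseif ($user.$attributeName -ne $Value) {
        # Attribute already present with a different value: -Replace overwrites it.
        $current = $user.$attributeName
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Replace $attributeName '$current' with '$Value'")) {
            Set-ADUser -Identity $SamAccountName -Replace @{ $attributeName = $Value }
        }
    } else {
        Write-Verbose "$SamAccountName already has $attributeName = $Value; nothing to do."
    }

    # Return what is actually stored so the caller can verify the write.
    (Get-ADUser -Identity $SamAccountName -Properties $attributeName).$attributeName
}

# Constructed sample input: the vendor accounts to tag. Replace with your own list.
$vendorAccounts = @('jdoe', 'vendor.acme01')

foreach ($sam in $vendorAccounts) {
    $stored = Set-PlatformMembershipType -SamAccountName $sam -Value 'vendor' -Verbose
    [pscustomobject]@{ Account = $sam; $attributeName = $stored }
}

# Audit: list every account currently tagged as a vendor.
Get-ADUser -Filter "$attributeName -eq 'vendor'" -Properties $attributeName |
    Select-Object SamAccountName, $attributeName
```

    Because the function supports -WhatIf, you can run it once with -WhatIf to see which accounts would be added versus replaced before touching the directory. To remove the tag from an account that no longer needs it, use Set-ADUser with -Clear platformUserMembershipType; the audit query at the end is worth running periodically so that vendor accounts do not keep the entitlement after the engagement ends.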

    Using Active Directory Users and Computers:

    1. Open Active Directory Users and Computers from the Administrative Tools.

    2. Click on View and select Advanced Features.

    3. Edit User Properties:

      • Find the user, right-click, and select Properties.

      • Choose the Attribute Editor tab.

      • Locate your custom attribute and enter the desired value.

    4. Click OK or Apply to save the changes.

    Notes: