Adding Local Windows Servers

If you have Windows servers with local users and groups, you can add those servers to EmpowerID as managed account stores. This allows you to inventory local users and groups and manage those objects from EmpowerID, providing you with automated role-based access control, delegated permissions administration, provisioning policy capabilities with a full audit trail of any actions involving those objects.

Adding Windows Local Servers to EmpowerID involves the following:


To add local Windows servers to EmpowerID

This topic provides a quick overview of the process for connecting to local Windows servers. For a more detailed presentation of the process for connecting EmpowerID to user directories, see Connecting to Active Directory.

  1. From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
  2. In Configuration Manager, expand the User Directories node in the navigation tree, and then click Account Stores.
  3. Click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the Local Windows Users Security Boundary type from the drop-down list and then click OK.
  5. In the Security Boundary Details window that opens, do the following:
    1. Type a name and display name for the local Windows server in the Name and Display Name fields, respectively.
    2. Type the fully qualified, resolvable DNS name of the server in the FQN field.
    3. Select Local Windows Users from the Type drop-down. This is the default selection.
    4. If the server is a member of a domain that EmpowerID has already inventoried, select Computer is Member of a Domain. This tells EmpowerID not to create a new computer object for the local users server, but to link it to the computer object already inventoried from the domain.
    5. If the server does not belong to an inventoried domain, leave Computer is Member of a Domain deselected. This tells EmpowerID to create a new computer object for the server, which makes the server visible in the EmpowerID user interfaces.

    6. Click Save.
  6. Back in the main Configuration Manager screen, locate the Local Windows account store you just created and double-click it or right-click it and select Edit from the context menu.
  7. This opens the Account Store Details screen for the local Windows users server. You use this screen to configure the EmpowerID settings for the account store, as described in the following section.

To configure the Local Windows server account store

Before configuring EmpowerID to manage the account store, decide whether you want any provisioning policies applied to the local users inventoried from the server. If you do, as a best practice create those policies before inventorying the server. For more information on provisioning policies, see Understanding Resource Entitlements.
  1. In the General pane of the Account Store Details tab, click the Edit button to the right of Connection Account.
  2. In the Proxy Connection Account window that appears, do the following:
    1. Type the NetBIOS name of the server in the NetBios Domain field.
    2. Type the name of a user account with local administrator privileges on the server. This user account can be either a domain user account or a local user account.
    3. Type the password for the account in the Password field.
    4. Click OK to close the Proxy Connection Account window.
  3. If you selected Computer is Member of a Domain when you created the connection earlier, you will see a field for Active Directory Computer. If this is the case, click the Edit button to the right of Active Directory Computer.
  4. If the computer does not belong to an inventoried domain, skip to step 5.
  5. In the Select a Computer window that appears, search for and select the appropriate domain computer and then click OK. This tells EmpowerID that the domain computer has local users and groups that need to be inventoried as well as the domain users and groups.
  6. Please note that the selected computer must belong to an Active Directory domain that EmpowerID is already inventorying or an error will occur when you turn on inventory. For information on connecting to Active Directory, see Connecting EmpowerID to Active Directory.

  7. Back in the General pane of the Account Store Details screen, leave Allow Person Provisioning set to false (red sphere). This is the recommended setting: it keeps Person objects from being provisioned for any user accounts discovered during inventory.
  8. Select or deselect Allow RET Provisioning and Allow RET Deprovisioning based on whether you want any provisioning policies to be applied to the local users inventoried from the server.
  9. In the Inventory pane of the Account Store Details screen, toggle Enable Inventory from a red sphere to a green check to turn on inventory.
  10. After several moments, you should see the Inventory pane update to show the number of local users and computers inventoried.

Managing Local Groups

  1. Log in to the EmpowerID Web application as an administrator.
  2. From the Navigation Sidebar, navigate to Computer Manager by expanding Resources and clicking Computers.
  3. In Computer Manager, search for the local Windows user computer and then click the Display Name link for the computer record.
  4. This directs you to the View One page for the computer. View One pages allow you to view and edit the objects to which they are linked.

    You should see a Local Computer Groups accordion on the page. This accordion only appears on View One pages linked to computers that have been inventoried for local Windows users.

  5. Expand the Local Computer Groups accordion. You should see the local groups on the computer.
  6. From the Local Computer Groups accordion, locate the Administrators group and click the Logon Name link for it.
  7. This directs you to the View page for the Administrators group for the local Windows computer.

    By default, EmpowerID flags the Administrators group as a High Security Group (as can be seen in the Flags section of the group's View page). This is useful for reporting and audit control.
  8. Expand the Group Members accordion. You should see all people who are members of the group. If the computer is a local Windows computer that also belongs to an inventoried domain, any of the local groups can contain both local and domain user accounts. In the below image, both types are members. You can tell the difference by the value of the Account Domain field: in our example, EID is the local computer and EIDDOC is a full domain.
  9. You can add and remove members from the group as needed. To add a member, you type the name of a user account in the Enter Search field and click the tile for that user account to select it.
  10. You can remove existing members by ticking the box to the left of the user account you want to remove.
  11. Notice that the Added and Removed flags have updated to show the number of user accounts being added and removed from the group.

    You can review what has been added and removed by clicking the drop-down arrow to the right of the flags.

  12. To submit your changes, click either of the Submit buttons. (If you have the drop-down opened, you can click the Submit there, or you can click the larger Submit button.)
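The Group Members accordion above shows local and domain members side by side, distinguished by the Account Domain field, with Administrators flagged as a High Security Group. The following PowerShell script is an added example, not part of the EmpowerID documentation or product, that produces the same view directly on the server so you can cross-check what EmpowerID inventoried and keep a baseline for detecting membership drift. It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later) and local administrator rights; the function name Get-LocalAccountSnapshot and the output path are my own choices.

```powershell
# Added example (not EmpowerID code): snapshot the local users and local group
# members on a Windows server for comparison with the EmpowerID inventory and
# for review of the high security (Administrators) group membership.
# Assumes the built-in Microsoft.PowerShell.LocalAccounts module and local admin rights.

function Get-LocalAccountSnapshot {
    [CmdletBinding()]
    param(
        # Groups to mark as high security, mirroring EmpowerID's default flag on Administrators
        [string[]]$HighSecurityGroups = @('Administrators')
    )

    $computer = $env:COMPUTERNAME

    # Local user accounts, including built-ins such as Administrator and Guest
    $users = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Computer        = $computer
            Name            = $_.Name
            Enabled         = $_.Enabled
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
        }
    }

    # One row per (group, member); domain and local members are told apart the same
    # way EmpowerID's Account Domain field does: 'COMPUTER\user' vs 'DOMAIN\user'
    $memberships = foreach ($group in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Group $group.Name -ErrorAction Stop
        } catch {
            # Orphaned SIDs in a group can make enumeration fail on some builds; record and continue
            Write-Warning "Could not enumerate '$($group.Name)': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $domain, $account = $m.Name -split '\\', 2
            [pscustomobject]@{
                Computer      = $computer
                Group         = $group.Name
                HighSecurity  = ($HighSecurityGroups -contains $group.Name)
                Member        = $account
                AccountDomain = $domain
                Source        = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount or Unknown
                ObjectClass   = $m.ObjectClass       # User or Group
            }
        }
    }

    [pscustomobject]@{
        Users       = $users
        Memberships = $memberships
    }
}

# Run on the server itself; for a remote server use
#   Invoke-Command -ComputerName <server> -ScriptBlock ${function:Get-LocalAccountSnapshot}
$snapshot = Get-LocalAccountSnapshot

# Review the high security group, the same membership the Administrators View page shows
$snapshot.Memberships |
    Where-Object HighSecurity |
    Format-Table Group, Member, AccountDomain, Source, ObjectClass -AutoSize

# Keep a timestamped baseline (constructed path); later runs can be diffed with
#   Compare-Object (Import-Csv old.csv) (Import-Csv new.csv) -Property Group, Member
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$snapshot.Memberships |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\local-groups-$env:COMPUTERNAME-$stamp.csv"
```

Comparing two baselines after an inventory run shows exactly which accounts were added to or removed from each local group, which is the audit trail you would expect EmpowerID's own change history to agree with.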

As just demonstrated with local groups, you can manage the local users in the Local Windows User account store similarly. This is demonstrated in the below section.

To manage local users

  1. Log in to the EmpowerID Web application as an administrator.
  2. From the Navigation Sidebar, navigate to the User Management page by expanding Identities and clicking User Accounts.
  3. In the Locations pane of the User Management page, search for the Local Windows User computer and then click the node for the location.
  4. You should see all the local user accounts on the server in the grid. This includes all built-in user accounts, such as the Administrator and Guest accounts.

  5. From the grid, select a user account and click the LogonName link for that user account.
  6. This directs you to the View One page for the local Windows user account. View One pages allow you to view and edit the objects to which they are linked.

    All user accounts have View One pages; however, View One pages for local Windows user accounts display less information than the View One pages for domain user accounts.
  7. Expand the Group Membership accordion. You should see all of the local groups of which the user is currently a member.
  8. You can add the user to any of the local groups on the local Windows server by typing the name of the group in the Enter name to add field and clicking the tile for that group.
  9. If you don't know the name of the group, you can click the field and press ENTER to bring up all the local groups (shown below).

  10. You can remove the user account from a current group by ticking the box to the left of the group from which you want to remove the user.
  11. Notice that the Added and Removed flags have updated to show the number of groups to and from which the user is being added and removed.

    You can review what has been added and removed by clicking the drop-down arrow to the right of the flags.

  12. To submit your changes, click either of the Submit buttons. (If you have the drop-down opened, you can click the Submit button there, or you can click the larger Submit button.)
  13. The View One page contains several other accordions, similar to the accordions on the View One pages for domain user accounts. These accordions are as follows:
    • Resultant Membership - This accordion allows you to view all groups in which the user account is a member, including those granted by indirect means, such as by RET policies.
    • Actions - This accordion displays a list of actions that can be performed against the user account by delegated users, such as Create Person From Account and Delete Account.
    • Additional Information - This accordion allows you to view audit and other reporting information about the user account, such as Who Has Access to this User Account and Audit History for this User Account.