Implementing a custom ActiveView
An ActiveView provides real-time access to specific objects within one or more domains or OUs. You can add or remove objects from an ActiveView without changing the underlying domain or OU structure.
You may think of an ActiveView as a virtual domain or OU, or the results of a select statement or database view for a relational database. ActiveViews can include or exclude any set of objects, contain other ActiveViews, and have overlapping contents. ActiveViews can contain objects from different domains, trees, and forests. You can configure ActiveViews to meet any enterprise management need.
ActiveView Rules
An ActiveView can consist of rules that include or exclude objects such as user accounts, groups, OUs, contacts, resources, computers, resource mailboxes, shared mailboxes, dynamic distribution groups, group Managed Service Accounts, ActiveViews, and Entra ID objects such as Entra ID users, Microsoft Entra Tenants, Entra ID groups, and Entra ID contacts.
An ActiveView rule can include or exclude objects from Organizational Units (OUs), Domains, Member Servers, Entra ID Administrative Units (AUs), Tenants and Computers.
| Object Types | ActiveView Rule Scope |
|---|---|
| Accounts Object Types | OUs, Domains, Member Servers |
| Directory Object Types | Domains |
| Resources Object Types | Computers from OUs, Domains |
| Entra ID Object Types | AUs, Tenants |
The scope of a rule can be matched as 'any', 'specific' or 'wildcard'. This flexibility is what makes ActiveViews dynamic.
- Any: This criterion includes or excludes all objects of the selected type. It broadens the scope of the rule to encompass all OUs, AUs, Domains, Tenants or Member Servers.
- Specific: This criterion includes or excludes only specific objects of the selected type. It lets you target particular OUs, AUs, Domains, Tenants or Member Servers.
- Wildcard: This criterion lets you use wildcard characters to match multiple objects based on a name pattern.
For example, with wildcards, you can define a rule to include all computers with names matching DOM*. This wildcard specification will search for any computer account whose name begins with the character string DOM. Wildcard matching makes administration dynamic because accounts are automatically included when they match the rule. Thus, when you use wildcards, you do not need to reconfigure the ActiveViews as your organization changes.
Another example is defining ActiveViews based on group membership. You can define a rule that includes all members of groups that begin with the letters NYC. Then, as members are added to any group matching this rule, these members are automatically included in this ActiveView. As your enterprise changes or grows, DRA reapplies the rules to include or exclude the new objects in the proper ActiveViews.
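The following PowerShell script is an added illustration of how the 'any', 'specific' and 'wildcard' rule scopes described above combine to produce an ActiveView's membership. It is not DRA's own code and does not call DRA: the objects, OUs and rules are constructed for the example, PowerShell's `-like` operator stands in for DRA's wildcard matching, and the assumption that an exclude rule overrides a matching include rule is this example's, since the page does not state DRA's precedence.

```powershell
# Added illustration, not DRA's own code: evaluates include/exclude rules with
# 'Any', 'Specific' and 'Wildcard' scope over a constructed set of objects.
# Object names, OUs and rules below are constructed for the example.

$objects = @(
    [pscustomobject]@{ Name = 'DOM-FS01';  Type = 'Computer'; OU = 'OU=Servers,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'DOM-WS22';  Type = 'Computer'; OU = 'OU=Workstations,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'LAB-WS01';  Type = 'Computer'; OU = 'OU=Workstations,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'NYC-Sales'; Type = 'Group';    OU = 'OU=Groups,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'LON-Sales'; Type = 'Group';    OU = 'OU=Groups,DC=corp,DC=example' }
)

# Each rule: Action (Include/Exclude), object Type, Match (Any/Specific/Wildcard), Pattern
$rules = @(
    @{ Action = 'Include'; Type = 'Computer'; Match = 'Wildcard'; Pattern = 'DOM*' }     # all DOM* computers
    @{ Action = 'Exclude'; Type = 'Computer'; Match = 'Specific'; Pattern = 'DOM-WS22' } # but not this one
    @{ Action = 'Include'; Type = 'Group';    Match = 'Wildcard'; Pattern = 'NYC*' }     # all NYC* groups
)

function Test-RuleMatch {
    param($Object, $Rule)
    if ($Object.Type -ne $Rule.Type) { return $false }
    switch ($Rule.Match) {
        'Any'      { return $true }                               # every object of the type
        'Specific' { return $Object.Name -eq $Rule.Pattern }      # exact name
        'Wildcard' { return $Object.Name -like $Rule.Pattern }    # * and ? wildcards (PowerShell -like)
    }
    return $false
}

function Get-ActiveViewMembers {
    param($Objects, $Rules)
    foreach ($obj in $Objects) {
        $included = $false
        foreach ($rule in $Rules) {
            if (Test-RuleMatch -Object $obj -Rule $rule) {
                # Assumption for this illustration: an Exclude match wins over any Include match.
                if ($rule.Action -eq 'Exclude') { $included = $false; break }
                $included = $true
            }
        }
        if ($included) { $obj }
    }
}

# Expected members: DOM-FS01 (Computer) and NYC-Sales (Group).
# Adding a new 'DOM-FS02' computer to $objects would include it with no rule change.
Get-ActiveViewMembers -Objects $objects -Rules $rules | Format-Table Name, Type, OU
```

The point of the wildcard rules is visible in the last comment: a new object whose name fits the pattern becomes a member the next time the rules are applied, which is why wildcard-based ActiveViews need no reconfiguration as the directory grows.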
ActiveView Object Types
Accounts:
- Users
- Groups
- Computers
- Contacts
- Dynamic Distribution Groups
- Group Managed Service Account
- Published Printers
- Published Printer Print Jobs
- Resource Mailboxes
- Shared Mailboxes
- Public Folders
Directory Objects:
- Organizational Units
- Domains
- Member Servers
Delegation Objects (Other):
- ActiveViews
- Self Administration
- Direct Reports
- Managed Groups
Resources:
- All Resources
- Connected Users
- Devices
- Event Logs
- Open Files
- Printers
- Print Jobs
- Services
- Shares
Entra ID objects:
- Entra ID Users
- Entra ID Groups
- Entra ID Contacts
- Microsoft Entra Tenants
- Online Shared Mailbox
Entra ID Administrative Unit Integration
Entra ID Administrative Units (AUs) are containers within Microsoft Entra ID that hold Microsoft Entra ID objects such as Entra ID Users and Entra ID Groups. If Entra ID objects are placed in AUs, ActiveView rules can be scoped to Entra ID Users and Groups from those AUs.
Only a DRA Admin can create Entra ID User AV rules or group AV rules for a specific Entra ID Administrative Unit.
ExtensionAttribute Integration
You can configure any one of ExtensionAttributes 1 to 15 in an ActiveView rule, making it a crucial component in building resource access delegation for Entra ID objects such as Entra ID Users, Entra ID Groups, Entra ID Contacts and Online Shared Mailboxes. This requirement ensures that access control decisions within DRA are influenced by the values stored in the configured ExtensionAttribute.
To Enable ExtensionAttribute
To enable this feature, a specific registry key must be configured:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Data\Modules\Accounts\AzureAdditionalCachedAttributes
- Key: ConfiguredExtensionAttribute
- Values: ExtensionAttribute1 to ExtensionAttribute15
When you configure ConfiguredExtensionAttribute with a value between ExtensionAttribute1 and ExtensionAttribute15, the Cacheloader collects the specified extension attribute during Initial Attribute Collection (IACR) or Full Attribute Collection (FACR). The Win32 server displays options to create rules based on these extension attributes only if this key is configured. To disable this feature, either clear the value of the key or delete the key.
It is recommended to enable or disable the registry key only when it is necessary. When enabling or disabling the registry key, the Admin Server must be restarted for the changes to take effect.
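As an added example (not DRA's own tooling), the PowerShell below sets or removes the ConfiguredExtensionAttribute value at the registry path documented above, rejecting anything outside ExtensionAttribute1 to ExtensionAttribute15 before it touches the registry. The path and value name come from this page; the Admin Server service name is a placeholder you must replace, and the script must be run elevated on the Admin Server itself.

```powershell
# Added example, not DRA's own code: configure or clear the ConfiguredExtensionAttribute
# value that enables ExtensionAttribute-based ActiveView rules for Entra ID objects.
# Registry path and value name are taken from the documentation above.
$regPath   = 'HKLM:\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Data\Modules\Accounts\AzureAdditionalCachedAttributes'
$valueName = 'ConfiguredExtensionAttribute'

function Set-DraExtensionAttribute {
    param(
        [Parameter(Mandatory)]
        # Only ExtensionAttribute1..15 are valid; anything else is refused before writing.
        [ValidatePattern('^ExtensionAttribute([1-9]|1[0-5])$')]
        [string]$Attribute
    )
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null   # create the key if it does not exist yet
    }
    Set-ItemProperty -Path $regPath -Name $valueName -Value $Attribute -Type String
}

function Clear-DraExtensionAttribute {
    # The page allows either clearing the value or deleting it; this deletes it.
    $existing = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-ItemProperty -Path $regPath -Name $valueName
    }
}

# Enable rules on ExtensionAttribute7 (constructed choice) and show the stored value.
Set-DraExtensionAttribute -Attribute 'ExtensionAttribute7'
Get-ItemProperty -Path $regPath -Name $valueName | Select-Object -ExpandProperty $valueName

# The change only takes effect after the Admin Server is restarted.
# '<DRA Admin Server service name>' is a placeholder; substitute the real service name.
# Restart-Service -Name '<DRA Admin Server service name>'
```

Calling `Set-DraExtensionAttribute -Attribute 'ExtensionAttribute16'` fails at parameter validation, so a typo cannot leave the key set to a value the Cacheloader will never collect. Use `Clear-DraExtensionAttribute` to disable the feature, then restart the Admin Server and clear the cached attribute values as described in the next section.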
Clear database cache using PostgreSQL when ExtensionAttribute is disabled
- Log in to PostgreSQL.
- Add a new server in the PostgreSQL management tool (e.g., pgAdmin).
- In the General tab, enter DRA as the server name.
- In the Connection tab, enter the following details:
  - Hostname/Address: localhost
  - Port: 50105
  - Maintenance Database: DRA
- Navigate to <DRA Install Folder>\build\artifacts\bin.
- Copy the GetDBCredentials and GetDBCredentials.exe.config files.
- Paste the copied files into the DRA installer folder.
- Open Command Prompt from the DRA installer folder.
- Run the GetDBCredentials.exe -p command to generate the password.
- Copy the generated password.
- Return to the Connection tab in PostgreSQL and enter the generated password in the Password field.
- Click Save to connect to the DRA database.
- For Entra ID objects such as Entra ID Users, Entra ID Groups, Entra ID Contacts and Online Shared Mailboxes, select the query for the affected table and run it:

```sql
-- Clear the cached extension attribute for each Entra ID object type
UPDATE public.azure_groups
SET extensionattribute = NULL;

UPDATE public.azure_users
SET extensionattribute = NULL;

UPDATE public.azure_contacts
SET extensionattribute = NULL;
```