Modifying non-encrypted registry settings

To modify the non-encrypted registry settings, complete the following steps:

Procedure

At the Agent Registry Menu, type A to display the Non-encrypted Registry Settings Menu.

Agent Registry Items
-----------------------------------
01. CreateUNCHomeDirectories  'FALSE'
02. DeleteUNCHomeDirectories  'FALSE'
03. delRoamingProfileOnDeprov	'FALSE'
04. delUNCHomeDirOnDeprov		'FALSE'
05. ForceRASServerLookup      'FALSE'
06. ForceTerminalServerLookup 'FALSE'
07. IsRUSRunning              'TRUE'
08. MailboxPermissionsEnabled	'FALSE'
09. ManageHomeDirectories     'FALSE'
10. NotifyIntervalSeconds     '300'
-----------------------------------
           Page 1 of 3

A. Add new attribute
B. Modify attribute value
C. Remove attribute

D. Next Page

X. Done

Select menu option:D
Agent Registry Items
------------------------------------
11. SupportedProxyEmailTypes	'STMP:,X400:'
12. ReconHomeDirSecurity      'FALSE'
13. ReconPrimaryGroup         'TRUE'
14. SearchExchangeApiValues   'False'
15. SearchPasswordSettings    'FALSE'
16. UnlockOnPasswordReset     'FALSE'
17. useDefaultDC					'FALSE'
18. useSSL								'FALSE'
19. WtsDisableSearch          'TRUE'
20. WtsEnabled                'FALSE'
-------------------------------------
           Page 2 of 3

A.  Add new attribute
B.  Modify attribute value
C.  Remove attribute

E.  Prev Page

X.  Done

Select menu option:

Agent Registry Items
-----------------------------------
01. CreateUNCHomeDirectories  'FALSE'
02. DeleteUNCHomeDirectories  'FALSE'
03. delRoamingProfileOnDeprov	'FALSE'
04. delUNCHomeDirOnDeprov		'FALSE'
05. ForceRASServerLookup      'FALSE'
06. ForceTerminalServerLookup 'FALSE'
07. ManageHomeDirectories     'FALSE'
08. NotifyIntervalSeconds     '300'
09. ReconHomeDirSecurity      'FALSE'
10. ReconPrimaryGroup         'TRUE'
-----------------------------------
           Page 1 of 3

A. Add new attribute
B. Modify attribute value
C. Remove attribute

D. Next Page

X. Done

Select menu option:D
Agent Registry Items
------------------------------------
11. SearchPasswordSettings    'FALSE'
12. UnlockOnPasswordReset     'FALSE'
13. useDefaultDC					'FALSE'
14. useSSL								'FALSE'
15. WtsDisableSearch          'TRUE'
16. WtsEnabled                'FALSE'
-------------------------------------
           Page 2 of 3

A.  Add new attribute
B.  Modify attribute value
C.  Remove attribute

E.  Prev Page

X.  Done

Select menu option:

Type the letter of the menu option for the action that you want to perform on an attribute.

Table 1. Attribute configuration option descriptions

Option Configuration task

A Add new attribute

B Modify attribute value

C Remove attribute
Type the registry item name, and press Enter.
If you selected option A or B, type the registry item value and press Enter.

The non-encrypted registry settings menu reappears and displays your new settings.

Table 1. Attribute configuration option descriptions
Option	Configuration task
A	Add new attribute
B	Modify attribute value
C	Remove attribute

Results

The following table describes the registry keys and their available settings:

Table 2. Registry key descriptions
Key	Description
CreateUNCHomeDirectories	If this key is set to TRUE, the key enables creation of the UNC home directory. The default value is FALSE.
DeleteUNCHomeDirectories	If this key is set to TRUE, the key enables deletion of the UNC home directory on delete. The default value is FALSE.
delRoamingProfileOnDeprovision	If this key is set to TRUE, the key enables user profile directory deletion when the user is de-provisioned. After successfully deleting the user from the Active Directory, the adapter deletes the user home directory, subdirectories, and files. If this key is set to FALSE, or if the key does not exist, the adapter does not delete the user home directory. The default value is FALSE.
delUNCHomeDirOnDeprovision	If this key is set to TRUE, the key enables UNC Home directory deletion when the user is de-provisioned. After successfully deleting the user from the Active Directory, the adapter deletes the user home directory, subdirectories, and files. If this key is set to FALSE, or if the key does not exist, the adapter does not delete the user home directory. The default value is FALSE.
ForceRASServerLookup	If this key is set to TRUE, the RASServer is always found from the domain information. If this key is set to FALSE, one of these conditions exist: If the target server is specified in the base point, the target server is used as the RAS server. If the target server is not specified in the base point, the RAS server is found from the domain information. The default value is FALSE.
ForceTerminalServerLookup	If this key is set to TRUE, the terminal server is always found from the domain information. If this key is set to FALSE, one of these conditions exist: If the target server is specified in the base point, the target server is used as the terminal server. If the target server is not specified in the base point, the terminal server is found from the domain information. The default value is FALSE.
ManageHomeDirectories	If this key is set to TRUE, the adapter performs Add and Delete operations for actual directories. If this key is set to FALSE, the adapter updates only the home directory information in the Active Directory. The default value is FALSE.
NotifyIntervalSeconds	This key specifies the interval (in seconds) after which the adapter enabled event notification process starts. It can be modified by using the agentCfg tool. The default value is 300 seconds.
ReconHomeDirSecurity	If this key is set to TRUE, the adapter brings the Home Security information (NTFS security, share name, and share security) during a reconciliation. The default value is FALSE. The reconciliation operation is fast when this key is set to FALSE.
ReconPrimaryGroup	The recon operation does not add the primary group to the group list. The memberof attribute in Active Directory stores the user’s group membership, except the primary group. The primaryGroupID attribute in Active Directory stores the primary group of the user. As a result the primary group must be explicitly added to group list. If this key is set to TRUE, the primary group is added to the group list. If this key is set to FALSE, the primary group is not added to the group list. The default value is FALSE.
SearchPasswordSettings	Most of the password attributes are stored in the Active Directory and are directly retrieved. But some (for example, Require Unique Password and User Cannot Change Password) are not stored in the Active Directory. These attributes must be retrieved by using APIs. If this key is set to TRUE, the password attributes are retrieved by using the respective API. If this key is set to FALSE, the attributes are not retrieved. The default value is FALSE. When this key is set to FALSE, the password flag attributes are not retrieved and the reconciliation operation is fast.
UnlockOnPasswordReset	If this key is set to TRUE, the adapter activates the user on a password change request. The default value is FALSE.
useDefaultDC	This key provides failover capability for the adapter when the host specified in the base point is not available. If the adapter cannot connect to the host specified in the base point and the key is set to TRUE, the adapter connects to the base point without the host name. If this key is set to TRUE, the key affects RASServer and Terminal server lookup behavior. The default value is FALSE.
useSSL	This key enables SSL communication between the adapter and the Active Directory. If this key is set to TRUE, the adapter uses SSL to communicate with the Active Directory. If this key is set to FALSE or does not exist, the adapter does not use SSL. The default value is FALSE.
WtsDisableSearch	This key takes effect only if WtsEnabled is set to TRUE. If set to FALSE, this key enables a reconciliation of the WTS attributes. If set to TRUE, the reconciliation is faster. The default value is FALSE.
WtsEnabled	If this key is set to TRUE, the key enables processing of Windows Terminal Server (WTS) attributes. The default value is FALSE.
UseGroup	You can set this key to one of the following options: CN: When you set this key to CN, the adapter performance for add, modify, and reconciliation is lesser compared to the DN option. This lessening of performance is because adapter must perform extra binds to the Active Directory. DN: When you set this key to DN, the adapter performance for add, modify, and reconciliation is higher compared to the CN and GUID options. GUID: When you set this key to GUID, the adapter performance for add, modify, and reconciliation lesser compared to DN, however, higher compared to CN. Depending on the key the adapter retrieves the value for group during the reconciliation operation and processes during the add and modify operation of the adapter. When you change the value of this key, you must modify the profile and import it again on IBM® Security VerifyIBM Security Identity Governance and IntelligenceIBM Security Privileged Identity Manager. The default value is DN.
ReconMailboxPermissions	When this key is set to FALSE, the adapter does not retrieve the Mailbox Permission information. The reconciliation operation is fast when this key is set to FALSE. The default value is TRUE.
UPNSearchEnabled	When the registry key UPNSearchEnabled is set to FALSE, the adapter does not perform a search on the User Principal Name for uniqueness. It creates the user account with the supplied or generated value of the User Principal Name. When the registry key UPNSearchEnabled is set to TRUE, the adapter performs a search on the User Principal Name to ensure the uniqueness. The default value is TRUE. Note: This key is used only for the user add operation.
UseITIMCNAttribute	When this key is set to `TRUE`, the adapter uses IBM Security VerifyIBM Security Identity Governance and IntelligenceIBM Security Privileged Identity Manager common schema attribute cn. The adapter processes the cn attribute for add, modify, and reconciliation operations. When this key is set to `FALSE`, the adapter uses the erADFullName attribute for add, modify, and reconciliation operations. When you set this registry key to `FALSE`, you must customize the account form. The default value is `TRUE`.
MailUserRenameDelay	When you rename a user account with mail status, the Active Directory might take time to reestablish the user account mail status. This behavior causes the adapter to fail the exchange attributes in the rename request with the error message Error setting attribute name. User does not have a mailbox. In this case, renaming means modifying the Eruid and the User Principal Name attribute. When you use this key, the adapter waits before it modifies the exchange attribute when a user account is renamed. For example, set this key is set to 10 seconds. Submit a user account rename request. The adapter waits for 10 seconds before modifying the exchange attributes that are in the request. The default value of the registry key is 0 seconds. Note: The adapter uses this key only when the Eruid, User Principal Name, and the exchange attributes are modified.
SearchTimeout	In some of the Active Directory setups, the adapter might not complete the reconciliation operation. This failure occurs when the Microsoft ADSI API GetNextRow halts indefinitely. The adapter monitors the reconciliation operation. Set this registry key to a non-zero value. The adapter process ends if there is no activity by the adapter in the reconciliation operation for the time in seconds specified in this key. When you set the value of this registry key to 0 and if the adapter halts during the reconciliation operation, the reconciliation operation does not complete and the operation is timed out on IBM Security VerifyIBM Security Identity Governance and IntelligenceIBM Security Privileged Identity Manager. In this case, restart the adapter service. The default value of the registry key is 0 seconds.
LyncDisableSearch	If this key is set to TRUE, the key disables the Lync attributes. It excludes the Lync attributes, which are not stored as LDAP values and are retrieved with a powershell call, from search results. The Lync attributes can significantly affect the performance during a search. The default value is FALSE.

Note: The following registry keys are no longer used:

AbortReconOnFailure
OverrideX500Addresses

In addition to the listed adapter registry keys, you can add registry keys with a name as the value of Users BasePoint DN on the service form. You can also provide additional target servers for that service. Each target server must be separated by a |.

Example 1

When a Users BasePoint DN specified on service form is OU=TestOU,DC=MyDomain,DC=com, you can specify the list of target server(s) in the adapter registry by using agentCfg.exe as:

Create the registry with name OU=TestOU,DC=MyDomain,DC=com.
Specify the value for the key as DC01|DC02|DC03.

Example 2

When a Users BasePoint DN specified on service form is DC01|DC02|DC03/DC=MyDomain,DC=com, you can specify the list of additional target server(s) in the adapter registry by using agentCfg.exe as:

Create the registry with name DC=MyDomain,DC=com.
Specify the value for the key as DC04|DC05|DC06.

Note: When the base point or target server has Unicode characters, use the regedit to create registry keys under

HKEY_LOCAL_MACHINE\
SOFTWARE\Access360\ADAgent\Specific

The following tasks are performed when the RUS is turned on:

When an Exchange user ID is created, the entry is first created in the Active Directory. Initially, the user is inactive. The RUS activates the user ID, by setting the msExchUserAccountControl attribute to 0.
When a user, group or object is added to or modified in the Active Directory, the RUS determines which of the available address lists it belongs to. The service then adds the updated address list to the showInAddressBook attribute for the user, group, or object.

The adapter considers the msExchUserAccountControl and showInAddressBook attributes attributes and perform the preceding tasks when RUS is turned off and the IsRUSRunning attribute is set to FALSE. When you install the adapter, the default value of the IsRUSRunning flag is TRUE.

The following table lists the adapter behavior, depending on the value of the IsRUSRunning attribute and the status of the RUS:

Table 3. Expected adapter behavior
IsRUSRunning flag	RUS running on the resource	Behavior of the adapter
TRUE	TRUE	The adapter does not manage the msExchUserAccountControl and showInAddressBook attributes.
TRUE	FALSE	The adapter creates an entry in the log file and does not manage the msExchUserAccountControland showInAddressBook attributes.
FALSE	TRUE	The adapter creates an entry in the log file and does not manage the msExchUserAccountControl and showInAddressBook attributes.
FALSE	FALSE	The adapter manages the msExchUserAccountControl and showInAddressBook attributes.