3.1 Managing User Accounts

Microsoft Windows relies on the user account type to determine access permissions for the associated user account. A user account can be global or local. DRA also supports InetOrgPerson objects, but recognizes InetOrgPerson objects as normal users.

Global user account

A user account that can be used in any domain that trusts the domain in which the user account was created. You can grant specific permissions to a user account. You can also make a user account a member of a group and then assign permissions to that group. Grouping user accounts helps simplify the process of managing network permissions for many user accounts.

Local user account

A user account that is restricted to the computer on which it was created. Local user accounts allow users from NetWare, LAN Manager, and IBM LAN Server environments to use resources in a Microsoft Windows computer.

3.1.1 User Accounts in Trusted Domains

Microsoft Windows stores user account and group definitions in the directory of the managed domain. Therefore, an Administration server cannot modify the directory information from a trusted domain unless that domain is also managed by DRA.

For example, in the Account and Resource Management console, you may see user accounts and groups that you cannot modify. These user accounts and groups are defined in domains trusted by one of the managed domains. However, you can add accounts and groups from a trusted domain to other groups in the managed domain.

To modify user accounts or groups in a managed domain, you must first connect to the Administration server managing that domain. You must also have the appropriate powers to modify those user accounts or groups.

3.1.2 Transforming User Accounts

DRA offers you the ability to quickly and efficiently transform user accounts. When the individual associated with a user account transitions to new job responsibilities, you can use the transform capabilities of DRA. Taking advantage of job role templates, you can quickly add, remove, or update the group memberships associated with an account. Whether an individual is promoted, changes departments, or leaves the company, the ability to transform a user account will save you time, money, and guesswork.

Understanding the Transformation Process

You can use the transform user account capabilities to fulfill any of the following needs:

  • Remove group memberships from a user account

  • Add group memberships to a user account

  • Change user properties

  • Remove particular group memberships while adding other group memberships to a user account

Consider the following process before attempting to transform a user account:

  1. Decide whether you need to add, remove, or both add and remove group memberships.

  2. Review your current subtractive and additive templates to ensure you have the necessary template user accounts.

  3. If necessary, create any required template accounts.

  4. Complete the Transform User wizard.

As DRA transforms a user, the group memberships designated by the subtractive template are removed from the user account, while those memberships designated by the additive template are assigned to the user account. DRA leaves any memberships outside of the subtractive or additive templates intact.

For example, an individual in your outside sales department is transferred from US sales to European sales. Within your organization, you have both distribution groups and security groups that are unique for these sales teams and a number that are shared across all sales teams. The US sales team has the US Hotspots DL and the US Sales Mang DL distribution groups while the European sales team has Euro Hotspots and Euro Sales Mang distribution groups. Both teams are members of the Global Sales Sec security group, but also have individual site-specific security groups.

Your subtractive template, named US Sales Template, would be assigned the following group memberships:

  • US Hotspots DL

  • US Sales Mang DL

  • Global Sales Sec

  • US Sec

Your additive template, named Euro Sales Template, would be assigned the following group memberships:

  • Euro Hotspots DL

  • Euro Sales Mang DL

  • Global Sales Sec

  • Euro Sec

During the transformation process, the user account of the transferred sales person is first removed from all the group memberships designated by the US Sales Template, and then added to all the group memberships designated by the Euro Sales Template. If this individual was also a member of the Poker Players distribution group, this group membership remains untouched.

The following powers allow an Assistant Admin to further modify a user account during the transformation process:

  • Modify Address Properties while Transforming a User Account

  • Modify Description while Transforming a User Account

  • Modify Office while Transforming a User Account

  • Modify Telephone Properties while Transforming a User Account

You can also restrict the ability to add or remove group memberships by giving an Assistant Admin only one of the following powers:

  • Add a user to groups found in a template

  • Remove a user from groups found in a template

You can use either of these power-based limiting options to create a layer of security within your organization. By allowing certain individuals the power to only remove groups found in a template, you can create interim user accounts. These interim accounts can then be reviewed before a different Assistant Admin uses an additive template account to grant the new group memberships.
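The template arithmetic from the US-to-European sales example, and the interim account that results when an Assistant Admin holds only the remove power, as an added Python model (not DRA code and not part of the original guide). The function, class and constant names are hypothetical, and the model assumes that an admin holding only one of the two powers performs only that half of the transformation.

```python
# Added illustration: a model of the template arithmetic described above.
# It does not call DRA; every function, class and constant name is hypothetical.
from dataclasses import dataclass

# Group names taken from the example in the text.
US_SALES_TEMPLATE = frozenset({"US Hotspots DL", "US Sales Mang DL", "Global Sales Sec", "US Sec"})
EURO_SALES_TEMPLATE = frozenset({"Euro Hotspots DL", "Euro Sales Mang DL", "Global Sales Sec", "Euro Sec"})

REMOVE_POWER = "Remove a user from groups found in a template"
ADD_POWER = "Add a user to groups found in a template"


@dataclass(frozen=True)
class TransformPreview:
    final: frozenset        # memberships after the steps this admin may perform
    removed: frozenset      # memberships the user loses
    added: frozenset        # memberships the user gains
    untouched: frozenset    # memberships outside both templates
    pending_add: frozenset  # additive-template groups still missing afterwards


def preview_transform(current, subtractive, additive, powers):
    """Model: subtractive template removed first, additive template assigned second."""
    current = frozenset(current)
    state = current
    if REMOVE_POWER in powers:   # assumption: without the power, this half is skipped
        state = state - subtractive
    if ADD_POWER in powers:
        state = state | additive
    return TransformPreview(
        final=state,
        removed=current - state,
        added=state - current,
        untouched=current - subtractive - additive,
        pending_add=additive - state,
    )


# Constructed sample user: the US sales person who also belongs to Poker Players.
USER_GROUPS = US_SALES_TEMPLATE | {"Poker Players"}
full = preview_transform(USER_GROUPS, US_SALES_TEMPLATE, EURO_SALES_TEMPLATE, {REMOVE_POWER, ADD_POWER})
interim = preview_transform(USER_GROUPS, US_SALES_TEMPLATE, EURO_SALES_TEMPLATE, {REMOVE_POWER})

if __name__ == "__main__":
    print("full transform :", sorted(full.final))
    print("interim account:", sorted(interim.final))
    print("awaiting review:", sorted(interim.pending_add))
```

In the modelled interim state the account also lacks Global Sales Sec, because that group is in the subtractive template and is restored only by the additive step.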

Creating User Transformation Templates

Transformation of user accounts is directly tied to the roles and job ladders of your organization. Consider creating a template for each role or job within your company. DRA makes no distinction between a user account template used as subtractive versus additive. Create a single template user account for each role within your organization. During the transformation, you select the template as subtractive or additive. Selecting a template as subtractive does not stop the same template from being used as additive in a future transformation.

To create a user transformation template, you must have the powers to create a user account and assign that user account to the appropriate groups. You can obtain these powers by associating your account with the Create and Delete User Accounts and the Group Administration roles in the appropriate ActiveViews, or by assigning the individual powers.

Transforming User Accounts

Transforming a user account allows you to add, remove, or both add and remove user account group memberships. Use this workflow to help you when individuals transition from one job responsibility to another within your organization. You must have the Transform a User role or a role that contains the appropriate powers to transform user accounts.

To transform a user account:

  1. In the left pane, expand All My Managed Objects.

  2. To specify the user account you want to manage, complete the following steps:

    1. If you know the account location, select the domain and OU that contains this user account.

    2. In the search pane, specify the account attributes, and then click Find Now.

    3. In the list pane, select the appropriate user account.

  3. Click Tasks > Transform.

  4. Review the Welcome window, and then click Next.

  5. On the Select User Template window, use Browse to select the appropriate subtractive template user.

  6. If you want to review the properties of the subtractive template user account, click View.

  7. Use Browse to select the appropriate additive template user.

  8. If you want to review the properties of the additive template user account, click View.

  9. If you have the appropriate powers, you can check Change other properties of the user and select properties to modify. Click Next to navigate through the properties available. For more information, click ?.

  10. Click Next.

  11. Review the Summary window, and then click Finish.