Active Roles 7.6 - User Guide

• About groups
• Group management tasks
• Using temporal group memberships

Groups are Active Directory objects used to collect users, contacts, computers, and other groups into manageable units. There are three kinds of groups:

• Security groups  Used to manage user and computer access to shared network resources. When assigning permissions to access resources, administrators assign permissions to security groups rather than to individual users.
• Distribution groups  Used as e-mail distribution lists. Distribution groups have no security function.
• Query-Based Distribution groups  Used also as e-mail distribution lists but the difference is that members of such a group are not specified statically. Membership of these groups is built in dynamic manner using LDAP queries.

In this document, security and distribution groups are collectively referred to as groups. As for Query-based distribution groups, these are considered a separate category of groups.

Each group has a scope: universal, global, or domain local.

• Universal groups can include groups and accounts from any domain in the domain tree or forest, and can be granted permissions in any domain in the domain tree or forest.
• Global groups can only include groups and accounts from the domain in which the group is defined. Global groups can be granted permissions in any domain in the forest.
• Domain local groups can include groups and accounts from other domains. These groups can only be granted permissions within the domain in which the group is defined.

A group can be a member of another group. This is referred to as group nesting. Group nesting increases the number of affected member accounts and thus consolidates group management. Accounts that reside in a group nested within another group are indirect members of the nesting group.

Active Roles provides the facility to perform administrative tasks such as create copy, rename, modify, and delete groups. It can also be used to add and remove members from groups and perform Exchange tasks on groups.

The following section describes how to use the Active Roles console to manage groups. You can also use the Active Roles Web Interface to perform the group management tasks.

This section covers the following tasks:

• Creating a group
• Finding a group
• Copying a group
• Modifying group properties
• Changing group type and group scope
• Renaming a group
• Assigning a manager over a group
• Adding members to a group
• Removing members from a group
• Performing Exchange tasks on a group
• Moving groups
• Exporting and importing groups
• Deleting groups
• Deprovisioning groups
• Restoring deprovisioned groups
• Administering query-based distribution groups
• Administering dynamic (rule-based) groups

You can create a group as follows: in the console tree, right-click the container where you want to add the group, select New | Group, and then follow the instructions in the wizard.

In the wizard, some property labels may be displayed as hyperlinks. In the following figure, these are Group name and Group name (pre-Windows 2000). The hyperlink indicates that Active Roles enforces certain policy restrictions on the property. To examine policy details, click the hyperlink: the policy information is displayed (see Getting policy-related information earlier in this document).

Figure 10: Creating a group

The policy information is also displayed whenever you supply a property value that violates a policy restriction. The wizard cannot proceed until you enter an acceptable value.