Active Roles provides the capability to automatically keep group membership lists up to date, eliminating the need to add and remove members manually. To automate the maintenance of group membership lists, Active Roles employs the following features:
- Rule-based mechanism that automatically adds and removes objects to groups whenever object attributes change in Active Directory.
- Flexible membership criteria that enable both query-based and static population of groups.
In Active Roles, rules-based groups are referred to as dynamic groups. The groups that have no membership rules specified are referred to as basic groups. Any security or distribution group can be converted to dynamic group by adding membership rules.
You can create a dynamic group by managing a basic group as follows: right-click the group, click Convert to Dynamic Group, select a rule type, and then configure a rule. For details, see “Steps for Adding a Membership Rule to a Group” in the Active Roles Administration Guide.
When you convert a basic group to a dynamic group, the group loses all members that were added to the group when it was basic. This is because the membership list of a dynamic group is entirely under the control of membership rules.
Once membership rules are added to a group, the group only includes the objects that comply with the membership rules. Active Roles overrides any changes made directly to the membership list by any administrative tool.
|
NOTE: In the Active Roles console, dynamic groups are marked with this icon: . Also, a special note on the General tab makes it possible to distinguish between dynamic groups and basic groups when using administrative tools other than Active Roles. |
For dynamic groups, the Properties dialog box includes the Membership Rules tab. The Members tab for a dynamic group cannot be used to manage the membership list. It is only used to display a list of group members.
You can return a dynamic group to basic state as follows: right-click the group and click Convert to Basic Group. Then, click Yes to confirm the conversion. This operation removes all membership rules from the group. The group membership list remains intact as of the time of the conversion.
For more information about dynamic groups, refer to the “Dynamic Groups” chapter in the Active Roles Administration Guide or Active Roles Help.
By using temporal group memberships, you can manage group memberships of objects such as user or computer accounts that need to be members of particular groups for only a certain time period. This feature of Active Roles gives you flexibility in deciding and tracking what objects need group memberships and for how long.
This section guides you through the tasks of managing temporal group memberships in the Active Roles console. If you are authorized to view and modify group membership lists, then you can add, view and remove temporal group members as well as view and modify temporal membership settings on group members.
A temporal member of a group is an object, such as a user, computer or group, scheduled to be added or removed from the group. You can add and configure temporal members using the Active Roles console.
To add temporal members of a group
- In the Active Roles console, right-click the group and click Properties.
- On the Members tab in the Properties dialog box, click Add.
- In the Select Objects dialog box, click Temporal Membership Settings.
- In the Temporal Membership Settings dialog box, choose the appropriate options, and then click OK:
- To have the temporal members added to the group on a certain date in the future, select On this date under Add to the group, and choose the date and time you want.
- To have the temporal members added to the group at once, select Now under Add to the group.
- To have the temporal members removed from the group on a certain date, select On this date under Remove from the group, and choose the date and time you want.
- To retain the temporal members in the group for indefinite time, select Never under Remove from the group.
- In the Select Objects dialog box, type or select the names of the objects you want to make temporal members of the group, and click OK.
- Click Apply in the Properties dialog box for the group.
|
NOTE:
- To add temporal members of a group, you must be delegated the authority to add or remove members from the group. The appropriate authority can be delegated by applying the Groups - Add/Remove Members Access Template.
- You can make an object a temporal member of particular groups by managing properties of the object rather than properties of the groups. Open the Properties dialog box for that object, and then, on the Member Of tab, click Add. In the Select Objects dialog box, specify the temporal membership settings and supply the names of the groups as appropriate for your situation.
|
The list of group members displayed by the Active Roles console makes it possible to distinguish between regular group members and temporal group members. It is also possible to hide or display so-called pending members, the temporal members that are scheduled to be added to the group in the future but are not actual members of the group so far.
To view temporal members of a group
- In the Active Roles console, right-click the group and click Properties.
- Examine the list on the Members tab in the Properties dialog box:
- An icon of a small clock overlays the icon for the temporal members.
- If the Show pending members check box is selected, the list also includes the temporal members that are not yet added to the group. The icons identifying such members are shown in orange.
The list of group memberships for a particular object makes it possible to distinguish between the groups in which the object is a regular member and the groups in which the object is a temporal member. It is also possible to hide or display so-called pending group memberships, the groups to which the object is scheduled to be added in the future.
To view groups in which an object is a temporal member
- In the Active Roles console, right-click the object and click Properties.
- Examine the list on the Member Of tab in the Properties dialog box:
- An icon of a small clock overlays the icon for the groups in which the object is a temporal member.
- If the Show pending group memberships check box is selected, the list also includes the groups to which the object is scheduled to be added in the future. The icons identifying such groups are shown in orange.