The Active Roles Console allows you to disable a gMSA so that the gMSA cannot be used for login. For a disabled gMSA, you can use the Console to re-enable that gMSA.
To disable or re-enable a gMSA
-
Right-click the gMSA you want to administer and click Properties.
-
In the Properties dialog, click the Account tab, and examine the Account is disabled check box:
-
If the check box is not selected, then the gMSA is enabled for logon. You can disable the gMSA by selecting the Account is disabled check box.
-
If the check box is selected, then the gMSA is disabled. You can re-enable the gMSA by clearing the Account is disabled check box.
Alternatively, you can use the Disable Account or Enable Account command on the gMSA object to disable or re-enable the gMSA.
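The same state change, as an added example that is not part of the Active Roles documentation and does not use Active Roles' own cmdlets: it reads and toggles the Enabled flag of a gMSA with the Microsoft ActiveDirectory PowerShell module and, before disabling, surfaces what a practitioner wants to know first, namely which hosts may retrieve the password and whether the account has logged on recently. The gMSA name svc-web-gmsa is a hypothetical assumption, as is that the ActiveDirectory module is installed and the caller has write access to the object.

```powershell
# Added example, not from the Active Roles documentation. Assumptions: the Microsoft
# ActiveDirectory module is installed, the caller can modify the gMSA, and
# 'svc-web-gmsa' is a hypothetical gMSA name.
Import-Module ActiveDirectory

function Get-GmsaState {
    param([Parameter(Mandatory)][string]$Name)
    # Enabled is the inverse of the "Account is disabled" check box in the Console.
    # PrincipalsAllowedToRetrieveManagedPassword lists the hosts that depend on this gMSA.
    Get-ADServiceAccount -Identity $Name -Properties Enabled, LastLogonDate, PrincipalsAllowedToRetrieveManagedPassword |
        Select-Object Name, Enabled, LastLogonDate, PrincipalsAllowedToRetrieveManagedPassword
}

function Set-GmsaEnabled {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $before = Get-ADServiceAccount -Identity $Name -Properties Enabled
    if ($before.Enabled -eq $Enabled) {
        return "$Name already has Enabled=$Enabled"
    }
    Set-ADServiceAccount -Identity $Name -Enabled $Enabled
    # Read the object back rather than trusting the write.
    $after = Get-ADServiceAccount -Identity $Name -Properties Enabled
    if ($after.Enabled -ne $Enabled) {
        throw "Enabled state of $Name did not change"
    }
    return "$Name Enabled=$($after.Enabled)"
}

$gmsa  = 'svc-web-gmsa'
$state = Get-GmsaState -Name $gmsa
$state | Format-List

# Disabling a gMSA that a service still uses breaks that service at its next logon,
# so warn when the account has been used recently.
if ($state.LastLogonDate -and $state.LastLogonDate -gt (Get-Date).AddDays(-7)) {
    Write-Warning "$gmsa logged on in the last 7 days; review the hosts listed above before disabling it."
}

Set-GmsaEnabled -Name $gmsa -Enabled $false   # same effect as selecting "Account is disabled"
Set-GmsaEnabled -Name $gmsa -Enabled $true    # same effect as clearing it
```

Note that a change made with the Microsoft module goes straight to Active Directory and does not pass through the Active Roles service, so Active Roles policies, workflows and change history are not applied to it. Use it to inspect state, and make the change itself through the Console, the Web Interface or Active Roles' own interfaces where those controls matter.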
Groups are Active Directory objects used to collect users, contacts, computers, and other groups into manageable units. There are three kinds of groups:
-
Security groups: Used to manage user and computer access to shared network resources. When assigning permissions to access resources, administrators assign permissions to security groups rather than to individual users.
-
Distribution groups: Used as email distribution lists. Distribution groups have no security function.
-
Query-based distribution groups: Also used as email distribution lists, but their membership is not specified statically. Membership is built dynamically from an LDAP query.
In this document, security groups and distribution groups are collectively referred to as groups. Query-based distribution groups are treated as a separate category.
Each group has a scope: universal, global, or domain local.
-
Universal: These groups can include groups and accounts from any domain in the domain tree or forest, and can be granted permissions in any domain in the domain tree or forest.
-
Global: These groups can only include groups and accounts from the domain in which the group is defined. Global groups can be granted permissions in any domain in the forest.
-
Domain local: These groups can include groups and accounts from any domain in the forest and from trusted domains. These groups can only be granted permissions within the domain in which the group is defined.
A group can be a member of another group. This is referred to as group nesting. Nesting lets a single membership change affect many accounts at once, which consolidates group management; it also means that accounts residing in a group nested within another group are indirect members of the containing group and receive every permission granted to it, even though they do not appear in its direct member list.
Active Roles provides the facility to perform administrative tasks such as create, copy, rename, modify, and delete groups. It can also be used to add and remove group members and to perform Exchange tasks on groups.
The following section describes how to use the Active Roles Console to manage groups. You can also use the Active Roles Web Interface to perform the group management tasks.
You can create new Active Directory groups with the Active Roles Console.
To create a group
-
In the Console tree, locate and select the folder in which you want to add the group.
-
Right-click the folder, point to New and click Group to start the New Object - Group wizard.
-
Follow the wizard pages to specify properties of the new group, such as the group name, pre-Windows 2000 group name, description, scope, type, membership list, and Exchange address settings.
Figure 11: Creating a group
-
If you want to set values for additional properties (those for which the wizard pages do not provide data entries), click Edit Attributes on the completion page of the wizard.
-
After setting any additional properties, click Finish on the completion page of the wizard.
NOTE: Consider the following when creating a group:
-
The behavior of the wizard pages may vary depending on the configuration of Active Roles policies. To determine whether a given item on a page is under the control of a certain policy, observe the text label next to the item: the underlined text label indicates that some policy restrictions are in effect. Click underlined text labels to examine the policies that govern the behavior of the wizard pages. For more information, see Getting policy-related information.
The policy information is also displayed whenever you supply a property value that violates a policy restriction. The wizard cannot proceed until you enter an acceptable value.
-
You can also start the New Object - Group wizard by clicking the corresponding button on the toolbar.
-
To create a group, you can also copy a previously created group. For more information, see Copying a group.
-
A new group with the same name as a previously deleted group does not automatically assume the permissions and group memberships of the deleted group. The new object receives a new security identifier (SID), and access control entries reference the SID rather than the name. To duplicate a deleted group, all permissions and memberships must be recreated manually.
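The following added example is not from the Active Roles documentation and uses the Microsoft ActiveDirectory module rather than the Console. It creates a group with the properties the wizard asks for (name, pre-Windows 2000 name, description, scope, type, initial members), then demonstrates the note above by deleting and recreating a group of the same name and comparing the two SIDs, and finally scans an OU's security descriptor for access control entries whose trustee no longer resolves, which is what such a recreate leaves behind. The OU OU=Groups,DC=corp,DC=example and the group name FileShare-Finance-RW are hypothetical.

```powershell
# Added example, not from the Active Roles documentation. Assumptions: the Microsoft
# ActiveDirectory module is installed, the caller may create and delete groups in the
# hypothetical OU below, and 'FileShare-Finance-RW' is a hypothetical group name.
Import-Module ActiveDirectory

function New-ManagedGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,   # distinguished name of the target OU
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope = 'Global',
        [ValidateSet('Security', 'Distribution')][string]$Category = 'Security',
        [string]$Description,
        [string[]]$Members = @()
    )
    # SamAccountName is the "pre-Windows 2000 group name" on the wizard page.
    $params = @{
        Name = $Name; SamAccountName = $Name; Path = $Path
        GroupScope = $Scope; GroupCategory = $Category; PassThru = $true
    }
    if ($Description) { $params.Description = $Description }
    $group = New-ADGroup @params
    if ($Members.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $Members
    }
    return $group
}

function Find-OrphanedAces {
    param([Parameter(Mandatory)][string]$Identity)
    # Every ACE names its trustee by SID. Once the group behind a SID is deleted, the SID
    # no longer resolves to a name, and the ACE keeps its rights without anyone being
    # able to review them by name.
    $sd = (Get-ADObject -Identity $Identity -Properties nTSecurityDescriptor).nTSecurityDescriptor
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        try {
            [void]$ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
        } catch {
            # Unresolvable here; note that a SID from an untrusted forest also fails to
            # translate on this host, so confirm before cleaning an ACE up.
            [pscustomobject]@{
                Object = $Identity
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.ActiveDirectoryRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

$ou   = 'OU=Groups,DC=corp,DC=example'
$name = 'FileShare-Finance-RW'

$first  = New-ManagedGroup -Name $name -Path $ou -Scope DomainLocal -Description 'Finance share, read/write'
$oldSid = $first.SID.Value
Remove-ADGroup -Identity $first -Confirm:$false

$second = New-ManagedGroup -Name $name -Path $ou -Scope DomainLocal -Description 'Finance share, read/write'
$newSid = $second.SID.Value

# Same name, different SID: any ACL that referenced $oldSid now points at nothing.
"old SID: $oldSid`nnew SID: $newSid`nsame: $($oldSid -eq $newSid)"

# Scan the OU for ACEs whose trustee no longer resolves, e.g. after such a recreate.
Find-OrphanedAces -Identity $ou | Format-Table -AutoSize
```

The scan covers only the security descriptor of the object you name; run it over the file shares, OUs and other resources the deleted group was granted rights on to find every orphaned entry. As with the gMSA example, changes made with the Microsoft module bypass Active Roles policies and change history.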
You can find Active Directory (AD) groups with the Active Roles Console.
To find a group
-
In the Console tree, locate the container you want to search.
-
In the details pane, right-click the container, then click Find.
-
In the Find window, select Groups from the Find list, specify your search criteria, and start the search.
In the search results list, you can right-click groups and use commands on the shortcut menu to perform management tasks.
You can list the Active Directory (AD) groups in which an AD user is a member with the Active Roles Console.
To find groups in which a user is a member
-
In the Console tree, locate and select the folder that contains the user account.
-
In the details pane, right-click the user account, then click Properties.
-
Click the Member Of tab.
NOTE: Consider the following when finding groups in which a user is a member:
-
The Member Of tab for a user displays a list of groups in the domain where the user's account is located. Active Roles does not display groups that reside in trusted domains, so an access review based on this tab alone misses, for example, domain local groups in a trusted resource domain that contain the user.
-
On the Member Of tab, you can select the Show nested groups check box in order for the list to also include the groups to which the user belongs because of group nesting.
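Because nested membership (described under group nesting above) and trusted-domain membership are exactly what the Member Of tab can hide, the following added example, which is not from the Active Roles documentation and uses the Microsoft ActiveDirectory module, reproduces the Find > Groups search for one container, then compares a user's direct memberships with the effective memberships that nesting gives them, and finally queries a trusted domain for groups that contain the user. The user jdoe, the OU OU=Groups,DC=corp,DC=example and the trusted domain res.example are hypothetical.

```powershell
# Added example, not from the Active Roles documentation. Assumptions: the Microsoft
# ActiveDirectory module is installed; 'jdoe', the OU and the domain 'res.example' are
# hypothetical; the caller can read group objects in both domains.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping: a DN containing \ * ( or ) must not be able to alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-GroupsInContainer {
    param([Parameter(Mandatory)][string]$SearchBase, [string]$NamePattern = '*')
    # Equivalent of Find > Groups in the Console, scoped to one container.
    Get-ADGroup -Filter "Name -like '$NamePattern'" -SearchBase $SearchBase -SearchScope Subtree |
        Select-Object Name, GroupScope, GroupCategory, DistinguishedName
}

function Get-DirectMembership {
    param([Parameter(Mandatory)][string]$User)
    # What the Member Of tab shows without "Show nested groups". memberOf does not
    # include the primary group (usually Domain Users).
    [string[]](Get-ADUser -Identity $User -Properties memberOf).memberOf
}

function Get-EffectiveMembership {
    param([Parameter(Mandatory)][string]$User)
    $dn = (Get-ADUser -Identity $User).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the domain controller
    # walk the nesting chain, so one query returns every group the user is in, directly
    # or through nested groups, with cycles handled on the server.
    $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
    [string[]](Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty DistinguishedName)
}

function Get-TrustedDomainMembership {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$TrustedDomain)
    # The Member Of tab stops at the user's own domain. Within one forest a group in
    # another domain stores the user's own DN in member; across an external or forest
    # trust the user is represented by a foreign security principal named after the SID.
    # Query the other domain for both forms.
    $userDn   = (Get-ADUser -Identity $User).DistinguishedName
    $sid      = (Get-ADUser -Identity $User).SID.Value
    $domainDn = (Get-ADDomain -Identity $TrustedDomain).DistinguishedName
    $fspDn    = "CN=$sid,CN=ForeignSecurityPrincipals,$domainDn"
    $filter   = "(|(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn))" +
                "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $fspDn)))"
    [string[]](Get-ADGroup -Server $TrustedDomain -LDAPFilter $filter |
        Select-Object -ExpandProperty DistinguishedName)
}

$user = 'jdoe'
Find-GroupsInContainer -SearchBase 'OU=Groups,DC=corp,DC=example' -NamePattern 'FileShare-*' | Format-Table -AutoSize

$direct     = Get-DirectMembership -User $user
$effective  = Get-EffectiveMembership -User $user
$nestedOnly = $effective | Where-Object { $_ -notin $direct }

"Direct: $($direct.Count)  Effective: $($effective.Count)  Through nesting only: $($nestedOnly.Count)"
$nestedOnly   # grants that are invisible on the Member Of tab unless "Show nested groups" is on

# Groups in a trusted domain, which the tab never shows.
Get-TrustedDomainMembership -User $user -TrustedDomain 'res.example'
```

The "through nesting only" list is the set to review when a user's effective access looks larger than their direct memberships suggest. The chain query resolves nesting on the domain controller, so it does not need client-side recursion or cycle detection, but it is limited to the domain it is sent to; repeat it against each trusted domain whose resources matter.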