View or modify permission entries
Perform the following steps to manage Active Directory permission entries using the Active Roles console.
To view or modify permission entries
- On the View menu, check Advanced Details Pane. 
- In the console tree, expand Active Directory and browse the domain to locate and select a directory object or container. 
- In the lower sub-pane of the details pane, click the Native Security tab. 
This tab displays a list of all permission entries for the selected object or container. 
- On the Native Security tab, right-click an entry in the list, and then click Properties to examine the selected permission entry. 
The ACE Properties window displays the following properties of the permission entry you have selected:
 
- Type  Permission type (Allow or Deny).
- Status  For an entry specified by using an Access Template, view whether the entry is in sync with Active Roles (OK if in sync or, otherwise, an indication of a problem). Disregard if the entry is specified in a different way.
- Trustee  Security principal to which the permission entry is assigned.
- Source  For an entry specified by using an Access Template, identifies the name of the Access Template. <None> or Default AD Security if the entry is specified in a different way.
- Inherited from  Container from which the permission entry is inherited (if any).
- Applies to  Where the permission entry is applied (this object only, this object and all child objects, etc.).
- Permissions  A list of permissions specified by the permission entry.
 
- To delete a permission entry, right-click the entry, and then click Delete. 
- To start the native Active Directory ACL editor, right-click a permission entry, and then click Edit Native Security. 
You can use the ACL editor to add new permission entries and view or modify existing permission entries. 
 
Manage native security with Access Templates
To add permission entries to Active Directory using an Access Template, perform the following steps in the Active Roles console.
To apply Access Template to Active Directory
- Select an Active Directory container to which you want to add permission entries. 
- Right-click the selection and click Delegate Control. 
- In the Active Roles Security window, click Add. 
- Follow the steps in the Delegation of Control wizard. 
- On the Permissions Propagation page, select the Propagate permissions to Active Directory check box. 
- Complete the Delegation of Control wizard. 
- In the Active Roles Security window, click OK. 
Once you have completed these steps, new permission entries are created in Active Directory. You can examine them using the Active Roles console.
To examine permission entries
Active Roles maintains one-way synchronization from Active Roles security to each permission entry defined with the Permissions Propagation option.
To manage synchronization of permissions
1. Go to the Active Roles Security tab in the advanced details pane.
The Sync to Native Security column indicates whether permissions are synchronized to Active Directory.
2. On the Active Roles Security tab, right-click an entry with the Yes label in the Sync to Native Security column, click Desync to AD, and then click Yes.
The label in the Sync to Native Security column changes to No.
3. Go to the Native Security tab and refresh the view (press F5).
Active Roles removes the permission entries corresponding to the entry you selected on the Active Roles Security tab in Step 2.
4. Go to the Active Roles Security tab, right-click the entry you selected in Step 2, and then click Sync to AD.
The label in the Sync to Native Security column changes to Yes.
5. Go to the Native Security tab and refresh the view (press F5).
Active Roles adds the permission entries corresponding to the entry you selected on the Active Roles Security tab in Step 4.
6. Go to the Active Roles Security tab, right-click a blank area of the tab, and then click Add.
7. Follow the steps in the Delegation of Control Wizard to apply an Access Template.
8. On the Permissions Propagation page of the wizard, select the Propagate permissions to Active Directory check box.
9. Go to the Native Security tab and refresh the view (press F5).
Active Roles adds the permission entries corresponding to the Access Template you have applied by using the Delegation of Control Wizard.
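The Native Security tab shows the resulting ACEs one at a time; for the sync check above it helps to snapshot an object's native DACL before and after Desync to AD or Sync to AD and diff the two. The following is an added example, not part of the Active Roles documentation: it assumes the Microsoft ActiveDirectory PowerShell module (the AD: drive) and uses a placeholder OU distinguished name, and it projects each ACE onto the fields the ACE Properties window displays.

```powershell
# Added example (not from the Active Roles documentation).
# Assumes the ActiveDirectory module and its AD: drive; the OU DN is a placeholder.
Import-Module ActiveDirectory

function Get-NativeAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the object's DACL through the AD: provider and map each ACE onto the
    # ACE Properties fields: Type, Trustee, Inherited, Applies to, Permissions.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Type        = $ace.AccessControlType      # Allow / Deny
            Trustee     = $ace.IdentityReference.Value
            Inherited   = $ace.IsInherited            # True when inherited from a parent container
            AppliesTo   = $ace.InheritanceType        # None = this object only, All = this object and all child objects
            Permissions = $ace.ActiveDirectoryRights
            ObjectType  = $ace.ObjectType             # GUID of a property or extended right; all zeros = whole object
        }
    }
}

function Compare-NativeAce {
    param(
        [AllowEmptyCollection()][object[]]$Before,
        [AllowEmptyCollection()][object[]]$After
    )
    # Field-by-field diff of two snapshots: '=>' rows exist only in After (added),
    # '<=' rows only in Before (removed). No output means nothing changed.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After `
        -Property Type, Trustee, Inherited, AppliesTo, Permissions, ObjectType
}

# Usage: snapshot, run Desync to AD (or Sync to AD) in the console, snapshot again, diff.
$ou = 'OU=Sales,DC=example,DC=com'   # placeholder DN
$before = Get-NativeAce -DistinguishedName $ou
Read-Host 'Run Desync to AD or Sync to AD in the Active Roles console, then press Enter'
$after = Get-NativeAce -DistinguishedName $ou
Compare-NativeAce -Before $before -After $after | Format-Table -AutoSize
```

After Step 3 the diff should show only removed rows for the desynced entry's trustee, and after Step 5 only added rows; any other difference is a change made outside Active Roles and worth investigating.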
 
Using dynamic groups
The groups whose membership lists are automatically maintained by Active Roles are referred to as dynamic groups. For dynamic groups, Active Roles ensures that their membership lists include only those objects that match membership rules, even if administrative tools other than Active Roles are used to manage groups.
To automate the maintenance of group membership lists, Active Roles provides:
- A rules-based mechanism that automatically adds objects to, and removes them from, groups whenever object attributes change in Active Directory 
- Flexible membership criteria that enable both query-based and static population of groups 
The membership criteria fall into these categories:
- Include Explicitly  Ensures that specified objects are included in the membership list regardless of any changes made to the objects. 
- Include by Query  Populates the membership list with objects that have certain properties. When an object is created, or when its properties are changed, Active Roles adds it to or removes it from the membership list depending on whether the object’s properties match the search criteria specified. 
- Include Group Members  Populates the membership list with members of specified groups. When an object is added to or removed from those groups, Active Roles adds that object to or removes it from the membership list. 
- Exclude Explicitly  Ensures that specified objects are not in the membership list regardless of any changes made to those objects. 
- Exclude by Query  Ensures that objects with certain properties are not in the membership list. Active Roles automatically removes objects from the membership list depending on whether the objects’ properties match the search criteria specified. 
- Exclude Group Members  Ensures that members of specified groups are not in the membership list. When an object is added to any one of those groups, Active Roles automatically removes that object from the membership list. 
Active Roles processes membership rules in the following order by rule category:
- Include by Query 
- Include Group Members 
- Exclude by Query 
- Exclude Group Members 
- Include Explicitly 
- Exclude Explicitly 
This section outlines the procedures to follow in order to configure dynamic groups and to examine the behavior of dynamic groups.
 
Configure a dynamic group
To configure a dynamic group, perform the following steps using the Active Roles console.
To create a dynamic group
- Right-click a group, and then click Convert to Dynamic Group. 
- In the confirmation message box, click Yes. 
The New Membership Rule wizard starts. 
- Select a rule type, such as Include Explicitly. 
- Click Next. 
- Click Add and select any objects to include in the group. 
- Click Finish. 
NOTE: Once you have added a membership rule to a regular group, the group becomes a dynamic group. This behavior does not depend on the type of the rule. When a group is converted, all of its previous members are removed. Therefore, after you complete these steps, the group only includes the objects you selected.
 
Next, add membership rules to further configure the dynamic group. To accomplish this task, perform the following steps.
To set up membership rules
- Right-click the dynamic group and click Properties. 
- In the Properties dialog box, click the Membership Rules tab. 
- On the Membership Rules tab, click Add. 
This displays the Membership Rule Type dialog box. 
- In the list of rule types, click Include by Query. Click OK. 
This displays the Create Membership Rule dialog box.
- From the Find list, select Users. 
- From the In list, select your test domain. 
- In the Name box, type a. 
- Click Add Rule. 
As a result, the group will include all users whose names begin with the letter a. (You might specify a different query-based rule.) 
- On the Membership Rules tab, click Add. 
- In the list of rule types, click Include Group Members and click OK. 
- In the Select Objects window, select the Domain Admins group, click Add, and then click OK. 
As a result, the group will include all members of the Domain Admins group. (You might choose a different group.) 
- On the Membership Rules tab, click Add. 
- In the list of rule types, click Exclude Explicitly. Click OK. 
- In the Select Objects window, select the Administrator account, click Add, and then click OK. 
As a result, Administrator will be excluded from the group. (You might choose a different user account to exclude.) 
- In the Properties dialog box, click OK. 
If you no longer want the group to be dynamic, right-click the group and then click Convert to Basic Group. This operation only removes the membership rules from the group; the group membership list itself remains intact.
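The rule categories and their processing order (Include by Query, Include Group Members, Exclude by Query, Exclude Group Members, Include Explicitly, Exclude Explicitly) decide what the membership list ends up containing when rules overlap, as they do in the procedure above: Administrator matches the "name begins with a" query and is a Domain Admins member, yet the explicit exclusion wins. The following added example, not from the Active Roles documentation, simulates that evaluation locally on constructed directory data; it assumes the six categories are applied as sequential set operations in the listed order.

```powershell
# Added example (not from the Active Roles documentation). The account list and group
# memberships below are constructed sample data, not read from a directory.
$directory = @{
    # sAMAccountName -> groups the account belongs to
    'alice'         = @('Sales')
    'adam'          = @('Sales', 'Domain Admins')
    'bob'           = @('IT')
    'Administrator' = @('Domain Admins')
    'svc-backup'    = @('Backup Operators')
}

function Resolve-DynamicMembership {
    param([hashtable]$Directory, [hashtable]$Rules)
    # Assumption: rule categories are applied one after another in the documented order,
    # so later categories override earlier ones (explicit exclusion overrides everything).
    $members = New-Object 'System.Collections.Generic.HashSet[string]'
    $all = @($Directory.Keys)
    # 1. Include by Query: each query is a scriptblock evaluated against the account name
    foreach ($q in $Rules.IncludeByQuery)  { foreach ($u in $all) { if (& $q $u) { [void]$members.Add($u) } } }
    # 2. Include Group Members
    foreach ($g in $Rules.IncludeGroupMembers) { foreach ($u in $all) { if ($Directory[$u] -contains $g) { [void]$members.Add($u) } } }
    # 3. Exclude by Query
    foreach ($q in $Rules.ExcludeByQuery)  { foreach ($u in $all) { if (& $q $u) { [void]$members.Remove($u) } } }
    # 4. Exclude Group Members
    foreach ($g in $Rules.ExcludeGroupMembers) { foreach ($u in $all) { if ($Directory[$u] -contains $g) { [void]$members.Remove($u) } } }
    # 5. Include Explicitly: re-adds accounts removed by the query/group exclusions above
    foreach ($u in $Rules.IncludeExplicitly) { [void]$members.Add($u) }
    # 6. Exclude Explicitly: removes the account no matter which earlier rule included it
    foreach ($u in $Rules.ExcludeExplicitly) { [void]$members.Remove($u) }
    return @($members | Sort-Object)
}

# The rules configured in the procedure above: users whose name begins with 'a'
# (-like is case-insensitive, so Administrator matches too), members of Domain Admins,
# and Administrator excluded explicitly.
$rules = @{
    IncludeByQuery      = @({ param($n) $n -like 'a*' })
    IncludeGroupMembers = @('Domain Admins')
    ExcludeByQuery      = @()
    ExcludeGroupMembers = @()
    IncludeExplicitly   = @()
    ExcludeExplicitly   = @('Administrator')
}
Resolve-DynamicMembership -Directory $directory -Rules $rules
```

Swapping the Administrator entry from ExcludeExplicitly into IncludeExplicitly, or adding an ExcludeByQuery scriptblock, shows how the later categories override the earlier ones.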