Active Roles provides the ability to restore deprovisioned groups. The purpose of this operation, referred to as the Undo Deprovisioning operation, is to roll back the changes that were made to a group by the Deprovision operation. When a deprovisioned group needs to be restored (for example, if a group has been deprovisioned by mistake), the Undo Deprovisioning operation allows the group to be restored to the state it was in before the changes were made.
You can restore previously deprovisioned Active Directory groups with the Active Roles Console.
To restore a deprovisioned group
- In the Console tree, locate and select the folder that contains the group you want to restore.
- In the details pane, right-click the group, then click Undo Deprovisioning.
- Wait while Active Roles restores the group.
- When you click the Undo Deprovisioning command, the operation progress and results are displayed. When the operation is completed, Active Roles displays the operation summary, and allows you to examine the operation results in detail. You can view a report that lists the actions taken during the restore operation. For each action, the report indicates whether the action succeeded or failed. In the event of a failure, the report provides a description of the error.
A query-based distribution group is a type of distribution group introduced in Exchange Server. Unlike a regular distribution group, the members of a query-based group are not statically assigned to it. Email sent to the group is delivered only to those recipients that currently match the LDAP query specified for the distribution group.
You can create new query-based distribution groups with the Active Roles Console.
To create a query-based distribution group
- In the Console tree, right-click the folder in which you want to add the group, and select New > Query-based Distribution Group.
- In Query-based Distribution Group name, type a name for the group, then click Next.
- The box under Apply filter to recipients in and below displays the container to search for recipients. Click Change to select the container that contains the recipients you want the group to include.
  TIP: The query returns only recipients in the selected container and its sub-containers. To get the results you want, you may have to select a parent container or create multiple queries.
- Under Filter, do one of the following:
  - Click Include in this query-based distribution group, then click each item you want to include in the criteria for membership in the query-based distribution group. The following criteria are pre-defined:
    - Users with Exchange mailbox
    - Users with external e-mail addresses
    - Mail-enabled Groups
    - Contacts with external e-mail addresses
    - Mail-enabled Public folders
  - To create your own criteria for the query, click Customize filter > Customize. This displays the Custom Search window where you can specify your search criteria.
  Figure 18: Administering query-based distribution groups
- Click Next to see a summary of the query-based distribution group you are about to create.
- Click Finish to create the query-based distribution group. The new query-based distribution group is displayed in the details pane.
- Right-click the query-based distribution group you just created and click Properties.
- On the Preview tab, click Start to view the query results and verify that the correct recipients are included in the group.
NOTE: Consider the following when administering a query-based distribution group:
- A query-based distribution group provides the same functionality as a standard distribution group. However, instead of adding or removing members to or from the group manually, it is populated dynamically via an LDAP query. For example, you can configure a query-based distribution group to include all full-time employees of your organization.
- When creating a query-based distribution group, One Identity recommends using the Preview button to:
  - Verify the validity and the expected results of the query before applying it.
  - Determine how long it takes for the query to run, allowing you to fine-tune the query or rework it into smaller queries to improve performance.
Specifying an LDAP filter string with bad formatting or an incorrect LDAP syntax will result in the query-based distribution group not working correctly. Also, if users send an email to an incorrectly configured query-based distribution group, they will receive a non-delivery report.
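A syntax check that can be run on a custom LDAP filter before it is entered in the Custom Search window, given the failure mode described above. This is an added example, not part of the Active Roles documentation or product; it follows the RFC 4515 filter grammar in simplified form, checks syntax only (not whether the attributes exist in the directory schema), and the sample filters are constructed.

```python
import re

# One filter item: attribute (name or OID), ";options", optional extensible-match
# rule, operator, then a value where "(", ")", "\" and NUL appear only as \XX escapes.
ITEM = re.compile(
    r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*"
    r"(?P<ext>(?::dn)?(?::[A-Za-z0-9.-]+)?:)?"
    r"(?P<op>~=|>=|<=|=)"
    r"(?P<val>(?:[^\\()\x00]|\\[0-9A-Fa-f]{2})*)"
)

class FilterError(ValueError):
    pass

def _parse(s, i):
    """Parse one "(" filtercomp ")" at s[i]; return the index just past it."""
    if s[i:i + 1] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):          # AND / OR take one or more sub-filters
        i, count = i + 1, 0
        while s[i:i + 1] == "(":
            i, count = _parse(s, i), count + 1
        if count == 0:
            raise FilterError(f"empty filter list at offset {i}")
    elif s[i:i + 1] == "!":               # NOT takes exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                 # "*" and matching rules only go with "="
        m = ITEM.match(s, i)
        if not m or (m["op"] != "=" and (m["ext"] or "*" in m["val"])):
            raise FilterError(f"bad attribute, operator or value at offset {i}")
        i = m.end()
    if s[i:i + 1] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(s):
    """Return (True, "ok") or (False, reason) for an LDAP filter string."""
    try:
        end = _parse(s, 0)
    except FilterError as err:
        return False, str(err)
    if end != len(s):
        return False, f"unexpected text at offset {end}"
    return True, "ok"

if __name__ == "__main__":  # constructed samples: one valid, one with unescaped parentheses
    for f in ("(&(objectClass=user)(mailNickname=*))", "(displayName=Smith (HR))"):
        print(check_filter(f), f)
```

A filter that passes this check can still return the wrong recipients, so the Preview tab remains the place to confirm the actual membership.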
Active Roles can automatically keep group membership lists up to date, so that you do not need to add and remove members manually. To automate the maintenance of group membership lists, Active Roles uses the following features:
- A rule-based mechanism that automatically adds and removes objects to groups whenever object attributes change in Active Directory.
- Flexible membership criteria that enable both query-based and static group population.
In Active Roles, rule-based groups are referred to as dynamic groups. Groups that have no membership rules specified are referred to as basic groups. Any security or distribution group can be converted to a dynamic group by adding membership rules.
You can create a dynamic group by managing a basic group as follows: right-click the group, click Convert to Dynamic Group, select a rule type, and then configure a rule. For details, see Adding a membership rule to a dynamic group in the Active Roles Administration Guide.
When you convert a basic group to a dynamic group, the group loses all members that were added to the group when it was basic. This is because the membership list of a dynamic group is entirely under the control of membership rules.
Once membership rules are added to a group, the group only includes the objects that comply with the membership rules. Active Roles overrides any changes made directly to the membership list by any administrative tool.
NOTE: In the Active Roles Console, dynamic groups are marked with a special icon. Also, a special note on the General tab makes it possible to distinguish between dynamic groups and basic groups when using administrative tools other than Active Roles.
For dynamic groups, the Properties dialog includes the Membership Rules tab. The Members tab for a dynamic group cannot be used to manage the membership list. It is only used to display a list of group members.
You can return a dynamic group to basic state as follows: right-click the group and click Convert to Basic Group. Then, click Yes to confirm the conversion. This operation removes all membership rules from the group. The group membership list remains intact as of the time of the conversion.
For more information about dynamic groups, refer to Dynamic Groups in the Active Roles Administration Guide.
By using temporal group memberships, you can manage group memberships of objects such as user or computer accounts that need to be members of particular groups for only a certain time period. This feature of Active Roles gives you flexibility in deciding and tracking what objects need group memberships and for how long.
This section guides you through the tasks of managing temporal group memberships in the Active Roles Console. If you are authorized to view and modify group membership lists, then you can add, view and remove temporal group members as well as view and modify temporal membership settings on group members.