Clean up your test environment
The policy you configured and used in this section may interfere with the policies discussed in the sections that follow. To prevent this issue, you should block the effect of the E-mail Alias Generation policy on your test domain before you proceed to the next sections.
To block the effect of the E-mail Alias Generation policy
- In the Active Roles console, right-click your test domain, and click Enforce Policy.
- In the Active Roles Policy window, locate the list entry named E-mail Alias Generation, and select the Blocked check box in that entry.
- Click OK to close the Active Roles Policy window.
Enforce group scope restrictions
This scenario describes how to configure a policy to ensure that only non-universal groups are permitted to be created. The script prevents Active Roles from creating universal groups.
The policy is based on a script that detects the group scope setting and disallows the creation of groups with universal scope. The script comes with Active Roles SDK. You can access the Active Roles SDK documentation by selecting Active Roles 7.5.3 SDK on the Apps page or Start menu, depending upon the version of your Windows operating system.
Prepare the script module
To implement this policy, you first need to prepare a script module using the Active Roles console.
To prepare the script module
- In the console tree, expand Configuration, right-click Script Modules, and then click Import.
- Use the Import Script window to open the file RestrictGroupScope.ps1, located in the folder %ProgramFiles%\One Identity\Active Roles\7.5.3\SDK\Samples\RestrictGroupScope\
- In the Script dialog box, click OK.
The module RestrictGroupScope is created in the Script Modules container. You can view the script code in the details pane by selecting the module in the console tree.
Create and apply the Policy Object
Once you have prepared the script module, you can create, configure, and apply the Policy Object using the Active Roles console.
To create and apply the Policy Object
- In the console tree, expand Configuration | Policies, right-click Administration, and select New | Provisioning Policy.
- On the Welcome page of the New Provisioning Policy Object wizard, click Next.
- In the Name box, type the name of the Policy Object: Group Scope Restrictions. Click Next.
- On the Policy to Configure page, select Script Execution. Click Next.
- On the Script Module page, select RestrictGroupScope. Click Next.
- On the Policy Parameters page, click Next.
- On the Enforce Policy page, click Add.
- In the Select Objects window, select your test domain, click Add, and then click OK.
- Click Next, and then click Finish.