Inclusion of group members
To examine the behavior of membership rules based on group membership, perform the following steps using the Active Roles console. These instructions assume that you have configured your dynamic group to include the members of the group Domain Admins.
To examine inclusion of group members
- Open the Properties dialog box for your dynamic group, and go to the Members tab: the members of the Domain Admins group are in the membership list (except those removed from the dynamic group by exclusion rules).
- Add a member to the Domain Admins group.
- Go to the Members tab in the Properties dialog box for your dynamic group, and click the Rebuild button: the new member of the Domain Admins group is added to your dynamic group (unless that member is removed from the dynamic group by exclusion rules).
- Remove a member from the Domain Admins group.
- Go to the Members tab in the Properties dialog box for your dynamic group, and click the Rebuild button: the object you removed from the Domain Admins group is also removed from your dynamic group (unless that object is added to the dynamic group by explicit inclusion rules).
Enforcement of membership rules
When changes are made to the membership list of a dynamic group, Active Roles detects the changes regardless of their origin, and reapplies membership rules. This ensures that the group membership list is in compliance with the rules even if it was modified by using an administrative tool other than Active Roles. For example, you can use the Active Directory Users and Computers tool to make changes to the membership list of a dynamic group, and see how Active Roles reapplies membership rules.
Perform the following steps in the Active Directory Users and Computers tool, not in the Active Roles console, so that the change reaches the directory without passing through Active Roles.
To examine enforcement of membership rules
- Open the Active Directory Users and Computers tool (run dsa.msc from a command prompt).
- In any OU in your test domain, create a user account with a full name that begins with the letter a.
- Open the Properties dialog box for your dynamic group, and go to the Members tab: the new user is in the group membership list.
- On the Members tab, select that user, and click Remove. Click Yes. Click OK.
- Open the Properties dialog box for your dynamic group, and go to the Members tab: the user is still in the group membership list.
Active Roles has detected the removal, and added the user to the group in accordance with the membership rules.
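The two checks above (inclusion of group members, and enforcement after an out-of-band removal), as an added example that is not part of the Active Roles documentation: a PowerShell script that makes the same changes through the Microsoft ActiveDirectory module, which like Active Directory Users and Computers is a tool other than Active Roles, and then polls the dynamic group until Active Roles has reapplied its rules. The group name DynTest, the account svc-nested and the OU path are placeholders; the script assumes a test domain, a dynamic group whose rules include the members of Domain Admins and users whose full name begins with a, and an account that is allowed to modify Domain Admins.

```powershell
# Added example, not from the Active Roles documentation. Drives the two membership
# checks with the Microsoft ActiveDirectory module so that Active Roles must detect
# the changes itself. All names below are placeholders for a test domain.
Import-Module ActiveDirectory

$DynamicGroup = 'DynTest'                       # dynamic group under test (assumed)
$TestOu       = 'OU=Test,DC=corp,DC=example'    # OU for the throwaway user (assumed)
$NestedUser   = 'svc-nested'                    # existing test account to nest (assumed)

# Poll the dynamic group until the account is (or is no longer) a direct member, or
# the timeout passes. Active Roles reapplies rules asynchronously, so reading the
# group once right after the change can race the update.
function Wait-GroupMember {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [bool] $ShouldBeMember = $true,
        [int]  $TimeoutSeconds = 120
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $members = Get-ADGroupMember -Identity $Group |
                   Select-Object -ExpandProperty SamAccountName
        if (($members -contains $SamAccountName) -eq $ShouldBeMember) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# --- Inclusion of group members ---
# Nesting an account in Domain Admins is a privileged change: run this only in the
# test domain, and undo it in 'finally' whatever the outcome of the check.
Add-ADGroupMember -Identity 'Domain Admins' -Members $NestedUser
try {
    if (Wait-GroupMember -Group $DynamicGroup -SamAccountName $NestedUser) {
        Write-Host "OK: $NestedUser propagated from Domain Admins into $DynamicGroup"
    } else {
        Write-Warning "$NestedUser did not appear in $DynamicGroup; check exclusion rules or rebuild the group"
    }
}
finally {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $NestedUser -Confirm:$false
}
if (Wait-GroupMember -Group $DynamicGroup -SamAccountName $NestedUser -ShouldBeMember $false) {
    Write-Host "OK: $NestedUser left $DynamicGroup after leaving Domain Admins"
} else {
    Write-Warning "$NestedUser is still in $DynamicGroup; an explicit inclusion rule may keep it there"
}

# --- Enforcement of membership rules ---
# Create a disabled user whose name matches the 'begins with a' rule, remove it from
# the dynamic group directly, and confirm that Active Roles puts it back.
$sam = 'atest-' + (Get-Random -Maximum 9999)
New-ADUser -Name $sam -SamAccountName $sam -Path $TestOu -Enabled $false
try {
    if (-not (Wait-GroupMember -Group $DynamicGroup -SamAccountName $sam)) {
        throw "$sam was never added to $DynamicGroup; the inclusion rule may not match"
    }
    Remove-ADGroupMember -Identity $DynamicGroup -Members $sam -Confirm:$false
    if (Wait-GroupMember -Group $DynamicGroup -SamAccountName $sam) {
        Write-Host "OK: Active Roles re-added $sam after an out-of-band removal"
    } else {
        Write-Warning "$sam stayed out of $DynamicGroup: membership rules were not enforced"
    }
}
finally {
    Remove-ADUser -Identity $sam -Confirm:$false
}
```

The polling helper reads from whichever domain controller the ActiveDirectory module binds to, which may not be the one Active Roles writes to; if your domain replicates slowly, raise the timeout rather than treating a miss as a failed rule. The script deliberately tears down both test changes in `finally` blocks, because a forgotten member of Domain Admins is a real privilege escalation, not a test artifact.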
Delegating computer resource management
Active Roles provides the capability to delegate administration of computer resources, such as network shares, services, and logical printers. It is also possible to delegate administration of local users and groups on member servers and workstations. Delegated administrators can use the Active Roles Web Interface to manage computer resources.
Active Roles comes with a suite of Access Templates that facilitate the delegation of computer management tasks. When applied to an OU, Access Templates from that suite provide for the following levels of access to the computers placed in that OU:
- Full Control: Perform all management tasks on computer resources.
- Local Account Operator: Create, modify, and delete local user accounts and groups.
- Network Share Operator: Create, modify, and delete network shares.
- Print Operator: View and modify properties of logical printers; manage print jobs.
- Service Operator: Start/stop services; view/modify service properties.
- Server Operator: Start/stop services; create, modify, and delete network shares; pause/resume/cancel printing; view properties of all computer resources.
This section outlines the procedure you can use to assign the Server Operator role to a delegated administrator for an OU, and briefly describes how to perform computer management tasks using the Active Roles Web Interface for Administrators.
Assign the Server Operator role for an OU
When you assign the Server Operator role to a group for a given OU, you authorize the members of that group to perform the Server Operator tasks listed above (start and stop services; create, modify, and delete network shares; pause, resume, and cancel printing; view the properties of all computer resources) on any computer in that OU and its child OUs. The role does not include Full Control, so it does not let them modify service properties or manage local accounts.
You can assign the Server Operator role using the Active Roles console as follows.
To assign the Server Operator role for OU
- In the Active Roles console, right-click the OU and then click Delegate Control.
- In the Active Roles Security window, click Add.
- Follow the steps in the Delegation of Control wizard.
- On the Users or Groups page, click Add.
- Select the group you want to designate as the delegated administrator and click OK.
- Click Next.
- On the Access Templates page, expand Computer Resources, select the check box next to Computer Management - Server Operator, and then click Next.
- Click Next two times, and then click Finish.
To enable the delegated administrators to browse OUs in the domain, you must grant them the Read All Properties permission on the OU objects at the domain level. This is a read-only permission on OU objects: it lets the delegated administrators navigate the domain tree to reach the OU you delegated, and does not extend their management rights beyond that OU.
To grant the Read All Properties permission
- Select the domain and use the Delegation of Control wizard as described in the previous procedure.
- On the Access Templates page, expand Active Directory, and select the check box next to OUs – Read All Properties.