You can move groups from one Active Directory container to another with the Active Roles Console.
To move a group
-
In the Console tree, locate and select the folder that contains the group you want to move.
-
In the details pane, right-click the group and click Move to display the Move dialog.
-
In the Move dialog, select the folder to which you want to move the group, then click OK.
NOTE: Consider the following when moving an object:
-
With Active Roles, directory objects can only be moved within the same domain. This means that the folder to which you want to move the object must belong to the same domain as the object.
-
You can move multiple objects at a time with the Move dialog. To open the dialog, select the objects, right-click the selection, and click Move. To select multiple objects, press and hold Ctrl, then click each object.
-
To locate the object that you want to move, use the Find function of Active Roles. Once you found the accounts, open the Move dialog by right-clicking the object, and clicking Move.
-
The Console provides the drag-and-drop function for moving objects. To move objects, you can drag the selection from the details pane to a destination container in the Console tree.
With the Active Roles Console, you can export groups to an XML file and then import them from that file to populate a container in a different domain. The export and import operations provide a way to relocate groups between domains.
To export groups, select them, right-click the selection, and select All Tasks > Export. In the Export Objects dialog, specify the file where you want to save the data, and click Save.
To import groups, right-click the container where you want to place the groups, and then click Import. In the Import Directory Objects dialog, select the file to which the groups were exported, and click Open.
You can delete Active Directory groups with the Active Roles Console.
To delete a group
-
In the Console tree, locate and select the folder that contains the group you want to delete.
-
In the details pane, right-click the group, then click Delete.
NOTE: Consider the following when deleting a group:
-
Deleting a group is a destructive operation that cannot be undone. Once a group is deleted, all permissions and memberships associated with that group are lost. Creating a new group with the same name as the deleted group does not automatically assign the permissions and memberships of the previously deleted group. Instead, you must manually re-create all permissions and memberships.
-
You can delete multiple objects at the same time by selecting the objects, right-clicking the selection, and clicking Delete. To select multiple objects, press and hold Ctrl, then click each object. If you select multiple objects, clicking Delete displays a dialog. To delete all the selected objects, select the Apply to all items check box, then click Yes.
-
As the confirmation message indicates, you can also deprovision groups instead of deleting them. Deprovisioning refers to a set of Active Roles actions that prevents using the group. Active Roles comes with a default policy to automate some commonly-used deprovisioning tasks, and allows administrators to adjust the deprovision policies as needed.
-
To deprovision a group, right-click the group in the details pane, and click Deprovision.
-
To locate groups for deletion or deprovisioning, use the Find function of Active Roles. Once you found the groups, delete or deprovision them by selecting the accounts in the list of search results, right-clicking the selection, and clicking Delete or Deprovision.
-
When attempting to delete an object, you may receive an error message that access is denied to the object. This can typically occur if the object is protected from deletion. To remove this protection, navigate to the Properties > Object tab of the object you want to delete, then clear the Protect object from accidental deletion check box. After that, try deleting the object again.
Active Roles provides the ability to deprovision rather than delete groups. Deprovisioning a groups refers to a set of actions that are performed by Active Roles to prevent the use of the group.
The Deprovision command on a group updates the group object in Active Directory as prescribed by the deprovisioning policies. Active Roles comes with a default policy to automate some commonly-used deprovisioning tasks, and allows the administrator to configure and apply additional policies.
You can deprovision Active Directory groups with the Active Roles Console.
To deprovision a group
-
In the Console tree, locate and select the folder that contains the group you want to deprovision.
-
In the details pane, right-click the group, then click Deprovision.
-
Wait while Active Roles updates the group.
NOTE: Consider the following when deprovisioning a group:
-
You can deprovision multiple groups at a time. Select two or more groups, right-click the selection, then click Deprovision.
-
The Deprovision command is also available in the Active Roles Web Interface.
-
When you click the Deprovision command, the operation progress and results are displayed. When the operation is completed, Active Roles displays the operation summary, and allows you to examine operation results in detail.
-
On a deprovisioned group, you can use the Deprovisioning Results command to view a report that lists the actions taken during the deprovisioning operation. For each action, the report informs about success or failure of the action. In the event of a failure, the report provides a description of the error situation.
-
If a deprovisioned group needs to be restored (for example, if a group has been deprovisioned by mistake), the group can be reset to the state it was in before the deprovisioning occurred. This can be accomplished by using the Undo Deprovisioning command on the deprovisioned group.