
Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory


Active Directory groups

Read the documentation for your Windows Server for an explanation of group concepts under Active Directory.

In Active Directory, user accounts, contacts, computers and groups can be collected into groups, through which access to resources can be regulated not only within a domain but also across domains.

We distinguish between two group types:

  • Security groups

    Permissions are granted through security groups. User accounts, computers and other groups are added to security groups, which makes administration easier. Security groups can also be mail-enabled and used as email distribution groups.

  • Distribution groups

    Distribution groups can be used as email-enabled distribution groups. Distribution groups are not security principals, so they cannot be used to grant permissions to resources.

In addition, a group scope is defined for each group type. Permitted group scopes are:

  • Universal

    Groups within this scope are described as universal groups. Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts, computers, global groups and other universal groups from any domain in the forest.

  • Domain local

    Groups within this scope are described as domain local groups. Domain local groups are used when authorizations are issued for resources within the group's own domain. Members of a domain local group can be user accounts, computers, global groups and universal groups from any domain, as well as other domain local groups from the same domain.

  • Global

    Groups within this scope are described as global groups. Global groups can be granted authorizations in any domain of the forest, but their membership is restricted: members of a global group can only be user accounts, computers and other global groups belonging to the global group's own domain.
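The type and scope described above are stored together in the group's groupType attribute as a bit mask, and the scope determines which objects may be nested in the group. The following added example (not code from the One Identity Manager documentation or product) decodes raw groupType values and checks the nesting rules listed above over a small constructed data set. The bit values are those documented for the Active Directory schema attribute groupType; the label "account" for user and computer accounts and the sample domains and group names are assumptions made for this example.

```python
# Added example, not code from the One Identity Manager documentation.
# Decodes the Active Directory groupType attribute into the group type
# (security vs. distribution) and scope (universal / domain local / global)
# described above, and checks the nesting rules implied by the scopes.
# Bit values are those documented for the AD schema attribute groupType;
# the sample data at the bottom is constructed for this example.
from dataclasses import dataclass

GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # makes the signed 32-bit value negative

SCOPES = {
    GROUP_TYPE_GLOBAL: "global",
    GROUP_TYPE_DOMAIN_LOCAL: "domain local",
    GROUP_TYPE_UNIVERSAL: "universal",
}

# "account" is a label used only in this example for user and computer accounts.
ACCOUNT = "account"


@dataclass(frozen=True)
class GroupInfo:
    scope: str        # "global", "domain local" or "universal"
    security: bool    # True = security group, False = distribution group


def decode_group_type(value: int) -> GroupInfo:
    """Translate a raw groupType value (signed, as LDAP returns it) into scope and type."""
    bits = value & 0xFFFFFFFF            # e.g. -2147483646 -> 0x80000002
    scope_bits = [b for b in SCOPES if bits & b]
    if len(scope_bits) != 1:
        raise ValueError(f"groupType {value} does not carry exactly one scope bit")
    return GroupInfo(scope=SCOPES[scope_bits[0]],
                     security=bool(bits & GROUP_TYPE_SECURITY_ENABLED))


def can_be_member(member_scope: str, member_domain: str,
                  group_scope: str, group_domain: str) -> bool:
    """Nesting rules for a native-mode domain, as described in the scope list above.

    member_scope is a group scope or ACCOUNT (a user or computer account).
    """
    same_domain = member_domain.lower() == group_domain.lower()
    if group_scope == "global":
        # Global: only accounts and global groups from the group's own domain.
        return same_domain and member_scope in (ACCOUNT, "global")
    if group_scope == "universal":
        # Universal: accounts, global and universal groups from any domain in the forest.
        return member_scope in (ACCOUNT, "global", "universal")
    if group_scope == "domain local":
        # Domain local: accounts, global and universal groups from any domain,
        # plus domain local groups from the same domain only.
        if member_scope == "domain local":
            return same_domain
        return member_scope in (ACCOUNT, "global", "universal")
    raise ValueError(f"unknown group scope {group_scope!r}")


def audit(objects: dict, memberships: list) -> list:
    """Return findings for memberships that violate the scope rules.

    objects maps a name to (domain, groupType); groupType is None for a user or
    computer account.  memberships is a list of (member_name, group_name) pairs.
    """
    findings = []
    for member, group in memberships:
        m_domain, m_type = objects[member]
        g_domain, g_type = objects[group]
        g_info = decode_group_type(g_type)
        m_scope = ACCOUNT if m_type is None else decode_group_type(m_type).scope
        if not can_be_member(m_scope, m_domain, g_info.scope, g_domain):
            findings.append(f"{member} ({m_scope}, {m_domain}) cannot be a member of "
                            f"{group} ({g_info.scope}, {g_domain})")
    return findings


# Constructed sample data: two domains in one forest.
SAMPLE_OBJECTS = {
    "alice":        ("corp.example.com", None),
    "bob":          ("emea.example.com", None),
    "G-Sales":      ("corp.example.com", -2147483646),  # 0x80000002 global, security
    "U-AllSales":   ("corp.example.com", -2147483640),  # 0x80000008 universal, security
    "DL-FileShare": ("emea.example.com", -2147483644),  # 0x80000004 domain local, security
    "DL-Printers":  ("corp.example.com", -2147483644),
    "Newsletter":   ("corp.example.com", 8),            # universal, distribution
}
SAMPLE_MEMBERSHIPS = [
    ("alice", "G-Sales"),            # ok: account from the same domain
    ("G-Sales", "U-AllSales"),       # ok: global group in a universal group
    ("U-AllSales", "DL-FileShare"),  # ok: universal group in a domain local group
    ("bob", "G-Sales"),              # violation: other-domain account in a global group
    ("U-AllSales", "G-Sales"),       # violation: universal group in a global group
    ("DL-Printers", "DL-FileShare"), # violation: domain local group from another domain
]

if __name__ == "__main__":
    for line in audit(SAMPLE_OBJECTS, SAMPLE_MEMBERSHIPS):
        print(line)
```

Values are masked to 32 bits before decoding because LDAP returns groupType as a signed integer, so every security group appears as a negative number. The security flag from decode_group_type is the one to check before treating a group's membership as an authorization: a group with that flag clear is a distribution group and carries no permissions, whatever its scope.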

Entering Master Data for Active Directory Groups

To edit group master data

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list and run Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit a group's master data.
  4. Save the changes.
General Master Data for an Active Directory Group

Enter the following data on the General tab:

Table 65: General Master Data
Property Description

Name

Group identifier. The group identifier is also used to form the group name (pre Win2000).

Domain

Domain in which to create the group.

Container

Container in which to create the group.

Distinguished name

Distinguished name of the group. The distinguished name is determined by template from the name of the group and the container and cannot be edited.
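Because the distinguished name is assembled by template from the group name and the container, any reserved character in the name must be escaped, or a comma in a name such as "Sales, EMEA" would be read as the start of a further RDN and the DN would point at a different container. The following added example (not code from the One Identity Manager documentation or product) shows the assembly with escaping as specified in RFC 4514; the container DN and the sample names are constructed for this example, and the exact template used by the product is not shown here.

```python
# Added example, not code from the One Identity Manager documentation: builds a
# group's distinguished name from the group name and the container DN, the way
# the template described above does, escaping the characters that RFC 4514
# reserves in an RDN value.  Sample names and container DNs are constructed.

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' would denote a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def group_dn(name: str, container_dn: str) -> str:
    """CN=<escaped name>,<container DN>; the container DN is assumed to be valid already."""
    if not name:
        raise ValueError("group name must not be empty")
    return f"CN={escape_rdn_value(name)},{container_dn}"


if __name__ == "__main__":
    container = "OU=Groups,DC=example,DC=com"      # constructed sample container
    for sample in ("Sales", "Sales, EMEA", " #Printers+Scanners "):
        print(group_dn(sample, container))
```

The same escaping applies when a group name is used to build an LDAP search filter or a membership DN in a script; pass user-supplied names through such a function rather than concatenating them.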

Display name

The display name is used to display the group in the One Identity Manager tools user interface.

Group name (pre Win2000)

Name of the group for previous Windows versions (the sAMAccountName). The group name is taken from the group identifier.

Structural object class

Structural object class representing the object type. By default, One Identity Manager creates groups with the object class "GROUP".

Object class

List of classes defining the attributes for this object. The object classes listed are read in from the Active Directory environment during synchronization. You can, however, add object classes and auxiliary classes that are used by other LDAP and X.500 directory services in the input field.

Account manager

Manager responsible for the group.

To specify an account manager

  1. Click next to the text box.
  2. Under Table, select the table which maps the account manager.
  3. Select the manager under Account manager.
  4. Click OK.

Group manager can update members list.

Specifies whether the account manager can change the membership of this group.

Email address

Group's email address

Risk index

Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.

For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts and contacts. To do this, groups and user accounts or contacts are divided into categories. Use this menu to allocate one or more categories to the group.

Description

Spare text box for additional explanation.

Remark

Spare text box for additional explanation. Abbreviations for the combination of group type and group scope are added to the remark automatically and should not be changed.

Security group

Group type. Authorizations are issued through security groups. User accounts, computers and other groups are added to security groups, which makes administration easier. Security groups can also be mail-enabled and used as email distribution groups.

Distribution group

Group type. Distribution groups can be used as email distribution groups. Distribution groups are not security principals and cannot be used to grant permissions.

Universal group

Group scope. Universal groups can be used to make cross-domain authorizations available. Universal group members can be user accounts, computers, global groups and other universal groups from any domain in the forest.

Local group

Group scope (domain local). Domain local groups are used when authorizations are issued for resources within the group's own domain. Members of a domain local group can be user accounts, computers, global groups and universal groups from any domain, as well as other domain local groups from the same domain.

Global group

Group scope. Global groups can be granted authorizations in any domain of the forest, but members of a global group can only be user accounts, computers and other global groups belonging to the global group's own domain.

IT Shop

Specifies whether the group can be requested through the IT Shop. If set, the group can be requested by employees through the Web Portal and is granted through a defined approval process. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If set, the group can be requested by employees through the Web Portal and is granted through a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Service item

Service item data for requesting the group through the IT Shop.

Extensions Data for Active Directory Groups

Enter your custom Active Directory schema extension for the group on the Extensions tab.

Table 66: Extensions data
Property Description
Attribute extension 01 - attribute extension 15

Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
