4.2 Managing Groups

As an Assistant Administrator, you can use DRA to manage groups and modify group properties. Groups enable you to give specific permissions to a defined set of user accounts. Groups let you control which data and resources a user account can access in any domain.

You can manage groups of any type and scope. For example, you can nest groups, allowing one group to inherit permissions from another. You can also control group memberships across domains by adding groups from trusted domains to groups in the managed domain, and by managing temporary group assignments.

To learn more about managing groups, see the following topics:

4.2.1 Group Management Tasks

This section guides you through administering groups in the Delegation and Configuration console via the Account and Resource Management node. With the appropriate powers, you can perform various group management tasks, such as modifying group memberships. If you select multiple groups, you can perform selected tasks in one operation, such as deleting, moving, or adding members to a group. The Tasks menu indicates which tasks you can perform when you select single or multiple groups.

Add accounts to groups

You can add user accounts, contacts, and computers to a managed group.

NOTE: This task adds multiple accounts to a selected group. You can add a single account to a group by selecting the appropriate account and then clicking Add to groups on the Tasks menu.

If adding an account to another group increases your powers for the account, DRA does not permit you to add the account.

Add groups to other groups

You can nest groups by adding a group to another managed group. When a group is nested in another group, the child group can inherit permissions from the parent group.

NOTE: If adding a group to another group increases your powers for the source group, DRA does not permit you to add the group.

Modify group properties

You can modify properties for local and global groups. The powers you have determine which properties you can modify for a group in the managed domain or managed subtree. If you installed Exchange and enabled Microsoft Exchange support, you can modify distribution list properties while managing groups.

Create a group

You can create a group in the managed domain or managed subtree. You can also modify properties, such as group members, for the new group.

NOTE:

  • Your company may have a naming convention enforced through policy that determines the name you can assign to the new group.

  • By default, DRA places the new group in the Users OU of the managed domain.

Specify group members

You can add or remove user accounts, contacts, computers, or other groups from the managed group. For foreign security principals, the only operation DRA permits is removal. You can also view or modify properties of existing group members, except for foreign security principals.

When you remove members from a group, DRA does not delete the objects. When you add members to a group, you must have the power to modify the objects you want to add.

NOTE: You cannot add user accounts or groups to any of the Windows special groups (Administrators, Account Operators, Backup Operators, or Server Operators) unless you are a Windows administrator or a member of that specific special group.

Exporting results: DRA enables you to export the Members results as a CSV file. To export the Members results from the Web Console, go to Management > Search and click Properties. Navigate to the Members tab and click the Download icon.

NOTE: Unsaved changes are not exported. Ensure you save any recent changes so they are available in the exported file.

Specify group membership for groups

You can add or remove a group from other groups in the managed domain or managed subtree. You can also view or modify properties of existing groups to which this group belongs.

Exporting results: DRA enables you to export the Member Of results as a CSV file. To export the Member Of results from the Web Console, go to Management > Search and click Properties. Navigate to the Member Of tab and click the Download icon.

NOTE: Unsaved changes are not exported. Ensure you save any recent changes so they are available in the exported file.

Configure group membership security permissions

You can set Active Directory security permissions for group memberships. These permissions specify who can view (read) and modify (write) group memberships using Microsoft Outlook. These settings let you more effectively secure distribution lists and security groups in your environment. You cannot modify inherited security permissions.

NOTE: When you manage group membership security, disabled permissions may indicate inherited permissions.

Configure group ownership

You can set the ownership of any Microsoft Windows distribution or security group. You can grant the group ownership permission to a user account, group, or contact. Granting group ownership allows the specified user account, group, or contact to modify the membership of this group.

NOTE: DRA disables the Manager can update membership list check box when group membership is hidden from the Microsoft Exchange server. To enable this check box, click Expose Group Membership on the Exchange tab of the Group Properties window.

Clone a group

You can clone both local groups and global groups in managed domains. Cloning groups creates new groups of the same type and attributes as the original group. DRA also attempts to add all members from the original group to the new group.

By cloning a group, you can quickly create groups based on other groups with similar properties. When you clone a group, DRA populates the Clone Group Wizard with values from the selected group. You can also modify properties for the new group.

NOTE:

  • Your company may have a naming convention enforced through policy that determines the name you can assign to the new group.

  • By default, DRA places the new group in the Users OU of the managed domain.

Delete a group

You can delete local and global groups in the managed domain or managed subtree. If the Recycle Bin is disabled for that domain, deleting a group permanently removes the group from Active Directory. If the Recycle Bin is enabled for that domain, deleting a group moves the group to the Recycle Bin and disables the group properties.

For more information on the Recycle Bin, see Managing the Recycle Bin.

WARNING: When you create a group, Microsoft Windows assigns a Security Identifier (SID) to that group. The SID is not generated from the group name. Microsoft Windows uses SIDs to record privileges in access control lists (ACLs) for each resource. If you delete a group, you cannot return access capabilities for that group by creating a new group with the same name.
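The following Python model is an added illustration of the WARNING above; it is not DRA or Windows code. It uses a constructed domain SID and an in-memory ACL to show that an access control entry names the deleted group's SID, so a group recreated under the same name receives a new SID and the old entry is left behind as an orphaned SID.

```python
class Directory:
    """Constructed model of one AD domain: each new group gets a fresh SID from a RID counter."""
    DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    def __init__(self):
        self.next_rid = 1101           # constructed starting RID; RIDs are never reused
        self.groups = {}               # group name -> SID
        self.members = {}              # SID -> set of member names

    def create_group(self, name):
        # The SID is built from the domain SID and the next RID, never from the name
        sid = f"{self.DOMAIN_SID}-{self.next_rid}"
        self.next_rid += 1
        self.groups[name] = sid
        self.members[sid] = set()
        return sid

    def add_member(self, group, user):
        self.members[self.groups[group]].add(user)

    def delete_group(self, name):
        # Deleting a group does not touch ACLs on resources; ACEs naming its SID stay behind
        del self.members[self.groups.pop(name)]

    def resolve(self, sid):
        """Name for a SID, or None when the SID no longer belongs to any object."""
        return next((n for n, s in self.groups.items() if s == sid), None)

def access_check(acl, directory, user, right):
    """Mimic the token check: the token carries group SIDs, so names never enter the comparison."""
    token = {sid for sid, names in directory.members.items() if user in names}
    return any(sid in token and r == right for sid, r in acl)

def orphaned_sids(acl, directory):
    """ACEs whose trustee SID no longer resolves (shown as an unknown account in ACL editors)."""
    return [sid for sid, _ in acl if directory.resolve(sid) is None]

def demo():
    d, acl = Directory(), []                                  # acl: list of (trustee SID, right)
    old_sid = d.create_group("Finance-Readers")
    d.add_member("Finance-Readers", "alice")
    acl.append((old_sid, "read"))                             # grant read to the group, by SID
    before = access_check(acl, d, "alice", "read")            # True
    d.delete_group("Finance-Readers")
    new_sid = d.create_group("Finance-Readers")               # same name, new RID, new SID
    d.add_member("Finance-Readers", "alice")
    after = access_check(acl, d, "alice", "read")             # False: the ACE still names old_sid
    return before, after, old_sid != new_sid, orphaned_sids(acl, d)
```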

Move a group to another container

You can move a group to another container, such as an OU, in the managed domain or managed subtree.

Expose group memberships in distribution lists

You can expose group memberships in distribution lists for groups in the managed domain or managed subtree.

Hide group memberships from distribution lists

You can hide group memberships in distribution lists for groups in the managed domain or managed subtree.

4.2.2 Managing Temporary Group Assignments in the Delegation and Configuration Console

Temporary group assignments enable you to manage group memberships for users who only need group membership for a specific time period. This section guides you through administering temporary group assignments in the Delegation and Configuration console under Account and Resource Management. With the appropriate powers, you can perform tasks such as creating temporary group assignments or removing expired temporary group assignments.

Assistant Administrators can only view temporary group assignments for groups for which they have the power to add or remove members.

You cannot change the associated group or modify the list of users while the temporary group assignment is in the Active state. If you want to modify these items, you must cancel the temporary group assignment.

Manage temporary group assignment properties

You can manage properties for temporary group assignments or saved expired temporary group assignments.

If you want to reschedule a temporary group assignment, change the schedule in the assignment’s Properties and save your changes.

Create a temporary group assignment

You can create a temporary group assignment on the primary and secondary Administration servers.

By default, when a temporary group assignment expires, it is deleted after seven days unless you have selected the Keep this temporary group assignment for future use option. To change this retention period, right-click the Temporary Group Assignment node under All My Managed Objects, select Properties, and modify the number of days to retain temporary group assignments.

Manage user accounts in a temporary group assignment

You can add or remove user accounts from temporary group assignments on the primary and secondary Administration servers.

NOTE: You can only manage user accounts for temporary group assignments that are not yet active.

Delete a temporary group assignment

You can delete any temporary group assignment on the primary and secondary Administration servers.

4.2.3 Managing Temporary Group Assignments in the Web Console

Temporary group assignments enable you to manage group memberships for users who need group membership for a specific time period. In the Web Console, you can create and manage assignments from both DRA primary and secondary servers. However, actions that you can take on existing assignments vary depending on the state the assignment is in.

Assistant Administrators can view temporary group assignments only for groups that their ActiveView assignments give them the power to modify, such as adding or removing members of the group.

To manage temporary group assignments in the Web Console, navigate to Tasks > Temporary Group Assignments.

You can perform the following actions:

Search for existing assignments

When you search for existing temporary group assignments (TGA), they are listed in the results based on the status of the assignment, which can include the following states:

  • Pending: The TGA is scheduled to start in the future. You can perform cancel, delete, and re-schedule.

  • Active: The TGA has started and added applicable members to the group. You can perform cancel and delete.

  • Active with Error: The TGA has started, but failed to add all applicable members to the group. You can perform cancel and delete.

  • Completed: The TGA has expired and removed all applicable members from the group. You can perform delete and re-schedule.

  • Completed with Error: The TGA has expired, but failed to remove all applicable members from the group. You can perform delete and re-schedule.

  • Canceled: The TGA was canceled by a user and removed all applicable members from the group. You can perform delete and re-schedule.

  • Canceled with Error: The TGA was canceled by a user, but failed to remove all applicable members from the group. You can perform delete and re-schedule.

  • Error: The TGA failed to add or failed to remove all the members. You can perform delete and re-schedule.

You can filter the results based on these states and other criteria including the assignment name, target group, duration time, and administrator who created the assignment.
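The state list above, written out as a small Python lifecycle model. This is an added example, not DRA's own code: the `Group` class is a constructed stand-in for an AD group whose `failing` set simulates accounts that cannot be added or removed, which is what produces the "with Error" variants.

```python
ALLOWED_ACTIONS = {  # Web Console actions offered in each state, per the list above
    "Pending": {"cancel", "delete", "reschedule"},
    "Active": {"cancel", "delete"},
    "Active with Error": {"cancel", "delete"},
    "Completed": {"delete", "reschedule"},
    "Completed with Error": {"delete", "reschedule"},
    "Canceled": {"delete", "reschedule"},
    "Canceled with Error": {"delete", "reschedule"},
    "Error": {"delete", "reschedule"},
}

class Group:  # constructed stand-in for an AD group
    def __init__(self, failing=()):
        self.members, self.failing = set(), set(failing)

    def change(self, user, add):
        # Membership changes for accounts listed in 'failing' are simulated to fail
        if user in self.failing:
            return False
        (self.members.add if add else self.members.discard)(user)
        return True

class TemporaryGroupAssignment:
    def __init__(self, group, users):
        self.group, self.users, self.state = group, set(users), "Pending"

    def _apply(self, add, ok_state, error_state):
        # One failed membership change is enough to land in the "with Error" variant
        results = [self.group.change(u, add) for u in self.users]
        self.state = ok_state if all(results) else error_state

    def _check(self, action):
        if action not in ALLOWED_ACTIONS[self.state]:
            raise PermissionError(f"{action} not allowed in state {self.state!r}")

    def start(self):       # scheduled start time reached: add the members
        self._apply(True, "Active", "Active with Error")

    def expire(self):      # end time reached: remove the members again
        self._apply(False, "Completed", "Completed with Error")

    def cancel(self):      # user action; removes any members already added
        self._check("cancel")
        self._apply(False, "Canceled", "Canceled with Error")

    def reschedule(self):  # user action; not offered while the assignment is active
        self._check("reschedule")
        self.state = "Pending"
```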

Create a temporary group assignment

You can create temporary group assignments using groups for which you have the powers to modify and also specify the domain controller. When the temporary group assignment expires, DRA automatically deletes it after seven days unless you select the option to keep the temporary group assignment for future use.

View or Modify temporary group assignment properties

You can view or modify any of the temporary group assignment properties that were defined when the assignment was created. After executing a search for temporary group assignments, select an assignment to view or modify its properties.

If you want to reschedule a temporary group assignment, change the schedule in the assignment’s Properties and save your changes. If the assignment is in the Active state, you can only change the end date.

IMPORTANT: You may not change the associated group or modify the list of users when the temporary group assignment is in the Active state. If you want to modify these items, you must first cancel the assignment.

Cancel a temporary group assignment

You can cancel a temporary group assignment only when it is in one of the following states:

  • Active

  • Active with Error

  • Pending

Delete a temporary group assignment

You can select multiple temporary group assignments and delete them. If the selected temporary group assignments are in the Active, Active with Error, or Pending state, then the Cancel option is also enabled.