3.2 Managing Groups

As an Assistant Administrator, you can use DRA to manage groups and modify group properties. Groups enable you to give specific permissions to a defined set of user accounts. Groups let you control which data and resources a user account can access in any domain.

You can manage groups of any type and scope. For example, you can nest groups so that one group inherits permissions from another. You can also control group memberships across domains by adding groups from trusted domains to groups in the managed domain, and by managing temporary group assignments.

To learn more about managing groups, see the following topics:

3.2.1 Group Management Tasks

This section guides you through administering groups in the Account and Resource Management console. With the appropriate powers, you can perform various group management tasks, such as modifying group memberships. If you select multiple groups, you can perform selected tasks in one operation, such as deleting, moving, or adding members to a group. The Tasks menu indicates which tasks you can perform when you select single or multiple groups.

Add accounts to groups

You can add user accounts, contacts, and computers to a managed group.

NOTE: This task adds multiple accounts to a selected group. To add a single account to a group, select the account and then click Add to groups on the Tasks menu.

If adding an account to a group would increase your powers over that account, DRA does not permit the operation. This prevents an Assistant Administrator from extending their own scope by placing accounts into groups through which they already hold powers.

Add groups to other groups

You can nest groups by adding a group to another managed group. When a group is nested in another group, the nested (child) group can inherit permissions from the parent group, so the child group's members gain whatever access the parent group grants.

NOTE: If adding a group to another group would increase your powers over the source group, DRA does not permit you to add the group.
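Nesting changes who effectively holds a group's permissions, and Active Directory itself does not reject a nesting that closes a loop. The following PowerShell is an added example, not DRA's own code: it resolves the effective (transitive) membership a nested group grants, and checks a proposed nesting for a loop before creating it. It assumes the ActiveDirectory module is available and uses assumed group names.

```powershell
# Added example, not part of DRA: resolve the effective membership that a nested
# group grants, and check a proposed nesting for a loop before creating it.
# Requires the ActiveDirectory module; group names below are assumed.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a DN embedded in an LDAP filter string
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-EffectiveGroupMember {
    # All objects that are members of $GroupName at any nesting depth.
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the domain
    # controller walk the memberOf chain, so one query covers every nesting level.
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" `
                 -Properties sAMAccountName |
        Select-Object Name, ObjectClass, sAMAccountName
}

function Test-GroupNestingLoop {
    # $true if adding $ChildGroup to $ParentGroup would close a cycle.
    param(
        [Parameter(Mandatory)][string]$ChildGroup,
        [Parameter(Mandatory)][string]$ParentGroup
    )
    $child  = Get-ADGroup -Identity $ChildGroup
    $parent = Get-ADGroup -Identity $ParentGroup
    if ($child.DistinguishedName -eq $parent.DistinguishedName) { return $true }
    # If the parent is already a member of the child (directly or through other
    # groups), the new link makes each group a member of the other. AD does not
    # block circular nesting on its own, so check before adding.
    $childDn = ConvertTo-LdapFilterValue $child.DistinguishedName
    $groupsInsideChild = Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$childDn)"
    return [bool]($groupsInsideChild |
        Where-Object { $_.DistinguishedName -eq $parent.DistinguishedName })
}

# Usage with assumed group names:
if (Test-GroupNestingLoop -ChildGroup 'Finance-Analysts' -ParentGroup 'Finance-All') {
    Write-Warning 'Nesting Finance-Analysts under Finance-All would create a loop; not adding.'
} else {
    Add-ADGroupMember -Identity 'Finance-All' -Members 'Finance-Analysts'
    Get-EffectiveGroupMember -GroupName 'Finance-All' | Format-Table -AutoSize
}
```

Run the membership query before and after a nesting change to see exactly which accounts picked up the parent group's permissions; the list is what an access review should be comparing against, not the direct members alone.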

Modify group properties

You can modify properties for local and global groups. The powers you have determine which properties you can modify for a group in the managed domain or managed subtree. If you installed Exchange and enabled Microsoft Exchange support, you can modify distribution list properties while managing groups.

Create a group

You can create a group in the managed domain or managed subtree. You can also modify properties, such as group members, for the new group.

NOTE:

  • Your company may have a naming convention enforced through policy that determines the name you can assign to the new group.

  • By default, DRA places the new group in the Users OU of the managed domain.

Specify group members

You can add or remove user accounts, contacts, computers, or other groups from the managed group. Foreign security principals can only be removed; DRA does not let you view or modify their properties. You can view or modify the properties of all other existing group members.

When you remove members from a group, DRA does not delete the objects. When you add members to a group, you must have the power to modify the objects you want to add.

NOTE: You cannot add user accounts or groups to any of the Windows special groups (Administrators, Account Operators, Backup Operators, or Server Operators) unless you are a Windows administrator or a member of that specific special group.

Specify group membership for groups

You can add or remove a group from other groups in the managed domain or managed subtree. You can also view or modify properties of existing groups to which this group belongs.

Configure group membership security permissions

You can set Active Directory security permissions for group memberships. These permissions specify who can view (read) and modify (write) group memberships using Microsoft Outlook. These settings let you secure distribution lists and security groups in your environment more effectively. You cannot modify inherited security permissions here; they must be changed on the container they are inherited from.

NOTE: When you manage group membership security, disabled permissions may indicate inherited permissions.

Configure group ownership

You can set the ownership of any Microsoft Windows distribution or security group. You can grant group ownership to a user account, group, or contact. Granting group ownership allows the specified user account, group, or contact to modify the membership of this group.

NOTE: DRA disables the Manager can update membership list check box when group membership is hidden from the Microsoft Exchange server. To enable this check box, click Expose Group Membership on the Exchange tab of the Group Properties window.
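Both the membership security permissions and the Manager can update membership list option above end up as access control entries on the group object in Active Directory. The following PowerShell is an added example, not DRA's own code, covering both tasks: it lists the ACEs that govern reading and writing the group's member attribute (with whether each is inherited, since inherited ones cannot be edited on the group itself), and it delegates list management to a manager by recording managedBy and adding the explicit WriteProperty ACE on member. It assumes the ActiveDirectory module and its AD: drive, and uses assumed group and account names.

```powershell
# Added example, not part of DRA: inspect the ACEs on a group object that govern
# reading and writing its membership, and delegate list management to a manager
# the way the "Manager can update membership list" option does. Requires the
# ActiveDirectory module and its AD: drive; group and account names are assumed.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; ACEs scoped to this GUID control the list.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipAce {
    # ACEs that grant read or write on the member attribute (directly, or via a
    # property-wide right), with IsInherited so you can see which ones cannot be
    # changed on the group itself.
    param([Parameter(Mandatory)][string]$GroupName)
    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object { $_.ObjectType -eq $MemberAttributeGuid -or $_.ObjectType -eq [Guid]::Empty } |
        Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty|WriteProperty|GenericRead|GenericWrite|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

function Set-GroupMembershipManager {
    # Records the manager in managedBy (informational) and adds the explicit ACE
    # that actually lets the manager edit the list: Allow WriteProperty on 'member'.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ManagerSamAccountName   # user or group
    )
    $group   = Get-ADGroup  -Identity $GroupName
    $manager = Get-ADObject -Filter "sAMAccountName -eq '$ManagerSamAccountName'" -Properties objectSid
    if (-not $manager) { throw "No object with sAMAccountName '$ManagerSamAccountName'" }

    Set-ADGroup -Identity $group -ManagedBy $manager.DistinguishedName

    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]($manager.objectSid),
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttributeGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage with assumed names:
Set-GroupMembershipManager -GroupName 'App-Payroll-Users' -ManagerSamAccountName 'payroll-owner'
Get-GroupMembershipAce -GroupName 'App-Payroll-Users' | Format-Table -AutoSize
```

When reviewing the output, treat any non-inherited Allow WriteProperty on member held by a principal other than the intended manager as an undocumented delegation; an inherited one points at a delegation made higher up the OU tree, which is where it has to be removed.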

Clone a group

You can clone both local groups and global groups in managed domains. Cloning groups creates new groups of the same type and attributes as the original group. DRA also attempts to add all members from the original group to the new group.

By cloning a group, you can quickly create groups based on other groups with similar properties. When you clone a group, DRA populates the Clone Group Wizard with values from the selected group. You can also modify properties for the new group.

NOTE:

  • Your company may have a naming convention enforced through policy that determines the name you can assign to the new group.

  • By default, DRA places the new group in the Users OU of the managed domain.

Delete a group

You can delete local and global groups in the managed domain or managed subtree. If the Recycle Bin is disabled for that domain, deleting a group permanently removes the group from Active Directory. If the Recycle Bin is enabled for that domain, deleting a group moves the group to the Recycle Bin and disables the group properties.

For more information on the Recycle Bin, see Managing the Recycle Bin.

WARNING: When you create a group, Microsoft Windows assigns a Security Identifier (SID) to that group. The SID is not derived from the group name. Microsoft Windows uses SIDs, not names, to record privileges in access control lists (ACLs) for each resource. If you delete a group, creating a new group with the same name does not restore that group's access: the new group has a new SID, and the old entries remain in the ACLs as orphaned SIDs. If the Recycle Bin is enabled, restore the deleted group instead, which keeps its original SID.
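The following PowerShell is an added example, not DRA's own code, that makes the warning concrete: it creates a group, grants it an NTFS ACE, deletes it, recreates it under the same name, and then shows that the SIDs differ and that the folder ACL still holds the old SID as an unresolved entry. It assumes the ActiveDirectory module, rights to create and delete groups, and a lab folder; the group name and path are assumed.

```powershell
# Added example, not part of DRA: demonstrate that a recreated group gets a new
# SID and that an ACE granted to the deleted group survives only as an orphaned
# SID. Requires the ActiveDirectory module, rights to create and delete groups,
# and a test folder; the group name and folder path are assumed. Run in a lab.
Import-Module ActiveDirectory

$GroupName = 'Lab-SidDemo-RW'
$Folder    = 'D:\LabShares\SidDemo'
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

function Grant-FolderModify {
    # Writes an Allow/Modify ACE for the given SID; NTFS stores the SID, not the name.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-OrphanedFolderAce {
    # ACEs whose identity no longer resolves to a name are shown as a raw SID
    # string instead of DOMAIN\name, which is what this filter picks out.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# 1. Create the group and grant it access.
$g1 = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
Grant-FolderModify -Path $Folder -Sid $g1.SID
"Original SID: $($g1.SID.Value)"

# 2. Delete it and create another group with the same name.
Remove-ADGroup -Identity $g1 -Confirm:$false
$g2 = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
"New SID:      $($g2.SID.Value)"
"Same SID:     $($g1.SID -eq $g2.SID)"    # False; the domain never reuses a RID

# 3. The folder still carries the old SID, which grants nothing to the new group.
#    If the old name still shows instead of a raw SID, the local LSA name cache
#    has not expired yet; re-run the query after a few minutes.
Get-OrphanedFolderAce -Path $Folder | Format-Table -AutoSize
```

The same orphaned-SID query, run across shares after any bulk group deletion, is the cleanup check a practitioner wants: each hit is an ACE that no longer grants anyone anything but will silently grant access again if the RID were ever reused, so remove it rather than leave it in place.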

Move a group to another container

You can move a group to another container, such as an OU, in the managed domain or managed subtree.

Expose group memberships in distribution lists

You can expose group memberships in distribution lists for groups in the managed domain or managed subtree.

Hide group memberships from distribution lists

You can hide group memberships in distribution lists for groups in the managed domain or managed subtree.

3.2.2 Temporary Group Assignments

Temporary group assignments enable you to manage group memberships for users who only need group membership for a specific time period. This section guides you through administering temporary group assignments in the Account and Resource Management console. With the appropriate powers, you can perform tasks such as creating new temporary group assignments or removing expired temporary group assignments. You can perform these tasks only on the primary Administration server. The Tasks menu indicates which tasks you can perform when you select single or multiple temporary group assignments.

Manage temporary group assignment properties

You can manage properties for temporary group assignments or saved expired temporary group assignments only on the primary Administration server. The powers you have determine which properties you can modify for a temporary group assignment.

Create a new temporary group assignment

You can create a temporary group assignment only on the primary Administration server. You can also modify properties, such as schedules, for the new temporary group assignment.

Manage user accounts in a temporary group assignment

You can add or remove user accounts from temporary group assignments on the primary Administration server.

NOTE: You can only manage user accounts for temporary group assignments that are not yet active.

Reschedule a temporary group assignment

You can reschedule temporary group assignments only on the primary Administration server. You can also reschedule a saved expired temporary group assignment.

NOTE: When a temporary group assignment expires, DRA automatically deletes it, unless you saved it for future use.

Delete a temporary group assignment

You can delete any temporary group assignment on the primary Administration server.
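Because temporary assignments are applied and expired by the primary Administration server, it is worth verifying from the directory side that membership actually ends when the window does. The following PowerShell is an added example, not DRA's own code: it reconciles a group's live membership against a record of approved temporary assignments and reports members whose window has ended, active assignments that are not yet in the group, and members with no record at all. It assumes the ActiveDirectory module; the assignment rows are constructed sample data and the user and group names are assumed.

```powershell
# Added example, not part of DRA: reconcile a group's live membership against
# the temporary assignments that were approved for it, so a member whose window
# has ended (or an assignment that was never applied) is caught. Requires the
# ActiveDirectory module; the records below are constructed sample data and the
# user and group names are assumed.
Import-Module ActiveDirectory

$SampleAssignmentsCsv = @'
User,Group,Start,End
jdoe,Finance-QuarterClose,2024-03-25T08:00:00Z,2024-04-05T18:00:00Z
asmith,Finance-QuarterClose,2024-03-25T08:00:00Z,2024-04-12T18:00:00Z
bchen,Finance-QuarterClose,2024-04-15T08:00:00Z,2024-04-20T18:00:00Z
'@

function ConvertTo-UtcDateTime {
    param([string]$Iso8601)
    [datetime]::Parse($Iso8601, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Compare-TemporaryAssignments {
    # Emits one finding per discrepancy between the records and Active Directory.
    param(
        [Parameter(Mandatory)][object[]]$Assignments,   # rows with User, Group, Start, End
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    foreach ($groupName in ($Assignments.Group | Sort-Object -Unique)) {
        $live     = @((Get-ADGroupMember -Identity $groupName).SamAccountName)
        $recorded = @($Assignments | Where-Object Group -eq $groupName)

        foreach ($a in $recorded) {
            $start  = ConvertTo-UtcDateTime $a.Start
            $end    = ConvertTo-UtcDateTime $a.End
            $active = ($Now -ge $start) -and ($Now -lt $end)
            $member = $live -contains $a.User
            if ($member -and $Now -ge $end) {
                [pscustomobject]@{ Group = $groupName; User = $a.User; Finding = 'Expired but still a member' }
            } elseif ($active -and -not $member) {
                [pscustomobject]@{ Group = $groupName; User = $a.User; Finding = 'Active but not a member' }
            }
        }
        # Members with no record at all are permanent or undocumented access.
        foreach ($user in ($live | Where-Object { $_ -notin $recorded.User })) {
            [pscustomobject]@{ Group = $groupName; User = $user; Finding = 'Member without an assignment record' }
        }
    }
}

# Usage:
$assignments = $SampleAssignmentsCsv | ConvertFrom-Csv
Compare-TemporaryAssignments -Assignments $assignments | Format-Table -AutoSize
```

Schedule the comparison to run against the same source the assignments were approved from; an "Expired but still a member" finding that persists past the server's next processing cycle means the removal did not happen and the access should be pulled by hand.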