Active Directory dynamic security groups

With dynamic security groups, group memberships can be added or removed automatically just by changing the attributes of a user object. Because membership is derived from LDAP filters, it can also be monitored automatically.

FirstWare-DynamicGroup enables you to automate authorization management in Active Directory environments with dynamic security groups.


Initial situation: AD group management

Permissions in Active Directory environments are granted through group membership. Authorization groups are used to set permissions on file folders, printers or mailboxes.

Many companies define Active Directory groups that mirror their organizational structure (departments, branches and so on). Permissions can then be granted to all employees of a particular department at once. When a new colleague starts, or an existing one changes department, they must be made a member of the appropriate departmental AD group so that they receive the same permissions as every other member of that department.

The risk: the longer employees stay in the company, the more permissions they accumulate. A coworker who leaves a department should be removed from that department's group, so that in the end they are a member of the new departmental group only, not both.

In practice, new user accounts are often created by copying an existing user account. If the account chosen as the template already has too many permissions, all of its privileges are transferred directly to the new colleague.

With FirstWare-DynamicGroup, group memberships are managed and automated based on user properties. As soon as a user object no longer meets the condition of the predefined LDAP filter, it is removed from the group automatically.

 


Scenarios and Solutions for AD group management

Automated administration of department groups

Usually local domain groups are used to assign permissions to resources. Global groups instead are used to reflect the organizational structure of a company in the AD.

Global groups can be made members of authorization groups in order to grant permissions. In this way departmental groups can easily be created as global groups, and all employees of a particular department are then added to that global group.

Use FirstWare-DynamicGroup to create an LDAP filter that assigns employees to a certain department group. The basis for this is the Department attribute of the user objects.


The filter would look like this:

[Screenshot: DynamicGroup LDAP filter on the Department attribute]

Automated administration of location groups

Many AD administrators maintain location groups that include all user objects of a certain site or location. These groups can get site-specific permissions regarding general file shares, printers or other resources.

To implement a dynamic group at site or location level, the search root of the dynamic group is set to the location OU of the Active Directory:

[Screenshot: DynamicGroup search root set to the location OU]

Additionally, the LDAP filter of the dynamic group is configured so that all user objects are included in this group:

[Screenshot: DynamicGroup LDAP filter selecting all user objects]

Management of company related group membership

If more than one company is managed within a single Active Directory, it makes sense to create one dynamic group per company. This group can be used for assigning permissions and as the basis for mail distribution lists. Because several companies share the same Active Directory, it is possible that more than one of them uses the same department name, so the filter has to combine the company and department attributes.


The configuration of the LDAP filter for a department that belongs to a company might look like this:

[Screenshot: DynamicGroup LDAP filter combining the Company and Department attributes]
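The following is an added example, not FirstWare-DynamicGroup's own code: it evaluates the kind of LDAP filter shown in the department, location and company scenarios above against a small constructed directory, honours the search root, and computes which members a dynamic group must add and remove. The DNs, company and department values are invented sample data.

```python
# Added example (not FirstWare-DynamicGroup code): a small evaluator for the
# RFC 4515 filter subset used on this page, plus the add/remove reconciliation
# a dynamic group performs. DIRECTORY is constructed sample data, not a real AD.
DIRECTORY = {  # DN -> attributes
    "CN=Alice,OU=Sales,OU=Frankfurt,DC=example,DC=local":
        {"objectClass": "user", "company": "Contoso", "department": "Sales"},
    "CN=Bob,OU=Sales,OU=Frankfurt,DC=example,DC=local":
        {"objectClass": "user", "company": "Fabrikam", "department": "Sales"},
    "CN=Carol,OU=IT,OU=Munich,DC=example,DC=local":
        {"objectClass": "user", "company": "Contoso", "department": "IT"},
    "CN=Printers,OU=Groups,OU=Frankfurt,DC=example,DC=local":
        {"objectClass": "group"},
}

def parse_filter(s, i=0):
    """Parse (&...), (|...), (!...) and (attr=value); returns (node, next_index)."""
    assert s[i] == "(", "expected '(' at offset %d" % i
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def matches(node, attrs):
    """Evaluate a parsed filter; AD string matching is case-insensitive."""
    if node[0] == "=":
        actual = {k.lower(): v for k, v in attrs.items()}.get(node[1])
        return actual is not None and actual.lower() == node[2].lower()
    results = [matches(k, attrs) for k in node[1]]
    if node[0] == "&":
        return all(results)
    return any(results) if node[0] == "|" else not results[0]

def in_scope(dn, search_root):
    return dn.lower().endswith("," + search_root.lower())  # subtree scope

def reconcile(ldap_filter, search_root, current_members):
    """Members the dynamic group must add and remove to match filter + root."""
    node, _ = parse_filter(ldap_filter)
    wanted = {dn for dn, attrs in DIRECTORY.items()
              if in_scope(dn, search_root) and matches(node, attrs)}
    return sorted(wanted - set(current_members)), sorted(set(current_members) - wanted)
```

Carol, who moved from Sales to IT, is returned in the remove list for the Contoso Sales group, which is exactly the cleanup the "Initial situation" section describes.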

Automated resolution of nested groups

The nesting of groups in Active Directory is an issue that should not be underestimated. If an administrator wants to check a certain permission, he is often forced to look at the memberships of several groups to find out how a certain user received that permission.

DynamicGroup allows you to resolve nested group memberships automatically. The DynamicGroup service checks periodically whether other groups have been included in a dynamic group.

If a group is included in a dynamic group, its memberships are automatically analyzed and all of its users receive a direct membership in the dynamic group. The included group object is then removed from the dynamic group.


For this purpose, DynamicGroup provides the Flat Group Option:

[Screenshot: DynamicGroup Flat Group option]
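As an added illustration of the flat-group step (example code, not FirstWare's implementation), the function below resolves members that are themselves groups, at any nesting depth, into direct user memberships and lists the nested group objects to be removed. The group names and DNs are constructed, and the sample deliberately contains a circular nesting so the walk must terminate.

```python
# Added example, not FirstWare's own implementation: resolve nested group
# members into direct user memberships and drop the nested group objects.
# GROUPS is constructed sample data; a member DN that is itself a key in
# GROUPS is a nested group, anything else is treated as a user.
GROUPS = {
    "CN=Frankfurt-All,OU=Groups,DC=example,DC=local": [
        "CN=Alice,OU=Sales,DC=example,DC=local",
        "CN=Frankfurt-IT,OU=Groups,DC=example,DC=local",
    ],
    "CN=Frankfurt-IT,OU=Groups,DC=example,DC=local": [
        "CN=Dave,OU=IT,DC=example,DC=local",
        "CN=Frankfurt-Helpdesk,OU=Groups,DC=example,DC=local",
    ],
    "CN=Frankfurt-Helpdesk,OU=Groups,DC=example,DC=local": [
        "CN=Erin,OU=IT,DC=example,DC=local",
        "CN=Frankfurt-IT,OU=Groups,DC=example,DC=local",  # circular nesting
    ],
}

def flatten(group_dn, groups=GROUPS, seen=None):
    """Return every user DN reachable through any depth of group nesting."""
    seen = set() if seen is None else seen
    seen.add(group_dn)                      # guards against nesting cycles
    users = set()
    for member in groups.get(group_dn, []):
        if member in groups:                # member is itself a group
            if member not in seen:
                users |= flatten(member, groups, seen)
        else:
            users.add(member)
    return users

def flat_group_changes(group_dn, groups=GROUPS):
    """(users to add as direct members, nested group objects to remove)."""
    direct = set(groups[group_dn])
    nested = {m for m in direct if m in groups}
    return sorted(flatten(group_dn, groups) - direct), sorted(nested)
```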

Further Information

If you are interested in automated Active Directory administration, please feel free to contact us. We are happy to receive your questions or requests.

©2016 FirstAttribute AG - All rights reserved.