With dynamic security groups, group memberships are added or removed automatically whenever the attributes of a user object change. On the basis of LDAP filters, group membership can also be monitored automatically.
FirstWare-DynamicGroup enables you to automate authorization management in Active Directory environments with dynamic security groups.
Permissions in Active Directory environments are granted through group membership. Authorization groups are used to set permissions on file folders, printers or mailboxes.
Many companies define Active Directory groups that mirror their organizational structure (departments, branches and so on). Permissions can then be granted to all employees of a particular department. When a new colleague joins or an employee changes department, he must be made a member of the appropriate departmental AD group, so that he receives the same permissions as all the other members of that department.
The risk: the longer employees stay in the company, the more permissions they accumulate. An employee who leaves a department should be removed from that department's group, so that in the end he is a member of the new departmental group only, not both.
In practice, new user accounts are often created by copying an existing user account. If the account chosen as the source already has too many permissions, all of those privileges are transferred directly to the new colleague.
With FirstWare-DynamicGroup, group memberships are managed and automated on the basis of user properties. As soon as a user object no longer meets the condition of the predefined LDAP filter, it is removed from the corresponding group automatically.
Scenarios and solutions for AD group management
Automated administration of department groups
Usually domain local groups are used to assign permissions to resources, while global groups are used to reflect the organizational structure of the company in AD.
Global groups can be made members of authorization groups in order to grant permissions. Departmental groups can therefore easily be created as global groups, and all employees of a particular department are added to that global group.
Use FirstWare-DynamicGroup to create an LDAP filter that assigns employees to a certain department group. The filter is based on the Department attribute of the user objects.
The filter would look like this:
Automated administration of location groups
Many AD administrators maintain location groups that include all user objects of a certain site or location. These groups can be given site-specific permissions on general file shares, printers or other resources.
To implement a dynamic group at site or location level, the search root of the dynamic group is set to the location OU in Active Directory:
Additionally, the LDAP filter of the dynamic group is configured so that every user object found under that search root is included in the group:
Management of company-related group membership
If more than one company is managed within one Active Directory, it makes sense to create one dynamic group per company. This group can be used for assigning permissions and as the basis for mail distribution lists. Because several companies are managed in the same Active Directory, it is possible that they use the same department names.
The configuration of the LDAP filter for a department that belongs to a company might look like this:
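As an added illustration that is not FirstWare-DynamicGroup's own code, the following PowerShell script reproduces the dynamic-group principle described above with the Microsoft ActiveDirectory module: users under a location OU that match a company-qualified department filter are added to the group, and members that no longer match are removed. The group name, OU and attribute values are assumptions; nested groups are only reported here, not flattened.

```powershell
# Added example, not FirstWare-DynamicGroup code: the basic dynamic-group loop described above,
# implemented with the Microsoft ActiveDirectory module. Group, OU and attribute values are assumed.
Import-Module ActiveDirectory

function Sync-DynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # target group, e.g. a department group
        [Parameter(Mandatory)] [string] $LdapFilter,  # the membership rule
        [Parameter(Mandatory)] [string] $SearchBase,  # search root, e.g. the location OU
        [switch] $ReportOnly                          # list the changes without applying them
    )

    # Who should be a member: every user below the search root that matches the filter.
    $desired = Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree |
               ForEach-Object DistinguishedName

    # Who is a member now. Nested groups are reported, because a nested group hides
    # who actually holds the permission (see "Automated resolution of nested groups").
    $members = Get-ADGroupMember -Identity $GroupName
    $nested  = $members | Where-Object { $_.objectClass -eq 'group' }
    $users   = $members | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object DistinguishedName
    foreach ($g in $nested) { Write-Warning "Nested group in $GroupName : $($g.name)" }

    # Reconcile: add matching users that are missing, remove members that no longer match.
    $toAdd    = @($desired | Where-Object { $_ -notin $users })
    $toRemove = @($users   | Where-Object { $_ -notin $desired })

    foreach ($dn in $toAdd)    { Write-Output "ADD    $dn" }
    foreach ($dn in $toRemove) { Write-Output "REMOVE $dn" }
    if ($ReportOnly) { return }

    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
}

# Department group within one location, qualified by company so that an identical department
# name in another company of the same forest does not match (all values assumed).
Sync-DynamicGroup -GroupName 'G-Sales-Berlin' `
                  -LdapFilter '(&(objectCategory=person)(objectClass=user)(company=Example AG)(department=Sales))' `
                  -SearchBase 'OU=Berlin,DC=example,DC=com' `
                  -ReportOnly
```

Run with -ReportOnly first to review the planned additions and removals; drop the switch to apply them, for example from a scheduled task that plays the role of the periodic service.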
Delegation is based on OUs. Local IT staff with OU admin permissions get a reduced view in the DynamicGroup Console: they only see the OUs they are in charge of and can only access the groups and dynamic groups in these OUs. It is not necessary to grant them rights to manage user objects or computer objects.
Example: Reduced view for the delegation of dynamic groups in Active Directory:
Automated resolution of nested groups
Group nesting in Active Directory is an issue that should not be underestimated. If an administrator wants to check a certain permission, he is often forced to look at the memberships of several groups to find out how a certain user came to have that permission.
DynamicGroup resolves nested group memberships automatically. The software's service checks periodically whether other groups have been included in a DynamicGroup.
If a group is included in a dynamic group, its memberships are analyzed automatically and all of its users receive a direct membership in the dynamic group. The included group object is then removed from the dynamic group.
For this purpose, DynamicGroup provides the Flat Group Option:
If you are interested in an automated Active Directory administration, please feel free to contact us. We are happy to receive your question or request.