Single Group Management
With ADManager Plus, manage individual Active Directory (AD) groups via the Single Group Management feature which allows you to:
Single group creation
Using ADManager Plus you can create groups, add multiple members to them, configure the Exchange attributes of each group, etc. You also have the option of filling in the necessary member attribute details in a CSV file and importing the file in a single instance.
Steps to create single groups
- Log in to ADManager Plus.
- Navigate to Management > Group Management > Create Single Group under Group Creation.
- In the Create Single Group page that opens, select the domain in which you want to create the group from the Selected Domain drop-down box.
- In the Selected Template drop-down box, select the template that you want to apply while creating the group or create a new template using the Create New Template option. By default, the System Template option will be chosen.
- You can copy the attributes of an existing group and apply them to the group you are creating by clicking the Copy Group Attributes button.
- Once you select the domain and templates, proceed to fill out the information in the General, Group, Exchange, and Custom Attributes tabs.
- Under the General tab:
- Under the Group tab:
- You can select between two types of membership:
- Direct Membership: Add members to the group by either importing users from a CSV file containing the necessary group attributes or selecting members individually and clicking OK. Once you have added the members to the group, you have the flexibility to set the time frame of their group membership.
- Dynamic Membership: Unlike traditional AD groups, dynamic membership is rule-based. Group members are automatically updated according to the rules you configure.
- Use the Member Of option to add the group to any of the available groups.
- Use the Managed by option to designate the manager for the group.
- Check the Manager can update the member list box to give the manager permissions to add or remove users from the group.
- Under the Exchange tab:
- The No Mail option is chosen by default.
- To create a group with a mailbox, select Mail enabled and proceed with the steps given below:
- In the General section, create an Exchange email address for the group. Before doing this, ensure that the domain is already configured with the Exchange Server.
- Enter the email alias for the group in the Alias field.
- From the drop-down menu, choose the appropriate Associated Administrative Group.
- Enter a display name for the group in the Simple Display Name field.
- To hide the group from Exchange address lists, click the Hide from Exchange address lists check box.
- In the E-Mail Addresses section, you can add additional email addresses if necessary using the plus icon in the Additional E-mail Addresses field. Check the Automatically update e-mail addresses based on e-mail policy box if you want to update email addresses based on an e-mail policy defined in Exchange.
- In the Delivery Restrictions section:
- Set the limit for email sizes using the Receiving message size option.
- Use the Accept Messages option to configure the senders list from which the group can receive messages.
- For the Reject messages from option, the No senders option will be chosen by default. If required, define the users who cannot email the group by adding a list of senders after selecting the Senders in the following list option.
- To ensure that a user receives messages only from domain-authenticated users, check the Requires that all senders are authenticated box.
- In the Send As section, add the users to grant them delegated permissions to send messages on behalf of another user by clicking the plus sign in the Grant this permission to field.
- In the Custom Attributes tab:
- Configure or add additional LDAP attributes for the group you are creating. The attributes created using the Add Additional Attribute option are temporary. If you want to create permanent LDAP attributes, use the Configure Custom attribute.
- In the Custom Script section, check the Run custom script on successful group creation box to execute any actions once the group is created. Check the Ignore Warnings box to overlook any warnings.
- Finally, click Create to create the new group in your AD.
Single group modification
ADManager Plus' feature to modify single groups makes it easy and simple to perform the desired changes for any group in your AD. You will need to update the groups in your AD to align with any changes in organizational requirements and policies as they occur.
With the Modify Single Group feature, you can perform modifications, such as:
- Renaming a group.
- Changing group type and scope, as per the requirements.
- Moving groups from one OU to another.
- Adding users and contacts from multiple domains (cross-domain support) as group members.
- Adding or updating a group's custom attributes.
- Updating a group's membership details, such as adding or removing the group from other groups.
- Specifying Exchange delivery restrictions, adding additional email addresses, etc.
Moreover, you can make all of these changes in one go. Modifying the groups via templates offers administrators a tighter and easier mechanism to control the changes being made to AD groups, as they can:
- Customize the templates to have only a specific set of attributes. It is also possible to make any attribute hidden, read-only, or editable.
- Proactively update (in the background) specific attributes based on the changes being made to other attributes.
Steps to modify an AD group
- Log in to ADManager Plus.
- Go to Management > Group Management > Group Modification > Modify Single Group.
- On the Modify Single Group page, choose the domain from the Domain drop-down box in which the group to be modified is located. The list of all groups from the chosen domain will be displayed. You can also locate the desired group using the search option.
- After you locate the desired group, click the Modify Group button located in the Action column of this group.
- In the Modify Group Properties window that opens up, select the appropriate Group Modification Template from the Selected Template option. If you do not wish to use any specific template, you can continue with just the default template or create a new template from here by clicking the Create New Template button.
- Enter the values for all the required attributes in the required tabs such as General, Group, Exchange, and Custom Attributes. To configure the time-based group memberships for members in the Group tab, refer here.
- Click Preview to display the list of all fields slated for modification, including their current and new values.
- If you wish to make any more changes, click the Back button located on the top-right corner to return to the Modify Group Properties page.
- After making all the desired changes, click the Update Group button to save the changes to the AD group.
Note:
Just-in-time access management
While creating or modifying a group, technicians can use the Revert Duration option to configure how long a user, computer, or any other AD object can remain a member of that group, so that privileges are granted on a just-in-time basis. These changes made by the technicians are audited in the Audit Report, which is available in the Delegation tab. After the specified duration, the member's group membership is revoked. The membership duration can be set in hours or days, or set to forever. Moreover, admins can ensure that the privileges to groups are properly managed as part of the organization's access certification systems in place.
Prerequisites
To use this feature while creating or modifying a single group, ensure that:
- You have an Active Directory forest functional level of Windows Server 2016 or higher.
- The privileged access management feature is enabled in the domain.
You can enable the Privileged Access Management feature using the following PowerShell command:
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target <Forest-Root-domain>
It's important to note that once the Privileged Access Management feature is enabled, you cannot disable it.
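Added example (not ADManager Plus code): a read-only PowerShell check of the two prerequisites above, followed by the native Active Directory time-bound membership that the Privileged Access Management feature makes available. The group JIT-ServerAdmins and the user jdoe are hypothetical names, and the page does not state that Revert Duration is implemented with these cmdlets.

```powershell
# Added example. Requires the RSAT ActiveDirectory module.
# 'JIT-ServerAdmins' and 'jdoe' are hypothetical; substitute your own objects.
Import-Module ActiveDirectory

function Test-PamPrerequisite {
    # Read-only: reports whether both prerequisites listed above are met.
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    [pscustomobject]@{
        ForestRoot     = $forest.RootDomain
        ForestMode     = $forest.ForestMode
        # Forest functional level must be Windows Server 2016 or higher.
        LevelOk        = ($forest.ForestMode -ge 'Windows2016Forest')
        # EnabledScopes stays empty until the optional feature is enabled.
        FeatureEnabled = ($feature.EnabledScopes.Count -gt 0)
    }
}

$check = Test-PamPrerequisite
$check | Format-List

if (-not ($check.LevelOk -and $check.FeatureEnabled)) {
    throw 'Prerequisites not met: time-bound group membership is unavailable.'
}

# Add a member whose membership expires on its own after 4 hours.
Add-ADGroupMember -Identity 'JIT-ServerAdmins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# List members with their remaining lifetime. Time-bound entries are
# returned in the form <TTL=seconds>,<distinguished name>; permanent
# members appear as a plain distinguished name.
(Get-ADGroup -Identity 'JIT-ServerAdmins' -Properties member -ShowMemberTimeToLive).member
```

Running the last command periodically against privileged groups gives an independent view of which memberships are time-bound and which are permanent, alongside the product's Audit Report.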