In addition to managing users and computers, we also have to manage groups. The first thing we want to look at is creating a group. Now I can do this through the web interface or through the MMC console. We're going to do this through the web interface.
And as you can see, everything is very easy to do. I can type whatever I want. In this particular case, I don't have a lot of policies in place other than the fact that I'm synchronizing these two pieces of data. I can tell it what type of account-- or what type of group, excuse me-- and whether it's a security group or a distribution group.
I can also tell it whether or not it needs an exchange alias or not. In this case, we'll just say no. I could also fill out a bunch of information about that group. But we won't actually do that in this case.
Next, we're going to create something called a dynamic group. A dynamic group is a group that's created using criteria. So instead of me manually adding and removing users from the group and whatnot, the group will actually self maintain based on the information that we tell it to use.
Here we're going to take the test group that we created a minute ago. And I can go into this group, and I can say, convert to dynamic group. It's letting me know that it's going to zero out the membership when I do this. And that, of course, is fine. I'm going to tell it, I want to include users by query. But I can just as easily include members of another group, include specific users or objects-- by the way, that doesn't have to be users-- and then excludes the same way. But let's just do an include by query.
In this particular case, we're going to include users whose office location is Tokyo. So I'm going to click over here on Advanced, and I'm going to click on Field. And we're going to use office location or physical delivery office as the LDAP name of that.
And I'm going to say, is exactly Tokyo. And I click Add. And incidentally, I could add more criteria here. I could do an "and" and an "or." And if I wanted to, I could even do a full LDAP query instead of any of this.
One nice feature we have here is I can click on Preview Rule, and it's going to show me exactly who would be added to this group. Yep, that looks about right. My Tokyo office has about 54 people in it, so I think we're in pretty good shape. I click Add Rule, I click Finish.
And now, if I open up this group, you can see that it's gone ahead and done that-- and created that group. If I were to open one of these users and change their office location from Tokyo to someplace else, it would remove them from the group virtually instantly. And same if I were to take a different user and add them and put them in the Tokyo office, they would automatically be added to this group as well.
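The query-based rule described above can be reproduced outside the product with the Microsoft ActiveDirectory PowerShell module. The following is an added example, not Active Roles code or anything from the demo: it evaluates the same LDAP filter (office location is stored in the `physicalDeliveryOfficeName` attribute), computes the add/remove delta against the group's current members, prints a "preview" of that delta, and then applies it. The group name is an assumption, and `-WhatIf` keeps the apply step in preview mode until you remove it.

```powershell
# Added example (not Active Roles code): reconcile a group's membership
# against an LDAP query, the way the dynamic-group rule in the demo does.
# Requires the Microsoft ActiveDirectory module and rights to modify the group.
Import-Module ActiveDirectory

$GroupName = 'Tokyo Office Users'                   # assumed group name
$Filter    = '(physicalDeliveryOfficeName=Tokyo)'   # LDAP name of "Office location"

function Get-DynamicMembershipDelta {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $LdapFilter
    )
    # Who the rule says should be in the group (DNs, so comparisons are exact)
    $wanted  = @(Get-ADUser -LDAPFilter $LdapFilter |
                 Select-Object -ExpandProperty DistinguishedName)
    # Who is a direct member today
    $current = @(Get-ADGroupMember -Identity $Group |
                 Select-Object -ExpandProperty DistinguishedName)

    [pscustomobject]@{
        ToAdd    = @($wanted  | Where-Object { $_ -notin $current })
        ToRemove = @($current | Where-Object { $_ -notin $wanted })
    }
}

# "Preview Rule": show what would change without touching the group
$delta = Get-DynamicMembershipDelta -Group $GroupName -LdapFilter $Filter
"Would add {0} member(s), remove {1}" -f $delta.ToAdd.Count, $delta.ToRemove.Count
$delta.ToAdd    | ForEach-Object { "  + $_" }
$delta.ToRemove | ForEach-Object { "  - $_" }

# Apply the delta. Drop -WhatIf once the preview looks right;
# -Confirm:$false suppresses the per-member prompt on removal.
if ($delta.ToAdd.Count) {
    Add-ADGroupMember -Identity $GroupName -Members $delta.ToAdd -WhatIf
}
if ($delta.ToRemove.Count) {
    Remove-ADGroupMember -Identity $GroupName -Members $delta.ToRemove -Confirm:$false -WhatIf
}
```

Unlike the product's rule, this script only converges when it is run, so it would need to be scheduled. The more important point for anyone adopting query-based membership is that the group is now only as trustworthy as the attribute it keys on: if help desk staff or users themselves can edit Office location, they can effectively place an account in the group. Restrict who may write that attribute and review changes to it with the same scrutiny as direct membership changes.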
Probably one of the most common things that Active Directory administrators do is adding in or removing users from groups. We've simplified this in Active Roles. Here, I can find a particular group-- we'll use this test data group that I have here. I can click on Members. And then I can add a user.
So let's add somebody here. And we'll add my test user we've been playing with. Let's see. There he is right there. Incidentally, I can also temporarily add him to this group. So if I click on Temporary Access, I can say, I want to add him tomorrow. And then I want to remove him the next day. I can even set a time of day that I want that to happen as well. And all of this can be done automatically. And so I don't have to worry about it.
A good example of that is if you have an approval group, or something like that, and somebody goes on vacation, and somebody else needs to take over those responsibilities for a few days, I can use the temporal group membership to add them to the group and then automatically remove them. And I don't even have to leave the ticket open, or remind myself to remove them, or anything like that. Active Roles will do that for me.
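Active Directory itself offers a narrower form of the time-limited membership shown above. As an added example, not Active Roles code or part of the demo, the following uses the native Privileged Access Management optional feature (Windows Server 2016 forest functional level or later) to add a user with a time to live, after which the domain controller drops the membership on its own. It only supports "add now, expire later", not the "add tomorrow, remove the next day" schedule the product offers. The group and user names are assumptions.

```powershell
# Added example (not Active Roles code): time-limited group membership with
# the native AD Privileged Access Management (PAM) optional feature.
Import-Module ActiveDirectory

$Group = 'Change Approvers'   # assumed group that gates approvals
$User  = 'jdoe'               # assumed sAMAccountName of the stand-in approver

# One-time, irreversible prerequisite per forest; run once as an enterprise admin:
# Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name

# Add the member with a 24-hour TTL. No ticket, reminder or cleanup job is
# needed: the link is removed by AD when the TTL reaches zero.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days 1)

# Verify: with -ShowMemberTimeToLive, expiring members are reported as
# "<TTL=<seconds remaining>,CN=...>" so you can see exactly when access lapses.
(Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
```

A useful side effect of the PAM feature is that the KDC caps the user's Kerberos ticket lifetime to the shortest remaining TTL among their expiring memberships, so the access really ends when the membership does instead of lingering in an already-issued ticket.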
With Active Directory being used more and more in critical security pieces of an organization, sometimes it's important to have oversight and segregation of duties inside of things that happen in Active Directory itself.
With Active Roles Workflows, we can set that and say, hey, if something particular happens, we want somebody to approve it. In this particular workflow, I've told it anytime somebody goes to modify a group membership for a particular group that's set a certain way-- and I'll show that in a second-- then it must be approved. And in this particular case, I've told it it must either be approved by the manager or by one of the secondary managers.
In Active Roles, we have a concept of a secondary manager. I'll show you that here. If I were to open up a particular group-- let's say this Sensitive Account group here-- what you can see is that I have membership approval. And I'm telling it that this particular group requires approval by the primary owner. Or I could also say it requires approval by the secondary owner. And you can see the secondary owner right here under Managed By.
In this case, I've said an entire group is the secondary owner, meaning anybody in that group could be a secondary owner, which means I could give them a certain amount of access over that group. For example, to add and remove users.
So let's walk through what that would actually look like. Here, I have that same sensitive account group. And I'm logged in just as a regular help desk user. I click on Add, and I want to add a user. We'll add our test user we've been looking at the whole time.
What happens here, it says, oh, this requires an approval. So I can type whatever I want. I click OK. Now, let me talk about what's happening while we're doing this. Two things. You'll notice here that this particular user did not show up in the group here as being a member of the group. Because it requires an approval, that particular user was sent a notification letting them know that they need to approve them.
And here, you can see this email came through. I could either reply to this email and say approved, if I wanted to do that. Or, just so you can see what it would look like in a longer form, I click on Approve. It's actually going to open up the web interface for Active Roles. And it's saying, hey, you have that change. What would you like to do? I can put a reason. Let's say--
Or, in this case, I don't need one. And again, all of this is configurable. I could say whether I need a reason, what the reason would be, all of that. And you can see here that that operation has been successfully completed.
So now, if I go back into here, and I click on the group again, we can see the test user is in fact in that group now. So it's done exactly what we wanted. Now obviously the workflow can be configured in a multitude of different ways. I'm just trying to use this as a quick example. And so you can kind of see what's going on and how you can do it.
It can get much more complex. You can have escalations, you can have time based escalations, all of that. But that's more complicated than we want to get into in a quick description like this.