You're reading from Microsoft Identity Manager 2016 Handbook

Product type: Book
Published in: Jul 2016
Publisher: Packt
ISBN-13: 9781785283925
Edition: 1st Edition

Authors (2):

David Steadman

David Steadman has been an IT industry influencer and dedicated husband for more than 17 years. He has held prestigious positions at some of the world's most innovative technology companies, including his service as a senior escalation engineer within the identity platform at, possibly, the most famous tech company on the planet, Microsoft. He is an entrepreneur, active learner, and a man constantly looking to develop and expand new skills in order to leverage the technology of the future. When not at his job, David enjoys family time and coaching soccer.

Jeff Ingalls

Jeff Ingalls is a husband, father, and cancer-surviving dyslexic who works out of his Ohio home office in identity and access management. Jeff has been working with Microsoft technologies for over 20 years and with the Microsoft identity software since its conception in 2003. He has provided solutions to various private and public sectors including automotive, DoD, education, health and services, small businesses, and state and local government. He enjoys learning, teaching, and learning some more. Jeff has a graduate degree in information technology and an undergraduate degree in mathematics. In his free time, he enjoys spending time with his family, cooking, and reading non-fiction. You can reach him at jeff@ingallsdesigns.com.

Chapter 6. Group Management

Once you have user management in place, it is usually time to start looking at group management. In many MIM implementations that we have done, group management capability has been the key reason for choosing MIM. To manage groups, though, the users who are meant to be their members must also be managed by MIM.

In this chapter, we will look at the following topics in depth:

  • Group scope and types

  • Modifying MPRs for group management

  • Creating and managing distribution groups

  • Managing groups in AD

  • Installing client add-ins

Group scope and types


We need to understand how groups in MIM work, and since Active Directory is so common, we will use that as a comparison.

Active Directory

If you go into AD and create a group, you are asked about Group scope and Group type.

This selection ends up in the AD attribute called groupType. This is a bitmask attribute stored in Active Directory; its values are described in the groupType value table (which appears at the end of this excerpt, as well as at http://bit.ly/GroupTypeFlags):

Modifying MPRs for group management


There are fewer than a dozen Management Policy Rules (MPRs) that control how group objects can be modified by self-service, administrators, or the synchronization engine. But when it comes to group management, almost every MPR is disabled by default:

To start with, let's take a look at the distribution groups.

The Financial Company only wants employees to be able to create static distribution groups. The following steps will be required to allow that:

  1. Enable and change the MPR that allows this type of group to be created, Distribution List management: Users can create Static Distribution Groups:

  2. The set called All Active People is the default value of Requestor. We need to change that to All Employees, or confirm that we have employees only:

  3. Let's navigate over to the All Active People set and update the MPR to confirm that it only contains employees. As a note, we need to make...

Managing groups in AD


After looking at the groups and their types, we first need to bring the existing groups into the MIM portal before we make it authoritative for group creation and management, so that all groups will be static in terms of membership. As discussed earlier, we now need to consider the groupType attribute in AD. We also need to consider whether we have different needs depending on the group type.

At The Financial Company, they have decided that MIM should not delete security groups once created in AD. This is a common approach, since deleting a security group—and thereby its SID (Security ID)—might cause dramatic events if the group is used for some kind of permission. Recreating a group with the same name will not recreate the SID, and will not fix the permissions.

On the other hand, when talking about distribution groups, we want MIM to be able to delete them. The owner might want to delete it, and will use the MIM portal interface to do so. Or, it could be that we have a policy...

Installing client add-ins


It is now time to install the client add-ins so that your users can manage groups from Outlook. If you are using approval workflows in your user management, you might need the add-ins earlier in your implementation.

There are two pieces of client software packaged with MIM—add-ins and extensions, and CM Client. In this chapter, we will only use add-ins and extensions, and will leave CM Client for Chapter 10, Overview of Certificate Management, where MIM CM and smart card management are discussed.

Add-ins and extensions

The following steps show what the manual installation of the add-ins looks like, but in practice, you will deploy the MSI package using your favorite deployment tool, and manage all the settings using group policies. Read more about your options at http://aka.ms/FIMAddIn.

To install manually, locate your MIM 2016 media, and follow the ensuing steps:

  1. The add-ins and extensions are available in multiple languages. Be aware that there...

Creating and managing distribution groups


After allowing employees to create distribution groups earlier, we can now see what they would look like from a user's perspective.

There are different parts and steps involved in managing distribution groups. Let's start with how John creates a new distribution list:

  1. David (who is an employee) logs on to the MIM portal, and selects My DGs. So far, it is empty. He would like to create one, so he clicks on New:

    Note

    If your users are unable to log in to the portal, confirm that the accountName and Sid are populated with domains. Also confirm that the following two MPRs are enabled:

    • General: Users can read non-administrative configuration resources

    • User management: Users can read attributes of their own

  2. He gives his new group a display name, Hunters, and an e-mail alias, Hunters. A good description is always useful so that others can decide whether this is a group they would like to join:

  3. David will automatically be added as the first member, and he...

Summary


The group management features we have in MIM give us the capability to work with both static and dynamically defined groups. Another great capability is that we make the owner responsible for the management of these groups, but can still define the business rules, such as approvals and expirations. We looked at the various types and scopes of groups, as well as the management policy rules that we need to enable to get the solution configured for The Financial Company.

We looked at a typical scenario of bringing AD groups into the portal first, then flipping the precedence rules so that the portal is authoritative for group management. We also looked at creating sync rules for security and distribution groups, versus the legacy type of flow rules. Then, finally, we dove into installing the client add-in with the primary focus on the Outlook plug-in. You can see this provides a detailed solution for self-service management and the configuration of most group scenarios...



Table: groupType values (referenced in the Group scope and types section)

Value: Description

1 (0x00000001): Specifies a group that is created by the system. If you look at AD in the CN=Builtin container, you will find groups with this flag set.

2 (0x00000002): Specifies a group with global scope.

4 (0x00000004): Specifies a group with domain local scope.

8 (0x00000008): Specifies a group with universal scope.

16 (0x00000010): Specifies an APP_BASIC group for Windows Server Authorization Manager.

32 (0x00000020): Specifies an APP_QUERY group for Windows Server Authorization Manager.

2147483648 (0x80000000): Specifies...
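As an added example (not code from the book or from MIM), the following Python decodes and encodes the groupType bitmask described in the table above, and applies the rule from the Managing groups in AD section that MIM may delete distribution groups but never security groups. The description of 0x80000000 is truncated in this excerpt; the code labels that bit security-enabled, which is the meaning the Active Directory groupType documentation gives it. The function names and the sample values in the comments are mine.

```python
# Added example: decode/encode the AD groupType bitmask from the table above
# and apply the chapter's "MIM must not delete security groups" policy.

# Flag values from the groupType table. The 0x80000000 meaning is taken from
# the AD groupType documentation (the table's text is truncated here).
GROUP_TYPE_FLAGS = {
    0x00000001: "system",            # created by the system (CN=Builtin)
    0x00000002: "global",            # global scope
    0x00000004: "domain_local",      # domain local scope
    0x00000008: "universal",         # universal scope
    0x00000010: "app_basic",         # Authorization Manager APP_BASIC
    0x00000020: "app_query",         # Authorization Manager APP_QUERY
    0x80000000: "security_enabled",  # security group; absent => distribution
}

SCOPE_BITS = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
KNOWN_MASK = sum(GROUP_TYPE_FLAGS)  # every bit the table describes


def normalize(value):
    """AD/LDAP return groupType as a signed 32-bit integer, so a security
    group shows up as a negative number (e.g. -2147483646). Mask it to the
    unsigned form before testing bits."""
    return value & 0xFFFFFFFF


def decode_group_type(value):
    """Return the scope, category, and individual flags of a groupType value.
    Bits the table does not describe are reported in 'unknown_bits' rather
    than silently ignored, so a tool never misclassifies an unexpected value."""
    v = normalize(value)
    flags = [name for bit, name in GROUP_TYPE_FLAGS.items() if v & bit]
    scopes = [name for bit, name in SCOPE_BITS.items() if v & bit]
    return {
        "scope": scopes[0] if len(scopes) == 1 else None,  # None if 0 or >1 scope bits
        "category": "Security" if v & 0x80000000 else "Distribution",
        "system": bool(v & 0x00000001),
        "flags": flags,
        "unknown_bits": v & ~KNOWN_MASK,
    }


def encode_group_type(scope, security):
    """Build the groupType value for a scope ('Global', 'DomainLocal',
    'Universal') and category, returned in the signed form AD presents."""
    scope_bit = {name: bit for bit, name in SCOPE_BITS.items()}[scope]
    v = scope_bit | (0x80000000 if security else 0)
    return v - 0x100000000 if v & 0x80000000 else v


def mim_may_delete(value):
    """The Financial Company's rule from the chapter: MIM may delete
    distribution groups, but never security groups, because recreating a
    deleted group yields a new SID and does not restore permissions."""
    return decode_group_type(value)["category"] == "Distribution"


if __name__ == "__main__":
    # Constructed sample values, as AD would return them (signed).
    for sample in (-2147483646, 8, -2147483643):
        info = decode_group_type(sample)
        print(sample, info["category"], info["scope"], info["flags"],
              "deletable by MIM:", mim_may_delete(sample))
```

The signed-integer caveat matters in practice: a global security group is stored as 0x80000002 but read back from AD as -2147483646, and a bit test on the raw negative value without masking is a common source of misclassified groups. The Builtin groups mentioned in the table (for example, a value of -2147483643) decode as system, domain local, security-enabled.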