Creating group profiles for Active Directory groups

You can create a group profile for any domain local, global, or universal security groups you have defined in the Active Directory forest. Associating a group profile with an Active Directory group also enables you to take advantage of any nested group membership you have defined and any group policies you have applied to a domain or organizational unit.

Although associating a group profile with an Active Directory group can be convenient, there is no predetermined requirement to create group profiles for Active Directory groups. Creating a group profile does not create profiles for any members of the group. User accounts must be explicitly given their own profiles.

Note: You can automate the provisioning of account profiles through the use of Active Directory groups. For information about configuring your environment for automated provisioning, see the Planning and Deployment Guide.

What to do before creating a new Active Directory group profile

Before you can create Active Directory group profiles, you must have created one or more Active Directory security groups, installed Access Manager, and run the Setup Wizard. You should also identify the specific Active Directory groups for which a group profile is required. In most organizations, only a limited number of Active Directory groups require a zone profile. There are no other prerequisites for performing this task.

Rights required for this task

You must have permission to add groups to a zone. Zone administrators can grant this permission through the Zone Delegation Wizard. If the Active Directory administrator manually sets the permissions, your user account must be a domain user with the following permissions to create group profiles in a zone:

Select this target object, then apply these permissions:

Target object: Parent container object for the group profile within the zone

On the Object tab, select Allow to apply the following permission to this object only:

  • Create serviceConnectionPoint objects

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read objectClass

Target object: Group account object in Active Directory

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read groupType
  • Read objectCategory
  • Read objectClass
  • Read objectGUID
  • Read objectSid

Target object: Parent container object for the individual zone (for example, the Finance zone container if you are adding a group to the Finance zone)

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read objectGUID
  • Write Description
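When the Active Directory administrator sets these permissions by hand, the usual failure is one missing ACE on one of the three target objects. The following script is an added example (not from the Centrify guide or the product) that reports, per permission listed above, whether a delegated account holds a matching Allow ACE. It assumes the RSAT ActiveDirectory module is installed, and the account name and distinguished names are placeholders for your own forest and zone layout.

```powershell
# Added example (not from the Centrify guide): report whether a delegated account
# holds each ACE listed above on the three target objects.
# Assumptions: the RSAT ActiveDirectory module is installed; the account and the
# distinguished names below are placeholders for your own forest and zone layout.
Import-Module ActiveDirectory

$delegate      = 'CORP\zoneadmin'                                      # placeholder account
$groupDn       = 'CN=Finance Admins,OU=Groups,DC=corp,DC=example'       # placeholder AD group
$zoneDn        = 'CN=Finance,CN=Zones,OU=Centrify,DC=corp,DC=example'   # placeholder zone container
$groupParentDn = "CN=Groups,$zoneDn"                                    # placeholder parent container for group profiles

# ACEs identify properties and child classes by schemaIDGUID, so resolve the GUIDs
# from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}

# One entry per row of the permissions list above.
$checks = @(
    @{ Target = $groupParentDn; Right = 'CreateChild';   Attr = 'serviceConnectionPoint'; Label = 'Create serviceConnectionPoint objects' }
    @{ Target = $groupParentDn; Right = 'ReadProperty';  Attr = 'objectClass';            Label = 'Read objectClass' }
    @{ Target = $groupDn;       Right = 'ReadProperty';  Attr = 'groupType';              Label = 'Read groupType' }
    @{ Target = $groupDn;       Right = 'ReadProperty';  Attr = 'objectCategory';         Label = 'Read objectCategory' }
    @{ Target = $groupDn;       Right = 'ReadProperty';  Attr = 'objectClass';            Label = 'Read objectClass' }
    @{ Target = $groupDn;       Right = 'ReadProperty';  Attr = 'objectGUID';             Label = 'Read objectGUID' }
    @{ Target = $groupDn;       Right = 'ReadProperty';  Attr = 'objectSid';              Label = 'Read objectSid' }
    @{ Target = $zoneDn;        Right = 'ReadProperty';  Attr = 'objectGUID';             Label = 'Read objectGUID' }
    @{ Target = $zoneDn;        Right = 'WriteProperty'; Attr = 'description';            Label = 'Write Description' }
)

function Test-DelegatedRight {
    param(
        [string]$Dn,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType
    )
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (([int]$ace.ActiveDirectoryRights -band [int]$Right) -eq 0) { continue }
        # Guid.Empty means the ACE covers every property (or every child class);
        # otherwise it must name exactly the schema object being checked.
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ObjectType) { return $true }
    }
    return $false
}

foreach ($c in $checks) {
    $ok = Test-DelegatedRight -Dn $c.Target -Identity $delegate -Right $c.Right -ObjectType (Get-SchemaGuid $c.Attr)
    '{0,-7} {1,-40} {2}' -f $(if ($ok) { 'OK' } else { 'MISSING' }), $c.Label, $c.Target
}
```

The check matches only ACEs granted directly to the named account; rights inherited through group membership, or granted as GenericAll or GenericRead rather than the specific property right, are reported as MISSING. Treat a MISSING line as a prompt to look at the effective permissions of that object, not as proof that the ACE is absent.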

Who should perform this task

Depending on your organization’s policies, a Windows domain administrator performs this task. In most organizations, this task is delegated to a specific user or group with administrative authority in the selected zone.

How often you should perform this task

In most cases, you create new group profiles only infrequently, to address changes in your organization.

Steps for completing this task

If you choose to create group profiles for Active Directory groups, you can use Access Manager, Active Directory Users and Computers, the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API.

The following instructions illustrate how to create a new group profile using Access Manager. Examples of scripts that use ADEdit, Windows PowerShell, or the Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To create a group profile for an Active Directory group using Access Manager:

  1. Open Access Manager.
  2. Expand Zones and any parent or child zones required to select the zone name to which you want to add the Active Directory group.
  3. Expand UNIX Data and select Groups, right-click, then click Create UNIX Group.
  4. Type a search string to locate the Active Directory group for which you want to create a profile, then click Find Now.

    For example, type “fin” to display the Finance Users and Finance Admins groups.

  5. Select one or more groups in the results, then click OK.
  6. Review the default zone profile settings for the group and make changes if needed, then click OK.

    You can deselect an attribute to change the default value or to create a partial group profile in the current zone. You can complete the profile by providing a value for that attribute in a child zone of the current zone. For example, if you use the same group name but different numeric identifiers on two sets of computers, you can inherit the group name from a parent zone and set the different numeric identifiers in the child zones.

    In the AIX Extended Attributes tab, you can view and set AIX attributes for the group's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the group's zone profile.

    If you selected more than one group, review the profile settings for each group and modify the default settings, if necessary, then click OK.

    If you are adding groups with similar names, you might want to modify the default group name to distinguish the groups. For example, if you are adding both the Finance Admins and Finance Users groups to the same zone, you can change the default group name to finadmin and finuser to make it easier to tell the groups apart. Keep in mind that in some operating environments group names cannot be more than 8 characters and special characters might not be supported.
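The same workflow can be scripted with the Access Module for Windows PowerShell, which is useful when the Finance Admins and Finance Users profiles above have to be created the same way in several zones. The script below is an added example, not code from the Centrify guide or SDK. It assumes the module name (Centrify.DirectControl.PowerShell), the cmdlets Get-CdmZone, Get-CdmGroupProfile and New-CdmGroupProfile with the parameters -Zone, -Group, -Name and -Gid, and the Group property on the returned profile objects, all as documented for the module; domain, zone and GID values are placeholders.

```powershell
# Added example (not from the Centrify guide): steps 1-6 above as a script.
# Assumptions: module and cmdlet names, their parameters, and the Group property of
# the objects Get-CdmGroupProfile returns are taken as documented for the Access
# Module; the domain, zone name and GIDs are placeholders for your environment.
Import-Module Centrify.DirectControl.PowerShell

$domain = 'CORP'                              # placeholder NetBIOS domain name
$zone   = Get-CdmZone -Name 'Finance'         # steps 1-2: select the target zone

# Steps 4-5: the groups the "fin" search would return, each with a distinct
# UNIX group name (the naming advice above) and a placeholder GID.
$wanted = @(
    @{ Group = "$domain\Finance Admins"; Name = 'finadmin'; Gid = 5001 }
    @{ Group = "$domain\Finance Users";  Name = 'finuser';  Gid = 5002 }
)

function Test-UnixGroupName([string]$Name) {
    # Step 6 caveat: some operating environments limit group names to 8 characters
    # and do not support special characters, so only accept portable names.
    return ($Name.Length -le 8) -and ($Name -cmatch '^[a-z_][a-z0-9_-]*$')
}

# Step 6: create the profile unless one already exists in this zone, so the
# script can be re-run safely after a partial failure.
$existing = Get-CdmGroupProfile -Zone $zone
foreach ($w in $wanted) {
    if (-not (Test-UnixGroupName $w.Name)) {
        Write-Warning "Skipping $($w.Group): '$($w.Name)' is not a portable UNIX group name"
        continue
    }
    if ($existing | Where-Object { $_.Group -eq $w.Group }) {
        Write-Host "Profile for $($w.Group) already exists in zone $($zone.Name); skipping"
        continue
    }
    New-CdmGroupProfile -Zone $zone -Group $w.Group -Name $w.Name -Gid $w.Gid
}

# Review the result, as you would on the group's profile settings page.
Get-CdmGroupProfile -Zone $zone | Format-Table Name, Gid, Group
```

Run it under an account that holds the permissions listed under "Rights required for this task"; a missing ACE on the zone container or the group object surfaces here as an access-denied error from New-CdmGroupProfile rather than a dialog in Access Manager. The Test-UnixGroupName check is deliberately stricter than any single platform, so relax the pattern if your UNIX hosts accept longer or mixed-case names.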