In addition to the Active Directory group for the computers in a computer role, you should have an Active Directory group for each set of users that should have different access rights. By mapping Active Directory groups to role definitions, you can manage group membership and access rights at the same time using your current procedures.
To create an Active Directory group for each set of users linked to a computer role:
- Open Active Directory Users and Computers to create a new Active Directory group for each set of users to link to the computer role.
For example, create separate Active Directory groups for application users, database administrators, and backup operators using a naming convention similar to ComputerAttribute_Role_UserSet. For example, create the following Active Directory groups:
- Select each new group, right-click, then click Properties.
- Click the Members tab, then click Add.
- Search for and select the users that you have identified as members of each group, then click OK.
- Click OK to save the group membership.
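
The same procedure can be scripted so that group creation and membership are repeatable and reviewable. The following is an added example, not part of the original documentation; it uses the ActiveDirectory PowerShell module, and the OU path, the name parts, the user names, and the Global group scope are constructed placeholders or assumptions.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Requires the ActiveDirectory module (RSAT). All values below are constructed
# placeholders; replace them with your own OU, name parts, and users.
Import-Module ActiveDirectory

$GroupOU           = 'OU=Role Groups,DC=example,DC=com'   # placeholder OU
$ComputerAttribute = 'Linux'                               # placeholder name part
$Role              = 'WebServer'                           # placeholder name part

# One entry per set of users that should have different access rights.
$UserSets = @{
    AppUsers  = @('asmith', 'bjones')   # constructed sample accounts
    DBAdmins  = @('cwu')
    BackupOps = @('dlee')
}

foreach ($set in $UserSets.GetEnumerator()) {
    # Naming convention from the text: ComputerAttribute_Role_UserSet
    $name = '{0}_{1}_{2}' -f $ComputerAttribute, $Role, $set.Key

    # Reject names that break the three-part convention (for example, a stray
    # underscore in one part), so groups stay easy to map to role definitions.
    if ($name -notmatch '^[A-Za-z0-9]+_[A-Za-z0-9]+_[A-Za-z0-9]+$') {
        Write-Warning "Skipping '$name': does not match ComputerAttribute_Role_UserSet"
        continue
    }

    # Create the group only if it does not exist yet, so reruns are safe.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU
    if (-not $group) {
        # Global security group is an assumption; choose the scope your forest needs.
        $group = New-ADGroup -Name $name -SamAccountName $name `
            -GroupCategory Security -GroupScope Global -Path $GroupOU -PassThru
    }

    # Add only the users who are not already direct members.
    $current = @(Get-ADGroupMember -Identity $group |
                 Select-Object -ExpandProperty SamAccountName)
    $toAdd   = @($set.Value | Where-Object { $_ -notin $current })
    if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }

    # Emit the resulting membership so it can be reviewed or logged.
    Get-ADGroupMember -Identity $group |
        Select-Object @{ n = 'Group'; e = { $name } }, SamAccountName
}
```

The script only adds members; accounts that are already in a group but missing from `$UserSets` are left in place and show up in the final output for review.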