Group Management Server User Guide

Last updated: October 1, 2015

Table of Contents

Getting Started ... 3
  About ... 3
  Terminology ... 3
  Group Management Server is Installed. What do I do next? ... 4
    Installing a License ... 4
    Configuring Email ... 4
    Configuring Group Owner Alert Defaults ... 5
    Configuring Additional Settings ... 5
    Adding a Domain ... 5
    Synchronizing with Active Directory ... 7
    Choosing Licensed Users ... 7
    Configure Automatic Backups ... 9
    Assigning Owners ... 9
    Change Group Privacy Policy Settings ... 11
    Viewing group and user status ... 12
Administrator Actions ... 12
  Add members to groups ... 12
  Remove Members from groups ... 14
  Add owners to groups ... 14
  Remove owners from groups ... 16
  Group Renewal Policies ... 17
    Creating a Renewal Policy ... 18
    Workflow ... 18
  Group Provisioning Workflow ... 18
  Change user roles ... 20
  Edit role permissions ... 21
  Create a new role ... 21
  View audit of all changes to roles assigned to users and groups ... 21
  View audit of all changes to role permissions ... 22
  Change group privacy policies ... 22
  View and Retry Requests ... 22
  Configuration of email ... 23
  Set up AD domains and sync ... 23
  See Group and User Audit Report ... 23
  View License ... 24
Owner Actions ... 24
  Handle Requests ... 24
  Change Email Preferences ... 24
User Actions ... 25
  Join a group ... 25
  Leave a Group ... 25
  View Group Details about your memberships ... 26
  Request Group Provisioning ... 27

Page 2
Getting Started

ABOUT

Group Management Server from Thycotic Software helps your business manage your Active Directory and adds functionality not directly available with Active Directory alone. It:

- Provides a modern, easy-to-understand web interface to visualize the groups on your domain and the members of those groups.
- Introduces the concept of group ownership. With Group Management Server, you can give users in your organization the ability to manage Active Directory groups without having to know, or even have administrator access to, the Active Directory server.
- Provides auditing of all activity so you know the who, what and when of all activity on your domain.
- Introduces the concept of a group privacy policy. You can now control exposure to groups on your domain by requiring users to request permission to join a group, or by hiding a group from non-members completely.
- Synchronizes users and groups across all of your Active Directory domains.

TERMINOLOGY

Throughout this user guide, the terms below refer to specific features or concepts within Group Management Server.

Group Owner: Within Group Management Server, groups can have one or more owners assigned to them. Users who are owners of a group can add and remove people as well as handle user requests for that group.

Administrator: Permissions to all features within Group Management Server can be separated into different roles. Administrator is one of the default roles installed with Group Management Server, and this role can be customized to have different permissions. In this guide, the term administrator refers to the user(s) who manage the system. Administrators have control over the global security and configuration settings, and are de facto owners of every group within the system.
GROUP MANAGEMENT SERVER IS INSTALLED. WHAT DO I DO NEXT?

Installing a License

In order to use Group Management Server, it is necessary to install a license. To add a license, select Licenses from the Administration menu and then click Install New License. Enter the License Name and License Key that were provided by your sales representative.

Configuring Email

It is necessary to configure an email server that Group Management Server will use so that notifications can be sent. Email configuration is done by selecting Configuration from the Administration menu. Fill in the appropriate fields. To test the configuration before saving, click Test Email; you will be prompted for the recipient email address to which the test email will be sent. Once configuration is complete, click Save.
Configuring Group Owner Alert Defaults

Group Management Server can notify group owners when events happen for their groups. After installation, all options shown here are selected. To change these defaults, check or uncheck the relevant boxes. Individual owners can override these settings through their Preferences menu item.

Configuring Additional Settings

To force communication over HTTPS (which encrypts data sent to and from the server), select the Force HTTPS/SSL check box. To configure Integrated Windows Authentication, select the Enable Integrated Windows Authentication check box and follow the directions in the linked KB article.

Adding a Domain

Once licenses are installed and email is configured, the next step is to synchronize with Active Directory. This is set up by selecting Active Directory from the Administration menu. On this page, click New Domain and then enter information for the domain you want Group Management Server to manage.
The domain settings are:

Fully Qualified Domain Name: the full domain name.
Friendly Name: a short name used for display purposes within the application.
Controller (optional): the IP address or NetBIOS name of the domain controller. If blank, Group Management Server will find a domain controller.
UserName: the username for querying Active Directory and changing group membership.
Password: the user's password.
Port: the port to use when connecting to AD (typically 389 for a normal connection, or 636 for an SSL connection).
Protocol Version: the version of the LDAP protocol to use when querying AD (almost always 3).
Expired Groups OU: a specific organizational unit (OU) in AD where expired groups will be moved. This setting is only needed if you intend to use Group Renewal Policies.
Secure Socket Layer: checked if using SSL to communicate with Active Directory.
Sync Managed By: when checked, the AD Managed By user or group will be made a group owner in Group Management Server.
Default: when checked, this domain is automatically selected on the login page the first time a user visits Group Management Server. After a user logs in once, Group Management Server will remember the user's previous selection.
Active: uncheck this box if you want to disable all interoperation between Group Management Server and this AD domain.

Synchronizing with Active Directory

Select Active Directory from the Administration menu, then click Synchronize. The log displayed below will auto-update every few seconds. When it says Synchronization Complete, all users and groups, with their relationships, have been pulled into Group Management Server.

Choosing Licensed Users

When you install Group Management Server, every user pulled in from Active Directory is considered licensed; this means that each one takes up one user license. A user must be licensed in order to log in, to be moved into or out of groups, or to be a group owner. To view or change which users are licensed, select Licenses from the Administration menu and then click Manage Licensed Users. This displays the total number of licensed users as well as why they are licensed. To change which users are licensed, click Edit.
Users can be designated as licensed or excluded by OU, group, or individually. For example, you can include the mydomain\marketing OU, exclude the mydomain\marketing\admins OU, and then include a specific administrator by name. Alternatively, you can license everyone by including the Everyone group.
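The include/exclude model above, as an added example that is not part of Group Management Server or this guide. It assumes (the guide does not say) that the most specific matching rule wins and that a user matched by no rule is unlicensed, and it uses constructed sample users:

```python
# Added example (not the product's own code): resolves whether a user consumes
# a license under include/exclude rules scoped by OU, group or individual user,
# and reports the deciding rule ("why they are licensed"). ASSUMED, not stated
# by the guide: the most specific matching rule wins (user > group > OU, deeper
# OU > shallower OU) and a user matched by no rule is unlicensed.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class User:
    name: str                     # e.g. r"mydomain\jsmith"
    ou: str                       # OU path, e.g. r"mydomain\marketing\admins"
    groups: Tuple[str, ...] = ()  # group memberships

@dataclass(frozen=True)
class Rule:
    kind: str      # "ou", "group" or "user"
    target: str
    include: bool  # True = include (licensed), False = exclude

def _match_rank(rule: Rule, user: User) -> Optional[Tuple[int, int]]:
    """Specificity of a matching rule (higher wins), or None if no match."""
    target = rule.target.lower()
    if rule.kind == "user":
        return (3, 0) if target == user.name.lower() else None
    if rule.kind == "group":
        # Every user belongs to the built-in Everyone group.
        members = {g.lower() for g in user.groups} | {"everyone"}
        return (2, 0) if target in members else None
    if rule.kind == "ou":
        ou = user.ou.lower()
        if ou == target or ou.startswith(target + "\\"):
            return (1, target.count("\\"))  # deeper OU = more specific
        return None
    raise ValueError(f"unknown rule kind: {rule.kind}")

def resolve_license(user: User, rules: Sequence[Rule]) -> Tuple[bool, Optional[Rule]]:
    """Return (licensed, deciding rule); no matching rule means unlicensed."""
    best = None
    for rule in rules:
        rank = _match_rank(rule, user)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, rule)
    return (best[1].include, best[1]) if best else (False, None)

# Constructed sample data following the guide's own example: include the
# marketing OU, exclude its admins sub-OU, then include one admin by name.
RULES = [
    Rule("ou", r"mydomain\marketing", include=True),
    Rule("ou", r"mydomain\marketing\admins", include=False),
    Rule("user", r"mydomain\alice", include=True),
]
ALICE = User(r"mydomain\alice", r"mydomain\marketing\admins")  # re-included
BOB = User(r"mydomain\bob", r"mydomain\marketing\admins")      # excluded
CAROL = User(r"mydomain\carol", r"mydomain\marketing\web")     # included
DAVE = User(r"mydomain\dave", r"mydomain\sales")               # no rule

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        licensed, why = resolve_license(u, RULES)
        print(u.name, "licensed" if licensed else "unlicensed", why)
```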
Configure Automatic Backups

In version 1.4.000000 and later, Group Management Server supports automatic backups. From the Administration menu, select Backup to configure these settings.

Assigning Owners

On the Home page, click Add Group Owners to start the 3-step wizard.

In step 1, filter the list of groups to find the groups you would like to choose owners for. Then click the checkbox to move them to the Selected Groups list. To view and/or modify the selected groups, click Selected Items at the top of the grid. When you are finished, click Continue.

In step 2, choose groups or users to be owners of your previously selected groups. To view and/or modify the selected owners, click Selected Items at the top of the grid. When you are ready, click Continue.

In step 3, verify that you wish to make the users or groups listed in the New Owners section on the right owners of the Selected Groups displayed on the left. Then click Finish to complete the wizard and return to the Home page.
Figure: Add Group Owners - Step 1

Figure: Add Group Owners - Step 2
Figure: Add Group Owners - Step 3

Change Group Privacy Policy Settings

There are four default group privacy policies: Open, Alert, Managed, and Closed.

Open: can be joined by anyone without any alerting or approval workflow.
Alert: owners are notified when users join or leave.
Managed: groups require the owner's approval before users can join.
Closed: groups are not visible to users of the system, except the owners and administrators.

By default, all groups start as Closed. To change the privacy policy settings for one or more groups, click Change Group Privacy Policy Settings on the Home page. To change the privacy policy for a single group, click the link under the Policy column and then choose the new policy from the dropdown. To change the privacy policy for a full page of results, use the link at the top next to Set All. When the desired policy changes have been selected, click Save.
Viewing group and user status

On the home page, click User & Group Status. The Group Status tab shows information on all the groups in the system, and allows you to filter the displayed groups by type, scope, and owner. Click the User Status tab to see information on all the users in the system.

Administrator Actions

ADD MEMBERS TO GROUPS

To add new members to groups, click Add Group Members on the Home page. Adding members is a three-step process. First, choose the groups to add members to. To view and/or modify the selected groups, click Selected Items at the top of the grid. Click Continue.
Next, choose the members to be added. The members being added can be users or other groups. To view and/or modify the selected members, click Selected Items at the top of the grid. In the third and final step, review the choices made. If desired, add a comment in the text field at the right. To specify an optional expiration for the group membership, click the field at the bottom of the blue box and select a day from the calendar, or type a date in MM/DD/YYYY format. Click Finish to save changes.

REMOVE MEMBERS FROM GROUPS

To remove members from groups, click Remove Group Members on the Home page. Removing members is a three-step process. In the first step, choose the groups to remove members from. In the second step, choose the members that are to be removed. The members being removed can be either users or other groups. In the third and final step, review the choices made and click Finish.

ADD OWNERS TO GROUPS

To add new owners to groups, click Add Group Owners on the Home page. In the first step, choose the groups to add owners to. To view and/or modify the selected groups, click Selected Items at the top of the grid.
In the second step, choose the owners that are to be added. The owners being added can be either users or other groups. If group A has group B as an owner, then all users in group B will have an ownership role for group A. To view and/or modify the selected owners, click Selected Items at the top of the grid. In the third and final step, review the choices made and click Finish.
REMOVE OWNERS FROM GROUPS

To remove owners, click Remove Group Owners on the Home page. In the first step, choose the groups to remove owners from. To view and/or modify the selected groups, click Selected Items at the top of the grid. In the second step, choose the owners to remove. To view and/or modify the selected owners, click Selected Items at the top of the grid. In the third and final step, review the choices made. Enter a comment if desired, then click Finish.

GROUP RENEWAL POLICIES

Over time, individuals tend to acquire more and more permissions within organizations, and these permissions are rarely reviewed or reduced. Group Management Server helps solve this problem through group renewal policies. These policies allow you to specify an expiration period after which the assigned groups will be moved to a specific organizational unit in AD for review. Notification emails can be sent to owners a certain number of days prior to the group expiring. Owners of the groups can renew them at any time.
Creating a Renewal Policy

To create a group renewal policy, click Group Renewal Policies on the Home page, and then click Create Group Renewal Policy. Groups can be added to a policy either by organizational unit or by including specific groups. Administrators can also exclude groups from an OU if they should not be affected by the policy.

Workflow

If a group owner does not renew the group before it expires, Group Management Server moves the group into the Expired Groups OU specified in the domain settings. Active Directory administrators can review these groups and decide whether they should actually be expired or not.

GROUP PROVISIONING WORKFLOW

Users can request provisioning of new groups from the Home screen. Administrators with the Approve Group Provision Requests role permission can approve other users' requests. For a user to approve their own requests, they must have the Approve All Group Provision Requests role permission. Administrators can go to the Approve Requests section from Home to manage existing group requests.
Click Manage Request to set advanced Active Directory settings for the group request. In addition to the details filled out by the requester, there are several settings that need to be configured:

Group Type: whether this should be a distribution or security group.
Group Scope: the scope on the domain of the new group.
OU for new group: the OU to create the group in.
AD Managed By: an optional setting to fill in the AD Managed By attribute in Active Directory with one of the Group Owners selected.

CHANGE USER ROLES

Select Roles from the Administration menu and then click Assign Roles. Click the Assign Roles tab, select the role being assigned from the Role dropdown, and click the Add button next to each user to assign to the selected role. To remove roles, click the Unassign Roles tab and then choose the role to be modified. Then click Remove next to each individual or group to be removed from the selected role.
EDIT ROLE PERMISSIONS

From the Administration menu, click Roles and then select a role to edit. Use the arrows on the page to move permissions between the Assigned and Unassigned boxes. Click Save when you are finished.

CREATE A NEW ROLE

From the Administration menu, click Roles and then enter a name for the new role. Click Create New Role and use the arrows on the page to move permissions between the Assigned and Unassigned boxes. Click Save when you are finished.

VIEW AUDIT OF ALL CHANGES TO ROLES ASSIGNED TO USERS AND GROUPS

From the Administration menu, select Roles and then click Role Assignment Audit.
VIEW AUDIT OF ALL CHANGES TO ROLE PERMISSIONS

From the Administration menu, select Roles and then click Role Audit.

CHANGE GROUP PRIVACY POLICIES

From the Home page, click Change Group Privacy Policy Settings. Use the policy dropdown selectors on each row to change individual group privacy policies. Use the Set All drop-down at the top of the page to change the privacy policy for every group shown on the current page.

VIEW AND RETRY REQUESTS

To view pending or failed requests to join or leave a group, select Request Status from the Administration menu. Failed requests can be retried here as well.
The request status screen shows any requests that are in the process of being added to Active Directory (pending). It also shows any requests where an attempt to add or remove a member from a group in Active Directory failed, for example because of network problems. For failed requests, Retry and Cancel buttons can be used to resend or remove the failed request. Pending and failed requests can also be viewed for a particular group: go to the group detail page for that group and click the Requests tab.

CONFIGURATION OF EMAIL

Select Configuration from the Administration menu. See Configuring Email for further details.

SET UP AD DOMAINS AND SYNC

From the Administration menu, click Active Directory. See Adding a Domain and Synchronizing with Active Directory for further details.

SEE GROUP AND USER AUDIT REPORT

From the Report menu, select Group & User Audit Report. This report displays activity performed for a user or group, including changes to membership, ownership, group privacy policies, and role assignments. The results can be filtered by user, group, start/end date, message text and activity type.
VIEW LICENSE

From the Administration menu, click Licenses. From this screen you can see previously installed licenses and install new licenses.

Owner Actions

HANDLE REQUESTS

An owner of a group is responsible for managing group membership and can respond to requests to join or leave managed groups. Owners can approve and deny requests to join or leave groups which they own by clicking the Approve Requests tab. Administrators can approve and deny requests for any group. The number on the Approve Requests tab indicates how many requests are waiting for approval. The Approve Requests page lists all current requests, and each request can be approved or denied individually. Approve All and Deny All buttons are also available.

CHANGE EMAIL PREFERENCES

Owners can choose which kinds of emails they wish to receive through the Preferences option on the Tools menu. Once on the preferences page, click Edit and change the selected email types.
User Actions

JOIN A GROUP

To join any available groups, click Join a Group on the Home page. The Join Group page allows a user to filter and page through the available groups. A user may request to join a group by clicking the Join button next to the group. If the group privacy policy is Open or Alert, the request is automatically granted. Otherwise, approval by a group owner is required.

LEAVE A GROUP

The process and rules for leaving groups are the same as for joining groups. To see a list of groups to leave, click Leave a Group on the Home page.
VIEW GROUP DETAILS ABOUT YOUR MEMBERSHIPS

To view the details of a group that you are a member of, select the My Memberships tab and then click the name of the group you would like to see. You can use the group details page to see the members of the group, the owners of the group, requests to join the group, and any group activity.
REQUEST GROUP PROVISIONING

Users with the Request Group Provisioning permission (assigned to all users by default) have the ability to request the provisioning of a new group. To start this request, click Request Group Provisioning on the Home page.
Users should fill out the following details:

Domain: the domain that the group should be created in.
Name: the name of the group to create.
Group Policy: the group privacy policy for how membership requests should be handled.
Description: the description of the group.
Reason: a descriptive reason for the approver to review before approving the group.
Group Owners: the users who will approve any requests to join or leave the group.
Direct Members: groups or users that should be set as members in Active Directory. Choose this option if any new member of a sub group should always be a member of the requested group going forward.
Copy From: choose a group to copy members from. Choose this option to do a one-time copy of an existing group. The requested group will get the members of that group added as direct members.

Once those details are filled out, click Save to submit the request. An approver will review it and fill out additional details for how the group should be created in Active Directory. Pending group provisioning requests can be viewed in the My Requests section.