This option allows you to grant the permission to perform the desired Active Directory tasks to a group instead of individual users. This option offers the following benefits:
Whenever a user, who is part of a group which has the permissions to perform AD tasks, is disabled or removed from group, the appropriate permissions will also be automatically removed from the user.
How to delegate to groups?
Delegation and inheritance scenarios to be considered:
The following are a list of scenarios that show how inheritance works in group-based delegation. The assumption in every scenario is that User 1 is a member of Group 1, which has been delegated with help desk roles.
1. User 1 is already configured as a technician.
Result: The help desk roles of just User 1, and not Group 1, are assigned to the user.
2. User 1 is removed from Group 1.
Result: User 1 will only be able to login if she/he has directly been configured as a help desk technician. The user will no longer have the roles and permissions she/he initially derived from being a member of Group 1.
3. Group 1 is disabled in the technicians list in ADManager Plus.
Result: User 1 will be able to login only if he/she has been directly configured as a help desk technician. Otherwise, he/she will not be able to login.
4. Group 1 is deleted from the technicians list in ADManager Plus.
Result: User 1 will be allowed to login only if he/she has been directly configured as a help desk technician.
5. Group 1 is deleted from Active Directory
Result: User 1 will only be able to login only if he/she has directly been configured as a help desk technician.
Frequently asked questions about group-based delegation:
1. I have a user who is a member of two groups, Group A and Group B, with different roles delegated to them. What roles will the member user be able to perform?
The user will have the roles of both Group A and Group B.
2. I have enabled Impersonate as Admin for Group A and disabled it for Group B. What will happen to the user who is a member of both groups?
The user will not be able to impersonate as admin. Disabling this option takes precedence over enabling it.
3. While selecting OUs, if I select all OUs for Group A and specific OUs for Group B, which OUs will a user who is a member of both groups have access to?
The user will be able to perform his/her roles in the specified OUs and not all OUs. When the selection of OUs is conflicting, precedence is given to the side with the least number of OUs.
5. How do you calculate licenses for group-based delegation?
Licensing is based on the members of the group and not the group as a whole. All enabled users will be counted towards the licenses. Users without any roles delegated to them will be considered as disabled users and no licenses are required for them.
6. I have added more users to Group A than the number of licenses I have available. In what order will these licenses be allocated to my users?
The users who first login to the product will be assigned the licenses.
7. Can technicians change default templates during user creation?
Technicians who derive their roles from the groups that they are members of cannot modify default templates.