Active Directory Group (Create, Manage, Delete, Query)

Use the Active Directory Group Tasks to create an Active Directory Group; or to change, delete and query all Active Directory Groups:

  • in a specific Active Directory folder (optionally including subfolders).
  • with a group name that matches a specific wildcard pattern.
  • with a specific value for a specific Active Directory Computer property.
  • without any members.

With Create Active Directory Group, you can create an Active Directory Group with a specific name in a specific Organizational Unit, and you can determine the group scope and type.

With Manage Active Directory Group, you can set and change the Group properties, members and the group memberships of Active Directory Groups.

  • On the Members tab, you can add or remove users as members of the Group. You can also create a new list of members to replace the entire existing list of members.
  • On the Member of tab, you can make the target Group member of other Groups, or remove membership of other Groups. You can also create a new list of Groups to replace the existing memberships of the target Active Directory group.

With Delete Active Directory Group, you can delete Active Directory Groups. Combined with the filter Only apply to groups without members, for example, you can use this Task to clean up empty Active Directory Groups.

With Query Active Directory Group, you can obtain overviews of all Active Directory Groups, filtered by Organizational Unit, by group name, property value and/or by lack of members.

Configuration

  • If you are going to run the Task on a Domain controller, you can leave the Domain controller field on the Settings tab empty and select Local Agent (domain controller) instead.
  • On the Settings tab, group name refers to the pre-Windows 2000 name.
  • In the Filter by property field, use wildcards only in combination with the operators LIKE and NOT LIKE.
  • By default, group memberships defined on the Member of tab are added to any existing group memberships. To replace the existing list with the list defined in the Task, select Replace all existing group memberships.

When you configure a Task to change or delete Active Directory Groups that match a set of criteria, there is a risk that more Active Directory Groups are targeted than expected. By selecting the option Fail this Task if the number of items affected exceeds [x], you can create a safety net that prevents undesired results.

  • When configuring a Task Manage Active Directory Group, use Multi-select List parameters when specifying members on the Members tab and Members of tab. This makes it easier to specify these members when scheduling the Task in a Job.
  • When you browse for a specific OU, this information is automatically pasted in the relevant field and takes the following format: OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local. However, if you set a parameter in this field, the data will have to be provided at the moment of input - in the correct format. To provide an example of the format, copy a sample path and paste it as the default value for the relevant parameter. With the Input setting Show previous value, the example will be shown whenever input is required for the parameter.
  • In Tasks to set Active Directory properties for Active Directory objects, the variable %username% will be resolved as the name of the user under which the Ivanti Automation Agent runs. If you want to refer to the actual user name of the target Active Directory object instead, for example when you are setting a user's home drive using the Task Manage Active Directory User, use the variable %accountname%. This will be resolved as the pre-Windows 2000 user name of the Active Directory User, Computer, Group or Object that is being managed. This option is not available for Organizational Units.
  • The execution speed of Active Directory Queries may depend on the number of additional Active Directory properties that are to be reported in the query. On the Computer Properties tab, you can select a maximum number of 90 Active Directory properties.
  • When browsing for an Organizational Unit, the list of Organizational Units that is shown depends on the Security context and the Domain controller. If the Domain controller field is empty, the list of Organizational Units depends on the Domain.
  • It is possible to abort long running Active Directory Query Tasks. It may take around 10 seconds for the abort to be detected by the Agent, after which the Job will fail with status Aborted. Long running Active Directory Tasks that update, move or delete Active Directory objects cannot be aborted - the Task will always run until it is completed.
  • When configuring a Task Manage Active Directory Group, and you select the option Replace all existing members on the Members tab, Ivanti Automation will not replace the members for which the specified group has been marked as primary group.