Active Directory - Create group

Declaration

<AMACTIVEDIRECTORY ACTIVITY="create_group" AUTHTYPE="text (options)" 
USERNAME="text" LDAPPATH="text" GROUP="text" 
DISPLAYNAME="text" DESCRIPTION="text" GROUPTYPE="text 
(options)" GROUPSCOPE="text (options)" PASSWORD="text (encrypted)" />

Description: Creates a new Active Directory group in the specified parent container. Groups are Active Directory (or local computer) objects that can contain users, contacts, computers, and other groups that can be managed as a single unit.

Active Directory activities require a basic understanding of Active Directory and related components (e.g., Domain Controllers, Trust Relationships, Forests, LDAPs, etc.). Also, to ensure that these activities function appropriately, the target system must be part of a domain.

Practical Usage

Often used to create an Active Directory group in which to add members to. Users and computers that belong to a particular group are referred to as group members.

Group Parameters

Property

Type

Required

Default

Markup

Description

Parent LDAP path

Text

Yes

(Empty)

LDAPPATH=

"LDAP://DC=netauto,DC=com"

The Lightweight Directory Access Protocol (LDAP) path of the parent Active Directory container. This is usually the top most container or rootDSE path, the root of the directory data tree on a directory server. Click the Select Container button to launch a standard Windows dialog box that allows for the selection an Active Directory container.

Name

Text

Yes

(Empty)

GROUP="Group1"

The name of the Active Directory group to be created.

Display name

Text

Yes

(Empty)

DISPLAYNAME="Davelopers"

The display name of the Active Directory group to be created.

Description

Text

Yes

(Empty)

DESCRIPTION=

"Developers"

A description of the Active Directory group to be created.

Group type

Text (options)

No

Security

  1. GROUPTYPE="security"

  2. GROUPTYPE="distribution"

The type of Active Directory group to be created. Sending an e-mail message to a group sends the message to all members of the group. The available options are:

  • Security - Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as e-mail distribution lists.

  • Distribution - Distribution groups are intended to be used solely as e-mail distribution lists. These lists are for use with e-mail applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive e-mail sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.  

Group scope

Text (options)

No

DomainLocal

  1. GROUPSCOPE="local"

  2. GROUPSCOPE="global"

  3. GROUPSCOPE="universal"

The scope of the Active Directory group to be created. Group scopes normally describe which type of users should be clubbed together in a way which is easy for their administration. The available options are:

  • Domain Local Group (default)- Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain.

  • Global Group - Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. In other words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited.

  • Universal Group Scope: (This option is available only when Distribution is selected in the Group Type parameter). These groups are precisely used for e-mail distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain.

Credentials Parameters

Property

Type

Required

Default

Markup

Description

Authentication type

Text (options)

No

Default

AUTHTYPE="Encryption"

Specifies the types of authentication used. The available options are:

  • Default - Use default authentication type

  • None - Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider.

  • Secure - Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client.

  • Encryption (default) - Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit.

  • SecureSocketLayer - Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit.

  • ReadonlyServer - For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding.

  • Anonymous - No authentication is performed.

  • FastBind - Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available.

  • Signing - Verifies data integrity to ensure that the data received is the same as the data sent. The Secure flag must also be set to use signing.

  • Sealing - Encrypts data using Kerberos. The Secure flag must also be set to use sealing.

  • Delegation - Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains.

  • ServerBind - If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for serverless paths. Specifying a server name without also specifying this flag results in unnecessary network traffic.

Username

Text

No

(Empty)

USERNAME="username"

The username context that this activity will execute under. Leave the Username and Password parameters blank in order to use the logon user's credentials.

NOTE:  A Domain User has permission to access Active Directory information. However, only a Domain Administrator has permission to perform Active Directory modifications.

Password

Text

No

(Empty)

PASSWORD="password"

The password associated to the Username context that this activity will execute under. Leave the Username and Password parameters blank to use the logon user's credentials.

Description tab - A custom description can be provided on the Description tab to convey additional information or share special notes about a task step.

Error Causes tab - Specify how this step should behave upon the occurrence of an error. (Refer to Task Builder > Error Causes Tab for details.)

On Error tab - Specify what AWE should do if this step encounters an error as defined on the Error Causes tab. (Refer to Task Builder > On Error Tab for details.)

Example

The sample AML code below can be copied and pasted directly into the Steps panel of the Task Builder.

Description: Create an Active Directory group of type "SECURITY" by the name of "administrator". The path of the new group's parent is "LDAP://servername.com".

<CREATEADGROUP 
		 LDAPPATH="LDAP://servername.com" USERNAME="administrator" 
		 PASSWORD="AM2LRnogx3fFdk=aME" GROUP="administrator" 
		 DISPLAYNAME="mycompany" DESCRIPTION="Local Security" 
		 GROUPTYPE="SECURITY" GROUPSCOPE="DOMAINLOCAL" 
		 />