Applies To:
GroupID 8 and above
Business Scenario:
We have a large number of groups and we want to force a particular group to be the primary owner of multiple groups in bulk. Moreover, we want to prevent users/owners of groups from changing or removing the primary owner. Is this possible?
More Information:
We can use GroupID Management Shell to set a group/user as the primary owner of groups.
We can then use GroupID Management Console to restrict users/owners of groups from changing the primary owner.
Steps to enforce a primary owner:
- Open GroupID Management Shell.
- Type the following command:
Get-Group -SearchContainer "OU=SmartGroups,OU=Corp,DC=abc,DC=com" | Set-Group -ManagedBy "CN=Roger Woods,OU=Engineering,OU=Corp Users,OU=Corp,DC=abc,DC=com" | Out-Null
This command gets all the groups in the specified container and sets Roger Woods from Engineering as their primary owner.
To force this setting for all groups regardless of container, remove the following from the command:
-SearchContainer "OU=SmartGroups,OU=Corp,DC=abc,DC=com"
In this command:
- The Get-Group cmdlet retrieves managed groups that are in one or more containers on a domain matching the given criteria.
- The Set-Group cmdlet modifies an unmanaged group in Active Directory. However, you can use this cmdlet to modify those parameters of a SmartGroup that are native attributes of an unmanaged group in Active Directory.
- The Out-Null cmdlet sends its output to NULL, in effect removing it from the pipeline and preventing the output from being displayed on the screen.
Steps to restrict users from changing/removing the primary owner:
Through GroupID Management Console, you can restrict users/group owners from changing or removing the primary owner that you set using the GroupID Management Shell command.
- In GroupID Management Console, select Self-Service > Portals > [required portal] > Designs > [required identity store].
- On the Properties tab, select Group or SmartGroup from the Select Directory Object drop-down list.
- Select Owner in the name list and click Edit.
- On the Edit Design Category dialog box, select Owner in the Fields area and click Edit.
- On the Edit Field dialog box, set the access level to Administrator. Click OK and then save the changes.
Now only the administrator can change a group's primary owner.
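To confirm that the bulk change took effect, and to detect groups whose owner later differs from the enforced one, the managedBy attribute can be audited against the expected DN. The following is an added example, not part of GroupID or the original article. The function name Find-OwnerDrift and the sample groups and the user Jane Doe are constructed for illustration, and the live query assumes the Microsoft ActiveDirectory module (Get-ADGroup) is installed.

```powershell
# Added example (not GroupID code). Works on any objects that expose
# DistinguishedName and ManagedBy, as Get-ADGroup -Properties ManagedBy returns.
function Find-OwnerDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group,

        [Parameter(Mandatory)]
        [string]$ExpectedOwner
    )
    process {
        $actual = [string]$Group.ManagedBy   # $null becomes an empty string
        if ([string]::IsNullOrWhiteSpace($actual)) {
            $status = 'MissingOwner'
        } elseif ($actual.Trim() -ine $ExpectedOwner.Trim()) {
            # DNs are compared case-insensitively
            $status = 'UnexpectedOwner'
        } else {
            return   # compliant group, emit nothing
        }
        [pscustomobject]@{
            Group     = $Group.DistinguishedName
            Status    = $status
            ManagedBy = $actual
        }
    }
}

$owner = 'CN=Roger Woods,OU=Engineering,OU=Corp Users,OU=Corp,DC=abc,DC=com'

# Constructed sample input so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Sales,OU=SmartGroups,OU=Corp,DC=abc,DC=com'
                       ManagedBy = $owner }
    [pscustomobject]@{ DistinguishedName = 'CN=Ops,OU=SmartGroups,OU=Corp,DC=abc,DC=com'
                       ManagedBy = $null }
    [pscustomobject]@{ DistinguishedName = 'CN=HR,OU=SmartGroups,OU=Corp,DC=abc,DC=com'
                       ManagedBy = 'CN=Jane Doe,OU=Corp Users,OU=Corp,DC=abc,DC=com' }
)
$sample | Find-OwnerDrift -ExpectedOwner $owner | Format-Table -AutoSize

# Against the live directory (requires the ActiveDirectory module):
# Get-ADGroup -SearchBase 'OU=SmartGroups,OU=Corp,DC=abc,DC=com' -Filter * -Properties ManagedBy |
#     Find-OwnerDrift -ExpectedOwner $owner
```

With the sample input, the Ops group is reported as MissingOwner and the HR group as UnexpectedOwner; an empty result means every group has the enforced owner.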
Related Articles:
- How To: Enforce a primary owner for groups
- How To: Ensure/enforce minimum number of additional owners for groups
References:
- GroupID Management Shell - User Guide
- Microsoft PowerShell commandlet - Out-Null