Applies To:

GroupID 9 & above

Business Use Case:

With the GroupID role-based architecture, we can apply the New Object policy differently for different roles. For example, we can limit the members  of a role, Security Role A, to create group objects in OU1 and OU2 only.

You can specify one or more OUs for each of the object types. For example, you can specify OUA and OUB for Group and OUC for Mailbox objects, so that users can only create groups in OUA or OUB, while mailboxes can only be created in OUC.


  1. In GroupID Management Console, click the Identity Stores node.
  2. On the Identity Storestab, double-click the required identity store to open its properties.
  3. On the Security Roles tab, select a role to manage the policies that apply to it and click Edit.
  4. On the properties page, click the Policies tab and then click New Object in the left pane.
  5. You can do one of the following:
    • Limit role members to create directory objects in the same OU that they reside in respectively. Select the Users can create objects only in their own containers check box to achieve this.
      As a result, the Select Container option will be disabled when role members create new objects.
    • Specify a container for an object type (say Group) to restrict role members to create new groups only in that container.
      1. Select the object you want to specify a container for. You will notice that the arrow for the selected object points downward.
      2. Click Add.
      3. On the Select Container dialog box, select one or more containers that role members can create the particular objects in. If the selected container is a parent, child containers will automatically be selected; you can unselect child containers, if required.
        Role members will only see the selected containers when they create new objects, and they can choose the desired container.
      4. Click OK.
  6. Click Apply and then OK on the New Object page.

Note: Removing all containers for an object type implies that the New Object policy no longer applies to that object type, and that users can create the particular object in any OU in the identity store.

Expected Results:

With the New Object policy applied, role members can create new objects only in the specified container(s).

In Automate:
  • On the Group Options page of the New Group wizard, the user can view only the specified OUs, and can create a new group in any of these.

In the Self-Service portal:
  • On the General page of the Create Group wizard, the user can view only the specified OUs, and can create a new group in any of these.

  • Similarly, on the Account page of the Create Contact wizard, the user can view only the specified OUs, and can create a new contact in any of these.


GroupID Online Help topic: New Object policy