Manifest and Active Directory Group Guidelines
Manifest allows group administrators to push Manifest groups to Campus Active Directory (CAD). The purpose of this document is to discuss the differences between Active Directory and Manifest groups, explain the benefits of originating your groups in the Manifest system, and provide instructions on how to publish a Manifest group to CAD.
Background
A thorough explanation of groups in Active Directory, including group types, scope and best practices, can be found in Campus Active Directory - Security Group Management Recommendation.
Manifest groups that are pushed to Campus Active Directory are of the AD global group type. This allows users to manage group membership in a single place, the Manifest UI.
Benefits of Using Manifest Groups
Group maintenance, adding and removing new staff for example, no longer needs to be performed by IT staff. Manifest's easy-to-use web interface allows these tasks to be delegated to anyone with access to the group, such as administrative staff.
Manifest groups can be data-driven. This means that access to resources provisioned via Campus Active Directory, such as a local file share or printer, can be driven by affiliation data. For more information about data-driven groups, see Manifest - Data Driven Groups. The most common example of data-driven group usage is that of departmental provisioning by UDDS groups.
Manifest groups may be consumed by a variety of resources outside of Active Directory. Rather than recreating a group to provision a resource in Active Directory, it would be more appropriate to add a Manifest group as a member of a domain local group. Any change to the Manifest group propagates to Active Directory as well as any other system that may be using Manifest for authorization decisions.
When to Use Active Directory Groups
Groups that require a scope other than Global should be created in Active Directory. Domain local and Universal groups pertain exclusively to Active Directory security and resource management; as such it is not appropriate to use Manifest groups to fulfill these purposes.
Example Usage
To provision access to a shared resource connected to Campus Active Directory, you might follow a procedure like the one below.
- Join the resource (e.g. a printer or file share) to Campus Active Directory
- Within Active Directory, create a domain local group
- Configure the shared resource within Active Directory to allow access by members of the newly created domain local group
- Create a group in Manifest with the users or data-driven groups you wish to access the resource and choose the option to push the group to Campus Active Directory
- Once the Manifest group has been delivered to Active Directory, add it as a member of the domain local group
By following this procedure, anyone who is a member of the Manifest group will flow into Active Directory and will have access to the shared resource. If a new user needs access to the resource, they need only be added to the Manifest group. By taking advantage of Manifest's delegated administration functionality, anyone with the Manifest group's Manager or Administrator role may add new members to the group via the easy-to-use web interface.
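The procedure above, as an added PowerShell example (not part of this KB document): it creates the domain local group in your OU, grants that group access to the share, and then nests the published Manifest group (whose CN in CAD is the Manifest UUID) inside it. It assumes the ActiveDirectory and SmbShare modules, rights in your own OU, and placeholder OU, share and group names that you replace with your own.

```powershell
# Added example (not from the KB page): provision a file share through a CAD
# domain local group and nest a published Manifest group in it.
# Assumptions: ActiveDirectory and SmbShare modules are installed, this runs on the
# file server with rights in your department OU, and the values below are placeholders.
Import-Module ActiveDirectory
Import-Module SmbShare

$OrgUnitDn    = 'OU=MyDept,DC=ad,DC=wisc,DC=edu'    # placeholder: your department OU
$LocalGroup   = 'MyDept-Share-RW'                    # placeholder: domain local group you own
$ShareName    = 'DeptShare'                          # placeholder share name
$SharePath    = 'D:\Shares\DeptShare'                # placeholder share path
$ManifestUuid = '280abc5d36544efghi8j4k5lmn296770'   # UUID from the Manifest group URL (CN in CAD)

# Step 2: create the domain local group in your OU if it does not exist yet.
$dl = Get-ADGroup -Filter "Name -eq '$LocalGroup'" -SearchBase $OrgUnitDn
if (-not $dl) {
    $dl = New-ADGroup -Name $LocalGroup -GroupScope DomainLocal -GroupCategory Security `
                      -Path $OrgUnitDn -Description "Change access to $ShareName" -PassThru
}

# Step 3: the resource's ACL references only the domain local group, never individual users.
# (Qualify $LocalGroup with your domain's NetBIOS name if the bare name does not resolve.)
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $LocalGroup | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $LocalGroup -AccessRight Change -Force | Out-Null
}

# Step 5: once the Manifest group has been delivered to CAD, nest it in the domain local group.
# Empty Manifest groups are never synchronized, so a missing CN means no members or no approval yet.
$mf = Get-ADGroup -Filter "Name -eq '$ManifestUuid'" -Properties Description
if (-not $mf) {
    throw "Manifest group $ManifestUuid is not in CAD yet (not approved, still queued, or empty)."
}
if ($mf.GroupScope -ne 'Global') {
    throw "Unexpected scope $($mf.GroupScope) for $ManifestUuid; published Manifest groups are Global."
}
Add-ADGroupMember -Identity $dl -Members $mf
"Nested Manifest group '$($mf.Description)' ($ManifestUuid) in $LocalGroup for share $ShareName"
```

Membership changes are then made only in Manifest; nothing in AD needs to be touched when people join or leave.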
How to Publish Groups to Campus Active Directory
Prerequisites
To publish a group to Campus Active Directory, you must be a CAD customer. If your department does not currently have an Organization Unit (OU) in Campus Active Directory, please request one at https://cads.ad.wisc.edu before proceeding.
For an explanation of when to publish a Manifest group to Campus Active Directory, and when to use a native AD group, please see Manifest and Active Directory Group Guidelines.
Note: Empty Manifest groups will not synchronize to AD. At least one member must be in the group before it will exist in CAD. However, empty groups are not removed once they exist.
New Groups
Create a new group (see Manifest - Create a Group) and click Advanced Options on the Create new group screen.
Under the Delivery/connection options heading, check the Publish to Active Directory Services box.
In the Comments field, enter your Campus Active Directory department code. Your department code is the name of your Organizational Unit (OU) in Campus Active Directory.
Click Create Group.
Once the group has been successfully created, record the UUID from the web page URL (e.g. https://manifest.services.wisc.edu/Group/Index/280abc5d36544efghi8j4k5lmn296770). This will be the name (CN) of the group published to Campus Active Directory.
Existing Groups
Navigate to the group you would like to publish by clicking Details in My groups.
Click the More actions dropdown and then click Edit delivery/connection options.
Under the Delivery/connection options heading, check the Publish to Active Directory Services box.
In the Comments field, enter your Campus Active Directory department code. Your department code is the name of your Organizational Unit (OU) in Campus Active Directory.
Record the Manifest group UUID from the web page URL (e.g. https://manifest.services.wisc.edu/Group/Index/280abc5d36544efghi8j4k5lmn296770). This will be the name (CN) of the group published to Campus Active Directory.
Click Save.
What Happens Next?
Once you have requested that your group be published to Campus Active Directory, it will be reviewed by administrators. After verifying that the group will be used by a valid Campus Active Directory customer, the request will be approved. If you are not yet a Campus Active Directory customer, administrators will request that you submit a CAD request at https://cads.ad.wisc.edu.
Once your publish request has been approved, the group will be pushed to Campus Active Directory. Groups with more than 1000 members will be published overnight following approval.
If you would like a status update regarding the request to be pushed to Active Directory, please contact activedirectory@doit.wisc.edu.
How to Use the Group in Campus Active Directory
This section assumes a general knowledge of Active Directory group structure and functionality. If you have questions about groups in Active Directory, please contact activedirectory@doit.wisc.edu.
The most effective way to leverage a Manifest group that has been pushed to Campus Active Directory is to add it as a member of a Domain Local or another Global group located in your OU. If you will be using the Manifest group frequently, it is recommended that you add it as a member of a Global group in your OU to facilitate searching. Please see Campus Active Directory - Security Group Management Recommendation for AD grouping best practices.
Manifest groups will be published to the following location in Campus Active Directory:
Location: OU=Manifest,OU=Groups,OU=Wisc
You may also search for the group using the name (CN) or the description, which will appear as follows in Campus Active Directory:
Name (CN): 280abc5d36544efghi8j4k5lmn296770
Description: uw:domain:mysite.wisc.edu:my_group_id
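To confirm that a published group has actually arrived in CAD and see where it has been nested, here is an added PowerShell check (not part of this KB document). It looks the group up by its CN (the Manifest UUID) or by its uw:domain:... description, reports scope, category and member count, and lists the groups in your OU it has been added to. It assumes the ActiveDirectory module and read access to CAD; the sample description value is the one quoted above.

```powershell
# Added example (not from the KB page): locate a published Manifest group in CAD by
# CN (Manifest UUID) or by its Manifest description, and report how it is being used.
# Assumes the ActiveDirectory PowerShell module and read access to Campus Active Directory.
Import-Module ActiveDirectory

function Find-ManifestGroup {
    param(
        [string]$Uuid,         # CN from the Manifest group URL, e.g. 280abc5d36544efghi8j4k5lmn296770
        [string]$Description   # or the published description, e.g. uw:domain:mysite.wisc.edu:my_group_id
    )
    if ($Uuid) {
        $filter = "Name -eq '$Uuid'"
    } elseif ($Description) {
        $filter = "Description -eq '$Description'"
    } else {
        throw 'Provide -Uuid or -Description.'
    }
    Get-ADGroup -Filter $filter -Properties Description, Members, MemberOf, whenChanged
}

$g = Find-ManifestGroup -Description 'uw:domain:mysite.wisc.edu:my_group_id'
if (-not $g) {
    # Empty Manifest groups never reach CAD, and groups over 1000 members arrive overnight after approval.
    Write-Warning 'Group not found in CAD: not approved yet, still queued, or empty in Manifest.'
    return
}

[pscustomobject]@{
    CN          = $g.Name
    Description = $g.Description
    Scope       = $g.GroupScope        # expected: Global
    Category    = $g.GroupCategory     # expected: Security
    Members     = $g.Members.Count     # managed only in the Manifest UI
    LastChanged = $g.whenChanged
    NestedIn    = ($g.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
} | Format-List

# Membership lives in Manifest; in AD you only nest this group inside Domain Local or
# Global groups in your own OU, which is what the NestedIn field lets you confirm.
```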