Manifest and Active Directory Group Guidelines
Manifest groups are available to be consumed within Active Directory Services. The purpose of this document is to discuss the differences between Active Directory and Manifest groups, and to explain the benefits of originating your groups in the Manifest system.
A thorough explanation of groups in Active Directory, including group types, scope and best practices, can be found in Campus Active Directory - Security Group Management Recommendation.
Manifest groups that are pushed to Active Directory Services are of the AD global group type.
Benefits of Using Manifest Groups
Group maintenance, such as adding and removing staff, no longer needs to be performed by IT staff. Manifest's easy-to-use web interface allows these tasks to be delegated to anyone with access to the group, such as administrative staff.
Manifest groups can be data-driven. This means that access to resources provisioned via Active Directory Services, such as a local file share or printer, can be driven by affiliation data. For more information about data-driven groups, see Manifest - Data Driven Groups. The most common example of data-driven group usage is that of departmental provisioning by UDDS groups.
Manifest groups may be consumed by a variety of resources outside of Active Directory. Rather than recreating a group to provision a resource in Active Directory, it would be more appropriate to add a Manifest group as a member of a domain local group. Any change to the Manifest group propagates to Active Directory as well as any other system that may be using Manifest for authorization decisions.
When to Use Active Directory Groups
Groups that require a scope other than Global should be created in Active Directory. Domain local and Universal groups pertain exclusively to Active Directory security and resource management; as such it is not appropriate to use Manifest groups to fulfill these purposes.
To provision access to a shared resource connected to Active Directory Services, you might follow a procedure like the one below.
- Join the resource (e.g. printer, file share) to Active Directory Services
- Within Active Directory, create a domain local group
- Configure the shared resource within Active Directory to allow access by members of the newly created domain local group
- Create a group in Manifest with the users or data-driven groups you wish to access the resource and choose the option to push the group to Active Directory Services
- Once the Manifest group has been delivered to Active Directory, add it as a member of the domain local group
By following this procedure, anyone who is a member of the Manifest group will flow into Active Directory and will have access to the shared resource. If a new user needs access to the resource, they need only be added to the Manifest group. By taking advantage of Manifest's delegated administration functionality, anyone with the Manifest group's Manager or Administrator role may add new members to the group via the easy-to-use web interface.
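The procedure above carried out with the ActiveDirectory PowerShell module, as an added example (not a script from the original page or from the Manifest project): it confirms the pushed Manifest group is Global, creates the domain local group, grants it NTFS Modify rights on the share, nests the Manifest group, and flags any user accounts that were added directly to the domain local group. The group names, OU and share path are assumed placeholders, and the file server is assumed to already be joined to the domain.

```powershell
# Added example: provision a file share using the Manifest -> Global -> Domain Local pattern.
# All names below are assumed placeholders, not values from the original page.
Import-Module ActiveDirectory

$ManifestGroupName = 'manifest-dept-staff'          # assumed name of the Manifest group after push to AD
$ResourceGroupName = 'fs-deptdocs-modify'           # domain local group that will carry the share ACL
$GroupsOU          = 'OU=Groups,DC=example,DC=edu'  # assumed OU for resource groups
$SharePath         = 'D:\Shares\DeptDocs'           # assumed local folder behind the share

# Step 1: the Manifest group must already have been delivered to AD, and pushed
# Manifest groups are Global, so refuse to continue if the scope is anything else.
$manifestGroup = Get-ADGroup -Identity $ManifestGroupName
if ($manifestGroup.GroupScope -ne 'Global') {
    throw "Expected '$ManifestGroupName' to be Global; found $($manifestGroup.GroupScope)."
}

# Step 2: create the domain local security group that the resource will trust.
if (-not (Get-ADGroup -Filter "Name -eq '$ResourceGroupName'")) {
    New-ADGroup -Name $ResourceGroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupsOU -Description "Modify access to $SharePath; membership flows from $ManifestGroupName"
}

# Step 3: grant the domain local group Modify on the folder (inherited by files and subfolders).
$netbios = (Get-ADDomain).NetBIOSName
$acl     = Get-Acl -Path $SharePath
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$ResourceGroupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 4: nest the Manifest (Global) group inside the domain local group.
Add-ADGroupMember -Identity $ResourceGroupName -Members $manifestGroup

# Check: the domain local group should contain only nested groups. A user account added
# here directly bypasses Manifest, so its access would not be removed when Manifest changes.
$directUsers = Get-ADGroupMember -Identity $ResourceGroupName | Where-Object objectClass -eq 'user'
if ($directUsers) {
    Write-Warning "Direct user members in ${ResourceGroupName}: $($directUsers.SamAccountName -join ', ')"
}
```

Run the script once from an account that can create groups in the target OU and modify the folder ACL; afterwards, all membership changes are made in Manifest only.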