Managing groups in AD
We now have some groups in FIM. Both the ones created in FIM and those that come from the HR system.
We now need to configure FIM to export these groups to AD.
As discussed earlier, we now need to consider the groupType
attribute in AD.
We also need to consider if we have different needs depending on group type.
At The Company, they have decided that FIM should not delete security groups once created in AD. This is a common approach, since deleting a security group—and thereby its SID (Security ID)—might cause dramatic events, if the group is used for some kind of permission. Recreating a group with the same name will not recreate the SID and will not fix the permissions.
On the other hand, when talking about distribution groups, ...
Get Microsoft Forefront Identity Manager 2010 R2 Handbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.