Groove Server Manager Functionality
Updated: April 1, 2008
Applies To: Groove Server 2007
The Microsoft® Office Groove® Server 2007 Manager is a Web-based application for managing Microsoft Office Groove. The Office Groove Server 2007 Manager runs on servers installed at an enterprise site. Enterprises can also procure comparable functionality via Microsoft Office Groove Enterprise Services.
Groove clients and administrators communicate with the Groove Server Manager Web site via respective interfaces. The client interface allows the Groove client application to access policies and relay server assignments, and to report Groove usage statistics. Managed Groove clients poll the management server periodically (generally, every 5 hours) for updates to member identity information, policies, relay provisioning, and to report statistics. This periodic contact is the primary mechanism by which all information is transferred between Groove Manager servers and the Groove client software. Groove Manager servers do not initiate client communications. However, Groove Manager servers do contact relay servers to convey managed user relay assignments.
The administrative interface allows administrators to perform the following tasks for a defined management domain:
Assemble Groove users (utilizing onsite corporate directories if integrated with an onsite Groove Manager).
Define Groove usage and security policies, including account backup scheduling.
Provision Groove users with Groove Relays (the Groove Relay component of an onsite Office Groove Server or comparable functionality accessed via Groove Enterprise Services).
View Groove event reports.
Audit Groove client activities (if the Groove Manager, with the Audit option, is installed onsite).
In addition, by publishing user information to an enterprise Groove directory, Groove Manager enables authorized Groove users to find each other easily and safely.
By comparison, in an unmanaged environment, once Groove is installed and an account created, private users are free to publish their contact information, assume passwords, and communicate with whomever they choose, unhindered by centralized usage policies and other corporate security measures. Public Groove relay servers handle cross-firewall communication, offline work, and message distribution for these users.
With the Groove Manager application installed onsite, administrators can manage the server as well as Groove users and devices enrolled in management domains. With Microsoft-hosted Groove Enterprise Services, enterprise administrators manage only Groove users and devices within a management domain.
Groove Manager server-level administration involves the following tasks, performed from the Groove Manager administrative Web interface.
Defining administrator roles
As a recommended added security level, administrators can enable a Role Based Access Control (RBAC) for the Groove Manager, limiting Groove Manager administrative rights to specific administrators defined on the system.
Defining management domains
The Groove Manager supplies an initial domain, to which server administrators can create additional domains. Once the management sever is configured with management domains, domain administrators can add users to the domain and provision them.
Monitoring Groove Manager server events, via the audit log
The Groove Manager logs server events (such as the addition of a new administrator) to an audit log report, accessible from the server-level Reports tab of the administrative Web interface.
Integrating LDAP directories with an onsite Groove Manager
The Groove Manager administrative interface allows server administrators to import user information from directory server organizational units (OUs) into the Groove Manager, automating the process of adding Groove identities to a management domain.
Administrators can use the Groove Manager to accomplish major tasks essential to managing Groove use on a corporate scale, as described next.
In this article:
In an enterprise where IT administrators manage software distribution and use, Groove operations are most effectively managed via onsite Groove Servers or Microsoft-hosted Groove Enterprise Services. Groove Server Manager and Relay, or Enterprise Services, help IT administrators standardize Groove deployment and maintain reliable ongoing Groove communications across their workforce network and beyond to remote associates and contributors.
The basic unit of Groove management is a management domain, a named organizational unit, such as Contoso Corporation, where an administrator assembles Groove users, policies, and relay servers. A domain configured on an onsite server or accessed through Groove Enterprise Services, allows designated administrators to manage and monitor Groove user activities within the domain.
An onsite Groove Manager provides for two basic levels of administration: server administration and domain administration. Both levels of administrators can conduct their respective tasks through the Groove Manager administrative Web interface. The primary server administrator defines administrative roles and domains, and configures any corporate directory servers, laying the foundation for domain management.
Groove Enterprise Services allows immediate administrative access to a Groove Manager domain, which can be managed without the added overhead of server management.
When Groove servers are installed onsite at an organization, administrators can access server-level pages on the Groove Manager administrative Web site, where they can set initial administrative roles, create management domains, integrate an onsite LDAP directory with Groove Manager, and monitor server activity, as follows:
Administrator role-setting – The server Roles pages allow organizations to entrust high-level server and domain administration only to selected individuals. Once the initiating administrator has enabled role-based access control (RBAC) for the Groove Manager administrative Web site, qualified server administrators and domain-level administrators can be assigned as needed. Roles defined for each administrator determine which administrators are responsible for which server-level or domain-level tasks.
Domain creation – An initial Groove management domain is created during initial Groove Manager setup, after which the server administrator can create additional domains for different Groove collaboration teams. Once a domain is configured, it houses Groove user groups, policy templates, and relay server sets, as defined by domain administrators.
Directory integration – If an LDAP-compatible directory server of user information is available in-house, server administrators can integrate an LDAP directory with Groove Manager to efficiently import user information into Groove Manager domains. If Active Directory databases are used, LDAP integration also gives access to the automatic Groove account configuration feature that facilitates Groove client deployment.
Server monitoring – Server Reports pages display a log of server-level activity (such as creation of a new domain or addition of a new relay server set) within a defined date range.
Domain Group Management
Domains are defined at the server-level and then may be assigned to individual domain administrators. The domain administrator specifies the Groove user identities, policy templates, and relay server sets that comprise a given domain. Administrators can also divide a domain into subgroups of Groove users. Specific Groove policy templates and relay sets can then be applied to specific domain groups and subgroups, as an organization’s management practices require.
In smaller organizations, creating subgroups in a domain can be a practical alternative to creating multiple domains on a server to reflect an organization’s structure.
Administrators configure a domain or domain group for user management by defining policies that affect all users in the management domain group. Identity-based policies apply to managed member identities, regardless of what device the identity is running on. Identity policies control how domain members interact with Groove, including:
Scheduling of account backups
Publication of user information
Relations with non-domain users
Device-based policies, such as access password rules and the allowance of multiple accounts, apply to all identities on the managed device.
Groove Relay servers must be registered with Groove Manager. Administrators register onsite relay servers with a domain via the Groove Manager administrative Web site. If multiple relay servers are installed onsite, administrators can provision managed users with a sequence of relay servers, to provide relay redundancy and fallback.
For information about Groove Relay server management and operation, see the Groove Relay Administrator’s Guide that accompanies the Groove Server Relay application. For information about Groove Relay provisioning, see the online Help that accompanies the Groove Server Manager application.
Groove Enterprise Services handles relay registration and provisioning, so administration of relay servers is not required.
Groove User Management
Administrators populate management domain groups with user identity information by entering the information manually, uploading it from an .xml or .csv file, or importing it from an onsite LDAP directory that has been integrated with Groove Manager, as described in LDAP Directory Integration. Once members are defined in the domain, configuration codes are distributed to each of them, for entry into Groove. Configuration codes enable users to configure their managed Groove accounts and identities.
Managed identities are Groove Manager domain members. As such, they gain access to domain relay servers and are subject to identity policies that control Groove account backups, vCard publication, identity verification, and other identity-based aspects of Groove operation.
LDAP Directory Integration
The integration of an onsite LDAP directory with an onsite Groove Manager enables the automatic association of enterprise users with Groove Manager domain members and the import of user information to a Groove Manager domain. In addition, if Groove Manager is integrated with an Active Directory database and configured to utilize automatic account configuration, once Groove is installed on user machines, the full rank of Groove users can set up their accounts by simply starting Groove and setting a log-in password; no entry of a configuration code is required.
Note that directory integration is not available for Groove Enterprise Services.
Groove Device Management
Managing devices allows the distribution of client and security policies to devices via the management domain of which the device user is a member. These policies control password creation, Messenger integration, and other device-dependent aspects of Groove operation. Devices running Groove must be registered with a domain on the management server in order to be managed and subject to device policies. Domain administrators can set an identity policy that automatically registers user devices with a domain when a user configures a Groove account or logs into Groove, or they can register user devices explicitly by setting device management registry values via downloaded device registry key that is available from the Groove Manager Device Policy template pages.
Groove Account Backup
Administrators can schedule automatic Groove account backup for members of a selected domain by setting a domain identity policy. Backed-up information includes user contacts, the user's Groove workspace list, identities and contact information, and domain management settings.
A project team often involves a diverse assembly of project leaders, in-house contributors, and external partners and consultants. When access to confidential information by unauthorized personnel is a concern, administrators can set identity policies that govern the interaction of managed users with others outside their organization. Restrictive policies can be used in conjunction with a domain property that enables cross-certification between domains, allowing external users in the cross-certified users to participate in workspaces along with internal domain members.
Password Reset and Data Recovery
If a managed user forgets a Groove password or is removed from a management domain, domain administrators may need to reset the user's password or access the user's Groove data. To prepare for this eventuality, domain administrators can set identity policies for resetting unknown or forgotten user passwords.
Groove Usage Monitoring
When a managed identity exists on a Groove client, the Groove software periodically reports statistics on Groove usage to the Groove Manager, providing information about managed user activities, workspaces, and Groove tools being used. Administrators can view domain reports via the Groove Manager administrative Web site.
Auditing Groove Usage
Groove client auditing is an option available with an onsite Groove Manager. Installed on a separate, dedicated server, the Groove Audit feature enables administrators to oversee Groove activities on client devices. Auditable activities include workspace events (such as member additions) and tool events (such as file creation and deletion).
Groove auditing is not available with Groove Enterprise Services.