Groups in Authorization Manager

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In Authorization Manager, recipients of authorization policy are represented by the following different kinds of groups:

  • Windows Users and Groups--These groups include users, computers, and built-in groups for security principals. Windows users and groups are not used only in Authorization Manager; they are used throughout Windows.

  • LDAP query groups--Membership in these groups is dynamically calculated as needed from LDAP queries. An LDAP query group is a type of application group.

  • Basic Application Groups--These groups are defined in terms of LDAP query groups, Windows users and groups, and other basic application groups. A basic application group is a type of application group.

  • Application groups--These groups include basic application groups and LDAP query groups as special cases. Application groups are specific to Authorization Manager role-based administration. An application group is a group of users, computers, or other security principals. An application group is not a group of applications.

Windows Users and Groups

For more information about groups in Active Directory, see Understanding Groups. For more information about security principals that are not stored in Active Directory, see Local Users and Groups.

LDAP query groups

In Authorization Manager, you can use LDAP queries to find objects in Active Directory and other LDAP-compliant directories. For example, the following query finds everyone except Andy:

(&(objectCategory=person)(objectClass=user)(!cn=andy))

The following query finds all members of the DogLovers alias at northwindtraders.com:

(memberOf=CN=DogLovers,OU=Distribution Lists,DC=nwtraders,DC=com)

You can use an LDAP query to specify an LDAP query group by typing the desired LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

Basic application groups

Basic application groups are specific to role-based administration.

To define basic application group membership, you need to:

  1. Define who is a member.

  2. Define who is not a member.

Both of these steps are carried out in the same way: First, you specify zero or more Windows Users and Groups, previously defined basic application groups, or LDAP query groups.

Second, the membership of the basic application group is calculated by removing any nonmembers from the group. Authorization Manager does this automatically at runtime.

Nonmembership in a basic application group takes precedence over membership.

Circular membership definitions are not allowed, and result in the error message "Cannot add GroupName. The following problem occurred: A loop has been detected."
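To make the membership rules above concrete, the following is an added Python model of how a basic application group resolves; it is not Authorization Manager code and does not call the AzRoles API. The store, group names, and principal names are constructed for the example: an LDAP query group (shown already resolved to the principals it returned), a nested basic group, and a group that lists both as members while excluding some of them as nonmembers.

```python
"""Model of basic application group resolution in Authorization Manager.

Rules reproduced from the documentation: members are the union of the
listed Windows principals, basic groups, and LDAP query groups; the
nonmember list is resolved the same way and removed; nonmembership
takes precedence over membership; a circular definition is a loop.
"""


class LoopDetected(Exception):
    """Raised when a group definition refers back to itself."""


# Constructed sample store. Names not present in the store are treated
# as Windows users or groups (plain security principals).
STORE = {
    # LDAP query group, already evaluated against the directory at runtime
    "DogLovers": {"kind": "ldap", "resolved": {"andy", "bob", "carol"}},
    "Contractors": {"kind": "basic", "members": {"dave", "andy"},
                    "nonmembers": set()},
    # andy is a member via DogLovers, dave via Contractors; both are
    # removed again because nonmembership wins.
    "PetSitters": {"kind": "basic",
                   "members": {"DogLovers", "Contractors", "erin"},
                   "nonmembers": {"andy", "Contractors"}},
}


def _resolve(store, name, visiting):
    if name not in store:          # a Windows principal resolves to itself
        return {name}
    if name in visiting:           # AzMan rejects this when the group is added
        raise LoopDetected("Cannot add %s. The following problem occurred: "
                           "A loop has been detected." % name)
    group = store[name]
    if group["kind"] == "ldap":
        return set(group["resolved"])
    visiting = visiting | {name}
    members = set().union(*(_resolve(store, m, visiting) for m in group["members"]))
    nonmembers = set().union(*(_resolve(store, n, visiting) for n in group["nonmembers"]))
    return members - nonmembers    # second step: strip nonmembers


def membership(store, name):
    """Return the set of principals that are members of the named group."""
    return _resolve(store, name, frozenset())


def is_member(store, name, principal):
    return principal in membership(store, name)
```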

Application groups

When you create a new application group, you need to determine whether you want it to be an LDAP query group or a basic application group. For Authorization Manager role-based applications, any authorization you can do with Windows users and groups can also be done with application groups. Application groups are more dynamic and flexible.

For more information about creating application groups, see Create a group within an authorization store and Create a group within an application.

For information about editing the properties of an application group, see Edit the properties of a group within an application and Edit the properties of a group within an authorization store.