Groupsymmetry™
Automate Active Directory group membership in real-time with Groupsymmetry.
Groupsymmetry™ automates Active Directory group memberships in real-time. Through Active Directory enacted policies, Groupsymmetry adds users to or deletes users from groups according to the definitions of the group-specific policy. With Groupsymmetry, you’ll never have to manually add or remove a user from a group again. And you’ll know that all of your groups are always accurate and up to date.
Groupsymmetry can simplify group administration by:
- Updating group membership in real-time through Active Directory events
- Synchronizing group membership either manually or through a scheduled synchronization
- Assuring that groups are always accurate and up to date
- Solving potential security risks by managing all security groups
- Eliminating the need to ever manually add a user to or remove a user from a group
The product features in Groupsymmetry™ provide the means of automating Active Directory group management.
- Group management in real-time—not through manual or scheduled synchronization
- Automated real-time synchronization of groups
- Automated real-time assignment of users to groups
- Supports all Active Directory group types
- Group-assigned policies
- Monitor and Engine services
- Easy-to-use management interface
Automates Your Group Memberships in Real-Time
Unlike other group management products that update group memberships through a scheduled or manual synchronization process, Groupsymmetry™ updates groups in real-time. An Event Monitor service continually monitors any changes to a User object in Active Directory and if a change affects group membership, Groupsymmetry takes action by either adding the user to or deleting the user from the group.
Synchronizes Your Groups Automatically
Once you establish group policies according to user object location in the domain, Active Directory attributes, and specific inclusion or exclusion settings, Groupsymmetry immediately synchronizes membership according to the policy specifications.
Supports All Active Directory Group Types
Groupsymmetry manages group membership for both Active Directory group types: Security Groups and Distribution Groups. Additionally, Groupsymmetry supports domain local/built-in groups, domain global groups, and universal groups.
Group Assigned Policies
Groupsymmetry lets you create and associate a specific policy to a specific group. Within the policy, you establish the rules that associate users to groups. For example, the policy can specify that any user that is a member of a certain Organizational Unit or has a specific Active Directory attribute is a member of the group. Users can also be included or excluded from groups through inclusion and exclusion settings within a policy.
Easy-to-Use Management Interface
All Groupsymmetry management tasks are conducted in a browser-based interface. That means there are no administration utilities to install and administration can take place from anywhere. The administrative interface is easy to use, and most administration takes place on the Group Symmetry Policies page, where policies are created or edited.
The Groupsymmetry™ Engine and Monitor services can be installed on one of the Windows environments below:
Windows Server 2008 or R2 (Member or DC Server)
- Dual or quad core processor with minimum of 4GB of RAM
- 2-4GB of available disk space
- Forest Functional Level 2003 or later in Native mode
Windows 7
- 64 bit operating system with minimum of 4 GB of RAM
- 2-4GB of available disk space
- Must be member of domain that is at Forest Functional Level 2003 or later in Native mode
Supported Web Browsers
- Internet Explorer
- Firefox
- Safari
- Chrome
Q: We have scripts that automate group membership. Why should I consider Groupsymmetry™?
A: Here are a few reasons:
- Scripts must be run periodically either on a schedule or manually. Groupsymmetry is a system process that constantly monitors Active Directory and takes action immediately.
- Scripts tend to be more difficult to understand and modify. The Groupsymmetry browser-based interface provides the means of creating, editing, and previewing Groupsymmetry policies.
- Groupsymmetry makes use of a persistent work queue to ensure that membership operations are retried as appropriate in the event of a network outage, problems in Active Directory, or other situations that might cause scripts to fail.
Q: We use an identity management system to put people in groups. Why would I need to look at Groupsymmetry?
A: There are a number of reasons:
- Adding or editing rules in an IDM system can be challenging for a network administrator and a hassle for an IDM administrator. Groupsymmetry allows an organization to offload these responsibilities and also ensure that problems are not inadvertently introduced through human error.
- In many organizations, the identity management system is operating under strict change-control processes. Making changes for a new group or adding exceptions may be delayed or otherwise impracticable given the time constraints that typically accompany group membership requests. Groupsymmetry is a dedicated system for automating group membership and, with its simple Web interface, is more like an administrative tool for the purposes of change management.
- When group membership rules are established using an identity management system, there is often no way to retroactively apply the rules to adjust the group membership.
Q: Does Groupsymmetry support nested groups?
A: By definition, each Groupsymmetry policy applies to a single group and therefore does not inherit down to subgroups of a nested group. This makes the use of Groupsymmetry impractical with nested groups, except for the child groups themselves, whose membership can be managed with the product perfectly well.
Q: What if I change my mind about who should be in a group after Groupsymmetry has been managing that group?
A: Simply change the Groupsymmetry policy definition for the group and save it. Groupsymmetry will make appropriate adjustments to the membership at that point.
Q: What are Shadow Groups in AD and how does Groupsymmetry work with them?
A: Shadow Groups are a concept in Active Directory where a group is supposed to “shadow” or mirror an Organizational Unit with respect to that group’s membership. This methodology is used as a means of granting a permission or giving an assignment to everyone in the Organizational Unit. There is no automated methodology of maintaining this membership. This is a major reason why Groupsymmetry exists.
Q: Does Groupsymmetry extend the Active Directory schema during the installation?
A: No. Groupsymmetry requires no Active Directory schema extension to operate.
Q: How does Groupsymmetry deal with exceptions to the rules about who should be in a group?
A: Exceptions are defined directly as part of the Groupsymmetry policy using explicit “Include” and “Exclude” lists.
Q: What Active Directory attributes can be used in a Groupsymmetry policy?
A: Groupsymmetry can use any Active Directory user attribute setting as a factor for including or excluding a user in a group. Groupsymmetry also supports additional non-standard user attributes that are added from extending the Active Directory schema in individual customer environments.
Q: What are the limits of the evaluation version of the software?
A: The Groupsymmetry evaluation license lets you create 10 policies. The software is valid for 30 days starting from the day you download the evaluation license.
Q: Can I base a group policy on “Account Disabled” in Active Directory either solely or partly?
A: Absolutely. “Account Disabled” is not an actual standalone attribute in Active Directory, but rather part of a bitmask attribute called “userAccountControl” where a single bit indicator is used. Groupsymmetry breaks this commonly used information out into its own synthetic attribute for easy use in defining a Groupsymmetry policy.
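The rule evaluation these answers describe (OU location, attribute match, Include/Exclude lists, and a synthetic "disabled" flag broken out of userAccountControl), sketched as an added example that is not Groupsymmetry's code. The policy layout, function names and sample users are constructed assumptions; 0x0002 is the documented ACCOUNTDISABLE bit.

```python
# Added illustration, not Groupsymmetry code. The policy layout, function
# names and the sample directory below are constructed for this example.
ACCOUNTDISABLE = 0x0002  # documented userAccountControl flag bit


def is_disabled(user):
    """Synthetic attribute: break the disabled bit out of the bitmask."""
    return bool(int(user["userAccountControl"]) & ACCOUNTDISABLE)


def in_ou(dn, ou_dn):
    """True if dn sits under ou_dn (case-insensitive, on an RDN boundary)."""
    return dn.lower().endswith("," + ou_dn.lower())


def desired_members(policy, users):
    """Evaluate one hypothetical single-group policy against user records."""
    wanted = set()
    for u in users:
        dn = u["dn"]
        if dn in policy.get("exclude", ()):
            continue  # explicit exclusion wins over every other rule
        ok = dn in policy.get("include", ())
        if not ok:
            attrs = policy.get("attrs", {})
            ok = in_ou(dn, policy["ou"]) and all(u.get(k) == v for k, v in attrs.items())
            if "disabled" in policy:
                ok = ok and is_disabled(u) == policy["disabled"]
        if ok:
            wanted.add(dn)
    return wanted


def reconcile(current, wanted):
    """Return (to_add, to_remove): stale members are revoked, not only new ones added."""
    return sorted(wanted - current), sorted(current - wanted)


# Constructed sample data (512 = normal account, 514 = normal + disabled bit).
SALES_OU = "OU=Sales,DC=example,DC=test"
USERS = [
    {"dn": "CN=Ann," + SALES_OU, "userAccountControl": 512, "department": "Sales"},
    {"dn": "CN=Bob," + SALES_OU, "userAccountControl": 514, "department": "Sales"},
    {"dn": "CN=Cy,OU=Marketing,DC=example,DC=test", "userAccountControl": 512, "department": "Sales"},
    {"dn": "CN=Dee,OU=IT,DC=example,DC=test", "userAccountControl": 512, "department": "IT"},
]
POLICY = {"ou": SALES_OU, "attrs": {"department": "Sales"}, "disabled": False,
          "include": {"CN=Dee,OU=IT,DC=example,DC=test"}, "exclude": set()}
CURRENT = {"CN=Bob," + SALES_OU}  # disabled account still holding membership
```

With this data, `reconcile(CURRENT, desired_members(POLICY, USERS))` adds Ann and Dee and removes the disabled account Bob, which is the revocation a purely additive script would miss.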
Q: I have Condrey Corporation’s File System Factory for AD (also sold as Novell Storage Manager) managing my organization’s user home folders and shared storage areas. How does Groupsymmetry work with this product?
A: File System Factory for AD can assign shared storage areas (also known as collaborative storage) to Active Directory groups. When Groupsymmetry adds new members to a group managed through a File System Factory for AD collaborative storage policy, File System Factory for AD grants access to the shared storage area. Likewise, when Groupsymmetry removes a member from a group, File System Factory for AD removes the user’s access to the shared storage area.
Another common example of interaction between the two products is through an inactive users group. When a user is disabled, Groupsymmetry adds the user to the inactive users group. The associated File System Factory for AD inactive users policy then moves the user’s personal storage to a vault location and removes access rights.




