Creating a Dynamic Group

You want to create a dynamic group using the optional Authorization Manager (AZMan) component.


Using a graphical user interface
  1. Install the Authorization Manager component through Add/Remove Programs, if it is not already present.

  2. Open the Authorization Manager MMC snap-in.

  3. Right-click on the Authorization Manager node and select Open Authorization Store.

  4. Under "Select authorization store type," select one of the following:

    Active Directory

    Enter the name of the application partition such as cn=ERP,cn=Program Data,dc=rallencorp,dc=com, or click Browse to select it from the Active Directory tree.

    XML file

    Enter the path to the XML file, or click Browse to select it from the filesystem.

  5. Drill down to Console Root → Authorization Manager → <Authorization Store> → <Application Name> → Groups.

  6. Right-click on Groups and select New Group.

    This will create a group that is scoped to the entire authorization store. You can drill down to an individual application to create a group that is only applicable within the app itself.

  7. From the New Application Group screen, enter the name of the group and a description. Under Group Type, select LDAP query. Click OK to create the group.

  8. Right-click on the group you just created and select Properties. From the LDAP tab, enter the LDAP attributes that will make up the group. For example, you can configure the group to include only Managers by entering (title=Manager).

  9. Click OK to finish creating the group.

Using a command-line interface

The following syntax will create an application group that's based on an LDAP query:

	> admod -b <GroupDN> objectclass::msDS-AzApplicationGroup groupType::32 sAMAccountType::1073741825 msDS-AzLDAPQuery::"(&(objectcategory=person)(objectclass=user))" -add

Using VBScript
	' The following code will create an application group
	' that is scoped to an individual application rather than
	' the entire authorization store

	Const AZ_GROUPTYPE_LDAP_QUERY = 2   ' membership is determined by an LDAP query

	Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")
	' Open the existing store (flag 0 = do not create). Replace <StoreURL>
	' with your store, e.g. msldap://cn=<StoreName>,cn=ERP,cn=Program Data,dc=rallencorp,dc=com
	AzManStore.Initialize 0, "<StoreURL>"

	Set Application1 = AzManStore.OpenApplication("ERP")
	Set AppGroup = Application1.CreateApplicationGroup("HR Managers")
	AppGroup.Description = "Users with hiring authority"
	AppGroup.Type = AZ_GROUPTYPE_LDAP_QUERY   ' must be set before LdapQuery is assigned
	AppGroup.LdapQuery = _
	  "(memberOf=CN=HR Managers,OU=Distribution Lists,DC=enterprise,DC=com)"

	'----- Persist the changes to the application group and then the app ------
	AppGroup.Submit
	Application1.Submit
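The recipe above creates one LDAP-query group and stops there. The script below is an added example (not from the recipe or its author) that builds a throwaway XML store, creates one dynamic group at store scope and one inside the ERP application, and then walks both collections the way an auditor would: for every group it reports whether membership is a fixed SID list or an LDAP filter, and it flags filters that contain nothing but objectClass/objectCategory terms, since AzMan evaluates the filter against the calling user's directory object at access-check time and such a filter matches every user the store can resolve. The application name ERP and the (title=Manager) filter come from the recipe; the store location under %TEMP%, the group names and the IsBroadQuery heuristic are assumptions.

```vbscript
Option Explicit

' Values from the AzRoles type library
Const AZ_AZSTORE_FLAG_CREATE = 1      ' create the store instead of opening one
Const AZ_GROUPTYPE_BASIC = 1          ' membership is an explicit list of SIDs
Const AZ_GROUPTYPE_LDAP_QUERY = 2     ' membership is whoever matches an LDAP filter

Dim fso, storePath, objStore, objApp, objGroup

' Assumed: a scratch XML store in the user's temp folder (not a path from the recipe)
Set fso = CreateObject("Scripting.FileSystemObject")
storePath = fso.BuildPath(fso.GetSpecialFolder(2), "AzAudit.xml")   ' 2 = TemporaryFolder
If fso.FileExists(storePath) Then fso.DeleteFile storePath

' --- Build a small store so the audit has something to read ---
Set objStore = CreateObject("AzRoles.AzAuthorizationStore")
objStore.Initialize AZ_AZSTORE_FLAG_CREATE, "msxml://" & storePath
objStore.Submit

Set objApp = objStore.CreateApplication("ERP")
objApp.Submit

' Store-wide dynamic group: only users whose title is Manager
Set objGroup = objStore.CreateApplicationGroup("All Managers")
objGroup.Type = AZ_GROUPTYPE_LDAP_QUERY       ' must precede LdapQuery
objGroup.LdapQuery = "(&(objectCategory=person)(objectClass=user)(title=Manager))"
objGroup.Submit

' Application-scoped dynamic group with a filter that qualifies nothing
Set objGroup = objApp.CreateApplicationGroup("HR Managers")
objGroup.Type = AZ_GROUPTYPE_LDAP_QUERY
objGroup.LdapQuery = "(&(objectCategory=person)(objectClass=user))"
objGroup.Submit

' --- Audit pass over both scopes ---
AuditGroups "store", objStore.ApplicationGroups
AuditGroups "application ERP", objApp.ApplicationGroups
WScript.Echo "Store left at " & storePath & " for inspection"

' Print one line per group; warn on LDAP-query groups whose filter is over-broad
Sub AuditGroups(scope, groups)
    Dim g
    For Each g In groups
        If g.Type = AZ_GROUPTYPE_LDAP_QUERY Then
            WScript.Echo scope & ": " & g.Name & " [LDAP query] " & g.LdapQuery
            If IsBroadQuery(g.LdapQuery) Then
                WScript.Echo "    WARNING: filter matches every user account the store can resolve"
            End If
        Else
            WScript.Echo scope & ": " & g.Name & " [basic: explicit SID list]"
        End If
    Next
End Sub

' Heuristic (an assumption of this example): strip the structural terms and
' the AND/OR wrappers; if nothing is left, the filter restricts nobody.
Function IsBroadQuery(q)
    Dim s
    s = LCase(Replace(q, " ", ""))
    s = Replace(s, "(objectcategory=person)", "")
    s = Replace(s, "(objectclass=user)", "")
    s = Replace(s, "(objectclass=*)", "")
    s = Replace(s, "(objectcategory=*)", "")
    s = Replace(s, "(&", "")
    s = Replace(s, "(|", "")
    s = Replace(s, ")", "")
    IsBroadQuery = (s = "")
End Function
```

Run it with `cscript //nologo AzAuditGroups.vbs` on a machine where the Authorization Manager component is installed; the first group prints without a warning, the second is flagged. Pointing the same AuditGroups routine at a production store only needs the Initialize call changed to flag 0 and an msldap:// or msxml:// URL for the real store, and the script must then be run by an account that can read it.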


Authorization Manager is a new feature in Windows Server 2003 that allows application developers to create role-based authorization groups that are based on a company's organizational structure. Groups created through Authorization Manager are similar to the ones that you would create using Active Directory Users and Computers or a corresponding command-line utility or script, except that AzMan groups are created and maintained for use by a single application or a specific set of applications created by a developer. An application developer or administrator can create AzMan groups without having administrative rights to the domain as a whole, and group membership can be configured so that it is dynamically determined; that is, you can define a group by a set of criteria (an LDAP query) rather than needing to specify each individual member one at a time. Once a developer or administrator has created a group using Authorization Manager, the group can be assigned specific roles within an application that allow its members to perform certain tasks. These groups are not Windows security-enabled groups; although each has a SID, they cannot currently be used to secure resources.

See Also

MSDN: Qualifying Access with Business Logic in Scripts, MSDN: Using Dynamic Business Rules in Windows Server 2003 Authorization Manager, MSDN: Authorization Manager Model [Security], MS KB 324470 (How to Install and Administer the Authorization Manager in Windows Server 2003), and MSDN: Dynamic Groups in Windows Server 2003 Authorization Manager
