Creating a Dynamic Group
Using a graphical user interface
Using a command-line interface
The following syntax will create an application group that's based on an LDAP query:
> admod -b <GroupDN> groupType::32 sAMAccountType::1073741825 msDS-AzLDAPQuery::"(&(objectcategory=person)(objectclass=user))" -add
Using VBScript
' The following code will create an application group
' that is scoped to an individual application rather than
' the entire authorization store
' AZ_GROUPTYPE_LDAP_QUERY is not predefined in VBScript, so declare it here
Const AZ_GROUPTYPE_LDAP_QUERY = 1
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")
' The store must be opened before an application can be retrieved; the
' msxml:// URL below is an assumed placeholder, change it to the real store
AzManStore.Initialize 0, "msxml://c:\AzManStore.xml"
Set Application1 = AzManStore.OpenApplication("ERP")
Set AppGroup = _
    Application1.CreateApplicationGroup("HR Managers", Empty) ' second argument is reserved
AppGroup.Type = AZ_GROUPTYPE_LDAP_QUERY
AppGroup.Description = "Users with hiring authority"
' No whitespace after "memberOf=": LDAP takes the value literally, so a
' leading space would make the query match nobody
AppGroup.LdapQuery = _
    "(memberOf=CN=HR Managers,OU=Distribution Lists,DC=enterprise,DC=com)"
'----- Persist the changes to the application group and then the app ------
AppGroup.Submit
Application1.Submit
Discussion
Authorization Manager (AzMan) is a feature introduced in Windows Server 2003 that lets application developers create role-based authorization groups modelled on a company's organizational structure. Groups created through Authorization Manager resemble the ones you would create with Active Directory Users and Computers or a corresponding command-line utility or script, except that AzMan groups are created and maintained for use by a single application or a specific set of applications written by a developer. An application developer or administrator can create AzMan groups without holding administrative rights over the domain as a whole, and group membership can be determined dynamically: you define the group by a set of criteria (an LDAP query) that is evaluated when access is checked, rather than enumerating each member one at a time. Once a group has been created with Authorization Manager it can be assigned specific roles within an application, which in turn permit the members to perform certain tasks. These groups are not security-enabled Windows groups: although each has a SID, they cannot currently be used to secure resources.
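The dynamic-membership point above, as an added example rather than code from the recipe: a small Python evaluator for the LDAP filter subset that AzMan LDAP-query groups use, run over constructed directory entries. It is not the AzMan API (which resolves the query against Active Directory at access-check time) and the entries, DNs and helper names are assumptions; it shows that the "group" has no member list, that objectCategory and objectClass together exclude contacts and computer accounts, that DN and string comparisons are case-insensitive, and that a stray space after "memberOf=" silently matches nobody.

```python
"""Resolve an LDAP-query group's membership the way Authorization Manager does
conceptually: evaluate the filter at access time instead of storing members."""
import copy

# Constructed entries; attribute names are lower-cased because LDAP attribute
# names are case-insensitive. AD stores objectCategory as a schema DN and
# resolves the short class name used in filters; the short name is kept here.
HR_DL = "CN=HR Managers,OU=Distribution Lists,DC=enterprise,DC=com"
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=enterprise,DC=com": {
        "objectcategory": "person", "memberof": [HR_DL],
        "objectclass": ["top", "person", "organizationalPerson", "user"]},
    "CN=Bob,OU=Staff,DC=enterprise,DC=com": {
        "objectcategory": "person", "memberof": [],
        "objectclass": ["top", "person", "organizationalPerson", "user"]},
    # A contact on the HR list: objectCategory=person but never objectClass=user.
    "CN=Dave,OU=Contacts,DC=enterprise,DC=com": {
        "objectcategory": "person", "memberof": [HR_DL],
        "objectclass": ["top", "person", "organizationalPerson", "contact"]},
    # A computer account: objectClass contains "user" but objectCategory differs.
    "CN=WS01,CN=Computers,DC=enterprise,DC=com": {
        "objectcategory": "computer", "memberof": [],
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"]},
}

def parse_filter(text):
    """Parse a filter into nested tuples: ('&', [...]), ('|', [...]), ('!', node)
    or ('=', attr, value). Values are taken literally, as an LDAP server takes them."""

    def expect(i, ch):
        if text[i:i + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {i}")
        return i + 1

    def parse(i):
        i = expect(i, "(")
        op = text[i:i + 1]
        if op in ("&", "|"):
            i, children = i + 1, []
            while text[i:i + 1] == "(":
                child, i = parse(i)
                children.append(child)
            return (op, children), expect(i, ")")
        if op == "!":
            child, i = parse(i + 1)
            return ("!", child), expect(i, ")")
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        # Split on the first '=' only so DN values keep their own '=' signs.
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad filter item {text[i:end]!r}")
        return ("=", attr.strip().lower(), value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing text after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> value or list)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    raw = entry.get(attr, [])
    values = raw if isinstance(raw, list) else [raw]
    if pattern == "*":  # presence test, (attr=*)
        return bool(values)
    # AD string and DN syntaxes compare case-insensitively; any one value may match.
    return any(v.lower() == pattern.lower() for v in values)

def resolve_members(filter_text, directory):
    """Sorted DNs satisfying the filter: the group's membership right now."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))

def with_member_added(directory, user_dn, group_dn):
    """Copy of the directory after user_dn joins group_dn; the query group itself
    is never edited, only the user's memberOf changes."""
    updated = copy.deepcopy(directory)
    updated[user_dn]["memberof"].append(group_dn)
    return updated

USER_FILTER = "(&(objectcategory=person)(objectclass=user))"
HR_FILTER = f"(memberOf={HR_DL})"

if __name__ == "__main__":
    print("all users:      ", resolve_members(USER_FILTER, DIRECTORY))
    print("HR query group: ", resolve_members(HR_FILTER, DIRECTORY))
    later = with_member_added(DIRECTORY, "CN=Bob,OU=Staff,DC=enterprise,DC=com", HR_DL)
    print("after Bob joins:", resolve_members(HR_FILTER, later))
```

Adding Bob to the distribution list changes what the HR query returns without anyone touching the AzMan group, which is the whole point of an LDAP-query group; the flip side is that anyone who can edit memberOf (or whatever attribute the query keys on) can change who holds the role, so the query should be written against attributes whose writers you trust. The memberOf-only query also picks up the contact object, which a token-based access check can never match, while the objectCategory/objectClass pair from the command-line solution is what keeps computer accounts out.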
See Also
MSDN: Qualifying Access with Business Logic in Scripts
MSDN: Using Dynamic Business Rules in Windows Server 2003 Authorization Manager
MSDN: Authorization Manager Model [Security]
MS KB 324470 (How to Install and Administer the Authorization Manager in Windows Server 2003)
MSDN: Dynamic Groups in Windows Server 2003 Authorization Manager