Active Directory and Exchange Group Management

Ensim Group Manager for Active Directory & Exchange automates and streamlines the provisioning and maintenance of security groups and distribution lists. End users can be delegated rights to create, edit, delete, and manage their own groups via a self-service web portal, while compliance with IT policy guidelines and business rules is automatically enforced. Automated housekeeping and maintenance ensure that all group objects stay in order and that any unused groups are archived or removed as defined by IT requirements.

Ensim Group Manager for AD & Exchange - Features & Benefits


Self-Service Web Portal for Users & Administrators

Problem: IT-centric, manual group management adds even more load to already stretched IT resources and budgets. Users make requests expecting immediate action, yet IT must add these support requests to an already large stack of pending action items. In addition, users can be unclear about what they are requesting, or make requests that require privileges they are not authorized for, and IT must verify their entitlements before granting the request.

Solution: Ensim enables IT to offload to users the ability to directly create, edit, delete, and manage group members, email aliases, and delivery restrictions, all within the boundaries defined by IT policy. Group owners are the ones best able to accurately and quickly maintain their own groups, and they can do so instantly in an easy-to-use, intuitive web portal with just a few clicks. This can result in significant cost savings to IT, reduced workload, and greatly increased user satisfaction.

Granular Role-based Rights Delegation

Problem: Many companies struggle with delegating simple administrative tasks to users, either because they cannot control what the user can do once the privilege has been granted or because the task is too complex for the user to handle without IT support.

Solution: Ensim enables delegated administration at a granular level, so users can be granted rights based on their role as well as their specific needs. And with the simple, intuitive Ensim Group Manager web portal, powerful automation of complex tasks means users can get what they need in just a few clicks.

Multi-owner Group Management

Problem: Assigning a single owner to manage a group has been a customary business practice and the only option for most applications. But what happens when the group owner is unavailable, either temporarily (such as on vacation) or permanently (transferring to another department or leaving the company)? This can create both management and security problems, as the group may stagnate for lack of a responsible owner. These orphaned groups can account for more than 40% of all the groups or lists under management in a typical company.

Solution: Ensim allows organizations to assign multiple owners to new or existing groups. If the primary owner becomes unable to manage the group, control shifts to others in the succession. For example, a department head may be the primary owner, an assistant manager the secondary owner, and an administrative assistant backing both. With Ensim Group Manager, organizations and departments get efficient group management and there are no orphaned groups floating around to present potential security problems for IT.

Auto-populated and Dynamically Managed Groups

Problem: Static groups can become outdated and inaccurate over time without labor-intensive manual updating. Dynamic groups bring some improvement, because membership is resolved automatically from database queries or criteria each time an email is distributed. However, these queries can place a serious performance load on the Active Directory and Exchange servers, and there is no way to audit group lists to determine whether the automation is working or not.

Solution: With Ensim Group Manager, group members are automatically added or deleted on a scheduled basis using defined query criteria. This ensures accuracy while eliminating performance concerns. Queries can be simple or complex and include the option to specify an external data source for criteria, such as an HR database. If, for example, a group member changes departments and the defined query looks at the department attribute, the user will be automatically removed from one group and added to another auto-populated group in the new department. This simplifies the creation and management of groups by providing a self-service option to create and update groups based on specific search criteria. Once created, these groups are automatically updated as staffing changes occur, while policy-based group size limitations are enforced throughout the process.

Dynasty Groups

Dynasty group management dynamically maintains Active Directory groups and their memberships based on changes to Active Directory user attributes. By automatically creating, updating and deleting distribution lists and security groups based on defined criteria and changes to users' roles, locations, etc., dynasty groups eliminate errors and delays due to manual maintenance of groups and memberships.

Dynasty groups are created based on criteria defined on a set of Active Directory attributes. Each unique combination of values for these attributes present in AD will result in a group being auto-created. The members of this group will be the Active Directory objects having that particular combination of values. Additionally, administrators can specify filter criteria to restrict the AD objects used to determine the combinations to be processed. For example, you could create a dynasty based on AD attributes ‘country’ and ‘department’. Processing of this rule will result in a dynasty of groups being created for each of the unique values of the location and department attributes in the Active Directory, such as a dynasty consisting of groups ‘Group-US-SALES’, ‘Group-FRANCE-SALES’, ‘GROUP-USA-FINANCE’ and so on. A periodic job runs at the administrator-defined time interval to check the health of these groups, keeping the membership up to date according to the rules, creating new groups as necessary and deleting groups that are no longer needed.

Dynamic group management comes with an intuitive UI and query designer to define as well as list and view details of all the dynasties. Admins can review and update the defined criteria and view all groups within a dynasty, including a snapshot of their members, all from a single management console. There are UI options to process a dynasty on demand, enforce naming conventions, and specify standard group preferences like AD locations, group scopes, maximum member limits, nested group preferences, etc.
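The periodic reconciliation described above can be sketched as follows. This is an added example, not Ensim's code: the function names and the directory snapshot are constructed, the attribute keys `country` and `department` follow the page's wording, and `existing` is assumed to contain only groups the dynasty itself created.

```python
from collections import defaultdict

# Constructed snapshot of directory users (illustrative, not real data).
USERS = [
    {"sAMAccountName": "adupont", "country": "France", "department": "Sales", "enabled": True},
    {"sAMAccountName": "bsmith", "country": "US", "department": "Sales", "enabled": True},
    {"sAMAccountName": "cjones", "country": "US", "department": "Sales", "enabled": True},
    {"sAMAccountName": "dlee", "country": "US", "department": "Finance", "enabled": True},
    {"sAMAccountName": "egray", "country": "US", "department": "", "enabled": True},
    {"sAMAccountName": "fold", "country": "US", "department": "Sales", "enabled": False},
]

# Constructed current state: only groups previously created by this dynasty.
EXISTING = {
    "Group-US-SALES": {"bsmith", "fold"},
    "Group-UK-SALES": {"zed"},
}

def desired_groups(users, attrs, prefix="Group", user_filter=lambda u: True):
    """Return {group name: member set}, one group per unique attribute combination."""
    groups = defaultdict(set)
    for user in users:
        if not user_filter(user):
            continue  # administrator-defined filter restricts the objects considered
        values = [str(user.get(a) or "").strip().upper() for a in attrs]
        if not all(values):
            continue  # a missing attribute must not produce a group like "Group-US-"
        groups["-".join([prefix, *values])].add(user["sAMAccountName"])
    return dict(groups)

def plan(desired, existing, max_members=None):
    """Diff desired against existing state and return a reviewable change plan."""
    out = {"create": [], "delete": [], "add": {}, "remove": {}, "over_limit": []}
    for name, members in sorted(desired.items()):
        if max_members is not None and len(members) > max_members:
            out["over_limit"].append(name)  # flag for nesting or review
        if name not in existing:
            out["create"].append(name)
        current = existing.get(name, set())
        if members - current:
            out["add"][name] = sorted(members - current)
        if current - members:
            out["remove"][name] = sorted(current - members)
    # Deleting is only safe because `existing` holds dynasty-owned groups.
    out["delete"] = sorted(set(existing) - set(desired))
    return out

def reconcile(users=USERS, existing=EXISTING, max_members=None):
    """One maintenance cycle over enabled users, keyed on country and department."""
    want = desired_groups(users, ["country", "department"],
                          user_filter=lambda u: u["enabled"])
    return plan(want, existing, max_members)
```

Producing a plan rather than applying changes directly gives an approval or audit step something concrete to review before any group is deleted or any member removed.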

Group Lifecycle Management (w/Auto-expiration)

Ensim enables security and distribution groups to be set to expire automatically so the group is deleted if no activity has taken place within a set period of time.  Automatic expiration can also be configured to send an email to the group owner after a predetermined period of inactivity, advising that deletion of the group will take place automatically by a certain date if no response is received.  This removes the need for the time-consuming process of manually purging unused groups.  Other maintenance criteria to automate the expiration of groups can also be set, such as:

Time-based: Administrators can set a time limit for a group to automatically get deleted after a set number of days or at the end of a specific project.

Minimum number of group members: Administrators can set a minimum membership limit for each group. Whenever the number of members of the group falls below the specified limit, the system will mark the group for deletion during the next maintenance cycle.

Last modified or used date: The group owner or administrator can set the idle usage/modification time for the groups. The system automatically archives or deletes the selected groups if they are not used or modified within the specified interval.

Built-in Approval Workflow and Notifications

IT may want to enforce certain approval policies to prevent inaccurate or unauthorized groups from being created, or certain groups from being accidentally deleted by group owners or junior members of IT and help desk teams. Ensim Group Manager provides a granular approval workflow system so IT can create policies that are automatically enforced when groups are created, deleted, modified, subscribed to, or when membership changes. Also, notifications can be sent to the requesting employee’s manager, a group of approvers, or the IT Administrator, who can review the request and approve or deny it. Once approved, the group or action will be automatically processed and logged with Ensim’s central auditing system. If denied, the requester is notified accordingly. Notifications can also be used just to inform interested parties of the opt-in / opt-out or request action. This process is faster, more efficient, and allows the helpdesk to focus on higher priority tasks.

Multi-Domain Support

Ensim Group Manager supports management of objects across all managed domains.  Via role management, the Enterprise Administrator can delegate management access to a certain domain, or to certain OUs in multiple domains.  For example, an organization may have defined a group of help desk employees responsible for managing groups across all domains.  The Enterprise Administrator can create Ensim roles and grant access to certain Organizational Units (Security Groups OU or Distribution Groups OU) across all domains.  Such Help Desk employees can then log in to the secure Ensim web portal and manage only those objects that they have access to manage without requiring access to the entire domain or to native management tools.

Subscription Groups (Opt-in / Opt-out)

Ensim offers a complete array of self-service functionality based on IT policy, enabling users to subscribe to or unsubscribe from security groups and distribution lists without having to contact the helpdesk or group managers. For groups requiring approval or notification, Ensim has built-in approval workflow capabilities with notification options. End users can go to a self-service portal, see a list of groups that are open for them to subscribe to as set by IT policies, and then opt in or opt out at will.

Bulk Operations (Import / Export / Change)

Ensim Group Manager provides IT administrators and authorized group owners with powerful bulk import and export capabilities. Group admins can import a list of group members from a document, such as a CSV file. If list verification is needed, the file can be shared with the verifying party, edited, and then easily imported via the web portal interface, subject to the group owner's authorization. When a group owner wants to create a new group similar to an existing group or groups, they can simply export the current group lists to a document format, edit the list, create a new group, and import the edited list to add the new group's members. When exporting a group with nested groups, the members list is automatically expanded so all members are visible. If group size limit rules are exceeded, Ensim Group Manager can automatically create subgroups in the new group, so all members can be in the new group while size limit policies are still met.

Clone Groups and Email Distribution Lists

When IT administrators need to create a security group or email distribution list with a large number of members, manually typing in each entry can be tedious and time-consuming. Scripts can be prone to errors, and validation can take longer than writing the script in the first place, not to mention that scripts are not tied to other IT tasks. Ensim enables IT administrators to create an exact duplicate or clone of an existing group in the target system quickly and easily. Cloning enables IT to complete list duplication 20 times faster, and in addition there is no need to validate the newly created list. The administrator simply clones the security groups and distribution lists, then assigns them under the company policy, and enforcement is automatic. When the cloning process is complete, the old groups can simply be deleted.

Automated Prefix Management

Ensim allows administrators to standardize and enforce naming conventions by automatically adding prefixes to groups under management. This provides an easy way to identify and organize groups by location, department, or function. For example, the finance department company-wide may share a prefix. Similarly, the sales organization may wish to have business rules that assign individual prefixes based on specific geographic areas.

Sample Screen Shots

Distribution Group Management

Delegated Administration - The Ensim Group Manager portal allows users and administrators to perform a variety of delegated operations, such as adding, deleting or updating groups, managing group members, cloning groups, bulk import or export of group members, setting delivery restrictions, or managing email aliases.

Employee Dashboard

Total Control - Administrators can configure prefixes for group names and display names to organize their groups based on location, department, function, etc. Delegated owners can set or manage the group scope, location, or maximum group size, as well as the complete group lifecycle.

Employee Quick-Start Dashboard

Complete Automation - A unique feature called Auto-populated groups allows users or administrators to set and manage group membership based on a set of queries, providing them with a more accurate way of managing group membership. This feature allows group membership to be based on a set of Active Directory attributes as well as any external data source such as SQL.

Management of Distribution Groups Hidden from the GAL

Many organizations have a large number of distribution groups which are managed by specific users, who usually like to manage these groups directly from Outlook. Exchange Administrators may not want some of these lists to be shown in the company’s Global Address List, or GAL. Once a Distribution Group or List is hidden from the GAL, users will no longer be able to manage it directly from Outlook, as they can’t see it. These users then have to go through the Help Desk for their group management needs, adding to the burden on the help desk. Ensim’s Group Manager allows users with delegated administration rights to manage such hidden Distribution Groups from Ensim's secure web portal, while auditing their actions for future review in case they inadvertently hide a group from the GAL. Administrators can also delegate or restrict the ability for certain users to hide a DG from the GAL, thus getting the most flexibility when delegating options for group management, and users no longer have to call the help desk to manage Distribution Groups or Lists hidden from the GAL.

Manage email Aliases and Set Delivery Restrictions

An email alias is an alternate way of sending email to a person or a group. Each mailbox has an Exchange alias and a display name associated with it. The Exchange alias is used with address lists as an alternative way of specifying the user in the To, Cc, or Bcc fields of an e-mail message. The alias also sets the primary SMTP address associated with the account. In Exchange, you can place restrictions on how messages are delivered to individual recipients. Message delivery restrictions apply to all recipient types and can be useful for controlling access to specific recipients in your Exchange organization.

In most organizations, these options are controlled and managed only by the Exchange Administrators, who become over-burdened and frustrated catering to department manager requests for setting email aliases or delivery restrictions on certain departmental groups, which keeps them away from their core tasks of managing Exchange and ensuring smooth operations. Ensim Group Manager allows complete management of distribution groups from its secure web portal, including the options to set primary email aliases, add secondary email aliases, or set delivery restrictions on distribution groups. Access to these features is governed by roles, so Administrators can grant this capability to everyone or to a limited number of users, Group Owners, Help Desk personnel or other Admins without requiring them to have access to native Exchange management tools. These delegated Administrators can also configure individual delivery restrictions on distribution groups under their management by specifying a list of senders from which to accept messages. This allows Exchange Administrators to configure larger distribution groups required for company-wide communications while restricting who can send to such a group. Complete audit logs are available to meet compliance requirements.

Group Size Limit and Control (w/Automatic Nesting)

Ensim enables administrators to establish a limit on the maximum number of members in a group to prevent token bloat.  Large groups can be automatically nested into smaller groups of manageable sizes, thereby improving performance and operational efficiency.

Dynamic Preview of Group Size and Members

With Ensim Group Manager, group owners can preview members of a dynamic or auto-populated group prior to creating it, making it significantly easier to build groups of the right size and scope.

Enforce Group Scope and Location

Microsoft supports three group scopes for both Security and Distribution Groups: Domain Local, Global and Universal. Each scope has a direct impact on how that group can be used and where it can be used. Understanding group scopes and their usage is not easy unless you are a Microsoft Administrator with advanced training. Many organizations over the years have accumulated a large number of groups in their Active Directory. Due to organizational boundaries, mergers, acquisitions, improper management and many other reasons, groups may get scattered, making it difficult and cumbersome to find and manage them. Also, over time these groups may have been created inconsistently.

With Ensim Group Manager, part of the Ensim Automation Suite, companies can begin organizing their Active Directory data by consolidating groups into a single or common location, by restricting the types of groups that can be created, and by ensuring that delegated users or administrators who are allowed to create and manage groups do so by following the rules set by their IT departments. With Ensim Group Manager, administrators can enforce group scope rules, such as universal scope, or a default location setting.

Quick and Easy Installation

Ensim Group Manager can be installed and configured in under an hour without requiring professional services. Companies can gain an immediate ROI as well as meet security and compliance requirements. The Ensim Group Manager Quick Start guide assists the administrator in configuring the required parameters, and the portal's embedded help files, as well as detailed context-sensitive online help files, guide administrators along the way.