How To
- Active Directory
- Windows Server 2008 R2 or higher
- IIS 7.5 or higher
- .NET Framework 4.5.1
- less than 10 MB disk space
Define a name under which this service should be found and create an A or alias record for the IP of the IIS server that will host the page, for example http://adgmt.
This is required because Kerberos will be used for authentication; trusting for delegation is needed because the changes to the groups will be made with the logged-on user's permissions.
Copy the entire website to your hard disk, e.g. D:\GroupManagementTool.
Open IIS Management and add it as a new website
Verify that ASP.NET 4 is allowed
On site level, configure Authentication
Enable ONLY Windows Authentication and ASP.NET Impersonation
Configure Advanced Settings for Windows Authentication
Choose Only Kerberos as Provider
Set 'ReadOnly' Permissions for the resource Pool User
Change the other NTFS permissions according to the screenshot. Keep unchanged: System FC, Administrators FC, Users RO
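The authentication settings from the steps above can be checked from PowerShell after setup. This is an added example, not part of the original tool; the site name `GroupManagementTool` and the provider string `Negotiate:Kerberos` used for "Only Kerberos" are assumptions to adjust to your installation.

```powershell
# Added example: audit the IIS authentication settings of the site.
param(
    [string]$SiteName = 'GroupManagementTool',             # assumed site name
    [string[]]$AllowedProviders = @('Negotiate:Kerberos')  # assumed "Only Kerberos" entry
)
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'   # authentication sections live in applicationHost.config
$authRoot = 'system.webServer/security/authentication'

# Returns $true when the given authentication section is enabled for the site.
function Get-AuthEnabled([string]$Section) {
    $p = Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
            -Filter "$authRoot/$Section" -Name enabled -ErrorAction SilentlyContinue
    if ($p -is [bool]) { return $p }
    return [bool]$p.Value
}

$findings = @()
if (Get-AuthEnabled 'anonymousAuthentication')     { $findings += 'Anonymous authentication is enabled' }
if (Get-AuthEnabled 'basicAuthentication')         { $findings += 'Basic authentication is enabled' }
if (-not (Get-AuthEnabled 'windowsAuthentication')) { $findings += 'Windows authentication is disabled' }

# Providers offered by Windows authentication, in configured order.
$providers = @((Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
        -Filter "$authRoot/windowsAuthentication/providers" -Name '.').Collection |
    ForEach-Object { $_.value })
if ($providers.Count -eq 0) { $findings += 'No Windows authentication provider is configured' }
$extra = @($providers | Where-Object { $AllowedProviders -notcontains $_ })
if ($extra.Count -gt 0) { $findings += "Providers other than Kerberos: $($extra -join ', ')" }

# ASP.NET impersonation is stored as <identity impersonate="true"/> in system.web.
$imp = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.web/identity' -Name impersonate -ErrorAction SilentlyContinue
$impOn = if ($imp -is [bool]) { $imp } else { [bool]$imp.Value }
if (-not $impOn) { $findings += 'ASP.NET impersonation is disabled' }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Site '$SiteName': only Windows authentication ($($providers -join ', ')) with impersonation."
```

Run it in an elevated PowerShell session on the IIS server; a non-zero exit code means at least one setting deviates from the steps above.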
User-Export.ps1: This script exports all the users who can be added to groups. Customize the script to avoid 'admin' or 'generic' accounts and to save the output text file to the App_Data folder.
Example output file (without bullet points):
- Abuseta, Khaled; AbuKha
- Bartel, Karina; BarKa
- Chang, David; ChaDa
- Erdogan, Cahit; ErdCa
- Gu, Peter; GuPet
Group-Export.ps1: This script exports all groups which have the 'managedBy' attribute set and 'Manager can update membership lists' checked. Customize it to avoid generic groups and to save the output text file to the App_Data folder.
Example output file (without bullet points):
- CN=TM-Plant Managers,OU=Groups,OU=CNSOU,DC=adswork,DC=loc#ErdCa
- CN=Brazil Opex TIM 001,OU=Distribution Lists,OU=BRCWB,DC=adswork,DC=loc#BarKa
- CN=Service-Locations_Nopper,OU=Distribution Lists,OU=DEESS,DC=adswork,DC=loc#IT-Assistant