Systems - MS AD and MS Exchange: Management of Distribution Groups

Distribution groups are intended to be used solely as email distribution lists in applications like MS Exchange or Outlook. The group is created with the New-DistributionGroup command in the Exchange Management Shell. Thanks to the combination of the WinRM connector and the AD connector, we can manage distribution groups from IdM.

Connector supports these operations with Distribution Groups:

* Create - Create a new distribution group - via WinRM connector
* Search - Search distribution group - via AD connector
* Update - Update attributes (e.g. email address) of a distribution group - via AD connector
* Delete - Delete distribution group - via AD connector

To manage distribution groups we need the following from the customer:

* Running WinRM on the AD server - Windows Remote Management installed on the server with Active Directory
* Exchange Management Shell installed on the server - client for Exchange
* Information about the server - IP, endpoint, ports, OS, etc.
* Information about the Exchange server - IP, endpoint, ports, etc.
* HTTPS listener - provide the Secure Socket configuration to the server to expose an HTTPS connection
* CredSSP authentication - CredSSP lets an application delegate the user's credentials from the client to the target server for remote authentication.
* User to connect to WinRM and Exchange - the user which will manage distribution groups
* Port for HTTP 5985 and for HTTPS 5986
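Before the system is configured in IdM it is worth verifying each of the prerequisites above from the outside. The following PowerShell script is an added example, not part of this page or of the connector; it assumes it is run from a Windows administrative workstation, that `$adHost` is a placeholder for the customer's AD server name, that the HTTPS listener uses the default port 5986, and that `$cred` holds the service account which will manage the distribution groups.

```powershell
# Added example (not part of the page or the connector): check the WinRM prerequisites
# listed above before configuring the system in IdM.
# Assumptions: run from a Windows admin workstation; $adHost is a placeholder;
# HTTPS listener on the default port 5986; $cred is the connector's service account.

$adHost = 'ad01.mytestdc.tld'   # placeholder, replace with the customer's AD server
$cred   = Get-Credential -Message 'Service account used by the WinRM connector'

# 1. Are the documented ports reachable (5985 HTTP, 5986 HTTPS)?
foreach ($port in 5985, 5986) {
    $r = Test-NetConnection -ComputerName $adHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $adHost, $port, $r.TcpTestSucceeded
}

# 2. Does the HTTPS listener answer with a WS-Management identity response?
#    Test-WSMan -UseSSL fails when the listener certificate does not match the host
#    name or is not trusted by the caller, which is the usual cause of a failed
#    connection test from the connector server.
Test-WSMan -ComputerName $adHost -UseSSL -Port 5986

# 3. Is CredSSP delegation accepted for the service account? CredSSP must be enabled
#    on the server (Enable-WSManCredSSP -Role Server) and on this client
#    (Enable-WSManCredSSP -Role Client -DelegateComputer $adHost) for this to succeed.
Test-WSMan -ComputerName $adHost -UseSSL -Port 5986 -Authentication Credssp -Credential $cred

# 4. Inside the remote session, is the Exchange Management Shell installed and can the
#    account read distribution groups at all? The count is returned, nothing is changed.
Invoke-Command -ComputerName $adHost -UseSSL -Port 5986 -Authentication Credssp -Credential $cred -ScriptBlock {
    $snapin = Get-PSSnapin -Registered -Name 'Microsoft.Exchange.Management.PowerShell.SnapIn' -ErrorAction SilentlyContinue
    if (-not $snapin) { throw 'Exchange Management Shell is not installed on this host' }
    Add-PSSnapin $snapin.Name
    (Get-DistributionGroup -ResultSize 5 | Measure-Object).Count
}
```

Step 3 is the one most often overlooked: CredSSP hands the service account's full credentials to the AD host so that the Exchange cmdlets can reach the Exchange server from there, which is why the account should be limited to the permissions needed for distribution group management and nothing more.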

To manage distribution groups with IdM, we need to use the remote connector server.

First, we must install the connector server on the server where IdM is running. For that we will follow this tutorial

After the connector server is installed, we want to test whether we can connect to WinRM. For the test we will follow this tutorial

After the connection test, we must copy the scripts to the /scripts folder of the connector server.

Scripts: https://git.bcvsolutions.eu/modules/winrm-ad-connector/tree/master/scripts/DistGroups

The scripts are not available to the public.

Next, we must configure a new system in IdM. The configuration is very similar to the configuration of Active Directory. We will follow this tutorial for the configuration

In the system configuration you will set the "Create" operation to be performed only via the WinRM connector, not the AD connector. All other operations will be performed only via the AD connector. The Test operation will be performed via both connectors.

connector configuration

All script paths must be filled even though the operations are not performed via WinRM and the scripts are not in the repository. The fields must not be empty, but there is no other validation until the script is used.

Make the following changes in the generated scheme:

  1. attribute "name" - check the "Able to create" option
  2. add attribute "organizationalunit" of type "java.lang.String" and check only the "Able to create" option; the rest of the options must be unchecked.
  3. add the "\_\_UID\_\_" attribute if it is not present and you also need synchronization.

You will need to create a provisioning attribute mapping. Use the entity type "Role". On the Account management tab you should specify which roles should be provisioned as distribution groups; we recommend using a dedicated EAV attribute for this. In the provisioning attribute mapping you will set the following attributes (expected by the scripts):

  • displayName (~displayName in AD)
  • name (~CN in AD)
  • mail (~PrimarySmtpAddress in AD)
  • organizationalunit - sent only in the create operation. The value is used as the -OrganizationalUnit parameter of the New-DistributionGroup command, e.g. "mytestdc.tld/MyOU/MyDistributionGroups" for the suffix of the distinguishedName "OU=MyDistributionGroups,OU=MyOU,DC=mytestdc,DC=tld"
  • \_\_NAME\_\_ as the identifier

Only these attributes are supported by the create scripts. You can add more managed attributes from the scheme, but these will be set only in the update operation via the AD connector. Alternatively, you can extend the scripts.
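The create script receives the attributes listed above, and the -OrganizationalUnit value must be in canonical "domain/OU/..." form rather than as a distinguishedName. The following PowerShell is an added example, not the project's own create script (which is not public); it assumes the Exchange Management Shell snap-in is already loaded, that the calling account may create distribution groups, and it uses constructed sample values. The helper `ConvertTo-CanonicalOuPath` is hypothetical and not part of the connector.

```powershell
# Added example (not the connector's own create script): shows how the attributes
# IdM sends map onto New-DistributionGroup, including the conversion of the target
# OU's distinguishedName suffix into the canonical path expected by -OrganizationalUnit.
# Assumptions: Exchange Management Shell loaded; account may create distribution groups.

function ConvertTo-CanonicalOuPath {
    # Hypothetical helper: "OU=A,OU=B,DC=x,DC=y" -> "x.y/B/A"
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash
    $rdns = $DistinguishedName -split '(?<!\\),'
    $dcs = @()
    $containers = @()
    foreach ($rdn in $rdns) {
        $type, $value = $rdn.Trim() -split '=', 2
        switch ($type.ToUpperInvariant()) {
            'DC' { $dcs += $value }
            'OU' { $containers += $value }
            'CN' { $containers += $value }   # built-in containers such as CN=Users also appear in canonical paths
            default { throw "Unsupported RDN type '$type' in '$DistinguishedName'" }
        }
    }
    if ($dcs.Count -eq 0) { throw "No DC components in '$DistinguishedName'" }
    # A DN lists containers from the leaf upwards; the canonical form goes root downwards
    [array]::Reverse($containers)
    return (($dcs -join '.') + '/' + ($containers -join '/')).TrimEnd('/')
}

# Values as IdM's provisioning mapping would hand them to the create script (constructed sample)
$attrs = @{
    name               = 'dl-security-team'
    displayName        = 'Security Team'
    mail               = 'security-team@mytestdc.tld'
    organizationalunit = ConvertTo-CanonicalOuPath 'OU=MyDistributionGroups,OU=MyOU,DC=mytestdc,DC=tld'
}

# Fail early on an empty mapped value instead of sending a half-filled request to Exchange
foreach ($key in 'name', 'displayName', 'mail', 'organizationalunit') {
    if ([string]::IsNullOrWhiteSpace($attrs[$key])) { throw "Missing required attribute '$key'" }
}

# Idempotency guard: a re-run of the create operation must not fail because the group exists
if (Get-DistributionGroup -Identity $attrs.name -ErrorAction SilentlyContinue) {
    Write-Warning "Distribution group '$($attrs.name)' already exists; skipping creation"
    return
}

New-DistributionGroup -Name $attrs.name `
                      -DisplayName $attrs.displayName `
                      -PrimarySmtpAddress $attrs.mail `
                      -OrganizationalUnit $attrs.organizationalunit `
                      -Type Distribution
```

With the sample DN above the helper produces exactly the "mytestdc.tld/MyOU/MyDistributionGroups" path quoted in the attribute list. The existence check matters in practice: IdM may retry a provisioning operation after a transient WinRM failure, and a create script that throws on the second attempt leaves the operation stuck in the provisioning queue even though the group was created.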

If you need to configure synchronization, follow the Systems - AD: Groups synchronization tutorial. If you use an EAV attribute to decide whether a group should be provisioned, don't forget to configure it in the synchronization mapping as well. If you want to filter only distribution groups, use the LDAP filter (groupType=8).

Create a role or edit an existing one and set the EAV attribute on which the filter script decides whether or not the group will be created on the system. The role will then be provisioned to the system.

  • by poulm