...

  • Come up with a way to allow end users to continue managing their mail distribution lists without breaking the existing secondary functionality of the distribution lists as security/access groups in AD.
  • Membership of the distribution lists could be individual accounts, other distribution lists, or security/access groups within AD. Any solution implementation had to maintain this structure and allow for it to be carried forward in the future.
  • Distribution lists in AD could have a "Managed By" attribute that refers to the account or group that manages that DL. Any solution implementation had to maintain this feature.

Solution

  • At that time, the IAM team had been looking into Grouper and what it could offer in terms of access management solutions for our users.
  • The decision was made to deploy Grouper in a phased approach with Phase 1 addressing the Office 365/Exchange mail distribution lists at hand.
  • Info: Grouper Setup

    For an overview of our Grouper setup, please refer to slides 3 and 5 of this presentation.

...

The details of moving distribution list management into Grouper are as follows:

  1. Created a top-level OU in AD for Grouper
    • This is the OU to which any changes made in Grouper for the AD resource are written, i.e., these are one-way updates from Grouper to AD
    • This OU has sub-OUs that mirror the stem structure in Grouper for the AD resource
    • An AD service account was created for Grouper. This account was given NEARLY full permissions on this OU and all of its child objects. The permissions withheld from this account on this OU and its descendant objects were "Delete", "Delete subtree", "Modify Permissions", and "Modify owner"
  2. Moved the mail distribution lists
  3. Developed a "Managed" group type
  4. Loaded the mail distribution lists into Grouper
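The delegation in step 1 is easy to get subtly wrong: granting the service account Full Control (GenericAll) silently includes all four withheld rights, and an ACE that does not inherit never reaches the sub-OUs that mirror the Grouper stems. The following audit script is an added example, not part of the original page or of Grouper; the OU distinguished name and the service account name are placeholders.

```powershell
Import-Module ActiveDirectory

function Test-GrouperOuDelegation {
    param(
        [string]$OuDn     = 'OU=Grouper,DC=example,DC=edu',   # placeholder: top-level Grouper OU
        [string]$Identity = 'EXAMPLE\svc-grouper'            # placeholder: Grouper service account
    )
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    # ADUC names -> rights flags: "Delete" = Delete, "Delete subtree" = DeleteTree,
    # "Modify permissions" = WriteDacl, "Modify owner" = WriteOwner.
    $withheld = [int]($R::Delete -bor $R::DeleteTree -bor $R::WriteDacl -bor $R::WriteOwner)

    $aces = (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
    if (-not $aces) { return @("No explicit ACEs for $Identity on $OuDn") }

    # Aggregate what the account's own ACEs allow and deny out of the withheld set.
    # GenericAll (Full Control) contains all four bits, so granting it shows up here;
    # object-type-specific ACEs are counted too, which over-reports rather than misses.
    $allowed = 0; $denied = 0
    foreach ($ace in $aces) {
        $bits = [int]$ace.ActiveDirectoryRights -band $withheld
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $bits }
        else                                    { $denied  = $denied  -bor $bits }
    }
    # A right is effectively held only if it is allowed and not explicitly denied
    # (Full Control plus four explicit Deny ACEs is therefore also an acceptable setup).
    $effective = $allowed -band (-bnot $denied)

    $problems = @()
    if ($effective -ne 0) {
        $problems += "Withheld right(s) still effective: $([System.DirectoryServices.ActiveDirectoryRights]$effective)"
    }
    # Step 1 says the delegation covers the OU and all child objects; a non-inheriting
    # Allow ACE stops at the OU itself and never reaches the stem-mirroring sub-OUs.
    foreach ($ace in $aces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.InheritanceType -eq 'None' }) {
        $problems += "Allow ACE ($($ace.ActiveDirectoryRights)) does not inherit to child objects"
    }
    return $problems
}

Test-GrouperOuDelegation | ForEach-Object { Write-Warning $_ }
```

Run it as a user who can read the OU's security descriptor; no output means the account's explicit ACEs match the configuration described in step 1.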