Chat now with support
Chat with Support

On Demand Group Management Current - User Guide

Group roles

Group roles in Group Management include Owner and Member. Group owners can manage their group via Self-Services in the self-service portal. This includes:

  • Manage group owners and members
  • Create group attestations
  • Delete group

NOTE: Only one owner is allowed for groups of some types. For more information, see Group types.

Group attestations

The flow chart below shows the group attestation processes in Group Management.

Figure 2: Group attestation processes

Group Management provides the following group attestations that enable group owners and members to review and confirm their membership:

  • Attestation for group owners: Each group owner receives a request to confirm if they still want to keep the group.
    • The attestation process completes as long as one owner selects to keep the group and confirms the membership.
    • If all the owners select to delete the group, the group will be automatically deleted.
    • If no owner responds to the request before the due date, the group will be automatically deleted.
  • Attestation for group members: Each group member receives a request to confirm if they still want to stay in the group.
    • The members who select to stay in the group will not be removed.
    • The members who select to leave the group will be automatically removed.
    • The members who do not respond to the request before the due date will be automatically removed.

A group attestation process can be launched by the following methods:

  • A Group Management administrator can create a group attestation in the admin portal.
  • A group owner can submit a request to attest the group in the self-service portal. This needs approval before the attestation is launched.
  • The group setting Automatic Attestation triggers the process periodically.

Getting started

Prerequisites

The following prerequisites must be met before you enter the Group Management module:

  1. Your tenant must have been added to On Demand.
  2. The tenant admin consent must have been granted to the Group Management module.

For more information about adding a tenant and granting admin consent, refer to On Demand Global Settings User Guide.

Opening Group Management

To open the Group Management module, click Group Management in the side navigation panel.

The Group Management dashboard page is displayed on the right. For more information about the dashboard, see Viewing the dashboard.

TIP: If you have multiple tenants managed by Group Management, you can click the filter icon at the top right of the page to switch tenants.

Supporting hybrid mode

Group Management supports tenants in hybrid mode to manage your on-premises groups. The flow chart below shows the process of enabling hybrid mode in Group Management.

Figure 3: Enabling hybrid mode

A local agent is required to query and perform management actions on on-premises groups. Agents run as a service on a machine in the local network. The machine must have sufficient privileges to perform the actions required. You must install the agent on the local machine.

This section contains information on installing and configuring an agent. For information about configuring default OU, see Organizational Units.

Installing an agent

  1. On your local machine, create a folder to store the agent install file and installation key.
  2. In the On Demand navigation panel, click Settings.
  3. In the main panel menu bar, click AGENTS.
  4. Under Download Agent, click Download and save the file in the folder you created.
    If your browser automatically saves the file in a default folder, locate the file and copy it into the folder you created.
  5. Go to the folder you created and extract the contents of the zip file into the folder. An Agent folder is created.
    NOTE: The installer must be extracted to a folder before you launch it.
  6. Return to the On Demand Settings > AGENTS page and under Generate Installation Key, click Generate and save the generated file in the Agent folder. If your browser automatically saves the file in a default folder, locate the installation key file and copy it into the Agent folder.
    NOTE: If you do not copy the key file into the Agent folder, you will be prompted for the path to the file during the installation.
  7. In the Agent folder, double click Setup.exe.
    A console window opens.
    NOTE: Before the installation, make sure the file bin\OPGMService.exe in the Agent folder is unblocked (File Properties > General > Security > Unblock), otherwise the installation will fail.
  8. In the console window, you are prompted to confirm the installation. Type y and press Enter.
  9. In the console window, you are prompted to confirm the installation. Type y and press Enter.
  10. You are prompted to enter the Agent name. Press Enter to accept the default or type a name and press Enter.
    The agent is installed and the console window closes.
  11. Return to the On Demand Settings > AGENTS page and click Refresh.
    In the Modules pane, the agent name is listed under the Group Management module.
  12. Click on the agent name to display the Agent Information.

Enabling and disabling the agent

If an agent is enabled, it is returned in a request for available agents within the organization. For example, a service may request an agent for domain xyz.corp in organization A. The agent management service looks for all enabled agents that support domain xyz.corp for organization A. Any agents that have been disabled are ignored. If the agent has been disabled, it is not used.

To enable or disable an agent

  1. In the On Demand navigation panel, click Settings.
  2. In the main panel menu bar, click AGENTS.
  3. In the Modules panel, select the agent under the Group Management module.
  4. The Enabled / Disabled toggle is at the top right of the Agent Information fields.
  5. Click on the toggle to change the state of the agent.
NOTE: You can start and stop the agent from a console window. See Additional agent commands.

Adding and configuring domains

You must add your on-premises Active Directory domains to the domain list of the agent, and provide required authentication information. The agent validates the domain name when it is added. For example, if you add domain xyz.corp and it does not exist or cannot be connected to, you receive an error.

The agent must be enabled and online to add a domain name to the list. Check the Enabled and Online icons at the top right of the Agent Information fields.

To add and configure a domain

  1. In the On Demand navigation panel, click Settings.
  2. In the main panel menu bar, click AGENTS.
  3. In the Modules panel, select the tenant under the Group Management module.
  4. The Domains field is below the Agent Information. Enter the domain name in the text box and click Add Domain.
    If the operation is successful, the domain is added to the domain list.
  5. Click CONFIGURE on the domain you added.
  6. In the Domain Authentication section, provide an account with the following permissions:
    • Read users
    • Read/Edit groups, group owners, and group members
    • Delete groups
  1. (Optional) In the Exchange Authentication section, provide the on-premises Exchange server URL (in the format: http://<ExchangeServer>/powershell) and Exchange admin credentials.
    If the account you provided in step 6 is also an Exchange admin, select the check box Use Domain Authentication Credentials instead of entering the credentials.
    NOTE: This step is only required for managing on-premises mail-enabled security groups and distribution lists.
  2. Click SAVE.

Uninstalling the agent

Prerequisites

You must know the location of the agent setup.exe file. See Installing an agent

To uninstall an agent

  1. Open a console window and navigate to the folder where the agent setup.exe file is located.
  2. Type setup.exe uninstall and press Enter.
  3. You are prompted to confirm the uninstall. Type y and press Enter.

Additional agent commands

The following commands and switches can be used from the Windows console command line. To use a command or switch, you must first navigate to the folder where the agent setup.exe file is located or provide the path to the file as part of the command syntax.

Prefix each command or switch with setup.exe. For example setup.exe install.

Table 5: Agent commands
Type Syntax Description
Command

install

or

i

Installs the agent.
Command

uninstall

or

u

Uninstalls the agent.
Switch -q Do not ask for install or uninstall confirmation.
Switch

-keyfile

or

-kf

The full path to the agent installation key file.
Switch -key A string representation of the installation key.
Switch

-name

or

-n

The name of the agent.
Switch -user The username to run the Windows service under.
Switch -password The password for the username of the Windows service account.
Command start Starts the agent.
Command stop Stops the agent.
Command restart Restarts the agent.
Command status Gets the status of the agent. Status can be Running or Stopped.
Switch

-h

or

-?

Displays the help screen.
Related Documents