Status
This feature is in pilot, and available on a request basis to delegated OU customers. At this time, UW-IT is making use of this feature to enable key capabilities which are blocked otherwise.
Intended purpose
AD Groups are intended for customers who need to programmatically manage groups within the Microsoft ecosystem, for those needs which are not met by the UW Groups Service.
This solution provides a variety of very well-known management mechanisms and the highly available infrastructure of Active Directory, and syncs these groups to Azure Active Directory for use with various Azure services. These groups are not intended to be part of the UW Groups service ecosystem and thus are not synchronized with UW Groups, though they may have UW Groups as members with certain limitations on functionality in Azure.
Comparison of UW Groups Service to AD Groups
| Desired Feature | UW Groups Service | AD Groups |
| Reusable group across non-Microsoft technologies |  |
 |
| Off-the-shelf group management integration | |
 |
| Group in the u_ or uw_ namespace | |
|
| Ability to sub-delegate management of groups | |
 3 |
| Membership dependency1 | |
|
| Effective membership2 | |
|
| Group history | |
|
| Opt-in or out group membership | |
3 |
| Membership viewer controls | |
3 |
| Scalable & performant group edits | |
|
| Can have UW Groups as members | |
|
| Can have AD users as members | |
|
| Can have AD computers as members | |
|
| Can have other AD Groups as members | |
|
| Works in AAD/O365 |  |
|
Symbols reference
|
Symbol
|
Meaning
|
|---|---|
|
Great or recommended |
|
OK or Yes |
|
Some issues |
|
Not recommended, discouraged, or No |
|
Unclear; may depend on the scenario |
Footnotes for the Table
1 For AD Groups: a script using a variation on:
diff (Get-ADGroupMember “Group 1”) (Get-ADGroupMember “Group 2”) -Property ‘SamAccountName’ -IncludeEqual
would give you membership dependency
2 For AD Groups: a script with:
(get-adgroupmember -Recursive -Identity ad_mygroup).SamAccountName
will give you effective membership
3 For all 3 of the capabilities with this footnote, this is possible, but only with UW-IT assistance. For this reason, it isn’t recommended, but if there is no better option, UW-IT is willing to assist to enable this capability.
Approach for Pilot
Each delegated OU can request its own Group OU within the NETID Active Directory at ou=<delou>,ou=delegated,ou=groups,dc=netid,dc=washington,dc=edu. The ability to create & manage groups within a Group OU will be delegated to u_msinf_delou_<delou>_groupadmins, a new OU role group for each delegated OU, with initial membership populated from u_msinf_delou_<delou>_ouadmins.
The namespace for each Delegated OU’s AD Groups is ad_<delou>_<groupname>. We strongly recommend using a naming structure similar to what is used for UW Groups.
Some example AD Group names:
ad_pottery_computers
ad_pottery_lab200_users
The ability to create groups with a name outside the designated namespace can not be prevented by technical controls, but violations will be automatically removed.