AD Groups Certification Review
Rule description
This rule returns Active Directory groups based on the specified query and then sends a request to the group's owner(s) to certify the group membership accuracy and/or the need for the group's continued existence.
For more details about group certification, please see the Configuration of Group Membership and Team Certification article.
NOTE: This rule doesn't support certification of nested groups.
When to use this rule
Without proper periodic control, Active Directory and Microsoft 365 may become polluted with an excessive number of groups. The problem grows if you have both on-premises and cloud-based directories. One way to keep the growing number of groups under control is to enforce group attestation and certification processes. Group Certification is a process in which group owners review and certify that the group itself and its membership are correct and current.
Use this rule when you need the owners of Active Directory groups to check and certify:
The Active Directory group exists.
The Active Directory group membership accuracy.
Both the Active Directory group existence and the group membership accuracy.
NOTE: If a replication group is configured in your environment, Cayosoft recommends running certification rules on the publisher for better performance.
Rule settings
Query section
| Setting name | Description |
|---|---|
| General Settings | |
| Limit scope to this domain or OU | This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature. |
| Query criteria | Query criteria are sent with the query and may improve query performance. TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings article. |
| Suspended groups | Select one of the possible values: |
| Certification period (days) | Specify the certification period in days. By default, a new certification task is created for each group every time the rule runs, so the rule's schedule determines the certification period. Set a custom number of days if you want the rule to run more frequently than the certification period. If a group has a pending or completed certification task within the set period, the rule skips creating a new task for that group. Once the specified number of days has passed, a new certification task is created the next time the rule runs. |
| Other Query Settings | |
| Properties to display | The properties to display specified in the rule are not the properties used in the Output report. The output report has a fixed, non-changeable format that displays the id, group name, assigned to, status, and error fields. If the Id field is empty in the report, no certification work item was created for that group; this happens, for example, when the group has no owner. |
| System properties | List of properties required for this rule to execute correctly. |
| Filter | Set filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting, for example, filtering by the found object's Distinguished Name. TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible. |
| Sort by | Sort the result object list. |
| Initialization script | Rules usually use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, calculated expressions cannot be used in query criteria; this is where the initialization script helps. You can initialize a global variable in this setting and then use it in the query criteria. IMPORTANT: To use a variable declared in the initialization script in the query scope, it must be global. Example: Update AD users created in the last ten days. |
| LDAP Filter | Set low-level filtering conditions using LDAP syntax to return only the objects or data that the rule needs to process. When defined, this filter overrides the Query criteria setting. |
Action section
| Setting name | Description |
|---|---|
| Type of certification | There are three types of certification. The group is still needed: the certifier checks whether the group is still needed; group membership is not reviewed in this case. The group's membership is accurate: the certifier certifies that the group's membership is correct and marks the members that need to be removed. The group is still needed, and the membership is accurate: the certifier checks both whether the group is still needed and whether its membership is accurate. |
| Work Item Title | |
| Work item title | The work item title describes the work item to the user in notification emails and in the list of work items in the Web Portal. |
| Work item comment | Specify the comment for the created work items. |
| Certifiers | |
| Owner (Managed by) of the target group | Specify whether the owner of the target group should be the certifier. In this case, the group owner must provide group certification. NOTE: If a group does not have a manager assigned, an error is recorded in the rule execution history and no certification request is created for that group. |
| Co-owner (msExchCoManagedByLink) of the target group | Specify whether the co-owner of the target group will be the certifier. |
| Selected user(s) or group(s) | Select users or groups to be certifiers if needed. |
| Defined by script | You can use a script that sets the certifiers. The script should return an array of strings, each string being the object ID of a certifier, as in the example. Example: `{ @("CN=user1,DC=domain,DC=gov", "CN=group1,DC=domain,DC=gov") }` |
| Remediation and Expiration | |
| Group removal by user | Select what action to perform when the certifier chooses to remove the group during certification: |
| Certification review expires in (days) | Specify the number of days certifiers have to complete the certification review. If the review is not completed within that period, the certification request is set to Expired and the remediation actions configured below are taken. |
| Remediation | Select what action to perform when the certification review expires: NOTE: To perform a remediation action, the Cancel Expired Work Items rule must be run and the 'Expired' notification must be enabled. |
| Suspend policy | Use the default suspend policy or a custom suspend policy file. |
| Email Notifications | |
| Notification | Select events and configure the email notifications to send when those events occur: |
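As an added example for the Defined by script certifier setting (this is not Cayosoft's own code), the script block below resolves certifiers from the group's owner and co-owners and falls back to a placeholder reviewer group when a group has neither, so that such groups are still reviewed instead of being skipped with an error. It assumes the rule exposes the current group as `$_` with a distinguishedName property, that the ActiveDirectory PowerShell module is installed on the Cayosoft server, and that the fallback DN is a placeholder you replace with your own.

```powershell
# Added example for the "Defined by script" certifier setting; this is not
# Cayosoft's own code. Assumptions: the rule exposes the current group as $_
# with a distinguishedName property, the ActiveDirectory module is installed
# on the Cayosoft server, and the fallback DN below is a placeholder.
{
    Import-Module ActiveDirectory -ErrorAction Stop

    # Placeholder reviewer group, used only when a group has neither an owner
    # nor a co-owner, so the group is still reviewed instead of being skipped
    # with a "no manager assigned" error in the rule execution history.
    $fallbackCertifier = 'CN=Group Certification Reviewers,OU=Security,DC=domain,DC=gov'

    $group = Get-ADGroup -Identity $_.distinguishedName `
                         -Properties managedBy, msExchCoManagedByLink

    # Collect owner and co-owner DNs (msExchCoManagedByLink is multi-valued).
    $certifiers = @()
    if ($group.managedBy)             { $certifiers += $group.managedBy }
    if ($group.msExchCoManagedByLink) { $certifiers += @($group.msExchCoManagedByLink) }

    # Keep only certifiers that still exist in the directory: a review assigned
    # to a deleted owner can never be completed and would simply expire.
    $certifiers = @($certifiers | Sort-Object -Unique | Where-Object {
        try   { $null = Get-ADObject -Identity $_ -ErrorAction Stop; $true }
        catch { $false }
    })

    if ($certifiers.Count -eq 0) { $certifiers = @($fallbackCertifier) }

    # The rule expects an array of strings, one object ID per certifier.
    return [string[]]$certifiers
}
```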
Output section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.