Support data attribute specification on the group form

You can specify support data attributes on the group form when you want to assign a group.

You can assign groups to:

  • A container
  • Another group on the Active Directory
Note: Perform the reconciliation operation before you specify the support data attributes on the group form. The operation provides an updated list of containers and groups that are available on the Active Directory. For information about reconciling user accounts and support data attributes, see Reconciling user accounts.
The following attributes are the support data attributes on the group form:
Container attribute
Specify this attribute to associate the group with a container that is selected from the list on the group form of the Active Directory profile. Specifying the container decides the location of the group in an organization hierarchy. For more information about the Container attribute, see Container attribute modification on the group form.

When you do not specify the container attribute on the group form, the group is created on Active Directory under the Groups Base Point DN. The value of the Groups Base Point DN is specified on the service form. If no Groups Base Point DN is specified on the service form, the group is created under CN=USERS container on the Active Directory.

Member of attribute
Specify this attribute to add a group to another group that is selected from the list on the group from of the Active Directory profile. When you do so, one group becomes a member of another group. You can select multiple groups to specify the Member of attribute.

The Active Directory restricts the groups that can or cannot be a member of a specified group. The following table lists the group types, scope, and the groups that can or cannot be a member of the specified group.

Table 1. Group membership details
Group type Group scope Type and scope of the group that this group can be a member of Type and scope of the group that this group cannot be member of
Distribution Universal
  • Security Group - Domain Local
  • Security Group - Universal
  • Distribution Group - Domain Local
  • Distribution Group - Universal
  • Security Group – Global
  • Distribution Group – Global
Distribution Global All group types can be members of this group type.  
Distribution Domain Local
  • Security Group - Domain Local
  • Distribution Group - Domain Local
 -
  • Security Group - Global
  • Security Group - Universal
  • Distribution Group - Global
  • Distribution Group - Universal
Security Universal
  • Security Group - Domain Local
  • Security Group - Universal
  • Distribution Group - Domain Local
  • Distribution Group - Universal
  • Security Group – Global
  • Distribution Group – Global
Security Global All group types are allowed as members of this group.  
Security Domain Local
  • Security Group - Domain Local
  • Distribution Group - Domain Local
 -
  • Security Group - Global
  • Security Group - Universal
  • Distribution Group - Global
  • Distribution Group - Universal
Note: When you add a group member to a group that does not accept a group member of a specified type and scope, the Active Active Directory Adapter fails the request. The adapter generates the message 0x80072035 - The server is unwilling to process the request.