Exceptions for expired groups
Hello,
We have a few outages due to GroupID removing the mail and mailNickname attributes for expired groups. Is there a way to retain those two attributes even for expired groups? Or is there an option to force people to remove every member from the group before marking it expired?
Regards,
Anupam
-
Appreciate your response
What about the next option? We are requesting one of these feature requests because our production engineering teams heavily depend on these two attributes. They query any user, find the memberOf attribute listing the groups, and then verify the existence of the mail and mailNickname attributes. If they don't find them, their code breaks and thus creates an outage. If we can ensure no user will remain as memberOf those expired groups, then that would be great as well. People tend to forget to remove users before expiring groups. An expired group should not have any member as its member. So we have to ensure this policy is enforced so that nobody can expire a group without removing its members.
Is there an option to force people to remove every member from the group before marking it expired?
-
Typically, groups are expired by policy rather than manually (group is aged beyond lifecycle policy and not attested/validated/renewed). A renewal of a group works by restoring the group to its previous state, meaning that the membership should still be present. Attributes are changed when you mail-disable a DL. Same as if you executed Disable-DistributionGroup from the shell.
If your desire is to truly remove membership, consider making the DL a mail-enabled security group. GroupID in this case has to do a bit more work to ensure that the group is unusable but retains the ability to be renewed. For this to work, a security group must have the membership removed in order to be unusable but retain all of the SID references so that when renewed, it is usable by all of the resources that reference it.
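An added example, not part of the thread and not GroupID's or the poster's code: one way a consumer of memberOf can tolerate groups whose mail and mailNickname attributes have been removed, reporting them (with their remaining member count) instead of failing. The directory entries, DNs and the `first` and `classify_groups` helpers are constructed for illustration.

```python
# Constructed sample data: DN -> attributes, shaped like LDAP search results.
# All names and values are hypothetical, not taken from the thread.
DIRECTORY = {
    "CN=Ops-Alerts,OU=Groups,DC=example,DC=com": {
        "mail": ["ops-alerts@example.com"], "mailNickname": ["ops-alerts"],
        "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    "CN=Old-Project,OU=Groups,DC=example,DC=com": {
        # Expired and mail-disabled: mail attributes gone, members still present.
        "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    "CN=alice,OU=Users,DC=example,DC=com": {
        "memberOf": ["CN=Ops-Alerts,OU=Groups,DC=example,DC=com",
                     "CN=Old-Project,OU=Groups,DC=example,DC=com",
                     "CN=Deleted-Group,OU=Groups,DC=example,DC=com"]},
}

def first(entry, attr):
    """Return the first value of a multi-valued attribute, or None if absent or empty."""
    values = entry.get(attr) or []
    return values[0] if values else None

def classify_groups(user_dn, directory=DIRECTORY):
    """Split a user's memberOf groups into mail-enabled, mail-disabled and unresolved."""
    result = {"mail_enabled": [], "mail_disabled": [], "unresolved": []}
    for group_dn in directory.get(user_dn, {}).get("memberOf", []):
        entry = directory.get(group_dn)
        if entry is None:
            # memberOf points at an object we cannot read; record it, do not crash.
            result["unresolved"].append(group_dn)
            continue
        mail, nick = first(entry, "mail"), first(entry, "mailNickname")
        if mail and nick:
            result["mail_enabled"].append((group_dn, mail, nick))
        else:
            # Report instead of raising, so one expired group cannot cause an outage.
            # The member count shows expired groups that still carry membership.
            result["mail_disabled"].append((group_dn, len(entry.get("member", []))))
    return result

if __name__ == "__main__":
    for kind, items in classify_groups("CN=alice,OU=Users,DC=example,DC=com").items():
        print(kind, items)
```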