We now have some groups in FIM. Both the ones created in FIM and those that come from the HR system.
We now need to configure FIM to export these groups to AD.
As discussed earlier, we now need to consider the groupType
attribute in AD.
We also need to consider if we have different needs depending on group type.
At The Company, they have decided that FIM should not delete security groups once created in AD. This is a common approach, since deleting a security group—and thereby its SID (Security ID)—might cause dramatic events, if the group is used for some kind of permission. Recreating a group with the same name will not recreate the SID and will not fix the permissions.
On the other hand, when talking about distribution groups, we want FIM to be able to delete them. The owner might want to delete it and will use the FIM Portal interface to do so. Or, it could be that we have a policy stating that distribution groups where the owner has left the company and no new owner...