After looking at the groups and the types, we need to first bring the existing groups into MIM portal before we make it authoritative for group creation and management, so that all groups will be static in terms of membership. As discussed earlier, we now need to consider the groupType
attribute in AD. We also need to consider whether we have different needs depending on the group type.
At The Financial Company, they have decided that MIM should not delete security groups once created in AD. This is a common approach, since deleting a security group—and thereby its SID (Security ID)—might cause dramatic events if the group is used for some kind of permission. Recreating a group with the same name will not recreate the SID, and will not fix the permissions.
On the other hand, when talking about distribution groups, we want MIM to be able to delete them. The owner might want to delete it, and will use the MIM portal interface to do so. Or, it could be that we have a policy...