If you have groups that are members of other groups, and the criteria for their membership changes, you can easily remove them. When you do so, any entitlements and delegations they received from the group via a policy will be handled in accordance with that policy. For example, if you have a group with an Exchange Mailbox Provisioning Policies that specifies a user's mailbox be deprovisioned when that user is no longer a member of the group, the users in the removed group will lose their mailboxes.
To remove a group from a group
- In the navigation sidebar, expand Identity Administration and click Groups.
Search for the group from which you want to remove a group and then click the record for that group. You should see a list of contextual actions appear that can be executed against that group appear in the Actions pane.
- Click the Remove Group from Group action.
- In the Group Lookup that appears, search for the group you want to remove from the group.
- Tick the box beside the group to select it.
- Repeat, adding as many groups as needed.
- When you have finished adding groups, click Submit.
- Click Yes to confirm you want to remove the group(s) from the group.
- Click OK to close the Operation Execution Summary.
To verify that EmpowerID removed the groups from the group
- From the navigation sidebar, expand System Logs and click Audit Log.
- Search for the group in question.
You should two or more records depending on the number of groups involved.
To verify that the group was removed from the group in Active Directory
On a server with the Active Directory PowerShell module, run the following PowerShell cmdlet (substituting the group in the cmdlet with the appropriate group from your environment):
Get-ADPrincipalGroupMembership "Automation-GVR1"
Verify that the group is no longer a member of the group from which you removed it.