If you have groups who are members of other groups, and the criteria for their membership changes, you can easily remove them. When you do so, any entitlements and delegations they received from the group via a policy will be handled in accordance with that policy. For example, if you have a group with an
Exchange mailbox RET policy that specifies a user's mailbox be deprovisioned when that user is no longer a member of the group, the users in the removed group will lose their mailboxes.
This topic demonstrates how to remove groups from groups in EmpowerID and is divided into the following activities:
From the Navigation Sidebar, navigate to the Group Management page by expanding Identities and clicking Groups.
Search for the group from which you want to remove a group and then click the record for that group. You should see a list of contextual actions appear that can be executed against that group appear in the Actions pane.
In the following image, the Locations pane has been collapsed to conserve screen real estate.
Click the Remove Group from Group action.
In the Group Lookup that appears, search for the group you want to remove from the group.
Tick the box beside the group to select it.
Repeat, steps 5 and 6, adding as many groups as needed.
When you have finished adding groups, click Submit.
Click Yes to confirm you want to remove the group(s) to the group and then click OK to close the Operation Execution Summary.
To verify EmpowerID removed the group(s) from the group
Search for the group from which you just removed the nested group(s).
From the grid, click the Logon Name link for the group.
This directs you to the View One page for the group. View One pages allow you to view details about an object in EmpowerID and make changes to those objects as needed.
From the View One page, expand the Nested Group Members accordion. You should see no records for the groups you removed.
If you have an email address that is registered in EmpowerID, you can have EmpowerID email you the group membership by clicking the email icon.
To verify the group was removed from the group in Active Directory
On a server with the Active Directory PowerShell module, run the following PowerShell cmdlet (substituting the group in the cmdlet with the appropriate group from your environment):