
EmpowerID Admin Lab 14: Dynamic Hierarchy Policy for Departmental and Divisional Groups

Purpose

This lab guides you through the process of creating a dynamic hierarchy policy in EmpowerID that automatically generates Active Directory groups for divisions and departments based on attributes found in Person records. You will configure the policy to group users by Division (as parent groups) and Department (as child groups) and store those groups in a specific OU within Active Directory.


Prerequisites

  1. Access to the EmpowerID training environment.
  2. Active Directory domain integrated and visible in EmpowerID.
  3. Person records populated with Division and Department attribute values.
  4. A designated OU in Active Directory to store the generated groups.

Steps

1. Create a New Dynamic Hierarchy Policy

  1. Navigate to Dynamic Hierarchies > Policies.
  2. Click the + button to create a new policy.
  3. In the policy setup form, configure the following:
    • Policy Type: Two-Level Nested Attribute Groups
    • Name: Department and Division Groups
    • Directory: Select your Active Directory domain

2. Enable and Schedule Hierarchy Generation

  1. Enable the Hierarchy Generation option.
  2. Set the Generation Interval to 5 minutes for lab demonstration purposes.
    • (Note: In production environments, this interval should be longer.)
  3. Enable Membership Recalculation.
  4. Set the Membership Recalculation Interval to 5 minutes as well.

3. Define Grouping Attributes

  1. In the Grouping Configuration section:
    • Set Level 1 (Parent) Attribute to Division.
    • Set Level 2 (Child) Attribute to Department.
  2. Select Add Users at All Levels (non-nested membership).
    • This ensures each user is a direct member of both the Division and Department group.

4. Configure Additional Policy Settings

  1. Enable Create Level 1 Groups even if no child groups exist.
  2. Leave the following settings disabled/unconfigured:
    • Claim matching groups or OUs
    • Create an OU for Level 1 groups
    • Mail-enable groups
    • Alerts and notifications
  3. Set the Empty Group Action to No Action.
  4. Set Group Type to Security - Universal.

5. Set Group Naming Conventions

  1. For Level 1 Group Naming (Division):
    • Enter: {Value1} Division All Users
  2. For Level 2 Group Naming (Department):
    • Enter: {Value1} - {Value2} Department All Users

6. Select the OU to Store Groups

  1. Click Select OU to browse the directory.
  2. Navigate to: EmpowerID > Dynamic Hierarchy Groups
  3. Select the OU and confirm your selection.

7. Save the Policy

  1. Click Save to create the policy.
  2. Return to the Policies page and monitor the job status.

Monitoring and Verification

1. Monitor Job Execution

  1. Wait approximately 5 minutes for the generation and membership jobs to execute.
  2. Monitor the Generation Status and Membership Status on the policy page.

2. Review Generated Groups

  1. Navigate to Dynamic Hierarchies > Inbox.
  2. Confirm that groups are listed as successfully created.
    • Example: Wealth Management - Trust Services Department All Users

3. Verify in Active Directory

  1. Open Active Directory Users and Computers.
  2. Browse to: EmpowerID > Dynamic Hierarchy Groups
  3. Confirm that:
    • Division groups (e.g., Asset Management Division All Users) exist.
    • Department groups under each division also exist.
    • Users are correctly assigned based on their Division and Department attributes.
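
The three checks above can also be run as a read-only audit from PowerShell. This is an added example, not part of the EmpowerID lab material. It assumes a placeholder domain DN (DC=example,DC=com), that each AD group's name equals the output of the naming convention, that the AD user Division and Department attributes match the Person record values, and that a user with no Department value belongs to the Division group only.

```powershell
# Read-only audit of the groups the policy wrote to AD (added example).
Import-Module ActiveDirectory   # ships with RSAT

# Assumption: placeholder domain DN; OU path mirrors EmpowerID > Dynamic Hierarchy Groups.
$GroupOU = 'OU=Dynamic Hierarchy Groups,OU=EmpowerID,DC=example,DC=com'

# Assumption: AD user Division/Department match the Person record values.
$users = Get-ADUser -Filter * -Properties Division, Department |
    Where-Object { $_.Division }

# Expected direct membership, built from the lab's two naming conventions.
$expected = @{}
foreach ($u in $users) {
    $names = @("$($u.Division) Division All Users")
    if ($u.Department) {
        $names += "$($u.Division) - $($u.Department) Department All Users"
    }
    foreach ($n in $names) {
        if (-not $expected.ContainsKey($n)) {
            $expected[$n] = [System.Collections.Generic.HashSet[string]]::new(
                [System.StringComparer]::OrdinalIgnoreCase)
        }
        [void]$expected[$n].Add($u.DistinguishedName)
    }
}

$groups = @(Get-ADGroup -Filter * -SearchBase $GroupOU -Properties member)

$report = foreach ($g in $groups) {
    $direct = @($g.member)          # direct members only (distinguished names)
    $want   = $expected[$g.Name]    # $null when no user attribute produces this name
    [pscustomobject]@{
        Group      = $g.Name
        # Lab setting: Group Type = Security - Universal
        TypeOk     = ($g.GroupCategory -eq 'Security' -and $g.GroupScope -eq 'Universal')
        # Lab setting: Add Users at All Levels, so no member should itself be a group
        Nested     = @($direct | Where-Object { (Get-ADObject -Identity $_).ObjectClass -eq 'group' }).Count
        # Members whose attributes do not place them in this group
        Unexpected = @($direct | Where-Object { $null -eq $want -or -not $want.Contains($_) }).Count
        # Users whose attributes place them here but who are not direct members
        Missing    = if ($null -ne $want) { @($want | Where-Object { $_ -notin $direct }).Count } else { 0 }
    }
}
$report | Sort-Object Group | Format-Table -AutoSize

# Group names the attributes call for that are absent from the OU.
$expected.Keys | Where-Object { $_ -notin $groups.Name } | Sort-Object
```

A non-zero Unexpected count deserves the closest look, since these are security groups and an extra member holds whatever access the group grants. Allow for the recalculation interval before treating a Missing or Unexpected entry as a real discrepancy.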

Notes

  • The flattened group structure (Add Users at All Levels) makes each user a direct member of both groups, avoids nested groups, and aligns with Microsoft best practices.
  • Jobs run at configured intervals—allow time for changes to propagate.
  • Empty group creation ensures group structure remains consistent even with no members.

Completion

Once all groups are generated,


Video Walk-thru

View a video walk-thru of Lab 14 - Dynamic Hierarchy Policy.