Managing group permissions

Use the Group permissions tree to associate local or Active Directory groups with roles you've created. This combination of roles and groups is called a group permission. When you add or edit group permissions, only Active Directories that you've provided authentication credentials for are visible.

You can't assign permissions to an individual, only a group. If you want to assign rights to an individual, you must put them into a group first and then assign rights to that group.

You can assign multiple roles to a single Active Directory group. If there are conflicting rights among the selected roles, the group permission consists of the sum of the combined roles and scopes. For example, if one included role allows remote control and another included role denies it, the resulting group permission will allow remote control.

Generally, you should avoid assigning group permissions to the default local groups: LANDesk Management Suite, LANDesk Script Writers, and LANDesk Administrators. Assigning group permissions to a group affects everyone in the group. Since all console users must be a member of one of these three groups, you could unintentionally restrict everyone's access to console features.

Also, make sure users aren't in multiple groups that have different group permissions. In this scenario, users will only get one of their assigned group permissions and the group permission they get may vary from login to login.

NOTE: The LANDesk Administrators group permission associates the LANDesk Administrator role with the LANDesk Administrators local users group. This group permission can't be edited or deleted.

To create a group permission
  1. In the Users tool, right-click Group permissions and click New group permission.
  2. In the Group permissions dialog, enter a Name for your group permission.
  3. Select an AD authentication source. This determines which groups appear in the Available AD groups box.
  4. Use the >> and << buttons to move groups from the Available AD groups box to the Targeted AD groups box.
  5. Select the roles you want assigned to this group permission.
  6. Click Save.