Group Policy Configuration & Examples
This document describes how to configure and manage policies within Activate Security Group Compliance Manager (SGCM), including examples for monitoring and enforcing compliance rules across Active Directory security groups.

Overview

SGCM policies define how group membership changes are detected, classified, and remediated. They provide automated enforcement of organisational rules around who can be added to sensitive groups, how unauthorised changes are handled, and who receives notifications.

Policy structure

Each SGCM policy is represented by a connector events parameter applied to a managed group or organisational unit in Activate Studio. These policies define event types and the actions to take when group changes occur. Policies typically include:

- Create events – detect when new groups are created outside authorised workflows
- Add events – monitor users added to a group
- Deny events – trigger when an unauthorised addition occurs
- Remove events – monitor users removed from groups

Setting up group categories

To enable appropriate handling, groups are categorised into managed sections under Resources > Security Groups.

Groups can be moved between categories directly within Activate Studio. This only affects SGCM's internal cache and does not alter the structure in Active Directory.

Example: restricted group policy

Restricted groups focus on awareness and audit.

<groups>
  <events>
    <add>
      <notify>
        <users>=//group/securitygroupmanagers</users>
        <message>
          <subject>Restricted group membership added</subject>
          <body><![CDATA[
            Notification
            A user %=//member% has been added to %=//group% (%=//group/domainname%). Please review this change for compliance.
          ]]></body>
        </message>
      </notify>
    </add>
    <remove>
      <notify>
        <users>=//group/securitygroupmanagers</users>
        <message>
          <subject>Restricted group membership removed</subject>
          <body><![CDATA[
            Notification
            A user %=//member% has been removed from %=//group% (%=//group/domainname%).
          ]]></body>
        </message>
      </notify>
    </remove>
  </events>
</groups>

Example: protected group policy

Protected groups enforce automatic remediation for unauthorised changes.

<groups>
  <events>
    <deny>
      <removemember></removemember>
      <notify>
        <users>=//group/securitygroupmanagers</users>
        <message>
          <subject>Protected group membership violation</subject>
          <body><![CDATA[
            Notification
            A user %=//member% attempted to join %=//group% (%=//group/domainname%) outside of Activate. The user has been automatically removed from the group.
          ]]></body>
        </message>
      </notify>
    </deny>
    <add>
      <notify>
        <users>=//group/securitygroupmanagers</users>
        <message>
          <subject>Protected group membership added</subject>
          <body><![CDATA[
            Notification
            A user %=//member% has been added to %=//group% (%=//group/domainname%).
          ]]></body>
        </message>
      </notify>
    </add>
  </events>
</groups>

Example: service group policy

For groups linked to services (via the mastergroup parameter), SGCM can manage the associated service provisioning or deprovisioning.

<services>
  <events>
    <deny>
      <removemember></removemember>
    </deny>
    <add>
      <createservice></createservice>
    </add>
    <remove>
      <deleteservice></deleteservice>
    </remove>
  </events>
</services>

This configuration ensures that any group membership change automatically triggers service creation or removal as defined in the Activate platform.

Notification recipients

Notification recipients are determined by the securitygroupmanagers parameter, typically set at the folder or group level in Activate Studio. This parameter is of type Reference and should point to the Activate role responsible for group governance (for example, Service Desk or Security Administrators).

Testing policies

After defining or updating event policies:

1. Trigger test changes in a non-production domain or OU.
2. Monitor the SGCM connector logs to confirm event detection.
3. Verify that notifications and remediation actions execute as expected.
4. Adjust workflow timing or event scope if necessary.

Best practices

- Apply stricter enforcement (the Protected category) only to high-risk groups.
- Maintain clear documentation of connector events configurations for auditing.
- Regularly review notification recipients to ensure proper accountability.
- Test any schema or workflow changes in a controlled environment before deployment.

Summary

SGCM policies translate organisational security requirements into enforceable actions. By combining real-time detection, workflow automation, and granular categorisation, SGCM ensures Active Directory group memberships remain compliant with access governance and audit controls.
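To see how the protected group policy above turns one observed membership change into actions, here is an added example that evaluates a policy of that shape and renders its notification. It is not SGCM's own code: the `%=//path%` placeholder resolution, the rule that an add outside an authorised workflow routes to the deny event, and the lookup context are assumptions made for illustration.

```python
# Added example, not SGCM's own code: classify one observed membership change
# against a connector events policy shaped like the page's protected-group
# example and return the actions it prescribes. Placeholder semantics and the
# "unauthorised add -> deny" routing are assumptions.
import re
import xml.etree.ElementTree as ET

# Constructed sample policy: the deny and add branches of the protected-group example.
PROTECTED_POLICY = """<groups><events>
  <deny>
    <removemember></removemember>
    <notify><users>=//group/securitygroupmanagers</users>
      <message><subject>Protected group membership violation</subject>
      <body><![CDATA[Notification: a user %=//member% attempted to join %=//group% (%=//group/domainname%) outside of Activate. The user has been automatically removed from the group.]]></body>
      </message></notify>
  </deny>
  <add>
    <notify><users>=//group/securitygroupmanagers</users>
      <message><subject>Protected group membership added</subject>
      <body><![CDATA[Notification: a user %=//member% has been added to %=//group% (%=//group/domainname%)]]></body>
      </message></notify>
  </add>
</events></groups>"""

PLACEHOLDER = re.compile(r"%=(//[A-Za-z0-9_/]+)%")

def render(text, context):
    """Replace %=//path% placeholders with values from context (assumed semantics)."""
    return PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), m.group(0))), text)

def evaluate(policy_xml, change, context):
    """Return the actions for change = {"type": "add"|"remove", "authorised": bool}."""
    root = ET.fromstring(policy_xml)
    unauthorised_add = change["type"] == "add" and not change["authorised"]
    event = root.find("events/" + ("deny" if unauthorised_add else change["type"]))
    actions = []
    for step in ([] if event is None else event):   # silent policy: no actions
        if step.tag == "removemember":
            actions.append({"action": "removemember", "member": context["//member"]})
        elif step.tag == "notify":
            # <users>=//group/securitygroupmanagers</users> is a reference, resolved from context
            ref = step.findtext("users", "").strip().lstrip("=")
            actions.append({"action": "notify", "to": context.get(ref, ref),
                            "subject": render(step.findtext("message/subject", ""), context),
                            "body": render(step.findtext("message/body", ""), context)})
    return actions
```

Running `evaluate` for an unauthorised add yields a removemember action followed by a notify action addressed to whatever the group's securitygroupmanagers reference resolves to, which is the behaviour the protected policy describes.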