I need some advice here because I don’t want to accept that this is the best way to do it.
We want to manage our EPP permissions for users via AD groups. Therefore we have everything configured on the “groups” level. We have also switched to Azure Active Directory AD-Sync, as I encountered a similar problem in the past and had hoped that this would solve the problem.
In our environment it is relatively common that an AD group gets renamed. If that is the case, EPP creates a new group and we therefore have to “transfer” every “right” and “setting” from the old group to this new group with the new name and then delete the old group.
Isn’t there somewhere an option that in this case EPP should NOT create a new group and should only rename the group and keep the configured permissions?
I can’t really believe that this is the way to do it.
Hey, thank you for reaching out. Managing permissions via AD groups is the way to go, so you’re definitely on the best possible path.
What you are describing is accurate and known. While there is no button or setting that changes this behaviour, unfortunately, we do have some recommendations.
For environments where renaming groups is common, we recommend you create clones or copies of the groups that you use in EPP and only sync those. As a result, the names of the AD groups used by EPP will no longer change.
If the memberships of the groups also change frequently, which I guess they do, and you want to address that too, you could set up a short PS script + task scheduler task to sync the memberships between the master and clone groups in AD every x minutes. I just had ChatGPT come up with a super simple script that does it. So while this will take some extra effort, let’s call it, it can definitely be achieved with minimal intervention.
Or the second obvious option is to submit a feature request.
Thanks for the great question. Hope this answers your question to some degree.
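The master-to-clone membership sync suggested in the reply above, sketched in PowerShell as an added example (not the script the poster generated and not vendor code). The group GUIDs and clone names are constructed placeholders; each master group is resolved by objectGUID so a rename does not break the mapping, and removals are skipped when one run would strip more than half of a clone's members.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed placeholders: master group objectGUID -> clone sAMAccountName.
    [hashtable]$GroupMap = @{
        '00000000-0000-0000-0000-000000000001' = 'EPP-Clone-Finance'
        '00000000-0000-0000-0000-000000000002' = 'EPP-Clone-Engineering'
    },
    # Refuse to remove more than this share of a clone's members in one run.
    [double]$MaxRemovalRatio = 0.5
)

foreach ($masterGuid in $GroupMap.Keys) {
    $cloneName = $GroupMap[$masterGuid]
    try {
        # objectGUID survives renames, so the master is found under any name.
        $master = Get-ADGroup -Identity $masterGuid -ErrorAction Stop
        $clone  = Get-ADGroup -Identity $cloneName  -ErrorAction Stop
        $want = @(Get-ADGroupMember -Identity $master -ErrorAction Stop |
                  Select-Object -ExpandProperty DistinguishedName)
        $have = @(Get-ADGroupMember -Identity $clone -ErrorAction Stop |
                  Select-Object -ExpandProperty DistinguishedName)
    } catch {
        # A failed lookup must never be treated as "master is empty".
        Write-Warning "Skipping $cloneName : $($_.Exception.Message)"
        continue
    }

    $toAdd    = @($want | Where-Object { $_ -notin $have })
    $toRemove = @($have | Where-Object { $_ -notin $want })

    # Guard against a mass removal caused by a broken or emptied master group.
    if ($have.Count -gt 0 -and ($toRemove.Count / $have.Count) -gt $MaxRemovalRatio) {
        Write-Warning "$cloneName : $($toRemove.Count) removals exceed threshold, removals skipped"
        $toRemove = @()
    }

    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $clone -Members $toAdd -WhatIf:$WhatIfPreference
    }
    if ($toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $clone -Members $toRemove `
            -Confirm:$false -WhatIf:$WhatIfPreference
    }
    # One line per group so the scheduled task leaves an audit trail.
    Write-Output "$(Get-Date -Format s) $($master.Name) -> $cloneName +$($toAdd.Count) -$($toRemove.Count)"
}
```

Because membership of the clone groups is what grants EPP permissions, run the scheduled task under an account that can write only to those clone groups, and run it once with `-WhatIf` before scheduling it.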
Thank you for the recommendation, but unfortunately that is definitely not the way to do it for us. This option would create “unnecessary” groups, would create further sources of error and would make the whole AD-synchronization setup really confusing.