Create provisioned group for administrators

You must create a provisioned group for administrators to enforce administrator group membership. Group provisioning policies preserve the integrity of your local group accounts.

Keep in mind that for provisioned groups to work you must include them in a policy or task. (For instructions about including provisioned groups in a policy or task, go to Apply Provisioned Group.)

To create a provisioned group for administrators, follow these steps:

  1. In the Thycotic Security Manager, go to the Policies tab.
  2. In the file library in the left pane, navigate to Thycotic Solutions > Local Security > Resources > Provisioned Groups.
  3. Right-click Provisioned Groups and click New > Provisioned User Groups, or in the right pane click the New button.
  4. In the New Provisioned Group dialog box under Settings > Account Name, click Standard and choose Administrators.
  5. To enforce exact membership in the Administrators group, select the Exact membership check box. (Exact membership ensures that the correct resources are always in the group, but doesn't enforce any other resources.)
  6. Under Group Membership, go to the Include tab and select Built-in users. Note: Always include the Built-in Administrator Account.


Include or Exclude Resources

Every resource that you add under the Include tab will always be included in the group. Every resource that you add under the Exclude tab will never be included in the group.

You can include or exclude the following resources:

  • Built-in users
  • Domain groups
  • Users
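
After the policy containing the provisioned group has been applied, the resulting membership can be checked on an endpoint. The following PowerShell audit is an added example, not part of the product or its documentation; the `$Include` and `$Exclude` values and the `CONTOSO` domain are constructed placeholders to replace with the resources configured on the Include and Exclude tabs.

```powershell
# Added example: audit local Administrators membership on one endpoint.
# $Include and $Exclude are constructed sample values (CONTOSO is a placeholder
# domain); set them to what the policy's Include and Exclude tabs list.
$Include = @('CONTOSO\Workstation Admins')
$Exclude = @('CONTOSO\Domain Users')

# Well-known SID of BUILTIN\Administrators, so a renamed or localized group still resolves.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
$names   = @($members | ForEach-Object { $_.Name })

# The built-in Administrator account keeps RID 500 in the machine SID, even if renamed.
$builtin = @($members | Where-Object {
    $_.PrincipalSource -eq 'Local' -and $_.SID.Value -like 'S-1-5-21-*-500'
})

# Included resources that are absent, and excluded resources that are present.
$missing   = @($Include | Where-Object { $_ -notin $names })
$forbidden = @($names   | Where-Object { $_ -in $Exclude })

# Members that appear in neither list; reported for manual review only.
$other     = @($names   | Where-Object {
    $_ -notin $Include -and $_ -notin $Exclude -and $_ -notin $builtin.Name
})

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    BuiltinAdminPresent = $builtin.Count -gt 0
    MissingIncludes     = $missing
    ExcludedButPresent  = $forbidden
    OtherMembers        = $other
}
```

Run it in an elevated Windows PowerShell session on the endpoint; a non-empty `MissingIncludes` or `ExcludedButPresent` means the group does not match the Include and Exclude lists.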