With Delegate365 version 8.0, besides many other features, a brand new feature has been added to Delegate365: Group OU's. In short, a Group OU can be used by Scope Admins for using members of another OU they do not manage themselves. See how this works here.
In Delegate365, Scope Admins can manage all objects of their assigned OU's. But, they could not assign other users they don't manage to any group. This is where Group OU's come in. To illustrate this new feature, let's have a look at this sample.
Our scenario is a school environment, with three logical OU's, based on the school location: Seattle, Kirkland and Bellevue, these are located in the Washington state area in the US. In the School Organization, teachers are working basically in one location, but are teaching partly at others schools as well. In their main location, teachers are fully managing their students with Delegate365. In other schools, they shall not be able to manage students there.
So, we have a Scope Admin Adele who is a teacher. Her main school is Seattle, but she also teaches in Kirkland for some hours a week. The red box shows that visually in the screenshot below. Adele is assigned to OU Seattle (her own school, highlighted in yellow), but not to Kirkland.
Now imagine, Adele creates a new Office 365 Group named HistoryCourse in Seattle. She wants to add teaching material to that group and she wants to collaborate with all members of that Office 365 Group HistoryCourse.
The issue: Cannot find users of other OU's
When adding members to Office 365 Group HistoryCourse, Adele can only add members of "her" OU Seattle... but she wants her students of Kirkland to be in that group as well.
In this sample, there exists a user Debra in OU Kirkland, managed by another administrator, but Adele does not see that user.
So, Adele cannot find Debra and add her to the group because she cannot manage OU Kirkland.
The solution: Group OU's
For enabling such a scenario, Group OU's were added to Delegate365. A Group OU is a normal OU and there's no difference to other OU's. Note, the OU management has not changed at all.
What's new is that in the administration / manage administrator's menu there's a new menu named "Edit group OUs" when a user is selected as shown in the following screenshot.
As before, "Edit OUs" assigns a user to be administrator of one or more OU's, nothing changed here.
Now, when a Portal Admin assigns a Group OU to a Delegate365 Admin, this means that that user cannot manage objects in these OU's, but he can see members of these OU's and add them to his own groups.
To align with our scenario, we simply select Adele, click "Edit group OUs" and select Kirkland and save that Group OU assignment.
Now the Group OU Kirkland can be assigned to Scope Admin Adele.
As before, she can manage only objects in Seattle, but now she will see all objects in Kirkland, without being able to manage any objects in Kirkland.
Test it with Group OU assignment
So, now it is possible to add users of OU's and Group OU's as members to any group. Adele now can find user Debra from OU Kirkland.
Finally, with Group OU's, Adele can add users from both OU's, from her own OU Seattle, and from OU Kirkland to her Office 365 Group.
Here, Debra belongs to Kirkland and Adele is assigned to Seattle.
This was not possible before the new Group OU feature.
Group OU's summary
So, here's the summary of the new Group OU's in Delegate365 version 8:
- Any OU can be a Group OU. There is no difference in the OU properties itself, it's just an assignment.
- The OU management has not changed.
- The new Group OU's can be assigned to Delegate365 Administrators (to Portal Admins and to Scope Admins) optionally.
- Portal Admins can assign Group OU's in the same way as they assign OU's in the administration / manage administrators menu.
- Administrators now can add users from assigned Group OU's to their own groups
- Also, users in Group OU's can be used for delegated permissions of mailboxes as Full control, Send as, etc. and for assigning a manager to a user - everywhere where the people picker allows to add users.
- Administrators can only manage objects of their own OU's (as before). They cannot manage objects of their assigned Group OU's.
- Reports, PowerShell cmdlets (coming soon), etc. work only for your own OU's (as before).
Group OU's allow to add or remove users of other OU's as members in your own groups without the possibility to manage the objects itself. So, Group OU's add more delegation features to Delegate365.
We think, the new Group OU's make sense to broaden the functionality for Delegate365 Administrators. See other new Delegate365 features here.