title: Group Details & Management category: Directory Browser tags: groups, members, nested, security, distribution, management priority: Normal
Group Details & Management
The Group Details page provides a complete view of any Active Directory group synchronized into IdentityCenter. Navigate to it by clicking a group in the Directory Browser, or go directly to /admin/directory/group-details/{id}.
Overview Tab
The Overview tab displays the group's core identity and configuration.
| Field | AD Attribute | Description |
|---|---|---|
| Group Name | cn / displayName |
The group's display name |
| Description | description |
Purpose or function of the group |
mail |
Email address (if mail-enabled) | |
| Managed By | managedBy |
The designated owner, shown as a clickable link to their detail page |
| Group Type | groupType bitmask |
Security or Distribution |
| Group Scope | groupType bitmask |
Domain Local, Global, or Universal |
| Distinguished Name | distinguishedName |
Full LDAP path of the group |
| When Created | whenCreated |
Date the group was created in AD |
| When Changed | whenChanged |
Date of the last modification |
Group Type and Scope Reference
Active Directory encodes both the group type and scope into a single groupType integer attribute. IdentityCenter decodes this into readable labels.
Group Types
| Type | Purpose |
|---|---|
| Security | Used to assign permissions to resources (file shares, applications, GPOs) |
| Distribution | Used for email distribution lists; cannot be used for access control |
Group Scopes
| Scope | Can Contain | Can Be Used In |
|---|---|---|
| Domain Local | Users, Global groups, and Universal groups from any domain in the forest | Permissions within the same domain only |
| Global | Users and Global groups from the same domain only | Permissions in any domain in the forest |
| Universal | Users, Global groups, and Universal groups from any domain in the forest | Permissions in any domain in the forest |
Common groupType Values
| Value | Meaning |
|---|---|
-2147483646 |
Global Security Group |
-2147483644 |
Domain Local Security Group |
-2147483640 |
Universal Security Group |
2 |
Global Distribution Group |
4 |
Domain Local Distribution Group |
8 |
Universal Distribution Group |
Members Tab
The Members tab lists all direct members of the group. Each member is displayed with a type icon and key details.
| Column | Description |
|---|---|
| Icon | Visual indicator of the member type (user, computer, group, contact) |
| Name | Clickable link to the member's detail page |
| Type | User, Computer, Group, or Contact |
| Status | Active or Disabled |
| Department | Department (for user members) |
Searching and Filtering Members
Use the search bar at the top of the Members tab to filter by name. For large groups (hundreds or thousands of members), this is essential for finding specific entries.
Nested Member Count
Below the member list, IdentityCenter displays the total nested (transitive) member count. This number includes all members reached by expanding nested groups recursively. For example, if Group A contains Group B which contains 50 users, Group A's nested member count includes those 50 users even though they are not direct members.
Tip: A large difference between the direct member count and the nested member count indicates deep nesting. Consider flattening group structures where nesting exceeds three levels.
Member Of Tab
The Member Of tab shows all groups that this group belongs to. This reveals the group's position in the nesting hierarchy and helps you understand the full scope of permissions the group inherits.
| Column | Description |
|---|---|
| Group Name | Clickable link to the parent group's detail page |
| Type | Security or Distribution |
| Scope | Domain Local, Global, or Universal |
Attributes Tab
The Attributes tab displays every synchronized AD attribute for the group in a raw key-value format. This is useful for troubleshooting or verifying specific attribute values that are not shown on the Overview tab.
Understanding Nested Groups
Direct vs. Transitive Membership
| Membership Type | Definition |
|---|---|
| Direct | The object is listed in the group's member attribute |
| Transitive (Nested) | The object is a member of a group that is itself a member of this group, at any depth |
Circular Nesting Risks
Active Directory allows circular group nesting (Group A contains Group B, Group B contains Group A). While AD itself handles this without error, it can cause:
- Unexpected permission inheritance
- Confusion when auditing access
- Policy evaluation loops in some tools
IdentityCenter detects circular nesting and flags it in the AI insights panel.
Nesting Depth Best Practices
| Depth | Recommendation |
|---|---|
| 1 level | Ideal -- simple and easy to audit |
| 2 levels | Acceptable for role-based structures |
| 3 levels | Maximum recommended depth |
| 4+ levels | Avoid -- difficult to audit, troubleshoot, and review |
GroupInsightData and AI Insights
When Intelligence features are enabled, IdentityCenter computes analytics for each group using the GroupInsightData model.
| Metric | Description |
|---|---|
| Inactive Member Count | Number of members who have not logged in within the configured threshold |
| Inactive Member Percentage | Percentage of members who are inactive |
| Nested Group Count | Number of groups contained within this group |
| Nested Group Depth | Maximum depth of group nesting |
| Security vs. Distribution | Analysis of whether the group type is appropriate for how it is being used |
AI-Generated Warnings
The insights panel may surface these common findings:
| Warning | Meaning |
|---|---|
| Large Group | Groups with over 100 direct members may be difficult to review and manage |
| High Inactive Rate | More than 50% of members have not logged in recently |
| Deep Nesting | The group is nested more than 3 levels deep |
| No Owner | The managedBy attribute is empty -- no one is accountable for this group |
| Stale Membership | Several members are disabled or have been inactive for 90+ days |
Best Practices for Group Management
Prefer security groups over distribution lists for access control. Distribution groups cannot be used to assign permissions, so using them for access creates confusion and audit gaps.
Assign an owner to every group. The
managedByattribute should point to a responsible person who can make decisions during access reviews.Limit nesting depth to three levels. Deeper nesting makes it nearly impossible to audit who has access to what.
Review large groups quarterly. Groups with more than 50 members should be reviewed regularly to remove stale entries.
Use meaningful naming conventions. Group names should indicate purpose, scope, and type (e.g.,
SEC-Finance-ReadOnly,DL-Marketing-All).Clean up empty groups. Groups with zero members serve no purpose and clutter the directory. The built-in "Empty Groups" policy can detect these automatically.
Monitor privileged groups closely. Domain Admins, Enterprise Admins, and Schema Admins should have the fewest possible members and be reviewed monthly.
Next Steps
- Browsing Objects -- Navigate and search your directory
- User Details Page -- Explore individual user accounts
- Computer, OU & Other Object Details -- Detail pages for other object types
- Object Write-Back -- Remove group members via AD write-back
- Access Reviews -- Certify group memberships periodically
- Built-In Policies Reference -- Policies that target groups (Empty Groups, Nested Group Depth, Privileged Group Size)
- AI Chat -- Query group membership data in natural language