Add or manage Windows AD Group

This guide shows you how to add Windows AD Groups to Nodinite and assign them to Roles for team-based access control.

• ✅ Add AD groups in minutes
• ✅ Assign to multiple roles
• ✅ Maintain centralized access in Active Directory
• ✅ Reduce administrative overhead

Note

New to Windows AD Groups? Read What is a Windows AD Group? first to understand the concept, prerequisites, and when to use groups vs individual Users.

Before You Begin

Ensure you have:

• Roles created in Nodinite to assign to the group
• Administrator permissions in Nodinite
• Active Directory group name ready (format: DOMAIN\GroupName)

Tip

Create your Roles first with appropriate Log View, Monitor View, and Repository Model permissions before adding Windows AD Groups.

Accessing Windows AD Groups Management

Navigate to Administration → Access Management → Windows AD Groups in the Nodinite Web Client.

Location of the "Add Windows AD Group" button in the Windows AD Groups interface.

Step 1: Add a New Windows AD Group

Click the Add Windows AD Group button to create a new Windows AD Group entry in Nodinite.

A form appears for entering the group details.

Example of the Windows AD Group configuration form showing required and optional fields.

Step 2: Enter Group Details

Mandatory Fields

Name

The Name field is required and must match exactly the format used in Active Directory.

Format requirements:

• Domain\GroupName format (e.g., CONTOSO\Integration Team)
• Must match an existing AD security group
• Case-sensitive in some environments
• Backslash (\) separates domain from group name

Example names:

• CONTOSO\Finance Team
• PROD\Integration Developers
• CORPORATE\Business Analysts

Warning

The group name must match exactly with your Active Directory group. If the name is incorrect or the group doesn't exist, users will not be able to authenticate.

Need help with AD group names? See Microsoft's documentation on AD security groups

Optional Fields

Description

The Description field is optional but highly recommended for documentation purposes.

Best practices for descriptions:

• Explain what team or department this group represents
• Note the access level granted (e.g., "Finance team - read-only access to finance logs")
• Include contact information for the group owner
• Mention any special permissions or restrictions

Example descriptions:

• Finance department users - access to SAP and Oracle integration logs
• Integration developers - full access to test environment, read-only in production
• Business analysts from EMEA region - monitor views for customer orders

Tip

Good descriptions help future administrators understand the purpose of each group without needing to look up details in Active Directory.

Step 3: Assign Role Membership

After entering the group details, you must assign the Windows AD Group to one or more Roles to grant access permissions.

Important

A Windows AD Group without any Role assignments grants no access to Nodinite. Users in the group will be able to authenticate but won't see any data or features.

Assign Roles

1. Click the Edit button next to "Roles" to open the role assignment dialog
2. A modal window displays all available Roles in Nodinite

Example of the role selection modal showing available roles.

1. Check the boxes next to the Roles you want to assign to this Windows AD Group
2. You can assign the group to multiple Roles - permissions are cumulative
3. Click Save to persist the role assignments

Example showing a Windows AD Group assigned to multiple roles for comprehensive access control.

Understanding Role Assignment

Permissions are cumulative:

If a Windows AD Group is assigned to multiple Roles, users in that group receive all permissions from all Roles.

Example:

• CONTOSO\Integration Team is assigned to:
  • "Developer" Role - Access to test Log Views, Repository Model
  • "Monitor" Role - Access to production Monitor Views
• Result: All members of CONTOSO\Integration Team have access to test logs, Repository Model, and production monitors

Tip

Common Role assignment patterns:

• Development teams - Assign to "Developer" and "Test Environment" roles
• Operations teams - Assign to "Production Monitor" and "Remote Actions" roles
• Business users - Assign to specific Log View roles for their business domain
• Administrators - Assign to "Administrator" role for full access

Empty Role List?

If the role list is empty, you need to create Roles first:

1. Navigate to Administration → Access Management → Roles
2. Create one or more Roles with appropriate permissions
3. Return to Windows AD Groups to assign the newly created Roles

Note

You can create Roles at any time, even after adding Windows AD Groups. Simply edit the group later to add new role assignments.

Step 4: Save and Verify

After assigning Roles, click Save to create the Windows AD Group entry.

Verification steps:

1. The group appears in the Windows AD Groups list
2. The "Roles" column shows assigned role names
3. Users who are members of this AD group can now log in to Nodinite
4. Have a test user (member of the AD group) log in to verify permissions

Editing Existing Windows AD Groups

To modify an existing Windows AD Group:

1. Open the Windows AD Groups list
2. Click the Edit button on the group you want to modify
3. Update the Description or Role assignments as needed
4. Click Save to apply changes

Changing Role Assignments

Role assignments can be changed at any time:

• Add roles - Grant additional permissions to the group
• Remove roles - Revoke specific permissions
• Replace roles - Uncheck old roles and check new ones

Warning

Removing roles takes effect immediately. Users currently logged in may lose access to features they were using. Consider communicating changes to affected users.

Common Use Cases

Scenario 1: Onboarding a New Development Team

Goal: Grant 10 new developers access to test environment

Steps:

1. IT creates AD group CONTOSO\NewDevTeam and adds developers
2. In Nodinite, add Windows AD Group named CONTOSO\NewDevTeam
3. Assign to Roles: "Developer", "Test Environment Access"
4. Developers automatically get access when added to AD group

Benefit: No need to add 10 individual users in Nodinite

Scenario 2: Temporary Project Access

Goal: Grant contractors access for 3-month project

Steps:

1. IT creates temporary AD group CONTOSO\ProjectX Contractors
2. In Nodinite, add Windows AD Group with description "Project X - ends Dec 2026"
3. Assign to Role "Project X Log Views"
4. When project ends, IT deletes AD group (or removes Nodinite access)

Benefit: Access management happens in AD, Nodinite automatically respects group membership

Scenario 3: Regional Team Access

Goal: Grant EMEA finance team access to European integration logs

Steps:

1. Use existing AD group CORPORATE\EMEA Finance
2. In Nodinite, add Windows AD Group
3. Assign to Role "EMEA Finance Log Views" (created with geographic filters)
4. Team sees only relevant European log data

Benefit: Centralized regional access control aligned with org structure

Benefit: Centralized regional access control aligned with org structure

Best Practices for Managing Windows AD Groups

Descriptions and Documentation

• Write clear descriptions explaining team/department and access level
• Include contact information for the group owner or manager
• Document special permissions or temporary access grants
• Update descriptions when team structure or purpose changes

Regular Maintenance

• Quarterly reviews - Verify groups still align with business needs
• Remove unused groups - Delete groups no longer needed in Nodinite
• Monitor Log Audits - Track who's accessing what data
• Coordinate with IT - Ensure AD changes are reflected in Nodinite

Troubleshooting

Users in AD Group Cannot Log In

Problem: Active Directory group members cannot authenticate to Nodinite

Solutions:

1. Verify domain trust - Ensure Nodinite server can reach the AD domain controller
2. Check group name format - Must be DOMAIN\GroupName (exact match)
3. Confirm group type - Must be a Security group, not Distribution group
4. Test with domain admin - Verify AD authentication is working

Users Can Log In But See No Data

Problem: Users authenticate successfully but have no access to features

Solutions:

1. Check Role assignments - Windows AD Group must be assigned to at least one Role
2. Verify Role permissions - Assigned Roles must have Log View, Monitor View, or Repository Model permissions configured
3. Check user membership - Confirm user is actually a member of the AD group
4. Wait for cache refresh - Group membership changes can take a few minutes to propagate

"Bad format for domain and user provided" Error

Problem: Error when saving Windows AD Group

Solutions:

1. Use backslash - Format must be DOMAIN\GroupName, not DOMAIN/GroupName
2. Verify domain name - Use NetBIOS name (e.g., CONTOSO), not FQDN (e.g., contoso.com)
3. Check for typos - Group name must match exactly
4. Test in AD - Verify group exists: Get-ADGroup -Identity "GroupName"

Group Shows in List But Permissions Not Working

Problem: Windows AD Group is configured but members don't have expected access

Solutions:

1. Verify Role permissions - Check what the assigned Roles actually grant
2. Check for conflicting access rules - Review Log View and Monitor View filters
3. Test with individual User - Add test user directly to verify it's a group issue
4. Review Log Audits - Check Log Audits for authentication or authorization errors

---

Next Step

Windows AD Groups - Overview – View and manage all Windows AD Groups
Add or manage Role – Create Roles to assign to groups
Permission Set for Log Views – Configure Log View access
Permission Set for Monitor Views – Configure Monitor View access

Related Topics

Access Management

Access Management – Main access control overview
Add or manage User – Add individual users (alternative to groups)
Roles – Understanding role-based access control
What is a Windows AD Group? – Concept overview

Permission Configuration

Permission Set for Log Views – Grant access to log data
Permission Set for Monitor Views – Grant monitoring dashboard access
Permission Set for the Repository Model – Grant integration documentation access

Features and Administration

Log Views – Log data viewing
Monitor Views – Monitoring dashboards
Log Audits – Track user activity and changes
Web Client – User interface

Alternative Authentication Modes

Claims – OIDC/OAuth 2.0 authorization (alternative to Windows AD Groups)
Policies – OIDC/OAuth 2.0 Policy management