# Group provisioning

{% hint style="info" %}
Principal identifier: `SamAccountName`
{% endhint %}

To create a new group, OpenIAM must send at a minimum `Name` and `GroupScope`.

## Enabling group provisioning in OpenIAM

Before group provisioning works, you need to enable the relevant fields in the connector configuration:

{% stepper %}
{% step %}

## Go to the connector configuration

Go to **Webconsole → Provisioning → Connectors → AD PowerShell Connector → Connector configuration**.
{% endstep %}

{% step %}

## Enable the required checkboxes

Enable the following checkboxes:

* Base DN for Group
* Object Primary Key for Group
* Search Base DN for Group
* Search Filter for Group
{% endstep %}

{% step %}

## Save the configuration

Click **Save**.
{% endstep %}

{% step %}

## Update the managed system

Open the managed system edit page, populate the new group fields, and save.
{% endstep %}

{% step %}

## Ensure a policy map exists

Ensure a policy map exists for the group object. If not, create one by copying from an out-of-the-box managed system.
{% endstep %}
{% endstepper %}

***

## Parameters

| Parameter      | Description                                                                                                                           | Required | Type      |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
| Name           | Name of the group object (LDAP: `name`).                                                                                              | Yes      | String    |
| GroupScope     | Scope of the group: `DomainLocal`, `Global`, or `Universal` (LDAP: `groupType`).                                                      | Yes      | String    |
| Description    | Description of the group (LDAP: `description`).                                                                                       | No       | String    |
| DisplayName    | Display name of the group (LDAP: `displayName`).                                                                                      | No       | String    |
| GroupCategory  | Group category: `Distribution` or `Security` (LDAP: `groupType`).                                                                     | No       | String    |
| HomePage       | URL of the group's home page (LDAP: `wWWHomePage`).                                                                                   | No       | String    |
| Instance       | An existing group to use as a template for the new group.                                                                             | No       | String    |
| ManagedBy      | User or group that manages this object. Accepts DN, GUID, SID, or SAMAccountName (LDAP: `managedBy`).                                 | No       | String    |
| MemberOf       | Key-Value pairs of group DNs with values `add`, `nochange`, or `delete`.                                                              | No       | Key-Value |
| Members        | Key-Value pairs of member object DNs with values `add`, `nochange`, or `delete`. On creation, only `add` and `nochange` are accepted. | No       | Key-Value |
| Path           | Destination path in Distinguished Name format for the new object.                                                                     | No       | String    |
| SamAccountName | SAM account name. Maximum 20 characters (LDAP: `sAMAccountName`).                                                                     | No       | String    |
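
The constraints in the table can be checked before a group-creation request is handed to the connector. The following PowerShell is an added example, not OpenIAM's connector code; `Test-GroupCreateRequest`, the sample group name, and the sample DNs are hypothetical.

```powershell
# Added example: pre-flight check of a group-creation request against the parameter table.
# Test-GroupCreateRequest is a hypothetical helper, not part of the OpenIAM connector.
function Test-GroupCreateRequest {
    param([Parameter(Mandatory)][hashtable]$Request)
    $problems = [System.Collections.Generic.List[string]]::new()

    # Name and GroupScope are the only required parameters.
    foreach ($key in 'Name', 'GroupScope') {
        if ([string]::IsNullOrWhiteSpace([string]$Request[$key])) { $problems.Add("$key is required") }
    }

    # Enumerated values listed in the table.
    $enums = @{ GroupScope = 'DomainLocal', 'Global', 'Universal'; GroupCategory = 'Distribution', 'Security' }
    foreach ($key in $enums.Keys) {
        if ($Request[$key] -and $Request[$key] -notin $enums[$key]) {
            $problems.Add("${key}: '$($Request[$key])' is not an accepted value")
        }
    }

    # SamAccountName length limit stated in the table.
    if ("$($Request['SamAccountName'])".Length -gt 20) { $problems.Add('SamAccountName exceeds 20 characters') }

    # Membership maps: on creation, Members accepts only 'add' and 'nochange'.
    $ops = @{ Members = 'add', 'nochange'; MemberOf = 'add', 'nochange', 'delete' }
    foreach ($key in $ops.Keys) {
        if ($Request[$key] -isnot [hashtable]) { continue }
        foreach ($dn in $Request[$key].Keys) {
            $op = $Request[$key][$dn]
            if ($op -notin $ops[$key]) { $problems.Add("${key}: '$op' is not accepted for $dn") }
        }
    }
    $problems
}

# Constructed sample request: SamAccountName is too long and Members contains 'delete'.
$request = @{
    Name           = 'App-Finance-Readers'
    GroupScope     = 'Global'
    GroupCategory  = 'Security'
    SamAccountName = 'App-Finance-Readers-Production'
    Members        = @{
        'CN=jdoe,OU=Users,DC=example,DC=com'   = 'add'
        'CN=asmith,OU=Users,DC=example,DC=com' = 'delete'
    }
}
@(Test-GroupCreateRequest -Request $request) | ForEach-Object { Write-Warning $_ }
```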

