
Group Assignments

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Active Directory group membership
PURPOSE: Map accounts to security groups
MASTER REFERENCE: Microsoft Learn - AD Prerequisites

Status: Active


Overview

Optional

📋 Optional Step: Group assignments are only required if you created optional security groups in Step 2.

Map accounts to security groups created in Step 2.

info

The Active Directory information in these documents should have been decided in the planning and discovery phases. The values shown are examples only. Update your scripts with the correct OU information, security groups, DNS settings, etc.

Prerequisites

  • Security groups created (Step 2)
  • Service and admin accounts created (Step 4)
  • Domain admin access for group management

Variables from variables.yml

Variable Path | Type | Description
identity.accounts.account_lcm_username | string | LCM account name (cluster ID extracted for group lookup)
identity.active_directory.security_groups | object | Full security groups configuration object
identity.active_directory.security_groups.<key>.name | string | Security group name per role
identity.active_directory.security_groups.<key>.members | string | Members to assign to each group

Procedures

  1. Open Active Directory Users and Computers.
  2. For each group below, right-click → Properties → Members → Add the listed accounts/groups:
     Security Group | Members to Add
     SG-AzureLocal-Administrators | Break-glass admin, enterprise admin group
     SG-AzureLocal-Operations | Operations team group
     SG-AzureLocal-ReadOnly | Support / read-only group
     SG-AzureLocal-WAC-Administrators | WAC admin group (may overlap with Administrators)
     SG-AzureLocal-WAC-Users | Support / read-only group
     SG-AzureLocal-HyperV-Administrators | Hyper-V admin group
     SG-AzureLocal-Storage-Administrators | Storage admin group
  3. Record membership snapshot in deployment tracking document.
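The manual ADUC steps above can also be run as a scripted, re-runnable assignment. The following PowerShell is an added example, not one of the runbook's own scripts: the group names are the ones in the table, while the member names, the `$groupMappings` variable and the snapshot path are constructed placeholders to be replaced with values from variables.yml.

```powershell
# Added example, not part of the runbook: idempotent group assignment driven by a
# mapping shaped like identity.active_directory.security_groups.<key>.{name,members}.
# Group names are the runbook's; member names are constructed placeholders.
Import-Module ActiveDirectory

$groupMappings = @{
    'SG-AzureLocal-Administrators'         = @('breakglass-admin', 'Enterprise Admins')
    'SG-AzureLocal-Operations'             = @('GRP-Ops-Team')
    'SG-AzureLocal-ReadOnly'               = @('GRP-Support-ReadOnly')
    'SG-AzureLocal-WAC-Administrators'     = @('GRP-WAC-Admins')
    'SG-AzureLocal-WAC-Users'              = @('GRP-Support-ReadOnly')
    'SG-AzureLocal-HyperV-Administrators'  = @('GRP-HyperV-Admins')
    'SG-AzureLocal-Storage-Administrators' = @('GRP-Storage-Admins')
}

foreach ($groupName in $groupMappings.Keys) {
    # The group must already exist from Step 2; stop rather than create it here.
    $group   = Get-ADGroup -Identity $groupName -ErrorAction Stop
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

    foreach ($member in $groupMappings[$groupName]) {
        if ($current -contains $member) {
            Write-Host "[skip] $member is already in $groupName"
            continue
        }
        try {
            Add-ADGroupMember -Identity $group -Members $member -ErrorAction Stop
            Write-Host "[add]  $member -> $groupName" -ForegroundColor Green
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Matches the runbook's "Cannot find an object with identity" case.
            Write-Warning "$member not found; check the SAM account name from Steps 2 and 4"
        }
        catch {
            # "already a member" is benign (see Troubleshooting); anything else is surfaced.
            if ($_.Exception.Message -match 'already a member') { Write-Host "[skip] $member" }
            else { Write-Warning "Failed to add $member to ${groupName}: $($_.Exception.Message)" }
        }
    }
}

# Membership snapshot for the deployment tracking document (constructed output path).
$groupMappings.Keys | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
} | Export-Csv -Path "$env:TEMP\sg-membership-snapshot.csv" -NoTypeInformation
```

Run it from an account that holds group-management rights; because existing members are skipped before Add-ADGroupMember is called, re-running after a partial failure adds only what is still missing.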

Verification

# Requires the RSAT ActiveDirectory module on the admin workstation.
Import-Module ActiveDirectory

$groups = @(
    "SG-AzureLocal-Administrators",
    "SG-AzureLocal-Operations",
    "SG-AzureLocal-ReadOnly",
    "SG-AzureLocal-WAC-Administrators",
    "SG-AzureLocal-WAC-Users",
    "SG-AzureLocal-HyperV-Administrators",
    "SG-AzureLocal-Storage-Administrators"
)
foreach ($g in $groups) {
    Write-Host "`n$g" -ForegroundColor Cyan
    # Lists direct members only. A missing group is skipped silently, so an empty
    # listing means either no members or a group that was not created in Step 2.
    Get-ADGroupMember $g -ErrorAction SilentlyContinue | Select-Object SamAccountName
}

Validation Checklist

  • All 7 security groups have at least one member assigned
  • Break-glass admin added to Administrators group
  • Enterprise admin group mapped to Administrators
  • Operations team mapped to Operations group
  • Support/read-only group mapped to ReadOnly and WAC-Users
  • WAC-Administrators, HyperV-Administrators, Storage-Administrators populated
  • Membership snapshot documented in deployment tracking

Troubleshooting

Common Issues

"Member already exists": Add-ADGroupMember throws this when the member is already assigned. The scripts handle this with try/catch — safe to ignore.

"Cannot find an object with identity": The account or group name doesn't exist. Verify the SAM account name matches what was created in Steps 2 and 4.

Nested group membership not resolving: If you add a group as a member of another group, members of the nested group inherit permissions only if the application supports nested group evaluation. Azure Local and WAC both support this.

Support Resources


Data verified with internal source [Azure Local Provisioning Runbook] and Docusaurus documentation release note dated 2025-12-08.

Next Steps

After completing group assignments, proceed to Phase 09 - Enterprise Network Readiness Validation to validate network prerequisites, or review the Active Directory Preparation Overview for the complete process.



Version Control

Version | Date | Author | Changes
1.0 | 2026-01-31 | Azure Local Cloud Azure Local Cloudnology | Initial document
1.1 | 2026-03-03 | Azure Local Cloud Azure Local Cloudnology | Standardized runbook format

End of Task