Applications in Shopping can be configured to enable membership of two selected AD groups, one group for the user and the other for the user's computer. When the application is shopped for the user's user account and/or computer account get added to the group. For example, an organization may want to do this in order to provide self-service access to shares, or use domain groups to grant access to an application database.
The latest version of Shopping also allows AD group membership to be revoked when the application is uninstalled and supports AD group membership rental.
An example application
To illustrate AD integration we will use an example application called ACME DataMater, this application is intended to provide data mining capabilities and so requires access to shares and databases.
The User AD Group we are going to select is one called ACME DataMater DB Access, this is configured in our example network to enable appropriate database access for users of the ACME DataMater application.
The Computer AD Group we will use is one called ACME DataMater Share Access, this is configured in our example network to enable a share on the machine where the ACME DataMater application is installed.
Saving the changes
Having set the groups, we then click OK to store the settings with the application. At this point, Shopping will confirm that the Shopping Central Service Account service account has write access to the selected groups. If this is not the case, a warning dialog will appear and the Properties dialog will not close, preventing the selection of the groups. To resolve this issue, you should contact the AD Administrator and ensure that the Shopping Central Service Account service account gets the appropriate write permission to modify the membership of the selected groups.