Group mappings are used to determine the security or distribution groups that a user should (or should not) be a member of.
When setting up a group mapping, you select the Active Directory group that you want to set up as well as an expression that will determine if the user will or will not be a member.
If the expression evaluates to true, then the user will be a member of the group and if the expression evaluates to false, then the user will not be a member of the group.
We can use either a simple or conditional expression in the mappings. The possibilities of what can be done with expressions are plentiful as any C# expression can be used.
Remember that Connect to AD also supports conditional expressions, which allow you to evaluate multiple conditions before determining which value to use in the mapping.
When setting up a group mapping, there is an option called Add only (do not remove users from this group).
If Add only (do not remove users from this group) is switched on, then users for whom the expression evaluates to false will not be removed from the group if they are currently a member of it.
Remove from All Groups
The Remove from All Groups mapping is a special group mapping that can be used to remove a user from all the groups they are currently a member of.
When a user matches the defined expression, they will be removed from all their current groups (except their primary group).
This is especially useful for terminated employees. If the expression is set to:
Employment.EmployeeStatusCode == "T"
then a terminated employee will meet this condition: they will be removed from all groups, and no other group mappings will be processed.
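
The rules above can be checked as a dry run before relying on them for deprovisioning. The following C# model is an added example, not Connect to AD code: the record types, the DepartmentCode field, the group names and the choice to evaluate Remove from All Groups before the other mappings are assumptions made for illustration.

```csharp
// Added illustration, not Connect to AD code. The types, the DepartmentCode field,
// the group names and evaluating "Remove from All Groups" first are assumptions.
using System;
using System.Collections.Generic;

record Employment(string EmployeeStatusCode, string DepartmentCode);
record User(string Name, Employment Employment, string PrimaryGroup, string[] Groups);
record GroupMapping(string Group, Func<User, bool> Expression, bool AddOnly = false);

static class GroupMappingDryRun
{
    // Returns the groups the user would hold after one synchronization pass.
    public static SortedSet<string> Plan(User user, Func<User, bool> removeFromAll,
                                         IEnumerable<GroupMapping> mappings)
    {
        var result = new SortedSet<string>(user.Groups);
        if (removeFromAll(user))
        {
            // Every group except the primary group goes; no other mapping is processed.
            result.RemoveWhere(g => g != user.PrimaryGroup);
            return result;
        }
        foreach (var m in mappings)
        {
            if (m.Expression(user)) result.Add(m.Group);      // true: user is a member
            else if (!m.AddOnly) result.Remove(m.Group);      // false: removed unless Add only
        }
        return result;
    }

    static void Main()
    {
        Func<User, bool> terminated = u => u.Employment.EmployeeStatusCode == "T";
        var mappings = new[]
        {
            new GroupMapping("Finance-Users", u => u.Employment.DepartmentCode == "FIN"),
            new GroupMapping("VPN-Access", u => u.Employment.DepartmentCode == "FIN", AddOnly: true),
        };
        var held = new[] { "Domain Users", "Finance-Users", "VPN-Access" };
        var users = new[]   // constructed sample users
        {
            new User("transferred", new Employment("A", "HR"), "Domain Users", held),
            new User("terminated", new Employment("T", "FIN"), "Domain Users", held),
        };
        foreach (var u in users)
            Console.WriteLine($"{u.Name}: {string.Join(", ", Plan(u, terminated, mappings))}");
    }
}
```

In this model the transferred user loses Finance-Users but keeps VPN-Access because that mapping is Add only, while the terminated user is left with only the primary group. Groups mapped with Add only therefore need their own periodic membership review, since a false expression never revokes them.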