Home / server / Questions / 488365
Accepted
Vinícius Ferrão
Asked: 2013-03-16 20:56:20 +0800 CST

Creating a Dynamic Group in Active Directory with users from a OU

  • 772

I would like to create a dynamic group with users from a specific OU in my Active Directory. I can do this perfectly using Exchange Dynamic Distribution List, but of course, Ex DDL's are only for mail.

There's any way to create this? I've found some guides using System Center to handle this, but System Center isn't an option.

Thanks in advance,

active-directory

6 Answers

  1. Best Answer

    There is no such thing as a Dynamic Security Group in Active Directory, only Dynamic Distribution groups.

    To accomplish this, I think the most viable option would be to have a Powershell script determining who are in the given OU and updating the security group accordingly, maybe like this:

    Import-Module ActiveDirectory
$groupname = PseudoDynamicGroup
$users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"
foreach($user in $users)
{
  Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
  if($member.distinguishedname -notlike "*ou=desiredUsers,dc=domain,dc=tld*")
  {
    Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
  }
}
    • 12

  2. I'm answering my own question. With the PowerShell ideas of Mathias I've found this on the internet:

    https://github.com/davegreen/shadowGroupSync

    Features

    • Sync user or computer objects from one or more OUs to a single group.
    • Ability to filter objects included in the shadow group using the PowerShell Active Directory Filter.
    • Ability to choose shadow group type (Security/Distribution).

    The author's blog contains additional information about the design and motives for the tool.

    • 4

  3. This can be done with Adaxes. Technically it will dynamically update group membership once users are updated/moved. Here's an example how to automatically maintain group membership based on Department attribute, but it's very easy to modify it to do same thing based on the OU. http://www.adaxes.com/tutorials_AutomatingDailyTasks_AddUsersToGroupsByDepartment.htm

    • 3

  4. I've also looked for a way to create dynamic security groups in Active Directory, and came to the conclusion as Mathias. My solution wasn't as elegant as his, I use a scheduled powershell-script to remove all users from the groups, and then fill them with the users in the OU. In addition I made sure that the sub-OUs groups got added to the parent OUs security group where it fitted.

    import-module ActiveDirectory
Get-ADGroupMember OU_GroupName | % { Remove-ADGroupMember 'OU_GroupName' -Members $_ -Confirm:$false}
Get-ADUser -SearchBase 'OU=OUName,OU=ParentOUName,DC=DomainName,DC=TopDomainName' -Searchscope 1 -Filter * | % { Add-ADGroupMember 'OU_GroupName' -Members $_ }
Add-ADGroupMember -Identity "OU_ParentName" -Members "OU_ChildOneName", "OU_ChildTwoName", "OU_ChildThreeName"

    Not sure if this scales well in a big company, but the script only use a few minutes in our 300 user company.

    • 1

  5. The easiest way is to use DynamicGroup. http://www.firstattribute.com/en/active-directory/ad-automation/dynamic-groups/

    We are running it in various environments after a migration from Novell to Active Directory.

    It's a software to automatically create OU groups, department groups and so on. Just create the filter and and that's it.

    • 1

  6. To the statement left by another member. If you don't run this from a Domain Controller you will need to either provide a static entry by replacing $domainController or you can add another , followed by $DomainController and pass that info.

    To add a user to a group

    Function AddUserToGroup($Group, $User, $DomainController)
{
 if(!(Get-ADGroupMember -Identity $group | ?{$_.name -eq $User}))
 {
  Add-ADGroupMember -Identity $group -Members $User -Server $DomainController
 }
 else
 {
  return  "The user: $User is already in the $group"
 }
}

    To remove a user you can do the same thing.

    Function RemoveUserFromGroup($Group, $User, $DomainController)
{
 if((Get-ADGroupMember -Identity $group | ?{$_.name -eq $User}))
 {
  Remove-ADGroupMember -Identity $group -Members $User -Server $DomainController
 }
 else
 {
  return "The user: $User is not a member of $group"
 }
}

    Now to use this you can do this...

    $Users = Get-Aduser -Filter *
Foreach($user in $users)
{
  AddUserToGroup "SomeGroup" $user.name "ServerName"  
}

    or

    It would be best to have a disabled users OU or something where this can take place or if you switch OU's such as site or group

    $Users = Get-Aduser -Filter * 
Foreach($user in $users)
{
  RemoveUserToGroup "SomeGroup" $user.name "ServerName"  
}
    • 0