8

I would like to create a dynamic group with users from a specific OU in my Active Directory. I can do this perfectly using Exchange Dynamic Distribution List, but of course, Ex DDL's are only for mail.

Is there any way to create this? I've found some guides using System Center to handle this, but System Center isn't an option.

Thanks in advance,

Vinícius Ferrão

6 Answers

12

There is no such thing as a Dynamic Security Group in Active Directory, only Dynamic Distribution groups.

To accomplish this, I think the most viable option would be to have a PowerShell script determining who are in the given OU and updating the security group accordingly, maybe like this:

Import-Module ActiveDirectory
# Name of the security group that mirrors the OU (string must be quoted)
$groupname = "PseudoDynamicGroup"
# Every user object under the OU (subtree) is a desired member
$users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"
foreach($user in $users)
{
  # Adding an existing member raises an error; suppress it so the loop continues
  Add-ADGroupMember -Identity $groupname -Members $user.SamAccountName -ErrorAction SilentlyContinue
}
# Second pass: drop anyone who is no longer located under the OU
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
  if($member.DistinguishedName -notlike "*ou=desiredUsers,dc=domain,dc=tld")
  {
    Remove-ADGroupMember -Identity $groupname -Members $member.SamAccountName -Confirm:$false
  }
}
Mathias R. Jessen
  • +1 Can I have such a script run on my Active Directory periodically to make sure my AD groups are up-to-date? Or maybe somehow subscribe to some event system? I'm a developer not an administrator but I can influence the administrator and my manager – Lzh Feb 19 '14 at 06:29
  • I'd do the removes first, just so it doesn't recheck user objects we just checked (and added) – xXhRQ8sD2L7Z Sep 07 '15 at 10:30
4

I'm answering my own question. With the PowerShell ideas of Mathias I've found this on the internet:

https://github.com/davegreen/shadowGroupSync

Features

  • Sync user or computer objects from one or more OUs to a single group.
  • Ability to filter objects included in the shadow group using the PowerShell Active Directory Filter.
  • Ability to choose shadow group type (Security/Distribution).

The author's blog contains additional information about the design and motives for the tool.

Vinícius Ferrão
  • If Mathias was the one who helped you, then you should accept his answer. He gave you the insight! – Lzh Feb 19 '14 at 06:27
3

This can be done with Adaxes. Technically it will dynamically update group membership once users are updated/moved. Here's an example of how to automatically maintain group membership based on the Department attribute, but it's very easy to modify it to do the same thing based on the OU. http://www.adaxes.com/tutorials_AutomatingDailyTasks_AddUsersToGroupsByDepartment.htm

1

I've also looked for a way to create dynamic security groups in Active Directory, and came to the same conclusion as Mathias. My solution wasn't as elegant as his: I use a scheduled PowerShell script to remove all users from the groups, and then fill them with the users in the OU. In addition I made sure that the sub-OUs' groups got added to the parent OU's security group where it fitted.

Import-Module ActiveDirectory
# 1. Empty the group (membership is briefly empty until step 2 completes)
Get-ADGroupMember 'OU_GroupName' | % { Remove-ADGroupMember 'OU_GroupName' -Members $_ -Confirm:$false }
# 2. Refill it with the users directly under the OU (-SearchScope 1 = OneLevel, no sub-OUs)
Get-ADUser -SearchBase 'OU=OUName,OU=ParentOUName,DC=DomainName,DC=TopDomainName' -SearchScope 1 -Filter * | % { Add-ADGroupMember 'OU_GroupName' -Members $_ }
# 3. Nest the child-OU groups into the parent-OU group
Add-ADGroupMember -Identity "OU_ParentName" -Members "OU_ChildOneName", "OU_ChildTwoName", "OU_ChildThreeName"

Not sure if this scales well in a big company, but the script only uses a few minutes in our 300-user company.

  • From a practical vantage point, your solution is fine (for a few hundred users). However, by adding all first (and suppressing warnings/errors for duplicates), and then removing only non-matches, you 1) minimize the number of attribute updates to the AD object and 2) workaround the risk of somebody authenticating and missing a Security Group in their token, should they happen to come online while your script is running. – Mathias R. Jessen Apr 05 '13 at 21:05
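The accepted answer and the comment just above describe the same reconciliation loop: read the users under the OU, add the ones that are missing, and only then remove members that no longer belong, so that nobody momentarily loses the group from their access token. The script below is an added example that implements that loop as a set difference; it is not code from any answer on this page or from the shadowGroupSync project. The OU distinguished name, the group name and the script file name (Sync-ShadowGroup.ps1) are placeholders; the domain-controller parameter is an assumption for when the task does not run on a DC.

```powershell
# Sync-ShadowGroup.ps1 (hypothetical file name). Added example, not from the thread.
# Makes a security group's direct membership equal to the set of enabled users
# under one OU. Supports -WhatIf / -Confirm via SupportsShouldProcess.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder values; replace with the real OU DN and group name.
    [string]$SearchBase       = 'OU=desiredUsers,DC=domain,DC=tld',
    [string]$GroupName        = 'PseudoDynamicGroup',
    # Optional: pin all reads and writes to one DC so they see the same replica.
    [string]$DomainController = '',
    # Membership criterion; excludes disabled accounts by default.
    [string]$Filter           = 'Enabled -eq $true'
)

Import-Module ActiveDirectory

$common = @{}
if ($DomainController) { $common.Server = $DomainController }

# Desired state: DNs of matching users anywhere under the OU.
$desired = @(Get-ADUser -Filter $Filter -SearchBase $SearchBase -SearchScope Subtree @common |
             Select-Object -ExpandProperty DistinguishedName)

# Safety valve: an empty result (wrong filter, wrong OU) would otherwise
# empty the group and strip access from everyone in it.
if ($desired.Count -eq 0) {
    throw "No users matched filter '$Filter' under '$SearchBase'; refusing to empty '$GroupName'."
}

# Current state: read the 'member' attribute directly. Get-ADGroupMember caps
# results at 5000 objects by default; the attribute read does not.
$group   = Get-ADGroup -Identity $GroupName -Properties member @common
$current = @($group.member)

# DNs are case-insensitive, so compare with an ordinal-ignore-case set.
$cmp        = [System.StringComparer]::OrdinalIgnoreCase
$desiredSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$desired, $cmp)
$currentSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$current, $cmp)

$toAdd    = @($desired | Where-Object { -not $currentSet.Contains($_) })
# Anything in the group that is not a desired user (moved users, stale
# nested groups, computers) is removed: the group is fully managed.
$toRemove = @($current | Where-Object { -not $desiredSet.Contains($_) })

# Order matters: add first, then remove, so a user who is moved between OUs
# (or logs on mid-run) never observes a window with the group missing.
if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $group -Members $toAdd @common
}
if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false @common
}

# One summary object per run; suitable for a scheduled-task log or SIEM pickup.
[pscustomobject]@{
    Group     = $GroupName
    Desired   = $desired.Count
    Added     = $toAdd.Count
    Removed   = $toRemove.Count
    Timestamp = (Get-Date).ToString('o')
}
```

Run it once with `.\Sync-ShadowGroup.ps1 -WhatIf` to see which DNs would be added and removed before scheduling it. Because membership is derived from the distinguished name, a user who is moved out of the OU is removed on the next run and one moved in is added; matching on DN rather than on the CN also avoids the ambiguity of two accounts sharing a display name. The task account only needs write access to the group's member attribute, not broader directory rights.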
1

The easiest way is to use DynamicGroup. http://www.firstattribute.com/en/active-directory/ad-automation/dynamic-groups/

We are running it in various environments after a migration from Novell to Active Directory.

It's software to automatically create OU groups, department groups and so on. Just create the filter and that's it.

Matthias
0

To the statement left by another member: if you don't run this from a Domain Controller, you will need to either provide a static entry by replacing $DomainController, or add another comma followed by $DomainController and pass that info.

To add a user to a group

Function AddUserToGroup($Group, $User, $DomainController)
{
 # Query the same DC that the write goes to, so the membership check is consistent
 if(!(Get-ADGroupMember -Identity $Group -Server $DomainController | Where-Object { $_.Name -eq $User }))
 {
  Add-ADGroupMember -Identity $Group -Members $User -Server $DomainController
 }
 else
 {
  return "The user: $User is already in the $Group"
 }
}

To remove a user you can do the same thing.

Function RemoveUserFromGroup($Group, $User, $DomainController)
{
 # Only attempt the removal when the user is actually a direct member
 if((Get-ADGroupMember -Identity $Group -Server $DomainController | Where-Object { $_.Name -eq $User }))
 {
  Remove-ADGroupMember -Identity $Group -Members $User -Server $DomainController -Confirm:$false
 }
 else
 {
  return "The user: $User is not a member of $Group"
 }
}

Now to use this you can do this...

$Users = Get-ADUser -Filter *
Foreach($user in $Users)
{
  AddUserToGroup "SomeGroup" $user.Name "ServerName"
}

or

It would be best to have a disabled-users OU or something where this can take place, or if you switch OUs such as site or group.

$Users = Get-ADUser -Filter *
Foreach($user in $Users)
{
  # Calls the removal function defined above (the function is RemoveUserFromGroup)
  RemoveUserFromGroup "SomeGroup" $user.Name "ServerName"
}
  • This response serves no purpose and adds no value to the question at all. The functions are inefficient and provide no inherent value; both functions 1. double the amount of calls to be made, 2. specifically only work if the CN of the user is used (limiting the native cmdlets' functionality), 3. do not follow the recommended Verb-Noun naming pattern of PowerShell functions, and 4. the second function actually ADDs users to a group, instead of removing them. The accepted answer from 6 years ago is accurate, complete, and functional. I see no reason why an additional answer was needed. – Semicolon Jul 16 '19 at 22:11
  • You zealot! It does; you're just narrow minded –  Jul 16 '19 at 22:15
  • One more thing. I have this exact script in my org with over 5000 users and it works just fine. You just need to feed the function the information. Also note, we have triggers done on a task DC where it does a triggered event run when a new user is created or disabled. Please, think outside of the box................ –  Jul 16 '19 at 22:17
  • $DomainController is undefined. Your "RemoveUserFromGroup" function uses the "Add-ADGroupMember" cmdlet. Your "Remove" (if the Remove-ADGroupMember cmdlet was actually just a typo used) only works if the user is not in the group. Nor do you reference even remotely the task of obtaining users from a specified OU. At best, it is a needs-work partial solution -- when a complete solution was already submitted and accepted. – Semicolon Jul 16 '19 at 22:21
  • Awe, I see what you were talking about. LOL - I just copied the top and pasted it to the bottom. I have since corrected it... $DomainController was put there just in case this user doesn't run the script from a DC. Again, the user and group is provided. You can run a simple Get-ADUser -Filter * if you want, but that seems mundane... It would be better to just read the DC event logs and pull the new user instead of cycling through every user. But hey, there are more than one way to skin a cat –  Jul 16 '19 at 22:25