Creating a Dynamic Group in Active Directory with users from a OU

groups active-directory dynamic

I would like to create a dynamic group with users from a specific OU in my Active Directory. I can do this perfectly using Exchange Dynamic Distribution List, but of course, Ex DDL's are only for mail.

There's any way to create this? I've found some guides using System Center to handle this, but System Center isn't an option.

Thanks in advance,


Solution 1:

There is no such thing as a Dynamic Security Group in Active Directory, only Dynamic Distribution groups.

To accomplish this, I think the most viable option would be to have a Powershell script determining who are in the given OU and updating the security group accordingly, maybe like this:

Import-Module ActiveDirectory
$groupname = PseudoDynamicGroup
$users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"
foreach($user in $users)
{
  Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
  if($member.distinguishedname -notlike "*ou=desiredUsers,dc=domain,dc=tld*")
  {
    Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
  }
}

Solution 2:

I'm answering my own question. With the PowerShell ideas of Mathias I've found this on the internet:

https://github.com/davegreen/shadowGroupSync

Features

  • Sync user or computer objects from one or more OUs to a single group.
  • Ability to filter objects included in the shadow group using the PowerShell Active Directory Filter.
  • Ability to choose shadow group type (Security/Distribution).

The author's blog contains additional information about the design and motives for the tool.

Solution 3:

This can be done with Adaxes. Technically it will dynamically update group membership once users are updated/moved. Here's an example how to automatically maintain group membership based on Department attribute, but it's very easy to modify it to do same thing based on the OU. http://www.adaxes.com/tutorials_AutomatingDailyTasks_AddUsersToGroupsByDepartment.htm

Related

Is it possible to run two services on the same ports with different IP but on the same machine?
Backup a remote directory with duplicity
How do I verify that my hosting provider gave me SSDs?
How are Windows MachineKey Container File Name's Derived?
How to delete directories contents (and not the directory itself) using find -exec and rm?
How can I use a web interface that requires a much older browser?
How to mount new logical volume (adding to fstab and mtab)?
What type is the 'return' keyword?
How can I know if a non-required RenderSection exists?
Can I write native iPhone apps using Python? [closed]
Bad Request - Invalid Hostname IIS7
How to find current zoom level in a Google Map?