Dynamic OU Groups – Assign Permissions to OUs

 

Dynamic Groups in AD

Dynamic groups automate the assignment of group memberships based on criteria which you define. This way you can automate the granting of permissions. However, Microsoft’s standard tools for setting up dynamic groups in AD are very limited. For this reason FirstAttribute, the creative minds behind Active-Directory-FAQ, developed the tool FirstWare DynamicGroup.

Below you will see in more detail how to use the complex OU structure in your AD in a simplified yet powerful way. Create dynamic groups quickly, securely and effectively with FirstWare DynamicGroup.

Advantages of Dynamic Groups

Overall, dynamic groups have three main purposes:

  1. Time saving
    Standard procedures such as group administration are time-consuming. The automated transfer of permissions with FirstWare DynamicGroup reduces the workload and makes room for other daily tasks.
  2. Security
    The automated adding and deleting of user permissions prevents over-permissioning. Permissions will be deleted – and not forgotten – if users change departments or leave the company.
  3. Reduction of errors
    Dynamic groups prevent the incorrect assignment or accidental deletion of permissions.

Read more about the basics and multiple ways of using dynamic groups in the article Automated Group Memberships in Active Directory.

Managing OU Groups

While you can assign permissions directly to OUs in Novell’s eDirectory, this option is not available in Microsoft’s Active Directory. Companies that use Active Directory need to create OU Groups – which are ideally self-updating – to assign permissions.

Assigning self-updating permissions to OUs in Active Directory can be achieved with FirstWare DynamicGroup.

Dynamic OU Group for one OU

In the first example we create a dynamic group for a single OU. The members of this new group are identical to the user objects in the OU. Changes to the OU are applied to the OU group at a pre-defined service interval (hourly, daily, etc.).

By using a dynamic group you can assign permissions quickly and easily to all objects in the OU. A big advantage is that you don’t have to edit each object manually. Follow these steps to create a dynamic group (also referred to as an OU Group) for a single OU:


Create a New Group
Create a ‘New Group’ and enter the group name ‘OU-US-BOS-Users’, which stands for ‘OU Group for all users from Boston’.


Change Group into a Dynamic Group


The tab ‘General’ provides the option to convert a group into a ‘Dynamic Group’. Click on ‘Enable’ and new tabs will become available. These additional tabs offer extra functionalities – such as adjusting ‘Query Settings’ – which will be explained in our second example.

In our present case we can proceed to the tab ‘Member Query’.

Select users and view search results




Select ‘Users’, as the new group should only contain user objects. Next, find all users that should become members of the new OU Group. Click in the field ‘In (Search Root)’ to find the users in your Active Directory. In our case all users are located in the OUs ‘Corp – US – BOS – Users’. In this simplified example the search root and target OU are identical. Click on ‘Preview’ to view the search results.

Confirm your selection with ‘Apply’ to finally create your new OU Group. To view all members of this group click on the tab ‘Update group’.
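For readers who want to see what such an OU group does underneath, the following is an added example and not FirstWare DynamicGroup code: a PowerShell sketch that makes the members of ‘OU-US-BOS-Users’ match the user objects under the search root. The domain part of the DN (DC=example,DC=com), the OU nesting order, the subtree search scope and the function names Get-OuGroupDelta and Sync-OuGroup are assumptions made for illustration.

```powershell
# Added example, not FirstWare DynamicGroup code. Needs the RSAT ActiveDirectory module.
# Assumed placeholders: the domain part (DC=example,DC=com) and the OU nesting order.
$SearchRoot = 'OU=Users,OU=BOS,OU=US,OU=Corp,DC=example,DC=com'
$GroupName  = 'OU-US-BOS-Users'

function Get-OuGroupDelta {
    # Pure comparison of two DN lists (-notin is case-insensitive, like AD DN matching).
    param([string[]]$OuUserDns = @(), [string[]]$GroupMemberDns = @())
    [pscustomobject]@{
        ToAdd    = @($OuUserDns      | Where-Object { $_ -notin $GroupMemberDns })
        ToRemove = @($GroupMemberDns | Where-Object { $_ -notin $OuUserDns })
    }
}

function Sync-OuGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchRoot,
          [Parameter(Mandatory)][string]$GroupName)
    Import-Module ActiveDirectory -ErrorAction Stop

    # All user objects under the search root (Subtree scope is an assumption here).
    $ouUsers = @(Get-ADUser -Filter * -SearchBase $SearchRoot -SearchScope Subtree |
                 Select-Object -ExpandProperty DistinguishedName)
    # Direct members, read from the group's 'member' attribute as DNs.
    $members = @((Get-ADGroup -Identity $GroupName -Properties member).member)

    $delta = Get-OuGroupDelta -OuUserDns $ouUsers -GroupMemberDns $members
    if ($delta.ToAdd.Count -and $PSCmdlet.ShouldProcess($GroupName, 'Add OU users')) {
        Add-ADGroupMember -Identity $GroupName -Members $delta.ToAdd
    }
    if ($delta.ToRemove.Count -and $PSCmdlet.ShouldProcess($GroupName, 'Remove non-OU members')) {
        Remove-ADGroupMember -Identity $GroupName -Members $delta.ToRemove -Confirm:$false
    }
    $delta   # returned so each run can be logged and audited
}

# Constructed sample DNs: shows the delta logic without touching a directory.
$ou  = 'CN=Ann Lee,OU=Users,OU=BOS,OU=US,OU=Corp,DC=example,DC=com',
       'CN=Bo Ray,OU=Users,OU=BOS,OU=US,OU=Corp,DC=example,DC=com'
$grp = 'CN=Bo Ray,OU=Users,OU=BOS,OU=US,OU=Corp,DC=example,DC=com',
       'CN=Cy Fox,OU=Users,OU=NYC,OU=US,OU=Corp,DC=example,DC=com'   # moved out of BOS
Get-OuGroupDelta -OuUserDns $ou -GroupMemberDns $grp | Format-List

# Against a real domain, preview first, then schedule the call without -WhatIf:
# Sync-OuGroup -SearchRoot $SearchRoot -GroupName $GroupName -WhatIf
```

Because membership follows OU placement, any account delegated to create or move user objects in that OU indirectly controls who receives the group's permissions, so review that delegation together with the group itself.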
