
Active Directory does not offer any built-in dynamic security groups, whereas Exchange does offer dynamic distribution lists.
To solve this problem, you can run a PowerShell script that builds the group from the users in an OU.
The script below scans one or more OUs and adds each user account to the AD security group you specify. It also removes any user objects that have been removed or moved to a different OU.
When running Get-ADGroupMember you might experience this error: "The size limit for this request was exceeded". If so, follow these instructions on how to change the default limit.
```powershell
# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

## Enter your AD Domain here
$Domain = '<dc=domain,dc=com>'

## Enter the name of your Dynamic Security group here
$groupname = '<your group name here>'

## Enter the OUs you want to search
$OUsToSearch = @(
    "OU=department,ou=UserObjects,$Domain",
    "OU=Sub,OU=department,ou=UserObjects,$Domain"
)

# Create empty array
$users = @()

# Loop through OUs and search for users
foreach($Path in $OUsToSearch){
    $users += Get-ADUser -SearchBase $Path -Filter *
}

# Add every user found; errors (e.g. "already a member") are suppressed
foreach($user in $users)
{
    Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}

## This section will remove any group member that has been moved to a different OU.
## Make sure you update the OUs below
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
    if($member.distinguishedname -notlike "*OU=department,ou=UserObjects,$Domain*" `
        -and $member.distinguishedname -notlike "*OU=Sub,OU=department,ou=UserObjects,$Domain*")
    {
        Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
    }
}
```
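The same reconciliation as an added example (not the post author's code): it diffs the OU contents against the current members by distinguished name, derives removals from the same OU list used for additions, supports -WhatIf, and stops on errors instead of suppressing them. The function names Get-MembershipDelta and Sync-OUGroup are made up for this example, and it reads current members through a memberOf query rather than Get-ADGroupMember, so only direct user members are managed.

```powershell
# Added example; function names are hypothetical, placeholders must be replaced before use.
Import-Module ActiveDirectory

function Get-MembershipDelta {
    # Pure comparison of two DN lists (case-insensitive): what to add, what to remove.
    param([string[]]$Desired, [string[]]$Current)
    $cmp  = [StringComparer]::OrdinalIgnoreCase
    $want = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $have = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $Desired) { [void]$want.Add($dn) }
    foreach ($dn in $Current) { [void]$have.Add($dn) }
    [pscustomobject]@{
        ToAdd    = @($want | Where-Object { -not $have.Contains($_) })
        ToRemove = @($have | Where-Object { -not $want.Contains($_) })
    }
}

function Sync-OUGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$OUsToSearch
    )
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # Desired members: every user under the listed OUs. A mistyped OU throws here,
    # before anything is removed. Overlapping OUs are de-duplicated by the delta step.
    $desired = @($OUsToSearch | ForEach-Object {
        Get-ADUser -SearchBase $_ -Filter * -ErrorAction Stop
    } | Select-Object -ExpandProperty DistinguishedName)

    # Current members: users whose memberOf contains the group DN. Characters that are
    # special in an LDAP filter are escaped first. Computers and nested groups are not
    # returned, so this function never removes them.
    $dn = $group.DistinguishedName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $current = @(Get-ADUser -LDAPFilter "(memberOf=$dn)" -ErrorAction Stop |
        Select-Object -ExpandProperty DistinguishedName)

    $delta = Get-MembershipDelta -Desired $desired -Current $current
    if ($delta.ToAdd -and $PSCmdlet.ShouldProcess($GroupName, "Add $($delta.ToAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $delta.ToAdd -ErrorAction Stop
    }
    if ($delta.ToRemove -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($delta.ToRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $delta.ToRemove -Confirm:$false -ErrorAction Stop
    }
    $delta   # emit the change set so a scheduled run can log what changed
}

# Dry run first:
# Sync-OUGroup -GroupName '<your group name here>' -OUsToSearch 'OU=department,ou=UserObjects,<dc=domain,dc=com>' -WhatIf
```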
Nice script, thx for sharing. Here’s a free Windows service that will allow you to create an unlimited amount of dynamic groups based on LDAP filtering and OU scope: https://mnt/web010/a3/17/511144617/htdocs/STRATO-apps/wordpress_01/app.easy365manager.com/ad-dynamic-groups/
Great post. We also thought dynamic security groups would be very beneficial in many cases. That’s why we put it one step further FirstWare DynamicGroup – so that you can create complex filters with a GUI.