When managing user access permissions to various resources in an Active Directory domain, an administrator may need dynamic AD user groups. Dynamic groups make it easier to grant permissions on file servers, shared folders, workstations, etc. Such a group should automatically add users to the group or remove them from it depending on the properties of the user account in the domain.
For example, you may want to automatically add all users from a specific OU to a security group, or to create a group that includes all user accounts of a specific department (the Department field in the AD user properties).
On-premises Active Directory has no built-in tools for implementing dynamic security groups. However, you can write a PowerShell script that selects users from Active Directory by a certain criterion, adds them to an existing AD security group (membership can also be assigned temporarily), and removes the accounts that no longer meet the requirements. When any of the relevant AD user attributes change, the script must add or remove the user from the group automatically.
To use dynamic AD groups, you must keep the relevant fields of all domain user accounts up-to-date (for example, when creating new users with the PowerShell script, you must immediately specify the city, the department, the company, etc.).
- Exchange Server has Dynamic Distribution Lists (groups) that are populated automatically based on user criteria, such as the value of the Company/City field in AD, the OU a user belongs to, the Exchange server on which the mailbox is located, or any other user attribute in Active Directory. However, dynamic distribution groups can only be used for mail distribution, not as security groups;
- Azure Entra ID has built-in dynamic groups. In this cloud directory, you can create dynamic membership rules for security or Office 365 groups.
- Dynamic Access Control (DAC) in Windows Server 2012 and later can partially replace some features of dynamic security groups.
Suppose you want to automatically add to an existing security group all users from several OUs that have the value ‘Sales’ in the Department field of the AD user properties. I have written the following PowerShell script (to run it, you need to install the Active Directory module for Windows PowerShell; the Get-ADUser cmdlet is used to get the user properties, and Add-ADGroupMember, Get-ADGroupMember, and Remove-ADGroupMember are the cmdlets that manage AD group membership).
## Your AD domain name
$ADDomain = 'dc=woshub,dc=com'
## Dynamic group name
$ADGroupname = 'EastSales'
## OU list to search users
$ADOUs = @(
    "OU=Users,OU=NewYork,$ADDomain",
    "OU=Users,OU=Chicago,$ADDomain"
)
$users = @()
# Searching users in the specified OUs
foreach ($OU in $ADOUs) {
    $users += Get-ADUser -SearchBase $OU -Filter {Department -like "Sales"}
}
foreach ($user in $users) {
    Add-ADGroupMember -Identity $ADGroupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
## Make sure that each user in the group meets the selection criteria. If not (moved to another OU, changed the Department field), they must be removed from the group
$members = Get-ADGroupMember -Identity $ADGroupname
foreach ($member in $members) {
    if ($member.distinguishedname -notlike "*OU=Users,OU=NewYork,$ADDomain*" -and $member.distinguishedname -notlike "*OU=Users,OU=Chicago,$ADDomain*") {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
    if ((Get-ADUser -Identity $member -Properties Department | Select-Object Department).department -notlike "Sales") {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
}
Run the script and make sure that all users from the specified OUs with ‘Sales’ in the Department field have been automatically added to the EastSales group. Users who do not match these criteria are removed from the group.
You can run the script manually, but it is better to run it regularly as a separate task in Task Scheduler under an account that has permissions to manage users and groups in AD. (It is not recommended to run the script under a domain admin account; instead, delegate AD group management privileges to a regular user/admin account or a gMSA account.)
You can use this PowerShell script as a framework for your own rules for creating dynamic user groups in AD.
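The script above reconciles membership by matching each member's distinguishedName against the OU list, which only works for users sitting directly under the listed OUs and treats every member as a user object. The following is an added example, not the article's script, that reconciles the same way a practitioner usually wants it: compute the desired set of users from the filter, compute the current set from the group, and add or remove only the difference, keyed on ObjectGUID so renames and moves between child OUs are handled. It assumes the ActiveDirectory module is installed, the running account has been delegated membership rights on the group, and the group and OU names in the usage call are placeholders. Disabled accounts are excluded, and non-user members (nested groups, computers) are reported but left alone.

```powershell
# Added example, not the article's own script. Assumptions: ActiveDirectory module present,
# caller delegated "write members" on the target group, placeholder group/OU names below.
Import-Module ActiveDirectory

function Sync-DynamicADGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $SearchBase,
        # Rule in Get-ADUser -Filter syntax, e.g. "Department -eq 'Sales'"
        [Parameter(Mandatory)] [string]   $Filter,
        [ValidateSet('Base', 'OneLevel', 'Subtree')] [string] $SearchScope = 'Subtree'
    )

    # 1. Desired membership: enabled users under any search base that match the rule.
    $desired = @{}
    foreach ($ou in $SearchBase) {
        Get-ADUser -SearchBase $ou -SearchScope $SearchScope -Filter "($Filter) -and (Enabled -eq 'True')" |
            ForEach-Object { $desired[$_.ObjectGUID.ToString()] = $_ }
    }

    # 2. Current membership: only direct user members are managed by this script.
    $current = @{}
    Get-ADGroupMember -Identity $GroupName | ForEach-Object {
        if ($_.objectClass -eq 'user') {
            $current[$_.ObjectGUID.ToString()] = $_
        } else {
            Write-Warning "$GroupName contains non-user member '$($_.Name)' ($($_.objectClass)); left unmanaged"
        }
    }

    # 3. Set difference on ObjectGUID: survives renames and OU moves, and does not depend on
    #    the member's DN ending with one of the listed OUs (which misses child OUs).
    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) user(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members ($toAdd | ForEach-Object { $desired[$_] })
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) user(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members ($toRemove | ForEach-Object { $current[$_] }) -Confirm:$false
    }

    # Summary object for the scheduled task's log.
    [pscustomobject]@{
        Group   = $GroupName
        Desired = $desired.Count
        Added   = $toAdd.Count
        Removed = $toRemove.Count
    }
}

# Usage (placeholder names): preview the changes with -WhatIf, then run without it.
Sync-DynamicADGroup -GroupName 'EastSales' `
    -SearchBase 'OU=Users,OU=NewYork,DC=woshub,DC=com', 'OU=Users,OU=Chicago,DC=woshub,DC=com' `
    -Filter "Department -eq 'Sales'" -WhatIf
```

Because the function supports ShouldProcess, a scheduled task can be tested with -WhatIf before it is allowed to change membership, and the returned summary object makes an unexpectedly large removal count visible in the task log before anyone loses access.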
11 comments
You have a slight typo in lines 20, 28, and 32: “-Member” instead of “-Members”; at least that’s what it took for me to get it to work.
Thanks, this is fantastic. I just manually created a group last week and this took 10 minutes to do the same task.
Indeed, there was a mistake. Thanks!
I just wanted to say thanks! I just used this to create and populate groups for computers instead of users. Worked like a charm. I am assuming that the typo mentioned by LIMEY is actually fixed in your post as it did not trip me up whatsoever. MANY THANKS!
Could you please share your script for the dynamic computer group?
Thanks
For example, you need to create a dynamic AD group based on OU. Just replace Get-ADUser with Get-ADComputer in the source script.
## Your AD domain name
$ADDomain = 'dc=woshub,dc=com'
## Dynamic group name
$ADGroupname = 'EastSalesComps'
## OU list to search computers
$ADOUs = @(
    "OU=computers,OU=NewYork,$ADDomain",
    "OU=computers,OU=Chicago,$ADDomain"
)
$computers = @()
# Searching computers in the specified OUs
foreach ($OU in $ADOUs) {
    $computers += Get-ADComputer -SearchBase $OU -Filter *
}
foreach ($computer in $computers) {
    Add-ADGroupMember -Identity $ADGroupname -Members $computer.samaccountname -ErrorAction SilentlyContinue
}
## Make sure that each computer in the group meets the selection criteria. If not (moved to another OU), they must be removed from the group
$members = Get-ADGroupMember -Identity $ADGroupname
foreach ($member in $members) {
    if ($member.distinguishedname -notlike "*OU=computers,OU=NewYork,$ADDomain*" -and $member.distinguishedname -notlike "*OU=computers,OU=Chicago,$ADDomain*") {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
}
This script works great thank you.
How can I add more than one attribute?
I tried -like "***" or "***" but it doesn't like it.
Can you give me a pointer please?
Use the following syntax:
(Attribute1 -like "***") -or (attribute2 -like "***") -or (attribute3 -like "***")
Hi
The issue I have is that I want to create a group that consists of a location and a department.
The script keeps failing on parameter names
1st part of the script:
)
$users = @()
# Searching users in the specified OUs
foreach($OU in $ADOUs){
$users += Get-ADUser -SearchBase $OU -Filter {Department -like "Finance"} -and {l -like "London"}
}
2nd part of the script:
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
if ((Get-ADUser -identity $member -properties Department|Select-Object Department).department -notlike "Finance" ) -and ((Get-ADUser -identity $member -properties l|Select-Object l).l -notlike "London" )
{
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
}
Any help would be greatly appreciated, Thank you
Also, many thanks for taking the time before. I have only just seen this. Thank you
This was extremely helpful! While testing, I noticed that Get-ADUser -SearchBase is recursive to child OUs, which is what I needed, but Remove-ADGroupMember is not recursive, so it doesn’t remove users that were in child OUs. This may be a little brute force, but I decided to clear the group membership near the start of the script so each time it runs, it removes all users and generates a fresh membership rather than remove users that are no longer applicable.
$ADGroupname = 'EastSales'
Get-ADGroup $ADGroupname | Set-ADGroup -Clear member
I also grabbed a piece from a Microsoft example so Disabled users are not added to the group. I modified this line:
$users += Get-ADUser -LDAPFilter '(!userAccountControl:1.2.840.113556.1.4.803:=2)' -SearchBase $OU -Filter {Department -like "Sales"}
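Two of the questions in this thread (combining more than one attribute, and excluding disabled accounts) are easiest to solve with a single LDAP filter, because Get-ADUser accepts either -Filter or -LDAPFilter but not both in the same call (they belong to different parameter sets). The following is an added example, not the article's or any commenter's code, that builds such a filter from a hashtable of rules: values for one attribute are OR-ed, attributes are AND-ed, and the userAccountControl bitwise clause excludes disabled accounts. Attribute values are escaped per RFC 4515, so a department or office name imported from HR data cannot contain characters like `*` or `)` that would change the filter's structure. The attribute names, OU path and sample values are placeholders.

```powershell
# Added example, not the article's or a commenter's code. Placeholder attribute values and OU.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: an attribute value taken from external data must not be able to alter
    # the filter structure (e.g. "*" matching everyone, or ")(objectClass=*" splicing a clause).
    param([Parameter(Mandatory)] [string] $Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            '\'     { [void]$sb.Append('\5c') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function New-DynamicGroupLdapFilter {
    # $Rules: attribute name -> one value or an array of values. Values of one attribute are OR-ed,
    # attributes are AND-ed. Unless -IncludeDisabled is given, accounts with the ACCOUNTDISABLE
    # bit (2) set in userAccountControl are excluded via the LDAP_MATCHING_RULE_BIT_AND OID.
    param(
        [Parameter(Mandatory)] [hashtable] $Rules,
        [switch] $IncludeDisabled
    )
    $clauses = @(
        foreach ($attr in $Rules.Keys) {
            $alts = @(foreach ($v in @($Rules[$attr])) { "($attr=$(ConvertTo-LdapFilterValue $v))" })
            if ($alts.Count -gt 1) { "(|$(-join $alts))" } else { $alts[0] }
        }
    )
    if (-not $IncludeDisabled) {
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }
    # objectCategory=person plus objectClass=user restricts the result to user accounts
    # (computers are also objectClass=user, but their objectCategory is "computer").
    "(&(objectCategory=person)(objectClass=user)$(-join $clauses))"
}

# Department 'Finance' AND office 'London' or 'Leeds', enabled users only (sample values).
$filter = New-DynamicGroupLdapFilter -Rules @{ department = 'Finance'; l = 'London', 'Leeds' }

# -SearchScope decides whether child OUs are included; the article's DN-suffix check assumes
# every matched user sits directly under one of the listed OUs, which Subtree does not guarantee.
Get-ADUser -SearchBase 'OU=Users,OU=London,DC=woshub,DC=com' -SearchScope Subtree `
    -LDAPFilter $filter -Properties department, l |
    Select-Object SamAccountName, department, l
```

The resulting string is an AND of the objectCategory/objectClass clauses, one clause per rule (an OR group where a rule has several values), and the disabled-account exclusion; hashtable key order is not guaranteed, so the per-attribute clauses may appear in either order, which does not change the result. Clearing the group and rebuilding it, as suggested in the comment above, works but leaves a window in which every member has lost the group's access and forces a fresh token for each of them; filtering correctly and removing only the difference avoids that.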
Love the script but I want to get hold of users via the Office field. I have tried physicalDeliveryOfficeName but it does not work, any ideas?