Active Directory Dynamic User Groups with PowerShell

When managing user access permissions to various resources in an Active Directory domain, an administrator may have to create dynamic AD user groups. Dynamic groups make it easier for an administrator to grant permissions on file servers, shared folders, workstations, etc. Such a dynamic group should automatically add users to the group or remove them from it depending on the user account properties in the domain.

For example, you want to automatically add users from the specific OU to the security group, or to create a group that includes all user accounts of the specific department (the Department field in the AD user properties), etc.

On-premise Active Directory doesn’t have built-in tools for implementing dynamic security groups. However, you can create a PowerShell script to automatically select users from Active Directory by a certain criterion and add them to an existing AD security group (you can assign members on a temporary basis) or remove the accounts that no longer meet the requirements. When any of the AD user attributes are changed, the script must automatically add or remove a user from the group.

To use dynamic AD groups, you must keep the relevant fields of all domain user accounts up-to-date (for example, when creating new users with the PowerShell script, you must immediately specify the city, the department, the company, etc.).

Suppose, you want to automatically add to the existing security group all users from several OUs having the value ‘Sales’ in the Department field in the properties of the AD user. I have written the following PowerShell script (to run it, you need to install the Active Directory for Windows PowerShell Module; the Get-ADUser cmdlet is used to get the user properties, and Add-ADGroupMember, Get-ADGroupMember and Remove-ADGroupMember are the cmdlets to manage AD group memberships.)

## Your AD domain name
$ADDomain = 'dc=woshub,dc=com'
## Dynamic group name
$ADGroupname = 'EastSales'
## OU list to search users
$ADOUs = @(
"OU=Users,OU=NewYork,$ADDomain",
"OU=Users,OU=Chicago,$ADDomain"
)
$users = @()
# Searching users in the specified OUs
foreach($OU in $ADOUs){
$users += Get-ADUser -SearchBase $OU -Filter {Department -like "Sales"}
}
foreach($user in $users)
{
Add-ADGroupMember -Identity $ADGroupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
## Make sure that each user in the group meets the selection criteria. If not (moved to another OU, changed the Department field), they must be removed from the group
$members = Get-ADGroupMember -Identity $ADGroupname
foreach($member in $members)
{
if($member.distinguishedname -notlike "*OU=Users,OU=NewYork,$ADDomain*" -and $member.distinguishedname -notlike "*OU=Users,OU=Chicago,$ADDomain*")
{
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
if ((Get-ADUser -identity $member -properties Department|Select-Object Department).department -notlike "Sales" )
{
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
}

Run the script and make sure that all users from the specified OUs with ‘Sales’ in the Department field have been automatically added to the EastSales group. The users who do not match these criteria are removed from the group.

You have to run the script manually, but it is better to run it regularly through a separate task in the Task Scheduler under the account that has permissions to manage users and groups in AD. (It is not recommended to run the script under the domain admin account, you should delegate AD group management privileges to a common user/admin accounts or a gMSA account.)

You can use this PowerShell script as a framework of your own rules of creating dynamic user groups in AD.