
October 23, 2019 | Active Directory, PowerShell

Active Directory Dynamic User Groups with PowerShell

When managing user access permissions to various resources in an Active Directory domain, an administrator may have to create dynamic AD user groups. Dynamic groups make it easier for an administrator to grant permissions on file servers, shared folders, workstations, etc. Such a dynamic group should automatically add users to the group or remove them from it depending on the user account properties in the domain.

For example, you may want to automatically add users from a specific OU to a security group, or create a group that includes all user accounts of a specific department (the Department field in the AD user properties), etc.

On-premises Active Directory has no built-in tools for implementing dynamic security groups. However, you can write a PowerShell script that selects users from Active Directory by a given criterion and adds them to an existing AD security group (membership can also be assigned on a temporary basis), and removes the accounts that no longer meet the criterion. Whenever a relevant AD user attribute changes, the script must add the user to the group or remove them from it accordingly.

To use dynamic AD groups, you must keep the relevant fields of all domain user accounts up-to-date (for example, when creating new users with the PowerShell script, you must immediately specify the city, the department, the company, etc.).

  1. Exchange Server has Dynamic Distribution Groups (lists) that are populated automatically based on user criteria, such as the value of the Company or City field in AD, the OU a user belongs to, the Exchange server on which the mailbox is located, or any other user attribute in Active Directory. However, dynamic distribution groups can only be used as distribution groups, not as security groups.
  2. Azure AD has built-in dynamic groups: in this cloud directory you can create dynamic membership rules for security or Office 365 groups.
  3. Dynamic Access Control (DAC) in Windows Server 2012 and later can partially replace some features of dynamic security groups.

Suppose you want to automatically add all users from several OUs whose Department field in the AD user properties is set to ‘Sales’ to an existing security group. I have written the following PowerShell script (to run it, you need to install the Active Directory module for Windows PowerShell; the Get-ADUser cmdlet is used to get the user properties, and Add-ADGroupMember, Get-ADGroupMember and Remove-ADGroupMember are the cmdlets that manage AD group memberships).

## The Active Directory module for Windows PowerShell (RSAT) must be installed
Import-Module ActiveDirectory
## Your AD domain name
$ADDomain = 'dc=woshub,dc=com'
## Dynamic group name
$ADGroupname = 'EastSales'
## OU list to search users
$ADOUs = @(
    "OU=Users,OU=NewYork,$ADDomain",
    "OU=Users,OU=Chicago,$ADDomain"
)
$users = @()
# Searching users in the specified OUs
foreach ($OU in $ADOUs) {
    $users += Get-ADUser -SearchBase $OU -Filter {Department -like "Sales"}
}
# Add the matching users; the error raised for accounts that are already members is ignored
foreach ($user in $users) {
    Add-ADGroupMember -Identity $ADGroupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
## Make sure that each user in the group meets the selection criteria. If not (moved to another OU, changed the Department field), they must be removed from the group
$members = Get-ADGroupMember -Identity $ADGroupname
foreach ($member in $members) {
    # Nested groups and computer accounts are not evaluated (Get-ADUser would fail on them)
    if ($member.objectClass -ne 'user') { continue }
    # Is the member still located in one of the listed OUs?
    $inOU = $false
    foreach ($OU in $ADOUs) {
        if ($member.distinguishedname -like "*$OU") { $inOU = $true }
    }
    $department = (Get-ADUser -Identity $member.distinguishedname -Properties Department).Department
    # A member is removed (once) if it left the OUs or its Department no longer matches
    if (-not $inOU -or $department -notlike "Sales") {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
}

Run the script and make sure that all users from the specified OUs with ‘Sales’ in the Department field have been automatically added to the EastSales group. The users who do not match these criteria are removed from the group.

You can run the script manually, but it is better to run it regularly as a separate Task Scheduler job under an account that has permissions to manage users and groups in AD. (Do not run the script under a domain admin account; instead, delegate AD group management privileges to a regular user/admin account or to a gMSA.)
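As an added example (not part of the original post), the following PowerShell shows one way to set up the scheduled run described above with least privilege: the gMSA is granted write access only to the member attribute of the dynamic group, and the task is registered to run under that gMSA rather than a domain admin. The script path, gMSA name and group DN are assumed placeholders; the dsacls permission string and the gMSA logon type are used as documented for those tools.

```powershell
# Added example (not from the original post): run the dynamic-group script as a
# scheduled task under a group Managed Service Account (gMSA). All names are assumed.
$ScriptPath = 'C:\Scripts\Update-DynamicGroup.ps1'       # assumed: where the script above is saved
$GmsaName   = 'WOSHUB\svc-adgroups$'                      # assumed gMSA (note the trailing $)
$GroupDN    = 'CN=EastSales,OU=Groups,DC=woshub,DC=com'   # assumed DN of the dynamic group
$GmsaSam    = $GmsaName -replace '^.*\\', ''              # sAMAccountName without the domain prefix

# 1. Delegate only what the script needs: Write Property (WP) on the group's "member"
#    attribute. Reading users and group members is allowed for authenticated users by default.
dsacls $GroupDN /G "${GmsaName}:WP;member"

# 2. The host running the task must be listed in the gMSA's
#    PrincipalsAllowedToRetrieveManagedPassword; then the account is installed locally.
Install-ADServiceAccount -Identity $GmsaSam
if (-not (Test-ADServiceAccount -Identity $GmsaSam)) {
    throw "gMSA $GmsaName cannot retrieve its password on this host"
}

# 3. Register the task. -LogonType Password is the documented way to run a task as a gMSA;
#    no password is supplied because the host retrieves it from AD. RunLevel stays Limited
#    because group membership changes need no local elevation.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '06:00'
$principal = New-ScheduledTaskPrincipal -UserId $GmsaName -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'AD Dynamic Group - EastSales' `
    -Action $action -Trigger $trigger -Principal $principal `
    -Description 'Synchronises EastSales membership from the Department attribute'
```

If the script is later extended to manage several groups, grant the gMSA the same WP;member permission on each group (or on the OU that contains them) rather than adding it to Account Operators or Domain Admins, so a compromise of the task host cannot be turned into broader directory control.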

You can use this PowerShell script as a framework of your own rules of creating dynamic user groups in AD.

7 comments

Limey December 5, 2019 - 7:11 pm

You have a slight typo in Lines 20 and 28 and 32 “-Member” instead of “-Members”, at least that’s what it took for me to get it to work.
Thanks, this is fantastic. I just manually created a group last week and this took 10 minutes to do the same task.

Reply
admin January 15, 2020 - 9:40 am

Indeed, there was a mistake. Thanks!

Reply
Michael Guthrie May 19, 2020 - 6:53 pm

I just wanted to say thanks! I just used this to create and populate groups for computers instead of users. Worked like a charm. I am assuming that the typo mentioned by LIMEY is actually fixed in your post as it did not trip me up whatsoever. MANY THANKS!

Reply
NickS March 10, 2022 - 4:35 pm

This script works great thank you.
How can I add more than one attribute?
I tried -like "***" or "***" but it doesn't like it.
Can you give me a pointer please?

Reply
admin March 11, 2022 - 7:19 am

Use the following syntax:
(Attribute1 -like "***") -or (attribute2 -like "***") -or (attribute3 -like "***")

Reply
NickS May 9, 2022 - 11:29 am

Hi
The issue I have is that I want to create a group that consists of a location and a department.
The script keeps failing on parameter names

1st part of the script:
)
$users = @()
# Searching users in the specified OUs
foreach($OU in $ADOUs){
$users += Get-ADUser -SearchBase $OU -Filter {Department -like "Finance"} -and {l -like "London"}
}

2nd part of the script:
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
if ((Get-ADUser -identity $member -properties Department|Select-Object Department).department -notlike "Finance" ) -and ((Get-ADUser -identity $member -properties l|Select-Object l).l -notlike "London" )
{
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
}

Any help would be greatly appreciated, Thank you

Reply
NickS May 9, 2022 - 1:23 pm

Also, many thanks for taking the time before. I have only just seen this. Thank you

Reply
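As an added example that is not part of the post or the comment thread, the following script shows a rule that combines two attributes (Department and the LDAP attribute l, i.e. City), which is the case NickS asks about: both conditions go inside a single -Filter script block, and the removal check treats a member as out of scope when either attribute no longer matches. The group name, OU and attribute values are assumed placeholders.

```powershell
# Added example (not from the post or the comments): one dynamic-group rule built from
# two user attributes. Group, OU and attribute values below are assumed placeholders.
Import-Module ActiveDirectory

$ADDomain    = 'dc=woshub,dc=com'
$ADGroupname = 'LondonFinance'
$ADOUs       = @("OU=Users,OU=London,$ADDomain")

# Both conditions belong INSIDE one -Filter script block. Writing "-and" between two
# separate script blocks (as in the comment above) is what makes Get-ADUser reject the
# parameters, because the second block is parsed as an extra positional argument.
$rule = { (Department -eq 'Finance') -and (l -eq 'London') }

$wanted = foreach ($OU in $ADOUs) {
    Get-ADUser -SearchBase $OU -Filter $rule -Properties Department, l
}

# Add everyone matching the rule; the "already a member" error is expected and ignored.
foreach ($u in $wanted) {
    Add-ADGroupMember -Identity $ADGroupname -Members $u -ErrorAction SilentlyContinue
}

# Re-evaluate the rule for current members. One Get-ADUser call with -Properties fetches
# both attributes. Note the logic: a member is removed if EITHER attribute no longer
# matches (or it left the OU), so the tests are combined with -or, not -and.
foreach ($m in Get-ADGroupMember -Identity $ADGroupname) {
    if ($m.objectClass -ne 'user') { continue }    # skip nested groups and computers
    $acct    = Get-ADUser -Identity $m.distinguishedName -Properties Department, l
    $inScope = $ADOUs | Where-Object { $acct.DistinguishedName -like "*$_" }
    if (-not $inScope -or $acct.Department -ne 'Finance' -or $acct.l -ne 'London') {
        Write-Verbose "Removing $($acct.SamAccountName) from $ADGroupname"
        Remove-ADGroupMember -Identity $ADGroupname -Members $acct -Confirm:$false
    }
}
```

To match on more than two attributes, extend the single $rule script block with further parenthesised conditions and mirror each one in the removal test; keeping both sides of the rule in one place is what prevents the add and remove steps from drifting apart over time.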

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins