When managing access permissions to different resources in an Active Directory domain, an administrator may need to create dynamic security user groups. The idea of a dynamic group is that its membership is automatically formed based on the user’s properties. For example, a group with all users from a specific location (city, OU); users from a certain department or with a specific job title, etc. Users should be automatically added to or removed from such a dynamic membership group based on the current values of their attributes.
In this article, we will look at how to implement dynamic groups in AD using a PowerShell script. Such a PowerShell script should run on a schedule, select users from AD based on a certain criterion, add them to a target AD group, and remove users from the group that no longer meet the criteria.
The following PowerShell script automatically adds all users from the specified OUs whose Department field in AD is set to Sales to the target security group.
```powershell
# Your AD domain name
$ADDomain = 'dc=woshub,dc=com'
# Dynamic group name
$ADGroupname = 'EastSales'
# OU list to search users (Get-ADUser -SearchBase searches child OUs as well)
$ADOUs = @(
    "OU=Users,OU=NewYork,$ADDomain",
    "OU=Users,OU=Chicago,$ADDomain"
)
# Department name
$DepartName = "Sales"
$users = @()
# Search for users from the target department in the specified OUs
foreach ($OU in $ADOUs) {
    $users += Get-ADUser -SearchBase $OU -Filter {Department -like $DepartName}
}
# Add users to the target security group
foreach ($user in $users) {
    Add-ADGroupMember -Identity $ADGroupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
# Check that all group members meet the criteria.
# If not (user has been moved to another OU, the Department field has been changed), they must be removed from the group.
$members = Get-ADGroupMember -Identity $ADGroupname
foreach ($member in $members) {
    # The member's DN must end with one of the listed OUs; this also accepts child OUs,
    # so the check matches the recursive search above
    $inOU = $false
    foreach ($OU in $ADOUs) {
        if ($member.distinguishedname -like "*,$OU") { $inOU = $true }
    }
    if (-not $inOU) {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
        continue
    }
    if ((Get-ADUser -Identity $member -Properties Department).Department -notlike $DepartName) {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
}
```
To empty the group completely (for example, before rebuilding its membership from scratch), clear its member attribute:
```powershell
Get-ADGroup $ADGroupname | Set-ADGroup -Clear member
```
The script uses the following cmdlets:
Get-ADUser – get user information
Add-ADGroupMember, Get-ADGroupMember, and Remove-ADGroupMember – manage AD group membership
To implement dynamic groups that contain computer objects, use the Get-ADComputer cmdlet instead.
Run the script and make sure that all users from the specified OUs with ‘Sales’ in the Department field have been automatically added to the EastSales group. Any user who doesn’t match these criteria will be removed from the group.
Create a scheduled task that runs the specified PowerShell script on the domain controller to update the dynamic group membership regularly (for example, twice a day).
Specify the task parameters:
Program/script: powershell.exe
Add arguments (optional): -ExecutionPolicy Bypass -NonInteractive -WindowStyle Hidden -File "C:\PS\update_dynamic_group_eastsales.ps1"
This PowerShell script can be used as the basis for creating your own dynamic security group rules in AD.
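The script above adds and removes members one at a time and re-checks each member with a separate AD query. The following is an added example (not the article's script) that does the same job as a set comparison: it computes the desired membership once, diffs it against the current direct members, changes only the difference, honours -WhatIf, and writes a line per change so membership drift can be audited. It assumes the RSAT ActiveDirectory module and reuses the article's group, OU and department values as parameter defaults.

```powershell
# Added example: set-based reconciliation of a dynamic AD group (not the article's script).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ADDomain    = 'dc=woshub,dc=com',
    [string]$ADGroupname = 'EastSales',
    [string[]]$ADOUs     = @("OU=Users,OU=NewYork,$ADDomain", "OU=Users,OU=Chicago,$ADDomain"),
    [string]$DepartName  = 'Sales'
)
Import-Module ActiveDirectory

# Desired members: enabled users below the listed OUs whose Department matches.
# Get-ADUser -SearchBase is recursive by default, so child OUs are covered here
# and, because the removal step uses the same set, in the removal step too.
$desired = foreach ($OU in $ADOUs) {
    Get-ADUser -SearchBase $OU -Filter "Department -eq '$DepartName' -and Enabled -eq 'True'"
}
$desired = @($desired | Select-Object -ExpandProperty DistinguishedName -Unique)

# Current direct members of the group (user objects only; nested groups are left alone).
$current = @(Get-ADGroupMember -Identity $ADGroupname |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty DistinguishedName)

# Work out the difference instead of touching every member on every run.
$toAdd    = @($desired | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $desired -notcontains $_ })

if ($toAdd -and $PSCmdlet.ShouldProcess($ADGroupname, "add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $ADGroupname -Members $toAdd
}
if ($toRemove -and $PSCmdlet.ShouldProcess($ADGroupname, "remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $ADGroupname -Members $toRemove -Confirm:$false
}

# Emit one line per change; redirect the task's output to a file to keep an audit trail.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($dn in $toAdd)    { "$stamp ADD    $ADGroupname <- $dn" }
foreach ($dn in $toRemove) { "$stamp REMOVE $ADGroupname -> $dn" }
```

Run it once with -WhatIf from the scheduled task's account to confirm the planned adds and removals before enabling the schedule.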
11 comments
You have a slight typo in Lines 20 and 28 and 32 “-Member” instead of “-Members”, at least that’s what it took for me to get it to work.
Thanks, this is fantastic. I just manually created a group last week and this took 10 minutes to do the same task.
Indeed, there was a mistake. Thanks!
I just wanted to say thanks! I just used this to create and populate groups for computers instead of users. Worked like a charm. I am assuming that the typo mentioned by LIMEY is actually fixed in your post as it did not trip me up whatsoever. MANY THANKS!
Could you please share your script for the dynamic computer group?
Thanks
For example, you need to create a dynamic AD group based on OU. Just replace Get-ADUser with Get-ADComputer in the source script.
```powershell
## Your AD domain name
$ADDomain = 'dc=woshub,dc=com'
## Dynamic group name
$ADGroupname = 'EastSalesComps'
## OU list to search computers
$ADOUs = @(
    "OU=computers,OU=NewYork,$ADDomain",
    "OU=computers,OU=Chicago,$ADDomain"
)
$computers = @()
# Searching computers in the specified OUs
foreach ($OU in $ADOUs) {
    $computers += Get-ADComputer -SearchBase $OU -Filter *
}
foreach ($computer in $computers) {
    Add-ADGroupMember -Identity $ADGroupname -Members $computer.samaccountname -ErrorAction SilentlyContinue
}
## Make sure that each computer in the group meets the selection criteria. If not (moved to another OU), they must be removed from the group
$members = Get-ADGroupMember -Identity $ADGroupname
foreach ($member in $members) {
    if ($member.distinguishedname -notlike "*OU=computers,OU=NewYork,$ADDomain*" -and $member.distinguishedname -notlike "*OU=computers,OU=Chicago,$ADDomain*") {
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
}
```
This script works great thank you.
How can I add more than one attribute?
I tried -like "***" or "***" but it doesn't like it.
Can you give me a pointer please?
Use the following syntax:
```powershell
(Attribute1 -like "***") -or (attribute2 -like "***") -or (attribute3 -like "***")
```
Hi
The issue I have is that I want to create a group that consists of a location and a department.
The script keeps failing on parameter names
1st part of the script:
```powershell
)
$users = @()
# Searching users in the specified OUs
foreach($OU in $ADOUs){
$users += Get-ADUser -SearchBase $OU -Filter {Department -like "Finance"} -and {l -like "London"}
}
```
2nd part of the script:
```powershell
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
if ((Get-ADUser -identity $member -properties Department|Select-Object Department).department -notlike "Finance" ) -and ((Get-ADUser -identity $member -properties l|Select-Object l).l -notlike "London" )
{
Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
}
}
```
Any help would be greatly appreciated, Thank you
Also, many thanks for taking the time before. I have only just seen this. Thank you
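The two questions above (combining several attributes, and a rule made of a department plus a location) come down to the same point: -Filter takes a single expression, so the conditions are joined with -and or -or inside one block, and the same rule must be applied again when existing members are re-checked. The following added example (not code from the article or from a commenter) defines the rule once as a hashtable and derives both the search filter and the membership check from it. It assumes the RSAT ActiveDirectory module; the group name, OU and attribute values are constructed for illustration.

```powershell
# Added example: one multi-attribute rule used for both selection and re-check.
Import-Module ActiveDirectory
$ADGroupname = 'LondonFinance'                          # hypothetical group
$ADOUs       = @('OU=Users,OU=London,DC=woshub,DC=com') # hypothetical OU
# Every attribute in the rule must match (AND). 'l' is the LDAP name of the City field.
$Rule = @{ Department = 'Finance'; l = 'London' }

# -Filter takes ONE expression: the clauses are joined with -and inside it,
# not passed as separate blocks ("-Filter {A} -and {B}" is a parameter error).
$filter = ($Rule.GetEnumerator() |
    ForEach-Object { "($($_.Key) -eq '$($_.Value)')" }) -join ' -and '
# $filter is now: (Department -eq 'Finance') -and (l -eq 'London')

function Test-RuleMatch {
    param($User)
    # A member stays only while every attribute still matches; one mismatch removes it.
    foreach ($kv in $Rule.GetEnumerator()) {
        if ($User.($kv.Key) -ne $kv.Value) { return $false }
    }
    return $true
}

# Select users with the combined filter and add them to the group
$matched = @()
foreach ($OU in $ADOUs) {
    $matched += Get-ADUser -SearchBase $OU -Filter $filter
}
if ($matched) {
    Add-ADGroupMember -Identity $ADGroupname -Members $matched -ErrorAction SilentlyContinue
}

# Re-check existing members against the same rule, fetching only the attributes it uses
$props = [string[]]$Rule.Keys
foreach ($member in (Get-ADGroupMember -Identity $ADGroupname | Where-Object objectClass -eq 'user')) {
    $user = Get-ADUser -Identity $member.distinguishedName -Properties $props
    if (-not (Test-RuleMatch $user)) {
        Remove-ADGroupMember -Identity $ADGroupname -Members $user -Confirm:$false
    }
}
```

To require either attribute instead of both, change the join string to ' -or ' and make Test-RuleMatch return $true on the first match.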
This was extremely helpful! While testing, I noticed that Get-ADUser -SearchBase is recursive to child OUs, which is what I needed, but Remove-ADGroupMember is not recursive, so it doesn’t remove users that were in child OUs. This may be a little brute force, but I decided to clear the group membership near the start of the script so each time it runs, it removes all users and generates a fresh membership rather than removing users that are no longer applicable.
```powershell
$ADGroupname = 'EastSales'
Get-ADGroup $ADGroupname | Set-ADGroup -Clear member
```
I also grabbed a piece from a Microsoft example so Disabled users are not added to the group. I modified this line:
```powershell
# -LDAPFilter and -Filter cannot be combined in one call, so both conditions go into
# the LDAP filter: department equals Sales AND the account is not disabled (UAC bit 2)
$users += Get-ADUser -LDAPFilter '(&(department=Sales)(!userAccountControl:1.2.840.113556.1.4.803:=2))' -SearchBase $OU
```
Love the script but I want to get hold of users via the Office field. I have tried physicalDeliveryOfficeName but it does not work, any ideas?