
Active Directory Dynamic Security Group creation

Vinoth_Azure
Contributor

How to create a dynamic security group in on-premises Active Directory to use it across on-premises SharePoint?

 

2 Replies

@Vinoth_Azure There are no Dynamic Security Groups in Active Directory.

 

In order to accomplish this, I think the most viable option would be a PowerShell script determining who is in the given OU/group and updating the security group accordingly, maybe something like this:

 

Import-Module ActiveDirectory
$groupname = "PseudoDynamicGroup"
$ou = "ou=desiredUsers,dc=domain,dc=tld"

# Source of truth: every user object under the OU.
$users = Get-ADUser -Filter * -SearchBase $ou

# Alternative source of truth: the members of another group.
# $users = Get-ADGroupMember -Identity "GroupName"

foreach($user in $users)
{
 # Already-present members raise an error, which is ignored here.
 Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}

# Remove anyone whose DN is no longer under the OU.
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
 if($member.distinguishedname -notlike "*,$ou")
 {
  # -Confirm:$false so the script does not block on a prompt when scheduled.
  Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
 }
}

 

Kind regards,

 

Viktor
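A fuller version of the reconciliation Viktor describes, added here as an example; it is not code from the original post. It assumes the same placeholder OU and group name, reads the group's member attribute directly (Get-ADGroupMember stops at the ADWS result limit on large groups and fails on foreign security principals), pins reads and writes to one domain controller, and honours -WhatIf so the removal side can be dry-run first.

```powershell
# Added example: reconcile a static AD security group against the user
# objects in an OU so the group behaves as if it were dynamic.
# Not code from the original thread. Group name, OU DN and server are
# placeholder assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName  = 'PseudoDynamicGroup',
    [string]$SearchBase = 'ou=desiredUsers,dc=domain,dc=tld',
    # Pin every query and write to one DC so the read and the write see the same replica.
    [string]$Server     = (Get-ADDomain).PDCEmulator
)
Import-Module ActiveDirectory

# Desired membership: enabled users anywhere under the OU, keyed by DN.
$desired = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Server $Server |
             ForEach-Object DistinguishedName)

# Current membership straight from the 'member' attribute: it is not subject to
# the ADWS MaxGroupOrMemberEntries limit and does not choke on foreign
# security principals the way Get-ADGroupMember does.
$current = @((Get-ADGroup -Identity $GroupName -Properties member -Server $Server).member)

# -in/-notin compare case-insensitively, which matches how AD treats DNs.
$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -Server $Server
}
if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
    # Our own ShouldProcess already gated this; suppress the cmdlet's prompt.
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Server $Server -Confirm:$false
}

# Emit what changed so a scheduled run leaves an audit trail.
[pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
```

Run it once with -WhatIf to see what it would add and remove, then schedule it. The account that runs it needs only the "Write members" permission delegated on the target group, not rights over the OU; anything manually added to the group that does not live under the OU will be removed on the next run, which is the point of the reconciliation.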

@Viktor Hedberg & @Vinoth_Azure

 

You're incorrect. There are Dynamic Security groups in AD. You can achieve this through LDIFDE. To note, Dynamic Groups have an expiration date set in minutes, and after the time expires the group deletes itself; also, users must be added manually, not dynamically. To achieve dynamic security groups it would be best to do a

 

Function DynamicGroup($Group, $User, $DomainController)
{
 # Compare on SamAccountName: Get-ADGroupMember's Name is the CN, which need not match the logon name passed in $User.
 if(!(Get-ADGroupMember -Identity $Group -Server $DomainController | Where-Object {$_.SamAccountName -eq $User}))
  {
   Add-ADGroupMember -Identity $Group -Members $User -Server $DomainController
  }
 else
 {
  Write-Output "The user: $User is already in the $Group"
 }
}
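The expiring groups the reply refers to are AD dynamic objects (RFC 2589, the dynamicObject auxiliary class): the directory deletes the object when its entryTTL runs out, and membership is still static. The following is an added example, not code from the original thread, that creates such a group through LDIFDE from PowerShell and then reads back its remaining lifetime. The group DN and TTL are placeholder assumptions; entryTTL is expressed in seconds, the domain enforces a minimum (900 seconds by default via DynamicObjectMinTTL), and dynamic objects can only be created in a domain or application partition of a forest at Windows Server 2003 functional level or higher.

```powershell
# Added example: create an AD group as a dynamic object with a time-to-live.
# Not code from the original thread. Group DN and TTL are placeholders; run on
# a domain-joined host as an account allowed to create groups in that OU.
param(
    [string]$GroupDN    = 'CN=ProjectTempGroup,OU=desiredUsers,DC=domain,DC=tld',
    [int]$TtlSeconds    = 3600   # entryTTL is in seconds; AD rejects values below DynamicObjectMinTTL
)

$cn = (($GroupDN -split ',', 2)[0]) -replace '^CN=', ''

# LDIF record. 'dynamicObject' is the auxiliary class that makes the object
# expire; groupType -2147483646 (0x80000002) is a global security group.
$ldif = @"
dn: $GroupDN
changetype: add
objectClass: group
objectClass: dynamicObject
cn: $cn
sAMAccountName: $cn
groupType: -2147483646
entryTTL: $TtlSeconds

"@

$ldifPath = Join-Path $env:TEMP 'dynamic-group.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f file, -k keep going on "object already exists".
& ldifde.exe -i -f $ldifPath -k
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# Members still have to be added by hand (or by a sync script); the TTL does
# not populate the group.
# Add-ADGroupMember -Identity $GroupDN -Members 'jdoe'   # 'jdoe' is a placeholder

# entryTTL is a constructed attribute, so it must be requested explicitly.
# Writing a new entryTTL later extends the lifetime, e.g.
# Set-ADObject -Identity $GroupDN -Replace @{ entryTTL = $TtlSeconds }
Get-ADObject -Identity $GroupDN -Properties entryTTL, 'msDS-Entry-Time-To-Die' |
    Select-Object Name, entryTTL, 'msDS-Entry-Time-To-Die'
```

The security-relevant consequence is that any ACL entry or SharePoint permission granted to this group silently disappears when the object expires, and a later group created with the same name gets a new SID and inherits nothing, so use these for genuinely temporary access and track the msDS-Entry-Time-To-Die timestamp if anything depends on the group.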

 
