Active Directory Dynamic Security Group creation


How to create a dynamic security group in on-premises Active Directory to use it across on-premises SharePoint?

 

2 Replies

@Vinoth_Azure There are no Dynamic Security Groups in Active Directory.

 

In order to accomplish this, I think the most viable option would be a PowerShell script determining who is in the given OU/Group and updating the security group accordingly, maybe something like this:

 

Import-Module ActiveDirectory
$groupname = "PseudoDynamicGroup"
# Desired members: every user under the source OU
# (alternative source: $users = Get-ADGroupMember -Identity "GroupName")
$users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"
foreach ($user in $users)
{
    # Already-present members only produce a suppressed error
    Add-ADGroupMember -Identity $groupname -Members $user.SamAccountName -ErrorAction SilentlyContinue
}
# Drop anyone in the group who is no longer under the source OU
$members = Get-ADGroupMember -Identity $groupname
foreach ($member in $members)
{
    if ($member.DistinguishedName -notlike "*ou=desiredUsers,dc=domain,dc=tld*")
    {
        Remove-ADGroupMember -Identity $groupname -Members $member.SamAccountName -Confirm:$false
    }
}

 

Kind regards,

 

Viktor
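A reconciliation variant of the script idea above, added here as an example and not Viktor's own script. It computes the desired membership from the OU with an LDAP filter that skips disabled accounts, diffs it against the group's direct members by distinguished name, refuses to empty the group when the OU query returns nothing, and honours -WhatIf so a change can be reviewed before it runs. The group name, OU, domain controller lookup and the ActiveDirectory module being present are assumptions.

```powershell
# Added example (not from the thread): reconcile a security group against an OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName  = 'PseudoDynamicGroup',                # placeholder
    [string]$SearchBase = 'OU=desiredUsers,DC=domain,DC=tld',  # placeholder
    # enabled user accounts only: the bitwise rule excludes userAccountControl bit 0x2 (ACCOUNTDISABLE)
    [string]$LdapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    [string]$Server     = (Get-ADDomainController).HostName    # pin one DC so reads and writes see the same state
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Desired state: DNs of enabled users under the OU (subtree).
$desired = Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree -Server $Server |
           Select-Object -ExpandProperty DistinguishedName

# 2. Current state: direct members only. Nested groups are reported, never removed by this script.
$current = Get-ADGroupMember -Identity $GroupName -Server $Server
$nested  = $current | Where-Object objectClass -eq 'group'
if ($nested) { Write-Warning ("Nested groups present and left untouched: " + ($nested.Name -join ', ')) }
$currentUsers = $current | Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty DistinguishedName

# 3. Diff by DN rather than sAMAccountName, which can be renamed.
$diff     = Compare-Object -ReferenceObject @($desired) -DifferenceObject @($currentUsers)
$toAdd    = $diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
$toRemove = $diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject

# 4. Guard rail: an empty OU result (typo in SearchBase, unreachable DC) must not strip the group.
if (-not $desired -and $currentUsers) {
    throw "Source OU returned no users; refusing to remove all $(@($currentUsers).Count) members of $GroupName."
}

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $GroupName")) {
        Add-ADGroupMember -Identity $GroupName -Members $dn -Server $Server
    }
}
foreach ($dn in $toRemove) {
    if ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $GroupName -Members $dn -Server $Server -Confirm:$false
    }
}

# One summary line per run; suitable for a scheduled-task log.
Write-Output ("{0}: +{1} -{2} (desired {3}, current {4})" -f $GroupName,
    @($toAdd).Count, @($toRemove).Count, @($desired).Count, @($currentUsers).Count)
```

Run it once with -WhatIf to see the planned adds and removals before scheduling it. The scheduling identity only needs write access to the member attribute of that one group, not broader rights, and the per-run summary line gives a simple baseline for spotting unexpected membership churn.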


@Viktor Hedberg  & @Vinoth_Azure

 

You're incorrect. There are Dynamic Security groups in AD. You can achieve this through LDIFDE. To note, Dynamic Groups have an expiration date, done by minutes, and after the time expires the group deletes itself; also, users must be added manually, not dynamically. To achieve the dynamic security groups it would be best to do a

 

Function DynamicGroup($Group, $User, $DomainController = (Get-ADDomainController).HostName)
{
    # $User may be given as sAMAccountName or display name; the original compared only Name
    if (!(Get-ADGroupMember -Identity $Group -Server $DomainController | ?{ $_.SamAccountName -eq $User -or $_.Name -eq $User }))
    {
        Add-ADGroupMember -Identity $Group -Members $User -Server $DomainController
    }
    else
    {
        Write-Output "The user: $User is already in the $Group"
    }
}
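The LDIFDE route this reply refers to is the dynamicObject auxiliary class: an object carrying it gets an entryTTL and is deleted by the domain controller when the TTL reaches zero. The following is an added example, not the reply's own code, that writes an LDIF file for a self-expiring global security group, imports it with ldifde, reads the remaining lifetime back, and shows how the lifetime is refreshed. The group name, OU and TTL value are placeholders; it assumes a forest at Windows Server 2003 functional level or higher and an account allowed to create objects in that OU.

```powershell
# Added example (not from the thread): create a self-expiring (dynamicObject) security group via LDIFDE.
$groupDN  = 'CN=ProjectTemp,OU=Groups,DC=domain,DC=tld'   # placeholder DN
$ttlSec   = 3600   # entryTTL is expressed in seconds; DCs enforce DynamicObjectMinTTL (900 s by default)
$ldifPath = Join-Path $env:TEMP 'dynamic-group.ldf'

# groupType -2147483646 = 0x80000002 = global scope + security-enabled.
@"
dn: $groupDN
changetype: add
objectClass: top
objectClass: group
objectClass: dynamicObject
cn: ProjectTemp
sAMAccountName: ProjectTemp
groupType: -2147483646
entryTTL: $ttlSec

"@ | Set-Content -Path $ldifPath -Encoding ASCII

# -i import, -f input file, -k keep going on "object already exists" errors.
& ldifde.exe -i -f $ldifPath -k
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# entryTTL is a constructed attribute that counts down; msDS-Entry-Time-To-Die holds the absolute deadline.
$g = Get-ADObject -Identity $groupDN -Properties 'entryTTL', 'msDS-Entry-Time-To-Die'
[pscustomobject]@{
    Group        = $g.Name
    SecondsLeft  = $g.entryTTL
    ExpiresAtUtc = $g.'msDS-Entry-Time-To-Die'
}

# Membership is still static, exactly as the reply says: members are added by hand.
# Add-ADGroupMember -Identity $groupDN -Members 'jdoe'   # placeholder account

# Writing entryTTL again restarts the countdown; without such a refresh the group, and every
# permission granted to it, disappears silently at the deadline.
Set-ADObject -Identity $groupDN -Replace @{ entryTTL = 7200 }
```

Two points for anyone relying on this: the expiry is a property of the object, not of the membership, so it answers a "temporary group" need rather than the "membership follows an OU" need in the original question; and because deletion happens on the DC with no interactive trace, a group used in SharePoint permissions should be watched for its expiry (the SecondsLeft readout above) so access does not vanish unannounced.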