membersOf Dynamic group based on other dynamic groups

New Contributor



Please advice, I've been reading the entire documentation related to memberOf-based Dynamic groups, however, I would like to have a confirmation of the feasibility of the following scenarios before we commit to Dynamic groups on AD.


Let's imagine the following scenario:


Group Name


Dynamic Group A

Attribute blah -eq bli

Dynamic Group B

Attribute bleh -eq blo

Static Group C

Manual Assignment


Are the following dynamic group rules supported?

Group Name


Dynamic Group D

memberOf –any A,B

Dynamic Group E

memberOf –all A,B

Dynamic Group G

memberOf –any A,C

Dynamic Group H

memberOf –any A,B,C





4 Replies
This scenario is specifically called out in the documentation:

You can't use one memberOf dynamic group to define the membership of another memberOf dynamic groups. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D).
best response confirmed by PlafoCL (New Contributor)



If you shift the focus to what you're trying to achieve rather than how you've proposed on doing so, there are some options you can explore.


Below is a dummy example related to your Dynamic Group E scenario.


This examples does indeed produce the union (of user objects though, not groups) of two other dynamic groups through using the memberOf attribute on the user object rather than memebrOf on the group objects.


The initial output is from the dynamic group (i.e. analogous to your Dynamic Group E) that holds the union of two other dynamic groups. This also show the rule which has the "and" join highlighted for clarity.


The second round of output is purely confirmation that the two groups being compared are indeed dynamic.


The final output is simply a count of how many members the first group contains as a result of the rule processing.




Using this slightly different approach, you probably can satisfy the four deliverables you've outlined.




Yes, I read that, but I just wanted to make sure that there are no differences between dynamic groups made using memberOf attribute vs the rest (of attributes).

So looks like the rule apply to all dynamic groups, not depending on the attribute used to create them.

Thanks Lain! , I am going to test it straight away!