Dynamic OU Groups – Assign Permissions to OUs

Assigning permissions to Organizational Units (OUs) simplifies administration tasks. This is especially relevant after migrations.
The following article exemplifies how you can create and use self-updating OU groups in Active Directory.

Dynamic Groups in AD

Dynamic groups automate the assignment of group memberships based on criteria which you define. This way you can automate the granting of permissions. However, Microsoft’s standard tools for setting up dynamic groups in AD are very limited. For this reason FirstAttribute, the creative minds behind Active-Directory-FAQ, developed the tool FirstWare DynamicGroup.

Below you will see in more detail how you can effectively use the complex OU structure in your AD in a simplified yet powerful way. Create dynamic groups fast, secure and effective with FirstWare DynamicGroup.

Advantages of Dynamic Groups

Overall, dynamic groups have three main purposes:

1. Time saving
   Standard procedures such as group administration are time consuming. The automated transfer of permissions with FirstWare DynamicGroups reduces the work load and makes room for other daily tasks.
2. Security
   The automated adding and deleting of user permissions prevents over-permissioning. Permissions will be deleted – and not forgotten – if users change departments or leave the company.
3. Reduction of errors
   Dynamic groups prevent the incorrect assignment or accidental deletion of permissions.

Read more about the basics and multiple ways of using dynamic groups in the article Automated Group Memberships in Active Directory.

Managing OU Groups

While you can assign permissions directly to OUs in Novell’s eDirectory, this option is not available in Microsoft’s Active Directory. Companies that use Active Directory need to create OU Groups – which are ideally self-updating – to assign permissions.

Assigning self-updating permissions to OUs in Active Directory can be achieved with FirstWare DynamicGroups.

Dynamic OU Group for one OU

In the first example we are creating a dynamic group for one single OU. All members of this new group and all user objects in the OU are identical. Any changes to the OU are updated regularly to the OU group by a pre-defined service interval (hourly, daily etc).

By using a dynamic group you can assign permissions easily and fast to all objects of the OU. A big advantage is that you don’t have to manually edit each single object. Follow these steps to create a dynamic group (also referred to as OU Group) for one single OU:

Create a New Group

Create a ‘New Group’ and enter the group name ‘OU-US-BOS-Users’ which stands for

‘OU Group for all users from Boston’.

Change Group into a Dynamic Group

The tab ‘General’ provides the option to convert a group into a ‘Dynamic Group’. Click on ‘Enable’ and new tabs will become available. These additional tabs offer extra functionalities – such as adjusting ‘Query Settings’ – which will be explained in our second example.

In our present case we can proceed to the tab ‘Member Query’.

Select users and view search results

Select ‘Users’ as the new group should only contain user objects. As a next step find all users that should become members of the new OU Group. Click in the field ‘In (Search Root)’ to find the users in your Active Directory. In our case all users are located in the OUs ‘Corp – US – BOS – Users’. In this simplified example the search root and target OU are identical. Click on ‘Preview’ to view the search results.

Confirm your selection with ‘Apply’ to finally create your new OU Group. To view all members of this group click on the tab ‘Update group’.

You have now created a dynamic OU group. It only contains those users that you included yourself – all users that are based in Boston.

Integrate multiple OUs in a Dynamic Group

In our second example we are looking at a scenario where you want to integrate multiple OUs in one group. We are setting up an OU group for all users who are located on the Eastern side of the USA. There are three cities in our directory that belong to this geographical region: Boston, Cleveland and New York. Each location represents an individual OU with user objects which we want to combine in a dynamic group.

Create a Dynamic Group from Multiple OUs

Set up a new group ‘OG-US-East-User’ for users from OU Boston, OU Cleveland and OU New York. Follow the same steps as in ‘Create a new group’ for one OU (2.1 Create a new group). Activate the dynamic group by clicking on ‘Enable’.

OU Filter

Next you need to define the ‘Dynamic Group Settings’ to receive the accurate query results.

Acitivate OU Filter

Go to ‘Query Settings’ and choose ‘Use OU Filter’. This selection brings up an additional tab called ‘OU Filter’. Open the new tab.

Create an OU Filter

You have two options to define the scope of your search:

1. Choose ‘Subtree’ to include sub-OUs into your search.
2. Choose ‘One Level’ to restrict the search filter to a certain level.

As a next step you define the search root as ‘Corp’. All three target OUs that we want to combine in our dynamic group are within this main folder. You could also use the OU ‘US’ or the domain as your source as long as the target OUs are located underneath.

Set Query Conditions

The next task is to define the conditions for the query. This determines which OUs are being chosen for the new group, and which are not. There are several ways of applying query conditions. In our example only three OUs are of interest. In the field ‘Query Conditions’ you define the following three filters:

You want to combine all users of the three OUs to become a member of the new group ‘OG-US-East-User’. This can be achieved by using three filters that are linked with an OR-operator.

Click on ‘Condition’ to set up the filters. The unique path of an OU can be found in the attribute ‘distinguishedName’. To find the ‘distinguishedName’ open the Users and Computers Console. Go to ‘Corp – US – BOS – Users’ and copy the value of ‘distinguishedName’ and add it to the query condition.

Click on ‘Apply’ and repeat this procedure for the remaining OUs.
These conditions are converted to LDAP-filters.

In summary:
You defined OU ‘Corp’ as your search root.
Within this search root you defined three ‘OU Filters’.
All OUs within ‘Corp’ which meet the query conditions are added to the new group.

Click on ‘Preview’ to see all OUs that were selected by the filter.

Run Member Query to Create Dynamic OU Group

Now we can proceed with the main task to create a new dynamic group. In the tab ‘Member Query’ you find several options to run the query. We are only interested in user objects and by clicking on ‘Users’ you define that the group should only include users.

The ‘Preview’ now shows all 22 employees who are located in Boston, Cleveland and New York. If you want to save the group you receive the message that there are two LDAP filters in place. Click ‘No’ to activate both filters.

Finally select ‘Update Group’ and you will see all 22 users as members of your new dynamic group.

We are happy to hear your feedback and reply to your questions regarding DynamicGroup – please feel free to contact us.

Go to Software and Download page:
FirstWare-DynamicGroup