In Microsoft’s Active Directory, groups are used to manage permissions and access to shares and applications. But with a large number of user accounts, group management becomes time-consuming for many admins.
Dynamic group memberships would reduce the administrative overhead here and prevent over-permissioning. But this is not a standard feature of Active Directory, which is why we developed DynamicGroup.
Why should I automate group memberships?
AD groups are often used to set permissions on shares and folders, give access to applications or to create distribution lists.
A lot of this work can be automated and processed in the background, without manual input by admins.
Some examples:
- New employee enters the company
- Staff changes department
- A coworker moves to another branch and changes location
- Introduction of new software
- Project staff needs access to a folder that is only accessible to project members
- Further scenarios for dynamic groups
All these cases mean that certain permissions have to be set, which in turn means adding users to or removing users from a group. Usually these tasks have to be done manually.
To automate as many of these processes as possible, we at FirstAttribute developed DynamicGroup and improved it with version 2015.
How can DynamicGroup help me?
DynamicGroup helps you automate and speed up your daily work with user and group management in Active Directory. The software allows you to select and create dynamic security groups. Memberships are based on filters: users and other groups are automatically added to or removed from these groups.
Benefits of an automated group management:
- Time saving: relieve AD admins by automating routine tasks
- Avoid over-permissioning: if a user changes department, he/she is automatically removed from the old group and added to the new one. Over-permissioning through nested groups can be avoided with the FlatGroups feature.
- Clear permissioning: limiting a group to a selected OU, attribute filters and exception lists provide clear criteria for its memberships.
- Better overview: the resolution of nested groups shows you who the actual members (users) of a group are.
Where do I get the tool?
You can go to our website and download the software. The website also tells you more about the system and network requirements.
The DynamicGroup download comes as a 30-day trial. You can test all features of the software during this period.
Besides the installers for 32-bit and 64-bit, the download includes documentation with detailed information on how to install and set up the DynamicGroup Console and Services.
What do I need to use it?
You basically need a domain controller with both components of the software installed.
DynamicGroup components:
- a self-explanatory interface, the DynamicGroup Console, and
- a service, the DynamicGroup Implementor
The console can also be installed on several clients in your network, depending on how many administrators are responsible for the management. The service can also run in multiple instances on different servers in your network, each configured differently. The services are in charge of the automated calculation of the group memberships (in the background).
Really easy to set up:
Once you have completed the configuration, the settings for Consoles and Services are stored centrally in your Active Directory. The settings for the dynamic groups are also stored with the group objects in the AD. This centralization ensures that all admins work with the same data.
How can I automate AD group memberships?
DynamicGroup offers many settings to automatically add members to a group. Each of these is described in detail in the documentation. I want to focus here on the Query Builder and the include and exclude lists. These two functions can be used independently and in combination with each other to assign automated group memberships.
Query-Builder
This core component of DynamicGroup allows you to set filters as you like. A filter is used to automatically add members to a group using LDAP queries. This way you can also check whether users have certain attributes filled in correctly (or not at all). The conditions of the filter can be connected with “AND”, “OR” and “NOT”.
You don’t need to write these LDAP queries yourself. You can also assemble filters almost by drag and drop using the Query Builder, which is much more convenient. The tree structure gives you a clear overview of the entire query.
In the screenshot above you can see an example query. The written LDAP query in the lower part might be a little confusing, but with the tree in the upper part it is easy to read which members shall belong to the group: all users who are not in the OU “Users” of this domain, who are in the department “IT Administration” and who are either at the site “Germany” or at the site “France” will be added to this group.
Include and Exclude Lists
These features are almost self-explanatory: using these two lists, you can define whether certain users or groups will always or never become members of the dynamic group. This setting always applies here, regardless of other filters that are set.
This is a static feature, but it can be very important if you want to establish fixed rules. You can, for example, define that all members of the group “Helpdesk” also become members of the dynamic group that grants access to your ticketing system. The other way round, you can explicitly exclude groups and users from a group. This is particularly useful in connection with other queries – and here you need the Query Builder.
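The following is an added example, not DynamicGroup’s own code, that models how the Query Builder filter, the search root and the include/exclude lists described above combine into a group membership, and what a service run would then have to add or remove. It parses a small subset of LDAP filter syntax (AND, OR, NOT, attribute=value, attribute=*) and evaluates it against constructed user records; the filter mirrors the department/site conditions of the screenshot, and every DN and attribute value is constructed for the example.

```python
"""Toy model of filter-driven dynamic group calculation (added example).

Parses a subset of RFC 4515 LDAP filter syntax (&, |, !, attr=value, attr=*),
evaluates it against constructed entries under a search root, applies include
and exclude lists, and works out the adds/removes a service run would perform.
All DNs and attribute values are constructed sample data."""
from __future__ import annotations


def parse_filter(text: str) -> tuple:
    """Parse an LDAP filter string into a nested tuple tree.

    Nodes are ("&"|"|"|"!", [children]) or ("=", attribute, value).
    Values containing ')' or backslash escapes are deliberately unsupported."""
    pos = 0

    def node() -> tuple:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad comparison {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree: tuple, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names lower-case).
    Comparisons are case-insensitive, as for most AD string attributes."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    actual = entry.get(attr)
    if value == "*":                       # presence test: attribute filled in at all
        return actual not in (None, "")
    return actual is not None and str(actual).lower() == value.lower()


def in_search_root(dn: str, root: str) -> bool:
    """True if dn lies below root (the OU the dynamic group is limited to)."""
    return dn.lower().endswith("," + root.lower())


def compute_membership(entries, ldap_filter, search_root, include=(), exclude=()):
    """Members = filter hits under the search root, plus the include list,
    minus the exclude list; the lists always win over the filter."""
    tree = parse_filter(ldap_filter)
    wanted = {e["dn"] for e in entries
              if in_search_root(e["dn"], search_root) and matches(tree, e)}
    return (wanted | set(include)) - set(exclude)


def plan_changes(current: set, wanted: set) -> tuple[list, list]:
    """Adds and removes a service run would perform to reach the wanted set."""
    return sorted(wanted - current), sorted(current - wanted)


# --- constructed sample data -------------------------------------------------
ROOT = "OU=Staff,DC=example,DC=com"
FILTER = "(&(department=IT Administration)(|(l=Germany)(l=France))(!(title=Intern)))"
ANNA = "CN=Anna Becker," + ROOT
LUC = "CN=Luc Martin," + ROOT
TOM = "CN=Tom Reed," + ROOT
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"   # static include (a group)
ENTRIES = [
    {"dn": ANNA, "department": "IT Administration", "l": "Germany", "title": "Admin"},
    {"dn": LUC, "department": "IT Administration", "l": "France", "title": "Admin"},
    {"dn": TOM, "department": "IT Administration", "l": "Spain", "title": "Admin"},
    {"dn": "CN=Eva Klein," + ROOT, "department": "Sales", "l": "Germany"},
    {"dn": "CN=Sam Intern," + ROOT, "department": "IT Administration",
     "l": "Germany", "title": "Intern"},                 # dropped by the NOT branch
    {"dn": "CN=Max Weber,OU=Contractors,DC=example,DC=com",
     "department": "IT Administration", "l": "Germany"}, # outside the search root
]


def run_example():
    """Tom is a stale member, Luc is on the exclude list, Helpdesk is always in."""
    current = {ANNA, LUC, TOM}
    wanted = compute_membership(ENTRIES, FILTER, ROOT, include=[HELPDESK], exclude=[LUC])
    adds, removes = plan_changes(current, wanted)
    return wanted, adds, removes


if __name__ == "__main__":
    members, adds, removes = run_example()
    print("members:", sorted(members))
    print("add:", adds)
    print("remove:", removes)
```

Running it shows the three effects side by side: the filter alone would select Anna and Luc, the exclude list removes Luc regardless of the filter, the include list adds the Helpdesk group regardless of the filter, and the stale member Tom is scheduled for removal.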
Ok, but how are the group memberships updated automatically?
How does the service work and how to configure it?
The DynamicGroup Implementor service is responsible for the automation. You can deploy multiple services on different computers in the network and divide the responsibilities for certain domain controllers among them. Each time the service runs, it searches the AD for dynamic groups and adds or removes members according to the filter settings.
The service itself can be configured individually through the console. You can specify whether the dynamic groups should be updated at certain times or within a specified time interval. You can also specify which preferred domain controller the service should connect to.
Each service also has its own event log, so you can see immediately what changes have been made to dynamic groups and what errors may have occurred.
Any change to a user’s attributes can now have an impact on group memberships (if a filter of a dynamic group refers to them).
What other features does DynamicGroup offer?
The software offers many further functions – you can, for example, create your own Saved Queries, with which you can easily keep track of your dynamic groups. DynamicGroup integrates regular AD functionality by default, because dynamic groups are basically extended “regular” AD groups: you can create regular groups and OUs, delete them, change the group manager or add them as members to other groups.
There are also further options when you are creating dynamic groups. You want to add only members of a specific OU? Just change the search root. You don’t want groups to become members of your group? Activate the Flat Groups feature, and all filtered groups are recursively resolved so that only users are left to add.
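As an added example, not DynamicGroup’s own code, here is the recursive resolution of nested groups that a Flat Groups style feature needs: group members are expanded until only user DNs remain, groups that contain each other are handled without looping forever, and the nesting path through which each user got in is kept, which is what makes the “who is really a member” overview possible. The group structure and all DNs are constructed for the example.

```python
"""Recursive nested-group resolution (added example, constructed data).

`groups` maps a group DN to its direct member DNs; any DN that is not a key in
`groups` is treated as a user.  flatten_group() expands a group until only
users remain, tolerating membership cycles, and records for each user the
chain of groups it was reached through."""
from __future__ import annotations


def flatten_group(group_dn: str, groups: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {user_dn: [group_dn, nested_group, ...]} for every user reachable
    from group_dn.  Each group is expanded at most once, so a cycle such as
    A contains B contains A terminates instead of recursing endlessly."""
    users: dict[str, list[str]] = {}
    visited: set[str] = set()

    def walk(dn: str, path: list[str]) -> None:
        if dn in visited:
            return
        visited.add(dn)
        for member in groups.get(dn, []):
            if member in groups:                  # nested group: descend into it
                walk(member, path + [member])
            elif member not in users:             # user: keep the first path found
                users[member] = path

    walk(group_dn, [group_dn])
    return users


def flat_members(group_dn: str, groups: dict[str, list[str]]) -> list[str]:
    """The user-only member list a flat dynamic group would end up with."""
    return sorted(flatten_group(group_dn, groups))


def hidden_members(group_dn: str, groups: dict[str, list[str]]) -> list[str]:
    """Users who are effective members only through nesting, i.e. the ones an
    admin looking at the direct member list would not see."""
    direct = set(groups.get(group_dn, []))
    return sorted(u for u in flatten_group(group_dn, groups) if u not in direct)


# --- constructed sample directory -------------------------------------------
IT_ALL = "CN=IT-All,OU=Groups,DC=example,DC=com"
IT_ADMINS = "CN=IT-Admins,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
ALICE = "CN=Alice Roe,OU=Staff,DC=example,DC=com"
BOB = "CN=Bob Lee,OU=Staff,DC=example,DC=com"
CAROL = "CN=Carol Day,OU=Staff,DC=example,DC=com"
GROUPS = {
    IT_ALL: [IT_ADMINS, BOB],
    IT_ADMINS: [ALICE, IT_ALL],      # IT-Admins contains IT-All again: a cycle
    HELPDESK: [CAROL],               # not nested under IT-All at all
}


if __name__ == "__main__":
    for user, path in flatten_group(IT_ALL, GROUPS).items():
        print(user, "via", " -> ".join(path))
    print("flat:", flat_members(IT_ALL, GROUPS))
    print("hidden:", hidden_members(IT_ALL, GROUPS))
```

The hidden_members() helper is the over-permissioning check from the benefits list above in miniature: a user who is granted access only because some other group was nested into this one shows up there, while the direct member list would only have shown the nested group’s name.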
FirstWare-DynamicGroup is a product of FirstAttribute.
This software is developed in collaboration with AD admins.
Are you planning to introduce new features to your AD?
Please contact us if you want to know what is possible.