
Active Directory Dynamic User Groups with PowerShell

March 4, 2020

When managing user access permissions to various resources in an Active Directory domain, an administrator may have to create dynamic AD user groups. Dynamic groups make it easier for an administrator to grant permissions on file servers, shared folders, workstations, etc. Such a dynamic group should automatically add users to the group or remove them from it depending on the user account properties in the domain.

For example, you may want to automatically add users from a specific OU to a security group, or create a group that includes all user accounts of a specific department (the Department field in the AD user properties), etc.

On-premises Active Directory doesn’t have built-in tools for implementing dynamic security groups. However, you can create a PowerShell script that selects users from Active Directory by certain criteria, adds them to an existing AD security group, and removes the accounts that no longer meet the requirements. When any of the relevant AD user attributes change, the script must add the user to the group or remove them from it accordingly.

To use dynamic AD groups, you must keep the relevant fields of all domain user accounts up-to-date.

  1. In Exchange Server there are Dynamic Distribution List groups that are populated automatically based on user criteria, such as the value of the Company/City field in AD, the OU a user belongs to, the Exchange server on which a mailbox is located, or any other user attribute in Active Directory. However, dynamic distribution groups can only be used to create distribution groups, not security groups;
  2. Azure AD has built-in dynamic groups. In this cloud directory you can create different dynamic membership rules for security or Office 365 groups;
  3. Dynamic Access Control (DAC) in Windows Server 2012 or later can partially replace some features of dynamic security groups.

Suppose you want to automatically add to an existing security group all users from several OUs who have the value ‘Sales’ in the Department field of their AD user properties. I have written the following PowerShell script (to run it, you need to install the Active Directory module for Windows PowerShell; the Get-ADUser cmdlet is used to get the user properties, and Add-ADGroupMember, Get-ADGroupMember and Remove-ADGroupMember are the cmdlets used to manage AD group memberships).

## Your AD domain name
$ADDomain = 'dc=contoso,dc=com'
## Dynamic group name
$ADGroupname = 'EastSales'
## OU list to search users (the same OUs are checked again when cleaning up the group below)
$ADOUs = @(
    "OU=Users,OU=NewYork,$ADDomain",
    "OU=Users,OU=Chicago,$ADDomain"
)
$users = @()
# Searching users in the specified OUs (SearchBase is searched recursively, including child OUs)
foreach($OU in $ADOUs){
    $users += Get-ADUser -SearchBase $OU -Filter {Department -like "Sales"}
}
# Adding every matching user to the group; the error raised for users who are already members is suppressed
foreach($user in $users){
    Add-ADGroupMember -Identity $ADGroupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
## Make sure that each user in the group meets the selection criteria. If not (moved to another OU, changed the Department field), they must be removed from the group
$members = Get-ADGroupMember -Identity $ADGroupname
foreach($member in $members){
    if($member.distinguishedname -notlike "*OU=Users,OU=NewYork,$ADDomain*" -and $member.distinguishedname -notlike "*OU=Users,OU=Chicago,$ADDomain*"){
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
    # Only user objects are re-checked here; a nested group or computer inside these OUs would make Get-ADUser fail
    elseif($member.objectClass -eq 'user' -and (Get-ADUser -Identity $member.distinguishedname -Properties Department).Department -notlike "Sales"){
        Remove-ADGroupMember -Identity $ADGroupname -Members $member.samaccountname -Confirm:$false
    }
}


Run the script and make sure that all users from the specified OUs with ‘Sales’ in the Department field have been automatically added to the EastSales group. The users who do not match these criteria are removed from the group.

You can run the script manually, but it is better to run it regularly as a separate task in the Task Scheduler under an account that has permissions to manage users and groups in AD. (It is not recommended to run the script under a domain admin account; instead, delegate AD group management privileges to a dedicated user/admin account or a gMSA account.)
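The scheduling step above, as an added example that is not part of the original post: the script is registered as a scheduled task running under a group Managed Service Account rather than a domain admin, and the gMSA is granted only write access to the group's member attribute. The gMSA name, host, script path, group DN and schedule are assumptions.

```powershell
# Added example (not from the original post): run the dynamic-group script as a scheduled task
# under a gMSA. Account name, script path, group DN and schedule are assumed values.
$ScriptPath = 'C:\Scripts\Sync-DynamicGroups.ps1'           # assumed location of the script from the post
$GmsaName   = 'gmsa-adgroups'                               # assumed gMSA sAMAccountName (without the trailing $)
$GroupDN    = 'CN=EastSales,OU=Groups,dc=contoso,dc=com'    # assumed DN of the dynamic group
$TaskName   = 'AD Dynamic Group Sync'

# 1. Verify the gMSA is installed and usable on this host before wiring it into a task
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA $GmsaName is not usable on $env:COMPUTERNAME; check PrincipalsAllowedToRetrieveManagedPassword."
}

# 2. Least privilege: grant the gMSA Write Property on the 'member' attribute of this group only,
#    instead of broad group-management rights (dsacls /G principal:rights;attribute)
dsacls $GroupDN /G "CONTOSO\$GmsaName`$:WP;member"

# 3. Action: run the script non-interactively, without loading a user profile
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# 4. Trigger: once a day at 03:00 (adjust to how quickly attribute changes must propagate)
$trigger = New-ScheduledTaskTrigger -Daily -At 3am

# 5. Principal: the gMSA with LogonType Password (no password is stored in the task), no local elevation
$principal = New-ScheduledTaskPrincipal -UserId "CONTOSO\$GmsaName`$" -LogonType Password -RunLevel Limited

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
```

The gMSA must already exist and the host must be listed in its PrincipalsAllowedToRetrieveManagedPassword for Test-ADServiceAccount to succeed; the dsacls line scopes the account's rights to membership changes on the one group, so a compromise of the scheduling host cannot be used to edit arbitrary groups.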

You can use this PowerShell script as a framework for your own rules for creating dynamic user groups in AD.
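Building on that idea, here is an added example (not code from the original post) of a reusable, set-based version of the same reconciliation: one function computes the desired membership from an OU list and a filter, diffs it against the current direct user members, applies the adds and removes in bulk, supports -WhatIf for a dry run, and writes an audit log of every change. The rule names, the second group, the filters and the log path are assumptions.

```powershell
# Added example (not from the original post): a reusable dynamic-group reconciliation function.
# Group names, OUs, filters and the log path are constructed example values.
#Requires -Modules ActiveDirectory

function Sync-DynamicADGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$SearchBase,
        [Parameter(Mandatory)][string]$Filter,
        [string]$LogPath = 'C:\Scripts\DynamicGroups.log'   # assumed log location
    )

    # 1. Desired membership: every user under the listed OUs that matches the filter
    $desired = @{}
    foreach ($ou in $SearchBase) {
        Get-ADUser -SearchBase $ou -Filter $Filter |
            ForEach-Object { $desired[$_.DistinguishedName] = $_ }
    }

    # 2. Current membership: only direct user members are managed; nested groups,
    #    computers and other principals are left untouched and reported in the log
    $current = @{}
    $foreign = @()
    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'user') { $current[$m.distinguishedName] = $m }
        else                           { $foreign += $m.distinguishedName }
    }

    # 3. Diff the two sets: in desired but not current -> add; in current but not desired -> remove
    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    # 4. Apply in bulk; calling the function with -WhatIf previews the changes without making them
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # 5. Audit trail: every add/remove is logged so an unexpected loss of access can be traced to a rule
    $stamp = (Get-Date).ToString('s')
    foreach ($dn in $toAdd)    { Add-Content -Path $LogPath -Value "$stamp ADD    $GroupName <- $dn" }
    foreach ($dn in $toRemove) { Add-Content -Path $LogPath -Value "$stamp REMOVE $GroupName -> $dn" }
    foreach ($dn in $foreign)  { Add-Content -Path $LogPath -Value "$stamp SKIP   $GroupName non-user member $dn" }

    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count; Skipped = $foreign.Count }
}

# Rules table: one entry per dynamic group (constructed example values; EastSales mirrors the post)
$ADDomain = 'dc=contoso,dc=com'
$rules = @(
    @{ GroupName  = 'EastSales'
       Filter     = 'Department -eq "Sales"'
       SearchBase = @("OU=Users,OU=NewYork,$ADDomain", "OU=Users,OU=Chicago,$ADDomain") }
    @{ GroupName  = 'AllHelpdesk'
       Filter     = 'Department -eq "IT" -and Title -like "*Helpdesk*"'
       SearchBase = @("OU=Users,$ADDomain") }
)

# Preview first; drop -WhatIf once the planned changes look right
foreach ($r in $rules) { Sync-DynamicADGroup @r -WhatIf }
```

Keeping the rules in a table separate from the logic makes each group's criteria reviewable in one place, and the SKIP entries in the log surface manually added non-user members that the rules do not know about.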
