Active Directory Dynamic User Groups with PowerShell

When managing user access rights to different resources in an Active Directory domain, an administrator may need to create dynamic AD user groups. With dynamic groups, the administrator can more easily assign permissions to file servers, shared folders, workstations, etc. Such a dynamic group should automatically add or remove users from the group based on the properties of the user account in the domain.

You want z. For example, you can automatically add the users of a particular OR to a security group, or you can create a group that contains all the user accounts of a particular department (the department field in the AD user properties), and so on.

The on-site Active Directory has no built-in tools for setting up dynamic security groups. However, you can create a PowerShell script to automatically select users in Active Directory based on specific criteria and add them to an existing AD security group or delete accounts that no longer meet the requirements. If you change one of the attributes of the AD user, the script should automatically add or remove the user from the group.

To use dynamic AD groups, you must maintain the relevant fields in all user accounts in the domain.

  1. The Exchange Server has dynamic distribution list groups that are automatically populated based on certain user-defined criteria, such as a value in the Company/City field in AD, the OU the user belongs to, the Exchange Server where the mailbox is located, or any other custom attribute in Active Directory. Dynamic distribution groups can, however, be used to create a distribution, but not for security groups;
  2. Azure AD has built-in dynamic groups. In this cloud directory you can create different dynamic membership rules for security groups or Office 365.
  3. Partial Dynamic Access Control (DAC) in Windows Server 2012 or later can be used to override certain dynamic security group functions.

Suppose you want to automatically add to an existing security group all users with multiple OK’s that have the value Sales in the AD User Properties Department field. I have written the following PowerShell script (to run it you need to install the Active Directory for the Windows PowerShell module; the Get-ADUser command is used to retrieve user properties, the Add-ADGroupMember, Get-ADGroupMember and Remove-ADGroupMember commands are used to manage the AD group membership).

## Domain name AD
$ADDomain = ‘dc=contoso,dc=com’
## Dynamic group name
$ADGroupname = ‘EastSales’
## OR list for user search
$ADOUs = @(
$users = @()
# Search for users in certain OU’s
foreach($OU in $ADOU){
$users += Get-ADUser -SearchBase $OU -Filter {department -like sales}
foreach($user in $users)
Add-ADGroupMember -Identity $ADGroup name -Member $user.Samaccountname -ErrorAction SilentlyContinue
## Make sure each user in the group meets the selection criteria. If this is not the case (move to another OR, change the department field), they must be removed from group
$member = Get-ADGroupMember -Identity $ADGroupname
foreach($member in $member)
if($member.distinguishedname -notlike *OU=Users,OU=NewYork,$ADDomain* – and $member.distinguishedname -notlike *OU=Users,OU=Chicago,$ADDomain*)
Delete-ADGroupMember -Identity $ADGroupname -Member.samaccountname -Confirm:$false
if ((Get-ADUser – Identity $member -propriities Department|Select-Object Department).Department -Non-Like Sales)
Delete-ADGroupMember -Identity $ADGroupname -Member $member.samaccountname -Confirm:$false


Run the script and make sure that all OU users specified in the Sales field are automatically added to the EastSales group. Users who do not meet these criteria will be removed from the group.

The script must be run manually, but you must run it periodically by a separate task in the Task Scheduler under an account that has permission to manage users and groups in AD. (It is not recommended to run the script under a domain administrator account. You must delegate AD group administration rights to regular user/administrator accounts or to a gMSA account).

You can use this PowerShell script as a framework for your own rules to create dynamic user groups in AD.

Related Tags:

ad group automation,azureadmsgroup,ldifde,refresh dynamic group azure,dynamic security group active directory 2012,ad dynamic ou,automate ad group membership,assign group to ou,add computer to group based on ou,link security group to ou,adaxes dynamic groups,office 365 dynamic group update,azure dynamic group based on license,change group from assigned to dynamic,devicephysicalids,azure ad group membership type greyed out,dynamic distribution group,dynamic security,active directory shadow group,automatically add users to security group,office 365 dynamic distribution group,new-azureadmsgroup,azure ad dynamic group exclude group,dynamic membership rule memberof,how to create dynamic active directory group,azure group membership type greyed out,get azureadgroup -filter dirsyncenabled,azure ad group attributes,getazuread group member,powershell get azuread group members,azure ad group type security vs office 365,active directory dynamic security groups powershell,how to create a dynamic distribution group in active directory,add users to an active directory group based on user attributes,dynamic security group based on ou,powershell create dynamic group,active directory automatically add users to group,create a new group with the membership type dynamic user,azure ad dynamic groups