dougdog

Dynamic Security Groups In AD

Is it possible to create dynamic security groups in AD based on, say, extensionattribute1?
I need to create a group and have it automatically populated.
yo_bee

Unfortunately this is only viable for distribution groups.
I haven't done it, but what should work: create a script and have it run on your DC every x minutes using a scheduled task.
The PowerShell script would read that attribute for all user objects and, if present or if set to a defined value, add that user to the group if not already in it.

Will work, but don't ask me for the syntax.
ASKER CERTIFIED SOLUTION
Peter Hutchison
This solution is only available to members.
I liked Peter's method, but there is one caveat that you need to be aware of. Security groups will not apply until you log off and back on.

So if you changed a user's attributes and they are added to the group via the PowerShell and scheduled task, the computer that they are on will not know they are part of that group until they log on again.
But that will apply to methods.
As if I hadn't suggested the same right before :-)
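
The scheduled-task approach described in the thread, as an added example that is not code from any of the posters. It also removes members whose attribute no longer matches, so the group does not accumulate stale access. The group name, attribute value, search base and removal cap are hypothetical placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: keep a security group in sync with users whose
# extensionAttribute1 equals a given value. All parameter defaults are hypothetical.
param(
    [string]$GroupName  = 'SG-Dynamic-Example',          # hypothetical group
    [string]$AttrValue  = 'ExampleValue',                # hypothetical attribute value
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',  # hypothetical OU
    [int]$MaxRemovals   = 25                             # safety cap per run
)
$ErrorActionPreference = 'Stop'   # abort on any AD error instead of acting on partial data

# Users who should be members: enabled accounts with the attribute set to $AttrValue.
$wanted = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter "(extensionAttribute1=$AttrValue)" |
    Where-Object Enabled |
    Select-Object -ExpandProperty DistinguishedName)

# Current direct user members of the group (nested groups are left alone).
$current = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

# A wrong filter or search base would return nothing and empty the group.
# Refuse large removals so a misconfiguration fails loudly instead.
if ($toRemove.Count -gt $MaxRemovals) {
    throw "Refusing to remove $($toRemove.Count) members (cap $MaxRemovals); check the query."
}

if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd    -Confirm:$false }
if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# Emit one line per change so the scheduled task's output can be kept as an audit trail.
$toAdd    | ForEach-Object { Write-Output "ADDED   $_" }
$toRemove | ForEach-Object { Write-Output "REMOVED $_" }
```

With this design, anyone who can write extensionAttribute1 on a user object effectively controls membership of the group, so write access to that attribute should be delegated as tightly as the group itself. The account running the task needs only read access to users and write access to the group's member attribute.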