It has long been accepted that Microsoft’s Query Based Distribution Lists are a bad idea. It just doesn’t make sense to run a big query against Active Directory every time you want to email the list. In the same vein, Microsoft doesn’t even offer a Query Based Security Group; can you imagine the chaos every time a GPO based an email signature ran against a query based security group (I can’t even bring myself to capitalize it).
So, how do you do it? How do you dynamically build the membership of a security group if it isn’t available from Microsoft? That is where GroupID comes in. Our Automate module allows you to actually build the distribution or security group membership based on simple rules that you put into our query designer.
So, to make a dynamic or query based security group, you simply write the query, set the schedule for it to run and each time it runs, an actual Active Directory security group is created with real users as members.
You are free to apply any permissions or GPOs to it since it is an actual group. You shouldn’t have to worry about adding and removing members of a security group if you can automate it. Take a look at this chalktalk on dynamic Active Directory security groups and see for yourself how simple it is.