
How to Create Active Directory Query-Based Groups

Using Active Directory (AD) security groups and distribution groups is a best practice for simplifying IT administration, enhancing security and enabling effective communication. However, in many organizations, the membership of these groups is defined by an explicit list of specific users, computers and other entities. Use of these static groups is both labor-intensive and error-prone, because when employees join the company or shift roles, devices are added or retired, or other changes happen, all related groups need to be updated manually.

There is a useful alternative that improves security and reduces IT overhead: determining group membership dynamically by running an AD query. Microsoft provides a user-friendly interface for creating distribution groups based on an LDAP query. Unfortunately, there is no corresponding GUI for creating query-based security groups — which comprise the vast majority of AD groups; the only native option is to craft scripts using Windows PowerShell.

This article explains the native methods for creating both types of dynamic groups and then offers a powerful alternative: Smart Groups in Netwrix GroupID.

Distribution Groups

Let’s start with distribution groups, which are more commonly called distribution lists. Distribution lists enable users to send email messages to groups of people more efficiently and accurately. For example, you might create a distribution list for each department and team, as well as one for each office location. These distribution lists appear in the Global Address List (GAL), so business users can simply choose one entry from the GAL to send messages to an entire group of colleagues.

Drawbacks of Static Distribution Groups

Because employees are constantly joining and leaving the organization and changing roles within it, however, trying to keep distribution lists up to date is a hassle for IT teams. In some cases, they might not even have the insight necessary to ensure they are populating the lists correctly.

The consequences of failing to keep distribution lists current can be serious. If users who should be on a list are not included, they will not receive messages that could be important for their own productivity and for essential business processes. Even worse, inaccurate distribution lists are a security and compliance issue, since messages might be sent to individuals who should not see the information that they contain.

Query-Based Distribution Groups

To help, Microsoft introduced query-based distribution groups in Exchange Server 2003. They provide the same functionality as standard distribution groups, but membership is not determined by a static list of users. Instead, membership is dynamically generated by LDAP queries that run whenever someone sends an email to the associated group.

For example, you can create an LDAP query that defines the membership of a group as all users who are currently in a specific department in your organization. If a particular user moves to another department, as soon as their AD user object is updated, they will no longer receive emails sent to the distribution group — without anyone having to manually modify the membership of the distribution list.

You can find the query associated with a distribution group in msExchDynamicDLFilter and msExchQueryFilter in Active Directory.

How to Create a Query-Based Distribution Group using Microsoft Exchange

Query-based distribution groups are easy to create:

  1. Launch the Exchange Admin Center and select Recipients in the left pane.
  2. Navigate to Groups > New > Dynamic distribution group.
  3. In the New Dynamic Distribution Group wizard, specify the following properties of the new list:
     • A name, alias and description for the group
     • The organizational unit (OU) you want to create the group in
     • The owner of the group (optional but recommended)
     • The type of recipients, such as resource mailboxes or users who have Exchange mailboxes
     • The criteria for a user’s membership in the distribution list, such as their department and geographical location
  4. Click Save to create the group.

Limitations of Query-Based Distribution Groups Created via Exchange

Query-based distribution groups created via Exchange are more accurate and easier to maintain than static distribution lists, but they have some important characteristics to keep in mind:

  • The attributes for determining membership in a distribution list are limited to a few common user attributes — container, state or province, company, and department — along with a few custom attributes.
  • Since the membership of a distribution list is determined when an email is sent to that list, business users cannot view the members of a distribution list in their Outlook client, and therefore cannot be sure exactly who will receive a message they send to the list.
  • The query is evaluated each time an email is sent to a query-based distribution list. Therefore, making extensive use of these groups puts a significant burden on the Exchange server and the global catalog.
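The wizard steps above expressed as Exchange Management Shell commands, followed by the membership preview an administrator can run to verify who a dynamic list currently resolves to (an added example, not the article's or Netwrix's own code; it assumes on-premises Exchange, and the group name, OUs and department value are hypothetical):

```powershell
# Added example, not part of the article: create a dynamic distribution group from
# a recipient filter, inspect the filter Exchange stores, and preview its members.
# Assumes the Exchange Management Shell on on-premises Exchange; all names below are hypothetical.

$groupName = 'Sales-All'           # hypothetical group name
$groupOu   = 'domain.tld/Groups'   # hypothetical OU to create the group in
$scopeOu   = 'domain.tld/Users'    # hypothetical container the query is evaluated against

# OPATH recipient filter: only user mailboxes whose Department attribute is 'Sales'.
# Restricting RecipientTypeDetails keeps shared and resource mailboxes out of the list.
$filter = "(RecipientTypeDetails -eq 'UserMailbox') -and (Department -eq 'Sales')"

New-DynamicDistributionGroup -Name $groupName -OrganizationalUnit $groupOu `
    -RecipientFilter $filter -RecipientContainer $scopeOu | Out-Null

# Exchange stores both the OPATH filter and its LDAP translation on the group object;
# LdapRecipientFilter is what the article points to in msExchDynamicDLFilter.
$ddg = Get-DynamicDistributionGroup -Identity $groupName
$ddg | Format-List Name, RecipientFilter, LdapRecipientFilter, RecipientContainer

# Resolve the filter now, without sending mail, to see exactly who would receive a message.
# Worth re-running after any filter change, since the membership is never static.
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -OrganizationalUnit $ddg.RecipientContainer |
    Sort-Object Name | Format-Table Name, PrimarySmtpAddress, Department -AutoSize
```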

Security Groups

While distribution groups are certainly valuable and need to be kept current to ensure security and productivity, AD security groups are even more important. Administrators rely on AD security groups to quickly and accurately provision users with the access permissions they need based on their roles in the organization. For example, you can create a security group named “Sales” and grant it access rights to the specific information, applications and other resources needed by members of the Sales department. Every user who is a member of a group automatically gets all the access rights assigned to that group.

Drawbacks of Static Security Groups

Just as with static distribution groups, IT teams face a constant struggle to ensure that exactly the right users are the members of each static security group. In fact, as employees shift roles within an organization over time, it’s common for them to retain membership in groups that are no longer relevant to their duties. For example, if someone moves from the Sales department to Marketing, they often retain permissions to Sales databases and other resources that they should no longer be able to access because no one removed them from the Sales-related groups. In addition, overburdened admins can make mistakes, such as adding a junior employee to a group like “Managers,” thereby giving them inappropriate access to sensitive information.

This overprovisioning is a serious problem for both security and regulatory compliance. On the flip side, IT teams sometimes fail to grant users membership in all the security groups that they should belong to, which can disrupt important business processes and burden the helpdesk.

Updating the Membership of Security Groups using Microsoft PowerShell

Administrators can use Windows PowerShell to create and populate a security group according to a query. They can also use a script to update the membership of a security group, instead of adding and removing members manually. For example, the following script ensures that the security group PseudoDynamicGroup is populated only with the users in a specified OU (desiredUsers):

    Import-Module ActiveDirectory

    # Define the variable 'groupname' and load it with the name of the group 'PseudoDynamicGroup'.
    $groupname = "PseudoDynamicGroup"

    # Define the variable 'users' and populate it with all the users in the specified OU.
    $users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"

    # Iterate through the users in the 'users' variable. Add each of them to the group
    # 'PseudoDynamicGroup' if they are not already a member (the "already a member" error is suppressed).
    foreach ($user in $users)
    {
        Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
    }

    # Define the variable 'members' and populate it with the current membership of the
    # security group 'PseudoDynamicGroup'.
    $members = Get-ADGroupMember -Identity $groupname

    # Iterate through the users in the 'members' variable. If any member is not in the specified OU,
    # remove them from 'PseudoDynamicGroup'. -Confirm:$false suppresses the prompt so the script
    # can run unattended.
    foreach ($member in $members)
    {
        if ($member.distinguishedname -notlike "*ou=desiredUsers,dc=domain,dc=tld*")
        {
            Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
        }
    }
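The script above is one instance of a general pattern: compute the desired membership from a query, diff it against the current membership, and apply only the changes. The following added example (not the article's or Netwrix's code) generalizes it to any LDAP filter, supports -WhatIf for a dry run, and refuses to empty a group when the query returns nothing; it assumes the RSAT ActiveDirectory module, and the group name, search base and filter are hypothetical.

```powershell
# Added example, not part of the article: sync a security group to an arbitrary LDAP query.
# Assumes the RSAT ActiveDirectory module; group, OU and filter values are hypothetical.
Import-Module ActiveDirectory

function Sync-ADGroupFromQuery {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $LdapFilter,
        [string] $SearchBase
    )

    # Desired membership: every user object matching the query (scoped to SearchBase if given).
    $params = @{ LDAPFilter = $LdapFilter }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    $desired = @(Get-ADUser @params)

    # Current direct membership. Anything not returned by the query, including nested groups
    # or computers someone added by hand, is treated as drift and removed.
    $current = @(Get-ADGroupMember -Identity $GroupName)

    # Safety check: an empty result usually means a bad filter or a directory problem,
    # not that everyone left. Fail loudly instead of stripping the group.
    if ($desired.Count -eq 0 -and $current.Count -gt 0) {
        throw "Query '$LdapFilter' returned no users; refusing to remove all $($current.Count) members of '$GroupName'."
    }

    # Diff on distinguishedName, which is unique across object types.
    # '<=' = in desired only (add); '=>' = in current only (remove).
    $diff     = Compare-Object -ReferenceObject $desired -DifferenceObject $current -Property distinguishedName
    $toAdd    = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object distinguishedName)
    $toRemove = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object distinguishedName)

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # Return the change set so each run can be logged and reviewed.
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

# Keep 'Sales-Staff' in sync with enabled users whose department is Sales.
# The userAccountControl clause excludes disabled accounts. Run with -WhatIf first.
Sync-ADGroupFromQuery -GroupName 'Sales-Staff' `
    -LdapFilter '(&(objectCategory=person)(objectClass=user)(department=Sales)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -SearchBase 'OU=Staff,DC=domain,DC=tld' -WhatIf
```

Drop -WhatIf to apply the changes; scheduling the call from a task keeps the group current without any manual edits.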

Limitations of Query-Based Security Groups Created via PowerShell

Obviously, painstakingly creating a PowerShell script like this for every AD security group is an enormous undertaking that requires specialized skills. In addition, the scripts need to be maintained, and new ones need to be written as new projects or teams are created. Many organizations simply do not have the IT resources to devote to this challenging and critical work, which leads them to look for a robust third-party solution like Netwrix GroupID.

Query-Based Groups with Netwrix GroupID

With Netwrix GroupID, you can easily create both distribution lists and security groups whose membership is dynamically determined using Active Directory queries. These query-based groups are called Smart Groups.

To create a Smart Group, you simply need to define an AD query for the group and set the schedule for running it. Each time the query runs, it fetches objects from the directory to update group membership. The query can be run manually or automatically on a defined schedule. As a result, unlike dynamic distribution lists created via Exchange, Netwrix GroupID distribution groups do not put undue stress on the Exchange server by running a query each time an email is sent to the group.

Creating Queries

With the Query Designer in Netwrix GroupID, you get an intuitive visual interface for creating queries; there is no need to write PowerShell commands. It has the following tabs:

  • General — Select the type of objects that can be members of the group.
  • Storage — Choose the mailboxes on any Exchange server or mailbox database.
  • Identity Store — Specify criteria for group membership. For example, you can use the location, company, department or employee ID attributes, and also apply logical conditions like AND and OR to further filter the results.
  • Advanced — Use external data sources like Oracle, ODBC, Microsoft SQL Server or text files to help determine the group’s membership.
  • Include/Exclude — Add or remove objects from the group’s membership regardless of the query result.
  • Smart Script — Write a script based on your own custom logic using the VB Script support.

Conclusion

Query-based security groups and distribution lists are invaluable for improving security and business productivity while slashing IT workload. However, with native options, using dynamic distribution lists can overburden your Exchange resources, and creating dynamic security lists requires extensive time and PowerShell expertise. Netwrix GroupID offers a powerful alternative: Smart Groups that make it easy to create and maintain dynamic security groups and distribution lists.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.