Because organizations like yours depend on distribution lists and security groups to do their jobs every day, inaccuracies in these lists or groups can have a significant adverse impact. For example, a single employee who’s missing from a distribution group could cause that person to miss the registration deadlines for health insurance. Or a security group with too many people might provide too much access to too many applications and resources.
We all know the reality of group management: no one in IT really wants to do it, so groups are often overlooked and undermanaged, leaving the state of your groups with potential situations like those mentioned above.
Groups are generally managed in one of three ways:
- Negligence: It’s just not done regularly. And even when it is, there is little or no thought put toward the impact on security and email access.
- IT-centric: In this case, a highly skilled person who is trained to tackle more critical tasks might become someone who is way too overpaid to manage groups (doing so in between the other more critical tasks). In the end, these people are also not paying much attention to the impact of their changes.
- User-centric: Instead of IT, users (i.e. managers, LOB owners, etc.) are responsible for managing group memberships. While providing a much more accurate membership, this approach lacks the IT oversight that helps ensure that security is properly maintained.
With the potentially huge amount of information about a user that’s held within Active Directory, it makes sense that you look at a more dynamic way to update groups. Instead of assigning the work of removing and adding users to staff or other departments that may or may not manage memberships properly, it is possible to simply use details like the user’s OU, title, or custom attribute to determine proper group membership.
The challenge is how to modify the groups dynamically and automatically.
Dynamically Managing Groups via PowerShell
One of the great things about PowerShell is that you can execute just about any kind of administrative task with it — and that includes dynamically managing groups. It’s as simple as you think: obtain a list of users based on a filter (existing within an OU, for example) and for each one place them into a group. The reverse is the same: look at a group’s members, and if they don’t meet a certain criteria, remove them.
Here’s a sample set of scripts (found via a simple search on the Internet):
$groupname = PseudoDynamicGroup
$users = Get-ADUser -Filter * -SearchBase “ou=desiredUsers,dc=domain,dc=tld”
foreach($user in $users)
{
Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
if($member.distinguishedname -notlike “*ou=desiredUsers,dc=domain,dc=tld*”)
{
Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
}
There are also more advanced scripts that execute these tasks with deeper levels of granularity. But no matter which script you use, PowerShell always has the same limitations:
- You need to run these scripts regularly
- There is no error reporting.
- Every group requires its own individual script.
It’s definitely possible to manage your groups dynamically using PowerShell, but doing so requires constant management to be effective.
Using Third-Party Tools
Tools like GroupID from Imanami automate the process by watching the changes to Active Directory and making the appropriate membership changes dynamically. The real value of tools like this is their ability to dynamically create groups using complex queries that would otherwise require a very high level of PowerShell scripting skills to accomplish — and their ability to accomplish those complex tasks in a matter of minutes. Additionally, the most common groups (based on location, for example) can be automatically generated, which helps align distribution and/or security groups to the business’s physical locations.
Doing Groups the Dynamic Way
There are clear benefits to dynamically managing groups. Without needing to be involved in the day-to-day management of these menial or mundane tasks, you can focus on strategic IT initiatives while knowing that the network is secure and that users are receiving their email properly. PowerShell provides some of the basics to get you started down this path, but if your organization is enterprise in nature, or if your dynamic group needs are a bit complex, you may need to consider third-party tools.
Jonathan Blackwell
View ProfileSince 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.