Active Directory dynamic security groups
With dynamic security groups, group memberships can be added or removed automatically just by
changing attributes of a user object.
Based on LDAP filters, the group membership can also be monitored.
FirstWare-DynamicGroup enables you to automate the authorization
management in Active Directory environments with dynamic security
Initial Situation AD group management
The granting of permissions in Active Directory environments is
managed by group membership. Authorization groups are used to set
permissions to file folders, printers or mailboxes.
Many companies define Active Directory groups to mirror their
organizational structure (departments, branches and so
on). Permissions can then be granted to all employees of a
particular department. When a new colleague starts work or changes
department, he has to be made a member of the
appropriate departmental AD group, so that he receives the same permissions
as all the other members of that department.
The risk: the longer employees stay in the company,
the more permissions they accumulate. A coworker who leaves a
department should be removed from that departmental group,
so that he ends up as a member of the new departmental
group only (not both).
In practice, new user accounts are often created by
copying an existing user account. If the selected source
account already has too many permissions, all of its
privileges are transferred directly to the new colleague.
With FirstWare-DynamicGroup, group memberships are managed
and automated based on user properties. As soon as a user object
no longer meets the condition of a predefined LDAP filter, it
is removed from the group.
Scenarios and Solutions for AD group management
Automated administration of
Usually, domain local groups are used to assign permissions to
resources, while global groups are used to reflect the
organizational structure of a company in the AD.
Global groups can be made members of authorization groups in order
to grant permissions. In this way, departmental
groups can easily be created as global groups, and all employees of a
particular department are then added to that global group.
Use FirstWare-DynamicGroup to create an LDAP filter that assigns
employees to a certain department group. The basis for this is the
Department attribute of the user objects.
The filter would look like this:
Automated administration of
Many AD administrators maintain location groups that include all
user objects of a certain site or location. These groups can be granted
site-specific permissions on general file shares, printers
or other resources.
To implement a dynamic group at site or location level, the search
root of the dynamic group is set to the location OU of the Active
Additionally, the LDAP filter of the dynamic group is configured
so that all user objects are included in this group:
Management of company related
If more than one company is managed within one Active Directory,
it makes sense to create one dynamic group for each company. This
group can be used for assigning permissions and as a base for mail
distribution lists. As we manage more than one company with Active
Directory, it is possible that several companies use the same
The configuration of the LDAP filter for a department that belongs
to a company might look like this:
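The three scenarios above (department group, site group with a search root, and company-specific department group) all come down to the same mechanism: evaluate an LDAP filter below a search root and reconcile the group's direct members against the result. The PowerShell below is an added example of that reconciliation written for this page; it is not FirstWare-DynamicGroup code. It assumes the RSAT ActiveDirectory module, an account that may modify the members of the target groups, and the group names, OU path, company and department values shown, which are all constructed for the example.

```powershell
# Added example (not FirstWare-DynamicGroup code): reconcile an AD group's direct
# user members against an LDAP filter, the way a dynamic group would.
# Assumes the RSAT ActiveDirectory module and write-members rights on the group.
Import-Module ActiveDirectory

function Sync-DynamicGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # target group (assumed name)
        [Parameter(Mandatory)] [string] $LdapFilter,  # membership condition
        [string] $SearchBase                          # optional search root (OU DN)
    )

    # Desired members: every user that matches the filter below the search root.
    $query = @{ LDAPFilter = $LdapFilter }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $desired = @{}
    Get-ADUser @query | ForEach-Object { $desired[$_.DistinguishedName] = $true }

    # Safety check: an empty result usually means a mistyped filter or search root,
    # and would otherwise empty the group. Abort instead of removing everyone.
    if ($desired.Count -eq 0) {
        Write-Warning "Filter '$LdapFilter' matched no users; $GroupName left unchanged."
        return
    }

    # Current direct user members (nested groups are deliberately left alone here).
    $current = @{}
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $current[$_.distinguishedName] = $true }

    # Wrapping the pipelines in @() yields an empty array, not $null, when nothing matches.
    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $dn
        }
    }
    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $dn -Confirm:$false
        }
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Departmental group: membership follows the Department attribute.
Sync-DynamicGroup -GroupName 'G-Dept-Sales' `
    -LdapFilter '(&(objectCategory=person)(objectClass=user)(department=Sales))' -WhatIf

# Site group: the search root (location OU) does the selection, the filter takes all users.
Sync-DynamicGroup -GroupName 'G-Site-Munich' `
    -SearchBase 'OU=Munich,OU=Sites,DC=example,DC=com' `
    -LdapFilter '(&(objectCategory=person)(objectClass=user))' -WhatIf

# Company-specific department group: both attributes must match.
Sync-DynamicGroup -GroupName 'G-Contoso-Sales' `
    -LdapFilter '(&(objectCategory=person)(objectClass=user)(company=Contoso)(department=Sales))' -WhatIf
```

Run it with -WhatIf first and review the planned additions and removals before dropping the switch. Once membership is driven by attributes, whoever can write the Department or Company attribute of a user effectively controls the group, so restrict write access to those attributes as carefully as membership of the group itself, and give the reconciliation account rights only on the groups it maintains.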
Automated resolution of nested
The nesting of groups in Active Directory is an issue that
should not be underestimated. If an administrator wants to check a
certain permission, he is often forced to look at the memberships
of several groups to find out, how a certain user has received the
DynamicGroup allows you to resolve nested group memberships
automatically. The software service periodically checks whether
other groups have been included in a DynamicGroup.
If a group is included in a dynamic group, its
memberships are automatically analyzed and all of its users are given a
direct membership in the dynamic group. The group object (of the included
group) is then removed from the dynamic group.
For this purpose, DynamicGroup provides the Flat Group
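The flattening step described above, as an added PowerShell example written for this page (not FirstWare-DynamicGroup code): the nested group objects found among a group's direct members are expanded to their user members, those users receive a direct membership, and the group objects are removed. It assumes the RSAT ActiveDirectory module and the constructed group name used in the call.

```powershell
# Added example (not FirstWare-DynamicGroup code): replace nested group members of a
# group with direct user memberships so that effective membership can be read directly.
# Assumes the RSAT ActiveDirectory module and write-members rights on the group.
Import-Module ActiveDirectory

function Expand-NestedGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $GroupName)   # group to flatten (assumed name)

    $direct       = @(Get-ADGroupMember -Identity $GroupName)
    $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })
    if ($nestedGroups.Count -eq 0) {
        return [pscustomobject]@{ Group = $GroupName; Added = 0; GroupsRemoved = 0 }
    }

    # Users that are already direct members need no change.
    $directUsers = @{}
    $direct | Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $directUsers[$_.distinguishedName] = $true }

    # -Recursive follows the nesting down to leaf objects (and copes with cycles),
    # so every user reachable through a nested group ends up in $resolved once.
    $resolved = @{}
    foreach ($g in $nestedGroups) {
        Get-ADGroupMember -Identity $g.distinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $resolved[$_.distinguishedName] = $true }
    }

    $toAdd = @($resolved.Keys | Where-Object { -not $directUsers.ContainsKey($_) })
    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add direct membership in $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $dn
        }
    }

    # Only after the users are direct members is the nested group object removed,
    # so an interrupted run never leaves anyone without access.
    foreach ($g in $nestedGroups) {
        if ($PSCmdlet.ShouldProcess($g.distinguishedName, "Remove nested group from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $g.distinguishedName -Confirm:$false
        }
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; GroupsRemoved = $nestedGroups.Count }
}

Expand-NestedGroup -GroupName 'G-Dept-Sales' -WhatIf
```

Two practical points: Get-ADGroupMember goes through Active Directory Web Services, whose default MaxGroupOrMemberEntries limit of 5000 makes it fail on very large groups, so check the group size before relying on it; and once a group is flattened, the nested group no longer explains why a user holds the permission, so keep a log of each run (the returned object is a start) if you need to answer that question later.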
If you are interested in an automated Active Directory
administration, please feel free to contact us. We are happy to
receive your question or request.