
Active Directory dynamic security groups

With dynamic security groups, group memberships are added or removed automatically simply by changing the attributes of a user object. Group membership can also be monitored automatically on the basis of LDAP filters.

FirstWare-DynamicGroup lets you automate permission management in Active Directory environments with dynamic security groups.



Initial situation: AD group management

Permissions in Active Directory environments are granted through group membership. Authorization groups are used to set permissions on file folders, printers or mailboxes.

Many companies define Active Directory groups that mirror their organizational structure (departments, branches and so on). Permissions can then be granted to all employees of a particular department at once. When a new colleague starts or an existing one changes department, he has to be made a member of the appropriate departmental AD group, so that he receives the same permissions as every other member of that department.

The risk: the longer employees stay with the company, the more permissions they accumulate. A coworker who leaves a department should be removed from that department's group, so that in the end he is a member of the new departmental group only, not both.

In practice, new user accounts are often created by copying an existing account. If the source account already has too many permissions, all of those privileges are transferred directly to the new colleague.

With FirstWare-DynamicGroup, group memberships are managed and automated on the basis of user properties. As soon as a user object no longer satisfies the condition of the predefined LDAP filter, it is removed from the group automatically.


Scenarios and Solutions for AD group management

Automated administration of department groups

Usually domain local groups are used to assign permissions to resources, while global groups reflect the organizational structure of the company in the AD.

Global groups can be made members of the authorization groups in order to grant permissions. Departmental groups can therefore simply be created as global groups, and all employees of a particular department are added to that global group.

Use FirstWare-DynamicGroup to create an LDAP filter that assigns employees to a particular department group. The basis for this is the Department attribute of the user objects.

The filter would look like this:


Automated administration of location groups

Many AD administrators maintain location groups that include all user objects of a certain site or location. These groups can get site-specific permissions regarding general file shares, printers or other resources.

To implement a dynamic group at site or location level, the search root of the dynamic group is set to the location OU in Active Directory:


Additionally, the LDAP filter of the dynamic group is configured so that all user objects below that search root are included in the group:


Management of company related group membership

If more than one company is managed within a single Active Directory, it makes sense to create one dynamic group per company. Such a group can be used for assigning permissions and as the basis for mail distribution lists. Because several companies share the same Active Directory, it is also possible that two companies use the same department name.

The configuration of the LDAP filter for a department that belongs to a company might look like this:

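As an added example (not FirstWare-DynamicGroup's own code or configuration), the following PowerShell script reconciles a group's direct user members against an LDAP filter and an optional search root, which is the mechanism all three scenarios above rely on: the department group, the location group driven by the search root, and the company-specific department group. The ActiveDirectory module, the group names, the OU path and the attribute values are assumptions; the filter-escaping helper and the empty-result guard are additions a practitioner would want, not features the page describes.

```powershell
# Added example, not FirstWare-DynamicGroup code. Reconciles a group's direct user members
# against an LDAP filter (optionally under a search root), the way a dynamic group works:
# users that match are added, users that no longer match are removed.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the target groups;
# group names, OU paths and attribute values below are hypothetical.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape a value per RFC 4515 before embedding it in a filter, so that a department
    # name such as "Sales (EMEA)" or a value containing "*" cannot widen or break the match.
    param([Parameter(Mandatory)][string]$Value)
    # Backslash must be escaped first; the later replacements introduce backslashes themselves.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Sync-DynamicGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,   # sAMAccountName or DN of the target group
        [Parameter(Mandatory)][string]$LdapFilter,      # filter selecting the intended user objects
        [string]$SearchBase                             # search root, e.g. a location OU; default is the domain
    )
    $query = @{ LDAPFilter = $LdapFilter; SearchScope = 'Subtree' }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    # Desired membership: every user object matching the filter below the search root.
    $desired = @(Get-ADUser @query)
    $desiredByDn = @{}
    foreach ($u in $desired) { $desiredByDn[$u.DistinguishedName] = $true }

    # Current membership: only direct user members are managed; nested groups, computers and
    # contacts are left untouched. Get-ADGroupMember stops at 5000 members by default;
    # read Get-ADGroup -Properties member for larger groups.
    $current = @(Get-ADGroupMember -Identity $GroupIdentity | Where-Object { $_.objectClass -eq 'user' })
    $currentByDn = @{}
    foreach ($m in $current) { $currentByDn[$m.distinguishedName] = $true }

    # Safety net: a mistyped filter or a renamed attribute matches nobody and would otherwise
    # strip every member (and with it every permission) in one run.
    if ($desired.Count -eq 0 -and $current.Count -gt 0) {
        throw "Filter '$LdapFilter' matched no users; refusing to empty group '$GroupIdentity'."
    }

    $toAdd    = @($desired | Where-Object { -not $currentByDn.ContainsKey($_.DistinguishedName) })
    $toRemove = @($current | Where-Object { -not $desiredByDn.ContainsKey($_.distinguishedName) })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupIdentity, "add $($toAdd.Count) user(s)")) {
        Add-ADGroupMember -Identity $GroupIdentity -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupIdentity, "remove $($toRemove.Count) user(s)")) {
        Remove-ADGroupMember -Identity $GroupIdentity -Members $toRemove -Confirm:$false
    }
    [pscustomobject]@{ Group = $GroupIdentity; Added = $toAdd.Count; Removed = $toRemove.Count; Members = $desired.Count }
}

# objectCategory=person excludes computer accounts, which also carry objectClass=user; the bitwise
# userAccountControl test (matching rule 1.2.840.113556.1.4.803) skips disabled accounts.
$userBase = '(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Scenario 1: department group, driven by the Department attribute of the user objects.
$dept = ConvertTo-LdapFilterValue 'Sales'
Sync-DynamicGroupMembership -GroupIdentity 'G-Dept-Sales' -LdapFilter "(&$userBase(department=$dept))"

# Scenario 2: location group. The search root is the location OU and the filter matches
# every user object beneath it.
Sync-DynamicGroupMembership -GroupIdentity 'G-Loc-Munich' -LdapFilter "(&$userBase)" `
    -SearchBase 'OU=Munich,OU=Locations,DC=example,DC=com'

# Scenario 3: company-specific department group, for when several companies in the same
# directory share a department name.
$company = ConvertTo-LdapFilterValue 'Contoso Ltd.'
Sync-DynamicGroupMembership -GroupIdentity 'G-Contoso-Dept-Sales' `
    -LdapFilter "(&$userBase(company=$company)(department=$dept))"
```

Run each call with -WhatIf first to see the planned additions and removals without modifying the directory. Two points matter in practice: attribute values such as department or company names usually come from an HR feed, so they are escaped before being placed in the filter (an unescaped "*" or ")" would otherwise change the filter's meaning), and a filter that matches nobody is treated as an error rather than as an instruction to empty the group, because one bad run would otherwise revoke every permission the group grants.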

Automated resolution of nested groups

Nesting of groups in Active Directory is an issue that should not be underestimated. When an administrator wants to check a particular permission, he is often forced to inspect the memberships of several groups to find out how a certain user received it.

DynamicGroup can resolve nested group memberships automatically. The DynamicGroup service periodically checks whether other groups have been added as members of a dynamic group.

If a group has been added to a dynamic group, its membership is analyzed automatically and all of its users are given direct membership in the dynamic group. The nested group object is then removed from the dynamic group.

For this purpose, DynamicGroup provides the Flat Group Option:

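As an added example (not FirstWare-DynamicGroup's own code), the following PowerShell script performs the flattening the text describes: every user reachable through nested groups becomes a direct member, then the nested group objects are removed. The ActiveDirectory module and the group name are assumptions; the cycle guard and the ordering of the two steps are additions a practitioner would expect, not features the page describes.

```powershell
# Added example, not FirstWare-DynamicGroup code. Flattens a group the way the text describes
# the Flat Group Option: every user reachable through nested groups becomes a direct member,
# then the nested group objects are removed. Assumes the ActiveDirectory module (RSAT) and
# rights to modify the group; the group name used at the bottom is hypothetical.
Import-Module ActiveDirectory

function Get-NestedGroupUsers {
    # Depth-first walk that emits the DNs of user objects below a group. $Seen is shared
    # across the recursion and stops membership cycles (A contains B, B contains A), which
    # AD allows and which would otherwise never terminate.
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][hashtable]$Seen
    )
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    foreach ($m in Get-ADGroupMember -Identity $GroupDn) {
        switch ($m.objectClass) {
            'user'  { $m.distinguishedName }
            'group' { Get-NestedGroupUsers -GroupDn $m.distinguishedName -Seen $Seen }
            default { }   # computers, contacts and foreign security principals are not flattened here
        }
    }
}

function Invoke-FlatGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupIdentity)

    $group   = Get-ADGroup -Identity $GroupIdentity
    $members = @(Get-ADGroupMember -Identity $group)
    $nested  = @($members | Where-Object { $_.objectClass -eq 'group' })
    if ($nested.Count -eq 0) {
        return [pscustomobject]@{ Group = $group.Name; GroupsRemoved = 0; UsersAdded = 0 }
    }

    $direct = @{}
    foreach ($m in $members) { if ($m.objectClass -eq 'user') { $direct[$m.distinguishedName] = $true } }

    # Collect every user reachable through the nested groups, de-duplicated. The target group
    # is pre-marked as seen so that a nested group pointing back at it is skipped.
    $seen = @{}
    $seen[$group.DistinguishedName] = $true
    $reachable = @{}
    foreach ($ng in $nested) {
        foreach ($dn in Get-NestedGroupUsers -GroupDn $ng.distinguishedName -Seen $seen) { $reachable[$dn] = $true }
    }
    $toAdd = @($reachable.Keys | Where-Object { -not $direct.ContainsKey($_) })

    # Order matters: grant the direct memberships first and only then drop the nested groups,
    # so that nobody loses access if the run is interrupted between the two steps.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "add $($toAdd.Count) direct user member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($PSCmdlet.ShouldProcess($group.Name, "remove $($nested.Count) nested group(s)")) {
        Remove-ADGroupMember -Identity $group -Members $nested -Confirm:$false
    }
    [pscustomobject]@{ Group = $group.Name; GroupsRemoved = $nested.Count; UsersAdded = $toAdd.Count }
}

# Dry run first: -WhatIf reports what would be added and removed without touching the directory.
Invoke-FlatGroup -GroupIdentity 'G-Dept-Sales' -WhatIf
```

Flattening makes the effective membership visible in one place, which is the point of the text, but it also freezes it: once the nested group object is gone, changes to that source group no longer propagate, so the flattening (or, in the scenario above, the filter-based reconciliation) has to run periodically rather than once. Members of the nested groups that are not user objects are deliberately not carried over, so check the nested groups for computer accounts or foreign security principals before removing them.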

Further Information

If you are interested in an automated Active Directory administration, please feel free to contact us. We are happy to receive your question or request.





©2019 FirstAttribute AG - All rights reserved.
