The filter would look like this:
Automated administration of location groups
Many AD administrators maintain location groups that include all user objects of a certain site or location. These groups can get site-specific permissions regarding general file shares, printers or other resources.
To implement a dynamic group at site or location level, the search root of the dynamic group is set to the location OU of the Active Directory:
Additionally, the LDAP filter of the dynamic group is configured so that all user objects are included in this group:
Management of company related group membership
If more than one company is managed within one Active Directory, it makes sense to create one dynamic group for each company. This group can be used for assigning permissions and as a base for mail distribution lists. Because more than one company is managed in the same Active Directory, several companies may use the same department name.
The configuration of the LDAP filter for a department that belongs to a company might look like this:
Delegation of dynamic group management
DynamicGroup 2020 introduced the possibility to delegate the maintenance of dynamic security groups.
The delegation is based on OUs. Local IT staff with OU admin permissions get a reduced view in the DynamicGroup Console. They only see the OUs they are in charge of, and they can only access the groups and dynamic groups in these OUs. It is not necessary to grant access rights to manage user objects or computer objects.
Example: Reduced view for the delegation of dynamic groups in Active Directory:
Automated resolution of nested groups
The nesting of groups in Active Directory is an issue that should not be underestimated. If an administrator wants to check a certain permission, he is often forced to look at the memberships of several groups to find out how a certain user has received the permission.
DynamicGroup allows you to resolve nested group memberships automatically. A service periodically checks whether other groups have been included in a dynamic group.
If a group is included in a dynamic group, the group memberships are automatically analyzed and all the users get a direct membership in the group. The group object (of the included group) is then removed from this group.
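The resolution step described above, as an added Python sketch that is not DynamicGroup's own code: it works on a constructed in-memory group table (all group and user names are made up), records the nesting path through which each user received membership, and tolerates circular nesting.

```python
from collections import deque

# Constructed sample data: group name -> direct members (users and groups mixed).
GROUPS = {
    "DG-Berlin": ["alice", "Helpdesk", "Contractors"],
    "Helpdesk": ["bob", "Tier2"],
    "Tier2": ["carol", "Helpdesk"],      # circular nesting: Tier2 <-> Helpdesk
    "Contractors": ["dave", "bob"],      # bob is reachable by two paths
}

def resolve_members(groups, root):
    """Breadth-first walk of the groups nested below root.

    Returns {user: path}, where path is the shortest chain of groups from
    root to a group that holds the user directly. The visited set stops
    circular nesting from looping forever.
    """
    paths = {}
    seen = {root}
    queue = deque([(root, (root,))])
    while queue:
        group, path = queue.popleft()
        for member in groups[group]:
            if member in groups:                 # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + (member,)))
            else:
                paths.setdefault(member, path)   # first hit is the shortest path
    return paths

def flatten(groups, root):
    """Return (new_members, removed_groups, audit) for a flat version of root.

    new_members holds users only; removed_groups are the group objects that
    were direct members of root and are dropped once they are resolved.
    """
    audit = resolve_members(groups, root)
    removed = [m for m in groups[root] if m in groups]
    return sorted(audit), removed, audit

if __name__ == "__main__":
    members, removed, audit = flatten(GROUPS, "DG-Berlin")
    print("flat members:", members)
    print("removed group objects:", removed)
    for user, path in sorted(audit.items()):
        print(f"{user}: via {' > '.join(path)}")
```

Keeping the audit paths before the group objects are removed preserves the answer to how a user received the permission, which the flat group no longer shows.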
For this purpose, DynamicGroup provides the Flat Group Option: