DynamicGroup to automate Active Directory group memberships


DynamicGroup is a tool by FirstAttribute that automates Active Directory group memberships in a matter of seconds, reducing the administration load and saving time.

Active Directory administrators know well that maintaining correct AD group memberships can be a very time-consuming task, with the risk of losing track of the permissions effectively granted. In particular, when a user moves between departments, all memberships have to be reviewed and adjusted for the new function. Sometimes permissions are left unchanged, which opens a potential security issue.

Administrators often copy existing users and use them as templates when creating new accounts. If memberships are not deleted or updated accordingly, they are assigned to the new account. Keeping track of granted permissions and group memberships can clearly become hard and get out of control. DynamicGroup is the tool that helps to solve this issue.



DynamicGroup to automate group memberships in AD

The software provides several features that help with the daily administration of an Active Directory environment:

  • Groups can be copied as templates
  • With an LDAP filter, group memberships can be created easily
  • Groups can be created by a bulk import process
  • Smart creation of groups based on attributes and OUs
  • A preview of a dynamic group is available to see the potential members
  • Set up include/exclude lists to manage group membership
  • Configure the time interval for filling or emptying the group



To use the DynamicGroup tool you must meet the following requirements:

  • Microsoft Windows Server 2008 R2 or higher
  • Windows Vista, 7, 8, 8.1, 10
  • .Net Version 4.5 (or higher)
  • Active Directory (minimum functional level Windows Server 2003)

DynamicGroup should not be installed on a Domain Controller since the software won't run for security reasons.



DynamicGroup is licensed based on the number of managed users (user objects).


How DynamicGroup works

DynamicGroup generates dynamic groups in Active Directory and assigns group memberships automatically. DynamicGroup is based on LDAP filters: it assigns group memberships to specific groups and monitors these groups automatically.

With dynamic security groups, group memberships can be added or removed automatically just by changing attributes of the user objects. The Department attribute of the user objects is used for this functionality.


Install DynamicGroup

Download the DynamicGroup software and double click the installer file. Click Next to proceed with the installation.


Accept the EULA and click Next.


Leave the default destination folder and click Next.


Click Install to install DynamicGroup.


The software is being installed in the system.


When the product has been installed, click Finish to exit the wizard.


Double click the icon to launch the software.


If no license is installed, the first run of the DynamicGroup software starts in Evaluation mode for 30 days (fully functional version). Click OK.



Initial Configuration

During the first run, the initial configuration wizard is displayed. Specify an account with Domain Administrator permissions used to access your Active Directory and click Next.


To benefit from the provided features, select the Extend Schema with new Attributes for use within Dynamic Group configuration option, then click Next.


Click Next.


Specify both Console and Service Administrator Group then click Apply.


The DynamicGroup Console is displayed.



Install the license

If you purchased the license, click the ? menu and select Install License.


Click Browse to pick the license file then click Install.


The license has been installed successfully. Click OK.



Configure DynamicGroup


Install service

The software makes use of services to add or remove users from groups. Select Services > Install Service to proceed with service installation.


Specify the user with administrative permissions to install the service on the target computer and click Next.


Select the Target Server through the Browse icon. Also specify a service account with Local Administrator permissions used to run the service, and leave the default value for Installation Path. Click Next.


Specify a different Search Root if required and specify the schedule of Dynamic Group members calculation. Click Install when done.


The service has been installed successfully. Click OK.


Select the Service section and specify the Preferred Domain Controller. DynamicGroup will query this DC first to get the information and to write changes. Click the Connect service button to start the service.



Configure a Dynamic Group

When you start DynamicGroup, a directory tree similar to what you can see in Active Directory Management console is displayed. In the Saved Query container you will find all the created queries.


To configure a dynamic group, from the console select an existing Active Directory group to access the Dynamic Groups configuration page.



Select Enable in the DynamicGroup section. New configuration pages are displayed if the group is marked as Enabled or Disabled.

Depending on the selected option for the group, you can have different behaviours:

  • Enabled - the group is updated every time the Dynamic Group service runs based on its settings.
  • Disabled - the group is not updated during the member calculation of the service.



Query Settings

The member calculation for the selected group is processed according to the settings specified on this page. A low number assigned to the group (1 by default for new groups) gives it a higher priority, and the service calculates these groups before lower-priority groups.



Member Query

On this page you configure the core functionality of DynamicGroup by creating the query that defines the Dynamic Group memberships.

Specify the way an OU is searched in AD (complete Subtree or one level only) as well as the Query Conditions.



Include / Exclude

Regardless of settings specified in the query, you can select specific objects to be included or excluded as members.



Members / Member of

In the Members tab you can see the current members of the group while the Member of tab displays a list of groups the selected Dynamic Group is a member of.

When the desired settings have been completed, click Save to save the configuration.


Changes are applied based on the DynamicGroup service schedule. To apply changes made to a Dynamic Group immediately, click Update Group.



Test the LDAP query

When the LDAP query has been configured, you can test the result by clicking the Preview button.


The result shows the members that will be added to the Dynamic Group. This lets you verify that DynamicGroup works as expected.


When the DynamicGroup service executes the query, members of the group will be updated based on the criteria specified in the corresponding query.
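An independent cross-check of what the Preview should show, as an added example that is not DynamicGroup's own code: it combines the member query result with the include/exclude lists and reports what differs from the current group. The DNs, the department value Sales, the group name GRP-Sales and the rule that Exclude wins over Include are assumptions.

```powershell
# Added example, not DynamicGroup code. Every DN below is constructed sample data.
# Against a live domain the two inputs would come from the ActiveDirectory module:
#   $matched = (Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(department=Sales))' `
#       -SearchBase 'OU=Staff,DC=example,DC=test' -SearchScope Subtree).DistinguishedName
#   $current = (Get-ADGroupMember -Identity 'GRP-Sales').DistinguishedName

function Get-DynamicGroupDrift {
    param(
        [string[]]$QueryMatches   = @(),  # DNs returned by the member query
        [string[]]$CurrentMembers = @(),  # DNs currently in the group
        [string[]]$Include        = @(),  # assumption: always members
        [string[]]$Exclude        = @()   # assumption: never members, wins over Include
    )
    # DNs are compared case-insensitively
    $cmp      = [System.StringComparer]::OrdinalIgnoreCase
    $expected = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in @($QueryMatches) + @($Include)) { [void]$expected.Add($dn) }
    foreach ($dn in $Exclude) { [void]$expected.Remove($dn) }

    $current = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $CurrentMembers) { [void]$current.Add($dn) }

    foreach ($dn in $expected) {
        if (-not $current.Contains($dn)) { [pscustomobject]@{ Action = 'Add'; Member = $dn } }
    }
    # Members the query no longer justifies: the stale access a review should catch
    foreach ($dn in $current) {
        if (-not $expected.Contains($dn)) { [pscustomobject]@{ Action = 'Remove'; Member = $dn } }
    }
}

# Constructed scenario: bob moved from Sales to Finance but is still in the group,
# carol matches the query but is on the exclude list, dave is a manual include.
$matched = 'CN=alice,OU=Staff,DC=example,DC=test', 'CN=carol,OU=Staff,DC=example,DC=test'
$current = 'CN=Alice,OU=Staff,DC=example,DC=test', 'CN=bob,OU=Staff,DC=example,DC=test'
$include = 'CN=dave,OU=Contractors,DC=example,DC=test'
$exclude = 'CN=carol,OU=Staff,DC=example,DC=test'

Get-DynamicGroupDrift -QueryMatches $matched -CurrentMembers $current `
    -Include $include -Exclude $exclude | Format-Table -AutoSize
```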


With the DynamicGroup tool, the management of group memberships can be automated by changing attributes of the user objects, and group membership can be monitored through LDAP filters. This solution helps keep the Active Directory environment secure and clean while reducing the load on the IT department.

DynamicGroup is available to download as a fully working 30-day trial.

