
Manage shadow groups (OUs) with DynamicGroup

Aug 21, 2023 (Last update) | Posted by Sophia Tunui | DynamicGroup, General

 

Shadow groups are closely related to organizational units (OUs) in Active Directory. But what exactly can these “shadow groups” do and why do you need them to manage organizational units in AD?

We will show you how to create dynamic OU groups (dynamic shadow groups) and authorize your organizational units using our DynamicGroup for AD tool. 

Index

  • What are shadow groups?
  • Why do you need shadow groups in AD?
  • How to create shadow groups with DynamicGroup?
  • Summary
  • About FirstAttribute

What are shadow groups?

Shadow groups are groups in Active Directory that map the members of an Organizational Unit (OU) in order to make security settings based on the OU structure. It is crucial that these groups always map the same content, i.e. that they are up-to-date. Therefore, only self-maintaining AD groups can be used for this purpose.

Why do you need shadow groups in AD?

OUs themselves cannot be used to set permissions and security policies in Active Directory. However, since there are many use cases where security settings based on OUs make sense, the concept of shadow groups was invented.

Such use cases may include:

  • Permissions on resources such as file shares
  • Network shares
  • Granular password policies

How to create shadow groups with DynamicGroup?

With DynamicGroup you can easily create shadow groups and have the advantage that the groups are automatically updated. If members are added to or removed from an OU, the shadow group is automatically adjusted.

To create a dynamic OU group or shadow group via DynamicGroup, first create a dynamic group via the DynamicGroup console. Now switch to the “Query Settings” tab and activate “Use Filter for OUs”.

[Screenshot: Use filters for OUs]

Next, switch to the “OU Filter” tab and make the following settings there:

[Screenshot: Define OU filter using special conditions]

In the blue-marked area you decide whether substructures should be included or only objects that are directly in the filtered OU. In our example, objects from sub-structures are also included in the dynamic group.

[Screenshot: Include sub-structures in filters]

The area highlighted in red is where you define the search root, i.e. the OU from which the search will be performed. This OU must be superordinate to the OU to be searched. However, it must also be ensured that no other OUs with the same name exist in the search area. Looking at our example, the search root is the location OU “US”, since our filter should refer to the department OUs and these only occur once per location.

In the green-marked area is the actual filter. In our example, we want only users of a departmental OU to be included in the shadow group. The filter is quite simple: we filter for the attribute “ou” to be equal to the value “Accounting”. Thus, in this OU filter, all OUs below the Search Root that match this filter will be selected.

You can see the result of the OU filter in the preview. Here only the OU “demofa.net/Corp/US/Accounting” is found, so everything is correct.

Finally, switch to the “Member Query” tab. Here you can choose which object types should be included in the shadow group. In our example we only want user objects.

[Screenshot: Select object types]
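The membership this procedure should produce can be checked independently of the tool. The following Python sketch is an added example, not part of DynamicGroup or the original article: it models the OU filter described above (search root, `ou` equal to "Accounting", sub-structures on or off, user objects only) on a constructed directory and reports drift against a group's actual member list. The DNs, the function names and the decision to reject an ambiguous OU match are assumptions of this example.

```python
# Constructed sample directory: (distinguishedName, objectClass). Not real data.
DIRECTORY = [
    ("OU=Accounting,OU=US,OU=Corp,DC=demofa,DC=net", "organizationalUnit"),
    ("OU=Payroll,OU=Accounting,OU=US,OU=Corp,DC=demofa,DC=net", "organizationalUnit"),
    ("OU=Accounting,OU=DE,OU=Corp,DC=demofa,DC=net", "organizationalUnit"),
    ("CN=Ann Lee,OU=Accounting,OU=US,OU=Corp,DC=demofa,DC=net", "user"),
    ("CN=Bob Ray,OU=Payroll,OU=Accounting,OU=US,OU=Corp,DC=demofa,DC=net", "user"),
    ("CN=ACC-PC01,OU=Accounting,OU=US,OU=Corp,DC=demofa,DC=net", "computer"),
    ("CN=Eva Koch,OU=Accounting,OU=DE,OU=Corp,DC=demofa,DC=net", "user"),
]
US_ROOT = "OU=US,OU=Corp,DC=demofa,DC=net"  # search root from the article's example

def rdns(dn):
    # Simplification: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]

def is_under(dn, base, direct_only=False):
    """True if dn lies strictly below base (only one level down if direct_only)."""
    d, b = rdns(dn), rdns(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return len(d) == len(b) + 1 if direct_only else True

def match_ous(directory, search_root, ou_name):
    """OUs below the search root whose 'ou' attribute equals ou_name."""
    want = "ou=" + ou_name.lower()
    return [dn for dn, cls in directory
            if cls == "organizationalUnit"
            and rdns(dn)[0] == want and is_under(dn, search_root)]

def expected_members(directory, search_root, ou_name,
                     include_sub=True, classes=("user",)):
    ous = match_ous(directory, search_root, ou_name)
    # Strict choice of this example: a same-named OU elsewhere in the
    # search area would silently widen the group, so refuse to continue.
    if len(ous) != 1:
        raise ValueError(f"OU filter matched {len(ous)} OUs: {ous}")
    return {dn for dn, cls in directory
            if cls in classes and is_under(dn, ous[0], not include_sub)}

def drift(expected, actual):
    """Compare expected OU content with the group's actual members."""
    e = {x.lower() for x in expected}
    a = {x.lower() for x in actual}
    return {"missing": sorted(e - a), "stale": sorted(a - e)}
```

Members reported as stale still hold whatever the group grants although they are no longer in the OU; raising the search root to `OU=Corp,DC=demofa,DC=net` makes the filter ambiguous and the check fails instead of merging both Accounting OUs.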

Summary

Shadow groups are a useful concept when managing permissions in Active Directory. Using DynamicGroup not only makes it easier to create shadow groups, it also turns them into dynamic shadow groups that are automatically updated. DynamicGroup is the fastest and most performant solution for shadow groups in the enterprise environment, which can also be used by multiple admins.


About FirstAttribute

FirstAttribute is an independent cloud services and software company focused on Identity & Access Management (IAM) for AD and M365/Azure AD. You can learn more about our team at Company.

DynamicGroup has been a popular tool for AD administrators for many years to manage group memberships in AD in a coordinated and secure way. The application is used worldwide by companies in a wide range of industries. Continuous updates ensure that the application remains up to the growing demands in IT and does exactly what it promises.

Article created on: 21.08.2023
Tags: organizational units, OUs, shadow groups