Manage shadow groups (OUs) with DynamicGroup
Shadow groups are closely related to organizational units (OUs) in Active Directory. But what exactly can these “shadow groups” do and why do you need them to manage organizational units in AD?
We will show you how to create dynamic OU groups (dynamic shadow groups) and authorize your organizational units using our DynamicGroup for AD tool.
What are shadow groups?
Shadow groups are groups in Active Directory that map the members of an Organizational Unit (OU) in order to make security settings based on the OU structure. It is crucial that these groups always map the same content, i.e. that they are up-to-date. Therefore, only self-maintaining AD groups can be used for this purpose.
Why do you need shadow groups in AD?
OUs themselves cannot be used to set permissions and security policies in Active Directory. However, since there are many use cases where security settings based on OUs make sense, the concept of shadow groups was invented.
Such use cases may include:
- Permissions on resources such as file shares
- Network shares
- Granular password policies
How to create shadow groups with DynamicGroup?
With DynamicGroup you can easily create shadow groups and have the advantage that the groups are automatically updated. If members are added to or removed from an OU, the shadow group is automatically adjusted.
To create a dynamic OU group or shadow group via DynamicGroup, first create a dynamic group via the DynamicGroup console. Now switch to the “Query Settings” tab and activate “Use Filter for OUs”.
Next, switch to the “OU Filter” tab and make the following settings there:
In the blue-marked area you decide whether substructures should be included or only objects that are directly in the filtered OU. In our example, objects from sub-structures are also included in the dynamic group.
The area highlighted in red is where you define the search root, i.e. the OU from which the search will be performed. This OU must be superordinate to the OU to be searched. However, it must also be ensured that no other OUs with the same name exist in the search area. Looking at our example, the search root is the location OU “US”, since our filter should refer to the department OUs and these only occur once per location.
In the green-marked area is the actual filter. In our example, we want only users of a departmental OU to be included in the shadow group. The filter is quite simple: we filter for the attribute “ou” to be equal to the value “Accounting”. Thus, in this OU filter, all OUs below the Search Root that match this filter will be selected.
You can see the result of the OU filter in the preview. Here only the OU “demofa.net/Corp/US/Accounting” is found, so everything is correct.
Finally, switch to the “Member Query” tab. Here you can choose which object types should be included in the shadow group. In our example we only want user objects.
Shadow groups are a useful concept when managing permissions in Active Directory. Using DynamicGroup not only makes it easier to create shadow groups, it also turns them into dynamic shadow groups that are automatically updated. DynamicGroup is the fastest and most performant solution for shadow groups in the enterprise environment, which can also be used by multiple admins.
FirstAttribute is an independent cloud services and software company focused on Identity & Access Management (IAM) for AD and M365/Azure AD. You can learn more about our team at Company.
DynamicGroup has been a popular tool for AD administrators for many years to manage group memberships in AD in a coordinated and secure way. The application is used worldwide by companies in a wide range of industries. Continuous updates ensure that the application remains up to the growing demands in IT and does exactly what it promises.