With DynamicGroup you can define OU filters for self-updating AD groups.
Thus, only very specific OUs are searched for users and included in a dynamic group.
A group with a defined OU filter goes beyond simple OU groups and OU-related site groups.
With OU filters, we want to manage permissions through specific sub-OUs.
Organising groups in AD can be easy: DynamicGroup and the OU filters let you quickly create dynamic groups based on specific OUs.
The advantage of dynamic groups is that they are updated automatically.
Whether in a dynamic OU group or directly in an OU group, changes are updated automatically.
Let us clarify the functionality of the OU filter in two examples, based on the following OU structure (picture on the right):
The green arrow shows the sub OUs for which we want to create a dynamic group.
Create a new dynamic group via the DynamicGroup console and also select
“Use Filter for OUs” under “Query Settings” to display the required tab.
The following examples are about adding users from specific OUs to a dynamic group.
For some basic information, see the page/article OU Groups and Site permissions in AD.
Example 1
Include users from specific OUs (IT, Accounting) in a dynamic group.
Example 2
Include users from similar OUs (users) within a location in a dynamic group.
With the Active Directory Users and Computers Console (ADUC) it is not possible to authorize OUs or to create OU groups.
It is only possible to manually go through all sub-OUs and add all users (step by step) to a group.
However, the generated group will not be updated automatically.
Fortunately, there is a much faster method.
This example shows how to include users from specific OUs (IT, Accounting) in a dynamic group.
Under the tab “OU Filter” you need to carry out the following settings:
In the blue-marked area, you can choose whether to include sub structures or only objects that are directly in the filtered OU.
In our example, objects from sub structures are also included in the dynamic group.
In the red-marked area, we determine the Search root, thus the OU from which objects are selected. In this example, this is the site OU.
In the green-marked area is the actual filter. In this simple example, we only filter that the attribute “ou” has the value “IT” or “Accounting“.
This will select all OUs below the search root corresponding to this filter in this OU filter.
You can look at the result of the OU filter in the preview. The OUs “demofa.net/Corp/US/Accounting” and “demofa.net/Corp/US/IT” are found here.
Depending on whether you only want to include users in the dynamic group or other objects, you must also make restrictions under the “Member Query” tab. In our example, we restricted the members of the dynamic group to user objects. In this tab you can no longer select Search Root because the OUs (Search Roots) are used by the OU filter.
Once we have created the dynamic group, we no longer need to make any customizations to users, as the dynamic group will now do it for you.
This example explain how to include users from specific OUs (Users) within a site in a dynamic group.
Under the tab “OU Filter” you must now carry out the following settings:
In the gren-marked area is our OU filter, which filters out all OUs with the name “Users”. To obtain this result, you have to set “ou is equal Users” in the Query Builder. The result of the preview shows that four OUs with the name “Users” were found in the Search root “US”. Here too, the Member Query tab can be set according to its requirements.
Sites or departments are often mapped via OU structures in Active Directory.
You can use this with DynamicGroup to your advantage.
Simply create dynamic groups with OU filtering.
The Smart Creation Wizard is available for the intelligent mass creation of groups.
Attribute-based groups (ex: for locations) are created in the same way as dynamic department groups.
© 2023 · FirstAttribute AG.