3.4 Managing Dynamic Groups

A dynamic group is one whose membership changes based on a defined set of criteria. Until now, dynamic groups were available only in the Exchange environment, but they can now also be created in Active Directory.

The graphic below describes a typical use for an Active Directory dynamic group. There are three dynamic groups in the graphic. Each group has a set of criteria that determines who can be added to the group and who cannot. Each group controls access to a specific set of files, folders, and applications.

HINT: You can create a static member list that contains permanent members of the dynamic group; you can also create an excluded member list that denies those users membership in the dynamic group.

User2 has recently joined the IT department. When the IT department’s dynamic group is updated, she will be added to the group. When the Sales department’s dynamic group is updated, User2 will be removed from its members list.

HINT: You can refresh a dynamic group’s member list by right-clicking it and selecting Update Members.

User3, who has left the IT department for the HR department, will be removed from the IT department dynamic group and added to the HR department dynamic group.

Create a dynamic group

You can create a dynamic group in the managed domain or managed subtree. You can also modify properties, such as group members, for the new dynamic group.

NOTE:

  • Your company may have a naming convention enforced through policy that determines the name you can assign to the new dynamic group.

  • By default, DRA places the new dynamic group in the Users OU of the managed domain.

Create a filter

The dynamic group uses the filter to add or remove users from its membership list each time the group is refreshed.

Manage the static member list

Users placed on a dynamic group’s static member list become permanent members of the group until you manually remove them.

When you remove members from a dynamic group, DRA does not delete the objects. When you add members to a dynamic group, you must have the power to modify the objects you want to add.

Manage the excluded member list

Users placed on a dynamic group’s excluded member list will not be allowed to join the group until you manually remove them from this list.

Refresh the member list

You can refresh the members in a dynamic group by using the Update Members action.
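The refresh semantics described in the filter, static member list, excluded member list and Update Members sections can be modelled as a single rule: members = (filter matches ∪ static list) − excluded list. The following Python is an added illustration of that rule, not DRA's own code; the directory contents, group names and the `department` attribute are constructed sample data, and `HelpdeskSvc` and `Contractor1` are hypothetical accounts.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Constructed sample directory (user -> attributes); not real data.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "User1": {"department": "IT"},
    "User2": {"department": "IT"},      # just moved from Sales to IT
    "User3": {"department": "HR"},      # just moved from IT to HR
    "User4": {"department": "Sales"},
    "Contractor1": {"department": "IT"},
}

@dataclass
class DynamicGroup:
    name: str
    filter: Callable[[Dict[str, str]], bool]                 # membership criteria
    static_members: Set[str] = field(default_factory=set)    # permanent until removed by hand
    excluded_members: Set[str] = field(default_factory=set)  # never admitted, even if they match
    members: Set[str] = field(default_factory=set)           # current (possibly stale) list

    def update_members(self, directory: Dict[str, Dict[str, str]]) -> Tuple[Set[str], Set[str]]:
        """Model of the Update Members action: recompute the list as
        (filter matches | static) - excluded and return (added, removed)."""
        matched = {u for u, attrs in directory.items() if self.filter(attrs)}
        new_members = (matched | self.static_members) - self.excluded_members
        added, removed = new_members - self.members, self.members - new_members
        self.members = new_members
        return added, removed

def department_filter(dept: str) -> Callable[[Dict[str, str]], bool]:
    """Filter criterion: the user's department attribute equals dept."""
    return lambda attrs: attrs.get("department") == dept

def build_groups() -> Dict[str, DynamicGroup]:
    """The three department groups in their stale, pre-refresh state."""
    it = DynamicGroup("IT", department_filter("IT"),
                      static_members={"HelpdeskSvc"}, excluded_members={"Contractor1"},
                      members={"User1", "User3", "HelpdeskSvc"})
    sales = DynamicGroup("Sales", department_filter("Sales"), members={"User2", "User4"})
    hr = DynamicGroup("HR", department_filter("HR"))
    return {g.name: g for g in (it, sales, hr)}

def refresh_all(groups: Dict[str, DynamicGroup], directory) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Refresh every group; the (added, removed) deltas are what an audit log should record."""
    return {name: g.update_members(directory) for name, g in groups.items()}

if __name__ == "__main__":
    groups = build_groups()
    for name, (added, removed) in refresh_all(groups, DIRECTORY).items():
        print(f"{name}: +{sorted(added)} -{sorted(removed)} -> {sorted(groups[name].members)}")
```

Note that the excluded Contractor1 matches the IT filter but is still kept out, and the static HelpdeskSvc stays in IT even though no directory attribute matches the filter.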

Clone a dynamic group

You can clone both local and global dynamic groups in managed domains. Cloning dynamic groups creates new dynamic groups of the same type and attributes as the original dynamic group.

By cloning a dynamic group, you can quickly create dynamic groups based on other dynamic groups with similar properties. When you clone a dynamic group, DRA populates the Clone Dynamic Group Wizard with values from the selected dynamic group. You can also modify properties for the new dynamic group.

Move a dynamic group to another container

You can move a dynamic group to another container, such as an OU, in the managed domain or managed subtree.

Delete a dynamic group

You can delete local and global dynamic groups in the managed domain or managed subtree. If the Recycle Bin is disabled for that domain, deleting a dynamic group permanently removes it from Active Directory. If the Recycle Bin is enabled for that domain, deleting a dynamic group moves it to the Recycle Bin and disables the dynamic group’s properties.

For more information on the Recycle Bin, see Managing the Recycle Bin.

WARNING: When you create a dynamic group, Microsoft Windows assigns a Security Identifier (SID) to that dynamic group. The SID is not derived from the dynamic group name. Microsoft Windows uses SIDs to record privileges in access control lists (ACLs) for each resource. If you delete a dynamic group, you cannot restore that dynamic group’s access rights by creating a new dynamic group with the same name, because the new group receives a different SID and the existing ACL entries still reference the old one.

Modify dynamic group properties

You can modify properties for local and global dynamic groups. The powers you have determine which properties you can modify for a group in the managed domain or managed subtree.

Add dynamic groups to other dynamic groups

You can nest dynamic groups by adding a dynamic group to another managed dynamic group. When a dynamic group is nested in another dynamic group, the child dynamic group can inherit permissions from the parent dynamic group.

NOTE: If adding a dynamic group to another dynamic group increases your powers for the source dynamic group, DRA will not permit you to add the dynamic group.

Configure group membership security permissions

You can set Active Directory security permissions for dynamic group memberships. These permissions specify who can view (read) and modify (write) dynamic group memberships from Microsoft Outlook. These settings let you secure distribution lists and dynamic security groups in your environment more effectively. You cannot modify inherited security permissions.

NOTE: When you manage dynamic group membership security, disabled permissions may indicate inherited permissions.

Configure dynamic group ownership

You can grant the dynamic group ownership permission to a user account, group, or contact. Granting dynamic group ownership allows the specified user account, group, or contact to modify the membership of this dynamic group.

Expose dynamic group memberships in distribution lists

You can expose dynamic group memberships in distribution lists for groups in the managed domain or managed subtree.

Hide dynamic group memberships from distribution lists

You can hide dynamic group memberships in distribution lists for groups in the managed domain or managed subtree.

NOTE: The Hide Group Membership option is disabled for Microsoft Exchange 2007 distribution lists.