This is a PowerShell script to ensure that all users meeting specified conditions are members of a corresponding dynamic group. It also makes sure users not meeting the conditions are not members of the group. The script can be run periodically to maintain the group membership. A Fine-Grained Password Policy can be applied to the group.

Dynamic groups include all users that meet specified conditions, but no other users. The conditions are specified by Active Directory attribute values of the users. For example, it could be all users in the Accounting department, with the department attribute equal to "Accounting". Another example could be users with the company attribute equal to "Contoso" and the title attribute equal to "Manager". Any conditions that can be expressed as an LDAP syntax filter involving Active Directory attributes of the users can be used. See the link near the bottom of this page for documentation of LDAP syntax filters.

Fine Grained Password Policies (FGPP) can only be applied to users and groups. A dynamic group is the best way to apply a FGPP to all users meeting specified conditions. There is no automatic mechanism in Active Directory to keep a dynamic group membership up to date. A script must be run periodically to update the membership. The script must remove any members of the group that no longer meet the conditions, and add any users that are not in the group but meet the conditions. This PowerShell script is designed to accomplish this task.

Features:

  1. Writes a log file documenting all users removed from or added to the group.
  2. The log file documents all the specified settings, including the filter used to determine which users meet the specified conditions.
  3. Performs all updates to the group on the same specified domain controller to avoid any replication problems.
  4. Can include only enabled users in the group, or include all users meeting the conditions.
  5. Removes an array of users from the group in one bulk operation. Also adds an array of users to the group in one bulk operation.
  6. Only allows at most 4000 users to be removed or added to the group at once. This is to avoid excessive network traffic and long-running transactions. You can run the script repeatedly to process more users.
  7. The script only considers user objects and ignores other classes of objects, so the dynamic group can also contain computer, contact, or group objects that the script will neither add nor remove.
  8. The script validates the distinguished name of the dynamic group.
  9. The total numbers of users added to and removed from the group are documented in the log file.
  10. You can specify $Update = $False, in which case the script only reports what it would do, without actually updating the dynamic group.

The script exits with an error message under the following conditions.

  1. The specified group distinguished name is invalid.
  2. The specified group is not a group object.
  3. The specified domain controller is not available.
  4. The specified domain controller does not support the Active Directory modules.
  5. The log file is invalid or cannot be written to.

To run the script in your environment for your purpose, you must assign values to the following variables in the configuration section of the script.

Variable       Description
$Server        The DNS name of a domain controller that supports the PowerShell AD modules.
$LogFile       The path and name of a log file. If it does not exist it will be created.
$Update        $False means the script only reports what it would do. $True means the script updates the group.
$EnabledOnly   $True means the script only considers enabled users. $False means it considers all users.
$Filter        An LDAP syntax filter expressing the conditions that must be met for a user to be a member of the dynamic group. Clauses for considering only enabled users, and for membership in the dynamic group, will be added by the script. Only include clauses for your conditions.
$GroupDN       The distinguished name of the corresponding dynamic group. The group must exist, but it can be empty.
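The reconciliation the page describes (query users that match the filter but are not yet members, query members that no longer match, log both sets, and only change the group when $Update is $True), written out as an added example. This is not the page's own DynamicGroup.txt script; the server name, log path, and group DN are placeholder values, and the 4000-member limit and the enabled-user clause follow the page's description.

```powershell
# Added example, not the page's DynamicGroup.txt. Values below are placeholders.
Import-Module ActiveDirectory

$Server      = "dc01.contoso.com"                                  # assumed DC
$LogFile     = "C:\Logs\DynamicGroup.log"                          # assumed path
$Update      = $False                                              # report only
$EnabledOnly = $True
$Filter      = "(&(company=Contoso)(title=Manager))"
$GroupDN     = "CN=Contoso Managers,OU=Groups,DC=contoso,DC=com"   # assumed DN
$MaxChanges  = 4000                                                # per-run cap

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding UTF8
}

# Validate the group DN against the chosen DC and confirm it really is a group.
try   { $Group = Get-ADObject -Identity $GroupDN -Server $Server }
catch { Write-Error "Group '$GroupDN' not found on $Server"; exit 1 }
if ($Group.ObjectClass -ne 'group') { Write-Error "'$GroupDN' is not a group"; exit 1 }

# Bit 2 of userAccountControl (ACCOUNTDISABLE) identifies disabled accounts; the
# bitwise-AND matching rule excludes them when only enabled users are wanted.
# Note: a DN containing ( ) * or \ would need RFC 4515 escaping inside a filter.
$Enabled = if ($EnabledOnly) { "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" } else { "" }
$UserBase = "(objectCategory=person)(objectClass=user)"

# Users meeting the conditions that are not yet direct members of the group.
$ToAdd = Get-ADUser -Server $Server -LDAPFilter "(&$UserBase$Enabled$Filter(!(memberOf=$GroupDN)))" |
         Select-Object -First $MaxChanges

# Direct user members of the group that no longer meet the conditions.
$ToRemove = Get-ADUser -Server $Server -LDAPFilter "(&$UserBase(memberOf=$GroupDN)(!(&$Enabled$Filter)))" |
            Select-Object -First $MaxChanges

Write-Log "Group=$GroupDN Filter=$Filter EnabledOnly=$EnabledOnly Update=$Update Server=$Server"
foreach ($u in $ToRemove) { Write-Log "Remove $($u.DistinguishedName)" }
foreach ($u in $ToAdd)    { Write-Log "Add    $($u.DistinguishedName)" }

# Bulk operations on the same DC, so no replication race between the two changes.
if ($Update) {
    if ($ToRemove) { Remove-ADGroupMember -Identity $GroupDN -Members $ToRemove -Server $Server -Confirm:$False }
    if ($ToAdd)    { Add-ADGroupMember    -Identity $GroupDN -Members $ToAdd    -Server $Server }
}
Write-Log "Removed $(@($ToRemove).Count), added $(@($ToAdd).Count) user(s); Update=$Update"
```

Run it first with $Update = $False and review the log before letting it change membership; with a Fine-Grained Password Policy attached to the group, every add or remove changes which policy applies to that user.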

Some example LDAP syntax filters that could be used in the script follow. None of the filters are case sensitive.

A filter to include all users in the domain with the title attribute equal to "Accountant":

$Filter = "(title=Accountant)"

A filter to include all Engineers in the domain. The "*" character is the wildcard character.
This filter would include titles "Electrical Engineer", "Mechanical Engineer", etc.:

$Filter = "(title=*Engineer)"

A filter to include all Engineers, Accountants, and Managers. The "|" character is the Or operator:

$Filter = "(|(title=*Engineer)(title=Accountant)(title=Manager))"

A filter to include users that have company "Contoso" and title "Manager".
The "&" character is the And operator:

$Filter = "(&(company=Contoso)(title=Manager))"

A filter to include all Engineers and Accountants in the Contoso company. This would be users
with company "Contoso" and either a title ending with "Engineer" or with title "Accountant":

$Filter = "(&(company=Contoso)(|(title=*Engineer)(title=Accountant)))"

Documentation of LDAP syntax filters is here: Active Directory: LDAP Syntax Filters

DynamicGroup.txt: the script file, available to view or download.