Dynamically build Active Directory Security Groups
Question:
We have a legacy application that will dynamically build distribution/security groups based on active directory attributes. For example, if someone has “IT Department” for their department, they will be added to the IT Department group. We are looking to replace this system, since it is no longer supported.
We use these dynamic lists as security groups to authenticate to SharePoint, so using the built-in Active Directory “Query-Based Distribution Lists” is not an option. I’m having a difficult time finding a solution to fulfill this need. All of the solutions I have found are very costly and do way more than what we need.
I am hoping that some of you can provide me with the name of the applications that you use to build dynamic distribution/security groups. I want to hear from other IT pros, rather than salesmen who think their product is the best.
Solution:
Ahh yeah, I saw that one as well. Every time I’ve done something like that it’s been with a script (generally a horribly complex one at that).
On the groups though, the script is extremely simple.
If you were to grab this:
http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx
And these (which are also free):
http://www.quest.com/activeroles-server/arms.aspx
And if you could get the users you need with an LDAP query then all that’s needed to add and remove members to the group is this:
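# Collect the distinguished names of every user matching the LDAP filter
$Members = Get-QADUser -LdapFilter "(someAttribute=someValue)" | %{ $_.DN }
# Overwrite the group's member attribute with exactly that list
Set-QADGroup "GroupName" -ObjectAttributes @{member=$Members}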
You could have it load the group name and ldapFilter combinations from a CSV file, or database, etc.
It could be a lot more selective of course; this simply overwrites the group membership without further regard.
It can also be done with only PowerShell if preferred. The Quest commands are just to make life easier; MS are a bit behind on releasing their own AD cmdlets (not due until we get Windows 2008 R2).
Chris
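A more selective version of the approach in the answer above, as an added example that is not part of the original post: it reads group/filter pairs from CSV data and applies only the difference, instead of overwriting the member attribute, and it refuses to act when a filter matches nobody or would change too many members, which matters when the groups control SharePoint access. The group names, filters, CSV column names, `$DryRun` and `$MaxChange` are constructed for illustration; the cmdlets are from the Quest ActiveRoles Management Shell linked in the answer.

```powershell
# Added example: delta-based group sync using the Quest AD cmdlets.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

$DryRun    = $true   # hypothetical switch: report only; set to $false to apply
$MaxChange = 25      # assumed safety limit on adds + removes per group per run

# Constructed sample mapping. In practice load it with Import-Csv from a file
# that only administrators can modify, since it decides who gets access.
$Rules = @'
GroupName,LdapFilter
IT Department,(department=IT Department)
Finance Department,(department=Finance)
'@ | ConvertFrom-Csv

foreach ($Rule in $Rules) {
    $Group = $Rule.GroupName
    # -SizeLimit 0 lifts the default result cap so large sets are not truncated.
    $Wanted  = @(Get-QADUser -LdapFilter $Rule.LdapFilter -SizeLimit 0 | ForEach-Object { $_.DN })
    $Current = @(Get-QADGroupMember -Identity $Group -SizeLimit 0 | ForEach-Object { $_.DN })

    # An empty result usually means a broken filter, not an empty department.
    if ($Wanted.Count -eq 0) {
        Write-Warning "${Group}: filter matched no users, skipping"
        continue
    }

    # -notcontains is case-insensitive, which suits distinguished names.
    # Non-user members (nested groups, computers) will show up in $ToRemove.
    $ToAdd    = @($Wanted  | Where-Object { $Current -notcontains $_ })
    $ToRemove = @($Current | Where-Object { $Wanted  -notcontains $_ })

    $Changes = $ToAdd.Count + $ToRemove.Count
    if ($Changes -gt $MaxChange) {
        Write-Warning "${Group}: $Changes changes exceeds limit of $MaxChange, skipping for manual review"
        continue
    }

    # Each line written here doubles as an audit record of the membership change.
    foreach ($DN in $ToAdd) {
        Write-Output "ADD    $Group <- $DN"
        if (-not $DryRun) { Add-QADGroupMember -Identity $Group -Member $DN | Out-Null }
    }
    foreach ($DN in $ToRemove) {
        Write-Output "REMOVE $Group -> $DN"
        if (-not $DryRun) { Remove-QADGroupMember -Identity $Group -Member $DN | Out-Null }
    }
}
```

Run it with `$DryRun = $true` first and review the ADD/REMOVE lines before letting it change membership on a schedule.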












