
Dynamic group membership based on user properties

When a group does not contain the correct members, access to resources or to a network application can fail. Ensuring that group membership is correct therefore goes a long way toward reducing calls about failures to access resources. One way to ensure that the correct users are in a group is to use user properties to place users into the correct groups.

Let’s look at the following example. Say you have an HR application that all HR employees need to be able to access on a daily basis. Users who are members of the HR_App1 group are given this access. You also have a specific task within the HR application that only HR managers should be able to access. Users who are members of the HR_App1_Managers group are given this access.

For each of these group memberships, you can rely on the user account properties to give you control over which users should belong to each group.

To configure these group memberships automatically, you can follow a few easy steps in ADManager Plus. First, you need to set up an Automation Policy to add users to the HR_App1 group, which you can see in Figure 1.


Figure 1. Automation Policy to add users to the HR_App1 group.

Now, you need to specify which users will be added to the group. To do this, you set up an automation. The automation points to the Automation Policy from above and names the report you want to use to select the users. Since we only want the HR employees, we are going to pick the Enabled Users report (to select all user accounts in AD that are active) and then filter based on department, which is HR. You can see what this automation looks like in Figure 2 and what the filter looks like in Figure 3.


Figure 2. Automation to point to the correct Automation Policy and to select which user accounts will be selected.


Figure 3. Report filter to select only the users from HR.

Finally, you select the schedule time at which you want to run the automation.

For our other group, you will set up another Automation Policy and automation; however, for this group membership, you will also specify the user title, which in this case will be HR manager, as shown in Figure 4.


Figure 4. By using the AND option, you can narrow the HR employees to only HR managers.

By leveraging the user account properties, you can be very specific about which users are added to the correct groups. In addition to department and title, you can also use this for OU membership and other properties.
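The same two rules expressed with the Microsoft ActiveDirectory PowerShell module, as an added example that is not ADManager Plus functionality or the author's own script. It goes beyond the steps above by also reporting members who no longer match the rule; the function name `Sync-PropertyGroup` and the rule table are assumptions, and the loop runs with `-WhatIf` so no membership is changed.

```powershell
#Requires -Modules ActiveDirectory

# Bitwise LDAP match on the ACCOUNTDISABLE flag (value 2), negated, so only
# enabled accounts are selected (the equivalent of the Enabled Users report).
$enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Rule table (assumed layout): group name -> LDAP filter over user properties.
$rules = @{
    'HR_App1'          = "(&(department=HR)$enabled)"
    'HR_App1_Managers' = "(&(department=HR)(title=HR manager)$enabled)"
}

function Sync-PropertyGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $LdapFilter
    )

    # Users the rule says should be members.
    $want = @(Get-ADUser -LDAPFilter $LdapFilter |
              Select-Object -ExpandProperty DistinguishedName)

    # Users that are direct members today (nested groups and computers ignored).
    $have = @(Get-ADGroupMember -Identity $Group |
              Where-Object objectClass -eq 'user' |
              Select-Object -ExpandProperty distinguishedName)

    $toAdd    = @($want | Where-Object { $_ -notin $have })
    $toRemove = @($have | Where-Object { $_ -notin $want })

    if ($toAdd -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) user(s)")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    # Stale members: moved department, changed title, or account disabled.
    if ($toRemove -and $PSCmdlet.ShouldProcess($Group, "remove $($toRemove.Count) user(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }

    # Return the delta so the run can be logged or reviewed.
    [pscustomobject]@{ Group = $Group; ToAdd = $toAdd; ToRemove = $toRemove }
}

# Dry run: report what would change for each rule without touching the groups.
foreach ($rule in $rules.GetEnumerator()) {
    Sync-PropertyGroup -Group $rule.Key -LdapFilter $rule.Value -WhatIf
}
```

Review the `ToRemove` list before dropping `-WhatIf`: any account that was added to the group by hand and does not match the filter will appear there.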


Derek Melber

Derek Melber is the Technical Evangelist for the ADSolutions team at ManageEngine. As a Directory Services MVP, he is highly sought after the world over for his knowledge, insight, and keen understanding of the Windows product line, especially Active Directory. Derek has helped Active Directory administrators, auditors, and security professionals around the world understand the finer points of Active Directory, Group Policy, Group Policy Preferences and Security. He writes for, speaks to, and educates thousands of IT professionals around the world every year through his blogs, books, seminars, webinars, etc.
