How to Copy Logic of a Dynamic Group

Question

Hi All, 
 
 Does anyone know of a way to copy the logic from one dynamic group to another or even reuse the same logic with a slight change for an existing group? 
 
 Example - 
 
 We have 3 user types but the Dynamic Groups only give options to use "and" or "or", I can't get them to both be included so we have to have 3 identical rules but for each of the user types. 
 User types = Regular, Contractor, Vendor 
 Location = Can't be location1 and can't be location2 and can't be location3. 
 Desired result = All regular, contractors and vendors whose location is not one of those 3.

I would have to create a rule that says UserType is exactly Regular and location is not location1 and location2 and location3. 
 I would then have to do the same for usertype Contractor and Vendor as well. 
 Is there a way to either use "And" and "or" in the same rule (Usertype is Regular or Contractor or Vendor) and location is not location1 and location is not location2 and location is not location3. 
 If there is no way to do the above, can I simply build it out for "Regular" and then copy the logic some how and just update it to "Contractor" and "Vendor". 
 I have some groups with dozens of "locations" that I would need to recreate multiple times for each user type. 
 
 Thanks 
 
 Josh

Stu.Pollock · Answer

Hi Josh 
 
 One option is to change the query you're using in your dynamic group "include by query" membership rule.

In my lab I have 20 user objects, as below: 
 
 In my example 
 Location = City (ldap name "l") 
 User Type = employee type (ldap name "employeeType" 
 
 I created a Dynamic group called "DG-Test", where: 
 Find = Custom Search 
 In= OU structure containing my test accounts 
 LDAP Query: 
 (&(samAccountType=805306368)(&(!(l=location1))(!(l=location2))(!(l=location3)))(|(employeeType=Regular)(employeeType=Contractor)(employeeType=Vendor))) 
 
 LDAP Query breaks down as follows: 
 (& 
 (samAccountType=805306368) 
 (& 
 (!(l=location1)) 
 (!(l=location2)) 
 (!(l=location3)) 
 ) 
 (| 
 (employeeType=Regular) 
 (employeeType=Contractor) 
 (employeeType=Vendor) 
 ) 
 ) 
 Results are:

The query in essence has 3 sections 
 
 The object type we're looking for (samAccountType=805306368) 
 The locations to exclude (!(l=location1)) 
 The user types we want to include (employeeType=Regular) 
 
 So we want to only include: 
 User Account ( 805306368 SAM_NORMAL_USER_ACCOUNT ) 
 AND 
 City is NOT location1 
 AND 
 City is NOT location2 
 AND 
 City is NOT location3 
 AND 
 User Type is Regular 
 OR 
 User Type is Contractor 
 OR 
 User Type is Vendor 
 
 The problem we (myself include) usual make when writing an LDAP Query (other than the usual mismatch of brackets) is confusing when AND should be used vs OR, especially when you're looking at something that is not true. As in speech we're saying "any user, where they are not in London, New York or Paris, and the are of type Regular, Contractor or vendor" 
 If we implement the query as we speak it, we get the below... as the location "OR" block (|(!(l=location1))(!(l=location2))(!(l=location3))) means that all our users are in scope 
 
 For example, if we were to plug user "test 1" properties into that query we'd get 
 NOT Location 1 = FALSE 
 NOT Location 2 = TRUE 
 NOT Location 2 = TRUE 
 As an OR logical operator, we have at least one true, therefore its all true... and its included (when it shouldn't be) 
 As an AND logical operator, we need all to be true, therefore "test 1" would not be included 
 Where are for users "test 4" and "test 5" both would be included as their locations are not any we're interested it. 
 
 Hope this helps.