Is it possible to convert an existing security group to a dynamic group using PowerShell?

Hey.

We have a number of normal security groups in our AD (most of them empty) that we'd like to convert to dynamic groups with membership rules. Is it possible to convert them using PowerShell? Also, if possible, what if the existing group already contained members, can they be rolled over into the dynamic group?

Many thanks,

SJ

  • Here's some sample code to convert a group to dynamic and create a membership rule:

    # Bind to the group through the Active Roles ADSI provider (EDMS://), not LDAP://
    $GroupObj = [ADSI]"EDMS://CN=Test_Dynamic_1,OU=Group,DC=companyb,DC=local"

    # Set the dynamic group flag and commit it
    $GroupObj.Properties["edsaIsDynamicGroup"].Value = $true
    $GroupObj.CommitChanges()

    # Begin creating a membership rule set - note that you have to be bound to the group via Active Roles
    $RuleCollection = $GroupObj.MembershipRuleCollection

    # Begin creating a membership rule
    $NewRule = New-Object -ComObject "EDSIManagedUnitCondition"
    $NewRule.Base = "EDMS://DC=CompanyB,DC=local"

    # Use the MMC to help you figure out the syntax for the LDAP filter - the filter is stored in AccountNameHistory
    $NewRule.Filter = "(&(&(|(&(objectCategory=person)(objectSid=*)(!(sAMAccountType:1.2.840.113556.1.4.804:=3)))(&(objectCategory=person)(!(objectSid=*)))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(!(userAccountControl:1.2.840.113556.1.4.804:=2048)))(&(department=Engineering)(objectClass=user)))"
    $NewRule.Type = 1 # Include by Query

    # Add the rule to the collection and write the group back
    $RuleCollection.Add($NewRule)
    $GroupObj.SetInfo()

  • Hey,

    Thanks for the expanded response. I've been trying to work with Rule.Type=3 (include explicitly rule), to add members that were present before the group is converted to dynamic. I'm having problems with adding multiple members though.

    For example,

    I grab the existing group members with...

    $grpMembers = (Get-QADGroup $groupName).members

    Then I loop through the members, to try and add them to the base...

    foreach ($grp in $grpMembers)
    {
        $grpAdd = $grp.replace("CN=","EDMS://CN=")
        $rule1.Base = (($grpAdd).ToString())
        $objRuleCollection.Add($rule1)
    }

    But this only leaves the last DN in the loop in $rule1.base.

    I also tried adding DNs to $rule1.base as a comma separated list of DNs, prefixed by "EDMS://", but this threw an error when attempting to $objGroup.SetInfo().

    Is it possible to have multiple conditions (DNs included explicitly) contained in the same ruleset? Or, will I have to dynamically define a rule for every group member I want to add explicitly? If so, what is the maximum number of rules I can apply?

    As always, your support is greatly appreciated!

    SJ

  • I've created "(Additional)" groups for this:
    - Dynamic Group: Group X
    - Normal Group: Group X (Additional)

    Group X then has all the rules I want to populate it with and then an additional rule to include members from "Group X (Additional)". This way it's very easy to delegate out one-offs to someone else.
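
The conversion from the first answer, the one-rule-per-former-member approach SJ was trying to get working, and the "(Additional)" group pattern from the last comment, put together as an added example (this is not code from the thread or from Active Roles itself). It assumes the Active Roles ADSI provider (EDMS://) is installed and the caller may modify the group, uses the EDSIManagedUnitCondition object with its Base/Filter/Type properties and the rule-type values 1 (include by query) and 3 (include explicitly) exactly as the thread gives them, and treats the group DNs, search base and department filter as placeholders. Pulling in the additional group's members through a memberOf query is my choice of mechanism; Active Roles has a dedicated group-membership rule type, but its numeric value is not given in the thread, so it is not used here.

```powershell
# Added example, not code from the original thread. Assumes the Active Roles
# ADSI provider (EDMS://) is installed and the caller may modify the group.
# The EDSIManagedUnitCondition COM object, its Base/Filter/Type properties and
# the rule type values (1 = include by query, 3 = include explicitly) are as
# used in the thread; group/OU names below are placeholders.

$IncludeByQuery    = 1
$IncludeExplicitly = 3

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter, e.g. a DN that
    # contains parentheses such as "CN=Group X (Additional),...". Backslash
    # must be escaped first so the escapes inserted afterwards are not doubled.
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function New-ArsMembershipRule {
    param([int]$Type, [string]$Base, [string]$Filter = '')
    # A fresh COM object per rule. Re-using one object and changing its Base in
    # a loop leaves only the last DN, because Add() stores a reference to the
    # same object every time.
    $rule = New-Object -ComObject 'EDSIManagedUnitCondition'
    $rule.Type = $Type
    $rule.Base = $Base
    if ($Filter) { $rule.Filter = $Filter }
    return $rule
}

function ConvertTo-ArsDynamicGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupDN,       # group to convert
        [Parameter(Mandatory)][string]$SearchBase,    # EDMS:// path the query rule searches under
        [Parameter(Mandatory)][string]$QueryFilter,   # LDAP filter for the query rule
        [string]$AdditionalGroupDN                    # optional static "(Additional)" group
    )

    $group = [ADSI]('EDMS://' + $GroupDN)

    # 1. Snapshot the static membership first. Once the group is dynamic,
    #    Active Roles derives 'member' from the rules, so anything not covered
    #    by a rule is removed.
    $existing = @($group.Properties['member'] | ForEach-Object { [string]$_ })
    Write-Verbose ('Preserving {0} existing member(s)' -f $existing.Count)

    # 2. Flip the dynamic-group flag and commit it (as in the thread).
    $group.Properties['edsaIsDynamicGroup'].Value = $true
    $group.CommitChanges()

    $rules = $group.MembershipRuleCollection

    # 3. One explicit-include rule per former member. Prefix the whole DN;
    #    replacing "CN=" would also hit container RDNs such as CN=Users.
    foreach ($dn in $existing) {
        $rules.Add((New-ArsMembershipRule -Type $IncludeExplicitly -Base ('EDMS://' + $dn)))
    }

    # 4. The ongoing rule-based membership.
    $rules.Add((New-ArsMembershipRule -Type $IncludeByQuery -Base $SearchBase -Filter $QueryFilter))

    # 5. Delegated one-offs: pull in members of the static "(Additional)" group
    #    with a memberOf query (assumption: a query rule is used here because
    #    the dedicated group-membership rule type's value is not in the thread).
    if ($AdditionalGroupDN) {
        $memberOfFilter = '(memberOf=' + (ConvertTo-LdapFilterValue $AdditionalGroupDN) + ')'
        $rules.Add((New-ArsMembershipRule -Type $IncludeByQuery -Base $SearchBase -Filter $memberOfFilter))
    }

    $group.SetInfo()
    return $existing.Count
}

# Usage (placeholder names):
$preserved = ConvertTo-ArsDynamicGroup -Verbose `
    -GroupDN 'CN=Test_Dynamic_1,OU=Group,DC=companyb,DC=local' `
    -SearchBase 'EDMS://DC=companyb,DC=local' `
    -QueryFilter '(&(objectCategory=person)(objectClass=user)(department=Engineering))' `
    -AdditionalGroupDN 'CN=Test_Dynamic_1 (Additional),OU=Group,DC=companyb,DC=local'
"Converted; $preserved former member(s) kept via explicit rules"
```

Two things to check before running this against a real group: read the member snapshot before flipping the flag and confirm the count matches what you expect (a very large group may need the members read in ranges, which this example does not do), and run it against a test group first, because once `SetInfo()` succeeds Active Roles rebuilds the membership from the rules and any member you failed to capture is gone.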

