Query based security groups

Discussion in 'Active Directory' started by Eric Baines, Apr 28, 2006.

  Eric Baines

    I know you can produce query based distribution lists based on an LDAP query
    of AD.

    I want to be able to produce a security group that is based on data held in
    AD - and the distribution list mechanism doesn't seem to help. So for
    instance, I have a security group that says anyone with the word 'Manager' in
    their job title has full access to the internet - I have their job title in
    AD. At the moment, any update of the security group is manual - I'd just like
    to automate it. Does anyone have any idea if I can do this?

    I'm quite happy with a process with automatic and periodic updates. So for
    instance, having a script that runs every night, to use LDAP queries to
    update a security group so it is up to date. I just don't know if it can be
    done and if so how it can be done.

    Any ideas or pointers gratefully received.


    Eric Baines, Apr 28, 2006

  Joe Richards [MVP]

    No, you can't produce native security groups that are query based.

    If the application supports AzMan then you can use that to produce query based

    Other than that, you get to use a tool like MIIS or other syncing tool to manage
    the group membership OR write a script that occasionally runs that collects the
    list of users you want to add, then updates the group membership. Scripting help
    can be found in the TechNet Script Center or in books such as the one in the
    signature below or The Active Directory Cookbook.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    Joe Richards [MVP], Apr 28, 2006
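
The scheduled-script approach described in the reply above, as an added example that is not part of the thread and is not code from any of its posters. It uses the ActiveDirectory PowerShell module; the group name and search base are assumed placeholders, and the removal threshold is an assumed safety margin.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed placeholder names: replace with your own group and search base.
    [string]$GroupName  = 'Internet-FullAccess',
    [string]$SearchBase = 'DC=example,DC=com',
    # Abort if more than this fraction of current members would be removed.
    [double]$MaxRemovalRatio = 0.25
)

# Enabled user accounts whose title contains "Manager". The bitwise-AND
# matching rule on userAccountControl (bit 2) excludes disabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)(title=*Manager*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# -ErrorAction Stop: a failed query must abort the run, not look like "no users".
$wanted  = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -ErrorAction Stop |
             Select-Object -ExpandProperty DistinguishedName)

# Only direct user members are managed; nested groups and computers are left alone.
$current = @(Get-ADGroupMember -Identity $GroupName -ErrorAction Stop |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty distinguishedName)

# -notin compares strings case-insensitively, which suits distinguished names.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

# Safety guard: an empty or truncated query result must not empty the group.
if ($current.Count -gt 0 -and ($toRemove.Count / $current.Count) -gt $MaxRemovalRatio) {
    throw "Refusing to remove $($toRemove.Count) of $($current.Count) members; check the query."
}

if ($toAdd.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -Confirm:$false
}
if ($toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# Emit one record per change so the scheduled task's output is an audit trail.
$toAdd    | ForEach-Object { [pscustomobject]@{ Time = Get-Date; Action = 'Add';    Member = $_ } }
$toRemove | ForEach-Object { [pscustomobject]@{ Time = Get-Date; Action = 'Remove'; Member = $_ } }
```

Run it with `-WhatIf` first to see the planned changes without touching the group. Because membership now follows the title attribute, anyone who can write that attribute can grant the access, so write permission on it needs the same control as the group itself.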
  Eric Baines

    Wow - thanks for such rapid replies - they have certainly given me some more
    options to try.

    Thanks again

    Eric Baines, Apr 28, 2006
