-
Title
Dynamic Groups - Common Questions and Scenarios -
Description
Some common questions about Dynamic Groups in Active Roles:- After a Dynamic Group has been created, when and how often is its membership evaluated?
- What Dynamic Group limitations exist?
- Can Dynamic Groups be copied, including membership rules?
-
Resolution
1. After a Dynamic Group has been created, when and how often is its membership evaluated?
The Dynamic Group is processed immediately and as the Administration Service uses Microsoft's directory synchronization (DirSync) control to retrieve changes that occur in Active Directory (AD), it is constantly evaluated and updated accordingly.
This ensures the following:- The Active Roles Administration Service always has up-to-date information about all directory objects.
- The membership lists of all administrative views (Managed Units) and query-based dynamic groups are correct and up to date.
- Once an object is created, renamed, or moved in Active Directory, the Administration Service appropriately updates all views, groups and security settings.
2. What Dynamic Group limitations exist?
From the Active Directory point of view, a Dynamic Group is a normal group. For that reason, limitations within Active Directory regarding group membership limits will apply. The Dynamic Groups policy settings allow you to accommodate this accordingly. Refer to the Dynamic Groups Policy section of the Administrator Guide for more information regarding specific policy settings available.
Dynamic Groups can be limited depending on the Active Directory environment. Depending on your Forest and Domain functional levels, group membership limits may be in effect.
3. Can Dynamic Groups be copied, including membership rules?
The creation and modification of membership rules is only supported using the Active Roles MMC/console. The Active Roles Web Interface does not support creating, modifying, or viewing of Dynamic Group membership rules.
The Dynamic Group Checker Builtin Scheduled task verifies the configuration of Dynamic Groups to ensure that the membership list of each Dynamic Group is updated in a timely manner. If an update does not occur within a certain time period, this task adjusts the edsaDGOriginatingService setting that the Dynamic Group Updater task relies upon. The time period is specified on the Parameters tab in the Task Properties dialog box, and can be configured by assigning an appropriate value to the DG update latency threshold parameter.
The Dynamic Group Updater Builtin Scheduled task rebuilds membership lists of Dynamic Groups in accordance with the current membership rule settings. It processes only those Dynamic Groups that have edsaDGOriginatingService set to the Administration Service on which this task is executed. The edsaDGOriginatingService setting can be configured on the Membership Rules tab in the Dynamic Group Properties dialog box.Dynamic Group membership queries are based on LDAP requirements, and must be generally similar to "Does attribute x equal value y?" It is not possible to query something similar to "Does attribute x equal attribute z?"
While it is possible to create a Dynamic Group that is nested (contains one or more Dynamic Groups), this scenario is not recommended and will likely cause significant performance issues within Active Roles. In particular, including the following custom LDAP query will cause a significant amount of overhead on the target Active Directory Domain Controllers:
(edsaIsDynamicGroup=true)
CONCLUSION
Dynamic groups are updated by the Active Roles Administration Service during three operations:- If the dynamic group is edited (eg. membership criteria changed).
- During a DirSync event that has a user update matching the dynamic group criteria. For example: If dynamic group is based on Description=Sales, then ARS will listen for DirSync updates for all users having the Description=Sales. If it finds this, it will immediately update the dynamic group.
- During nightly dynamic group update scheduled task run. This updates only the DGs whose membership has been changed that day, else it will not rebuild DGs.
- When Dynamic Groups are copied in Active Roles, the final group will be a standard Active Directory Security Group. Membership rules are not retained in the target group, however the members of the source group will be members of the target group statically.
For more information please see What attribute contains the information on how a Dynamic Group is built?