-
Title
Dynamic Groups - Common Questions and Scenarios -
Description
Some common questions about Dynamic Groups in Active Roles:
1. After a Dynamic Group has been created, when and how often is its membership evaluated?
2. Are there any issues to be aware of when using Dynamic Groups in mixed-mode environment?
3. What Dynamic Group limitations exist?
4. Can Dynamic Groups be copied, including membership rules? -
Resolution
1. The Administration Service uses Microsoft's directory synchronization (DirSync) control to retrieve changes that occur in Active Directory (AD). (Please see Knowledge Article 19418, for additional information about Active Roles and DirSync.)
This ensures the following:
- The Active Roles Administration Service always has up-to-date information about all directory objects.
- The membership lists of all administrative views (Managed Units) and query-based dynamic groups are correct and up to date.
- Once an object is created, renamed, or moved in Active Directory, the Administration Service appropriately updates all views, groups and security settings.2. From the Active Directory point of view, a Dynamic Group is a normal group. For that reason, limitations within Active Directory regarding group membership limits will apply. The Dynamic Groups policy settings allow you to accommodate this accordingly. Please see the "Dynamic Groups Policy" section of the Administrator Guide for more information regarding specific policy settings available.
3. As stated previously, Dynamic Groups can be limited depending on the Active Directory environment. Depending on your Forest and Domain functional levels, group membership limits may be in effect.
The "Dynamic Group Checker" Builtin Scheduled task verifies configuration of Dynamic Groups to ensure that the membership list of each Dynamic Group is updated in a timely manner. If update does not occur within a certain time period, this task adjusts the "edsaDGOriginatingService" setting that the Dynamic Group Updater task relies upon. The time period is specified on the Parameters tab in the Task Properties dialog box, and can be configured by assigning an appropriate value to the "DG update latency threshold" parameter.
The "Dynamic Group Updater" Builtin Scheduled task rebuilds membership lists of Dynamic Groups in accordance with the current membership rule settings. It processes only those Dynamic Groups that have "edsaDGOriginatingService" set to the Administration Service on which this task is executed. The "edsaDGOriginatingService" setting can be configured on the "Membership Rules" tab in the Dynamic Group Properties dialog box.Dynamic Group membership queries are based on LDAP requirements, and must be generally similar to "Does attribute x equal value y?" It is not possible to ask something similar to "Does attribute x equal attribute z?"
Conclusion:
Dynamic groups are updated by the Active Roles Administration Service during three operations:
- If the dynamic group is edited (eg. membership criteria changed)
- During a DirSync event that has a user update matching the dynamic group criteria. For example: If dynamic group is based off of Description=Sales, then ARS will listen for DirSync updates for all users having the Description=Sales. If it finds this, it will immediately update the dynamic group.
- During nightly dynamic group update scheduled task run
4. When Dynamic Groups are copied in Active Roles, the final group will be a standard Active Directory Security Group. Membership rules are not retained in the target group, however the members of the source group will be members of the target group statically.
For more information please see What attribute contains the information on how a Dynamic Group is built?