Functionality
Dynamic Groups allow for the automation of group membership based on rules, which can consist of explicit include/exclude queries and specific objects.
Possible membership rules can be any combination of the following rule sets:
- Include Explicitly
- Include by Query
- Include Group Members
- Exclude Explicitly
- Exclude by Query
- Exclude Group Members
When multiple rules are configured, the order of precedence is as follows:
- Exclude Explicitly
- Include Explicitly
- Exclude by Query
- Exclude Group Members
- Include by Query
- Include Group Members
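As an added illustration of the precedence list above (example code, not part of Active Roles or this article), the following model applies the six rule sets from lowest to highest precedence, on the assumption that a higher-precedence rule wins any conflict; the object DNs, attributes, group names and rules are constructed sample data.

```python
# Added example: a model of Dynamic Group membership resolution. Assumption: a higher-
# precedence rule wins a conflict, so rules apply lowest-to-highest and later steps override.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class Rules:
    include_explicit: Set[str] = field(default_factory=set)   # member DNs
    exclude_explicit: Set[str] = field(default_factory=set)
    include_query: List[Callable[[Dict[str, str]], bool]] = field(default_factory=list)
    exclude_query: List[Callable[[Dict[str, str]], bool]] = field(default_factory=list)
    include_groups: List[str] = field(default_factory=list)   # group DNs
    exclude_groups: List[str] = field(default_factory=list)

def resolve_membership(objects: Dict[str, Dict[str, str]],
                       groups: Dict[str, Set[str]], rules: Rules) -> Set[str]:
    """Return the DNs that end up in the Dynamic Group (precedence order from the article)."""
    members: Set[str] = set()
    for g in rules.include_groups:                       # 6. Include Group Members
        members |= groups.get(g, set())
    for q in rules.include_query:                        # 5. Include by Query
        members |= {dn for dn, attrs in objects.items() if q(attrs)}
    for g in rules.exclude_groups:                       # 4. Exclude Group Members
        members -= groups.get(g, set())
    for q in rules.exclude_query:                        # 3. Exclude by Query
        members -= {dn for dn, attrs in objects.items() if q(attrs)}
    members |= rules.include_explicit                    # 2. Include Explicitly
    members -= rules.exclude_explicit                    # 1. Exclude Explicitly
    return members

# Constructed sample directory (DNs, attributes and groups are made up).
BASE = "OU=Users,DC=example,DC=com"
OBJECTS = {
    f"CN=alice,{BASE}": {"department": "Sales"},
    f"CN=bob,{BASE}":   {"department": "Sales"},
    f"CN=carol,{BASE}": {"department": "Engineering"},
    f"CN=dave,{BASE}":  {"department": "Sales"},
}
GROUPS = {
    "CN=Contractors,OU=Groups,DC=example,DC=com": {f"CN=bob,{BASE}", f"CN=dave,{BASE}"},
    "CN=Engineering,OU=Groups,DC=example,DC=com": {f"CN=carol,{BASE}"},
}
SAMPLE_RULES = Rules(
    include_groups=["CN=Engineering,OU=Groups,DC=example,DC=com"],
    include_query=[lambda a: a.get("department") == "Sales"],
    exclude_groups=["CN=Contractors,OU=Groups,DC=example,DC=com"],
    exclude_query=[lambda a: a.get("department") == "Engineering"],
    include_explicit={f"CN=dave,{BASE}"},    # explicit include beats the Contractors exclude
    exclude_explicit={f"CN=alice,{BASE}"},   # explicit exclude beats everything
)
```

With the sample rules only dave remains: carol is removed by the Engineering query exclude, bob by the Contractors group exclude, alice by the explicit exclude, and dave is restored by the explicit include.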
Dynamic Groups are updated continuously: Active Roles issues DirSync requests every 2 seconds and immediately updates any Dynamic Group whose rules match a changed object, whether that means adding or removing a member.
For all versions of Active Roles prior to 7.5.5, 7.6.3, 8.0.1, and 8.1.1, Dynamic Groups are not updated immediately if a request contains more than 1000 changes. For instance, if a bulk update exceeds 1000 changes to the Dynamic Group, Active Roles skips the immediate update and the group is updated when the Dynamic Group Updater scheduled task next runs (default 3:00 AM UTC). Alternatively, you can click Rebuild on the Members tab of the group to force the update.
Starting in Active Roles 7.5.5, 7.6.3, 8.0.1, and 8.1.1, this limitation has been removed. Dynamic Groups will now update immediately, regardless of the number of changes.
In general, the membership list of a Dynamic Group is updated in any of these cases:
- Membership rule has been modified.
- Group type has been changed.
- Membership list has exceeded a limit, so nested groups have been generated.
- Membership list has been modified by an external tool, such as Active Directory Users and Computers.
- Rebuild of the membership list has been initiated manually, from the Members tab in the Dynamic Group Properties dialog box.
- Given a membership rule based on linked attributes (such as Include Group Members), the forward link attribute (such as Members) has been modified.
Potential Issues
For versions prior to 7.5.3:
When the Dynamic Group Updater scheduled task runs, the conditions are evaluated, a membership list is created, and its entries are then processed one by one. If the scheduled task detects an error during this processing, it halts the update and the group may be left in an incorrect membership state. In this scenario, the Dynamic Group must be manually rebuilt by opening the group and clicking Rebuild.
A rebuild will clear all Dynamic Group members and then re-add them.
NOTE: Starting in 7.5.3, Active Roles performs a Delta operation on all rebuilds, and will no longer clear the entire group membership, unless the rules have been modified to cause this.
If the above issue occurs, you may see one of the following errors in the Active Roles Event log:
ERROR 2523:
Error when updating Dynamic Group.
Failed to update membership list of Dynamic Group.
Details: Administration Service encountered an error when making changes to the object 'CN=group,OU=Group,DC=mydomain,DC=com'. The specified account does not exist. (Exception from HRESULT: 0x80070525).
ERROR 2524:
Error when updating Dynamic Group.
Failed to lookup object when updating membership list of Dynamic Group. The object may have been deleted.
Object: <>
Dynamic Group: <>
Additional errors include:
- 2520 - Failed to remove object
- 2521 - Failed to add object
- 2522 - Failed to update nested group
- 2525 - Failed to remove useless rule
- 2526 - Failed to resolve condition
- 2527 - Failed to load Dynamic Group from domain
If any of the above errors are logged, you will have to perform a manual Rebuild on the group in question.
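An added triage helper (example code, not part of Active Roles or this article) that scans exported event records for the Dynamic Group error IDs listed above and reports which groups need a manual Rebuild; the record shape and the sample events are constructed, with the 2523 and 2524 message text modelled on the examples in this article.

```python
import re
from typing import Dict, Iterable, List, Optional

# Event IDs listed in the article; any of them means the group needs a manual Rebuild.
DYNAMIC_GROUP_ERROR_IDS = {
    2520: "Failed to remove object",
    2521: "Failed to add object",
    2522: "Failed to update nested group",
    2523: "Failed to update membership list of Dynamic Group",
    2524: "Failed to lookup object when updating membership list",
    2525: "Failed to remove useless rule",
    2526: "Failed to resolve condition",
    2527: "Failed to load Dynamic Group from domain",
}

# Two message shapes from the article: a "Dynamic Group: <dn>" line (2524), or the
# group quoted as the object being changed (2523).
_GROUP_LINE = re.compile(r"^Dynamic Group:\s*(?P<dn>CN=.+)$", re.MULTILINE)
_OBJECT_QUOTED = re.compile(r"object '(?P<dn>[^']+)'")

def group_from_message(message: str) -> Optional[str]:
    m = _GROUP_LINE.search(message) or _OBJECT_QUOTED.search(message)
    return m.group("dn").strip() if m else None

def groups_needing_rebuild(events: Iterable[Dict]) -> Dict[str, List[int]]:
    """Map each affected Dynamic Group DN to the error event IDs logged for it."""
    affected: Dict[str, List[int]] = {}
    for ev in events:
        eid = ev["event_id"]
        if eid not in DYNAMIC_GROUP_ERROR_IDS:
            continue                        # unrelated event, not a Dynamic Group error
        dn = group_from_message(ev["message"]) or "<group not identified in event>"
        affected.setdefault(dn, []).append(eid)
    return affected

# Constructed sample events (DNs made up; the 2521 text with a "Dynamic Group:" line
# is an assumption, since the article only shows the full text of 2523 and 2524).
SAMPLE_EVENTS = [
    {"event_id": 2523, "message":
        "Error when updating Dynamic Group.\n"
        "Failed to update membership list of Dynamic Group.\n"
        "Details: Administration Service encountered an error when making changes to the "
        "object 'CN=Sales-DG,OU=Groups,DC=example,DC=com'. The specified account does not exist."},
    {"event_id": 2524, "message":
        "Error when updating Dynamic Group.\n"
        "Failed to lookup object when updating membership list of Dynamic Group.\n"
        "Object: CN=old user,OU=Users,DC=example,DC=com\n"
        "Dynamic Group: CN=Sales-DG,OU=Groups,DC=example,DC=com"},
    {"event_id": 2521, "message": "Failed to add object.\nDynamic Group: CN=Eng-DG,OU=Groups,DC=example,DC=com"},
    {"event_id": 1000, "message": "Service started."},
]
```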
Recommendations and considerations
Nested Dynamic Groups
Nesting should always be used cautiously in any scenario. Particularly with Dynamic Groups, do the following:
- Ensure that the service that evaluates and applies rule changes is the same for the main Dynamic Group and for every nested Dynamic Group referenced in its rules (they must all use the same service).
- Ensure that no rules are duplicated, so that the same set of objects is not matched by multiple rules or nested rules.
General Best Practices
- Avoid conflicting rules when possible (both Include and Exclude).
- A custom LDAP search cannot use wildcards for values that contain a DistinguishedName or a CanonicalName, because Microsoft's API natively restricts these. For more information, see this Microsoft resource.
- Avoid Nesting if possible.
- Monitor the Active Roles Event log for any errors noted above.
- If you do not intend to include members from multiple domains, ensure the option Enable cross-domain membership is not enabled. This setting is found on the policy Built-In Policy - Dynamic Groups, under Configuration | Policies | Administration | Builtin.
  Note: This setting can slow down Dynamic Group processing even if you only have a single Managed Domain, because it performs additional checks.
- If you have a large number of Dynamic Groups, it is advisable to spread the distribution of updates across multiple Active Roles services if possible, keeping in mind the notes above in the Nested Dynamic Groups section. Dynamic Group processing can be resource-intensive, depending on the configured rules. For a large number of Dynamic Groups, it is also suggested to set up a dedicated Active Roles job server and a specific DC to handle all the Dynamic Group processing. Enhancement ID 234907 has been created to change the current Dynamic Group functionality so that the scheduled tasks can be load-balanced across multiple Active Roles Administration Services.
- By default, only mail-enabled and non-deprovisioned users are included for Distribution Groups. For further information, refer to KB 40873.