Test the dynamic group
Use the following tests to examine the behavior of the dynamic group you have configured. In the Active Roles console, right-click your dynamic group and click Properties. Examine the Properties dialog box:
- On the General tab, the Notes box contains text indicating that this group is a dynamic group.
- On the Members tab, you cannot modify the membership list.
- The Membership Rules tab displays a list of membership rules. You can add, modify, and remove rules.
Explicit inclusion
To examine the behavior of membership rules based on explicit inclusion, perform the following steps with the Active Roles console.
To examine explicit inclusion
1. Open the Properties dialog box for your dynamic group, and go to the Members tab: the objects you explicitly included in the group are in the membership list.
2. Close the Properties dialog box.
3. Rename, modify, or move objects you selected for the explicit inclusion.
4. Open the Properties dialog box for your dynamic group, and go to the Members tab: the objects remain in the group membership list; for the objects you renamed, the list displays new names.
Explicit inclusion adds objects by object ID, which remains unchanged during the entire object lifecycle. Once added through explicit inclusion, an object can only be removed from a dynamic group in one of these ways:
- Delete the membership rule for explicit inclusion of that object.
- Add the membership rule for explicit exclusion of that object.
To add or remove membership rules, you can use the Membership Rules tab in the Properties dialog box for the dynamic group.
Explicit exclusion
To examine the behavior of membership rules based on explicit exclusion, perform the following steps using the Active Roles console. These instructions assume that you have chosen the Administrator account for explicit exclusion from your dynamic group.
To examine explicit exclusion
1. Open the Properties dialog box for the Domain Admins group and go to the Members tab to check that Administrator is a member of the Domain Admins group. Close the Properties dialog box.
2. Open the Properties dialog box for your dynamic group, go to the Membership Rules tab, and add the explicit inclusion rule that makes Administrator a member of your dynamic group.
3. Apply your changes by clicking Apply in the Properties dialog box for your dynamic group.
4. Go to the Members tab, click the Rebuild button, and note that Administrator is not a member of your dynamic group even though each of the following rules adds Administrator to the group:
   - Explicit inclusion rule (you configured it in Step 2).
   - Query-based inclusion rule (Administrator’s name begins with the letter a).
   - Group membership inclusion rule (Administrator is a member of the group Domain Admins).
Explicit exclusion removes objects by object ID, which remains unchanged during the entire object lifecycle. Once removed through explicit exclusion, an object can only be added to the dynamic group after deleting the Exclude Explicitly membership rule for that object.
Inclusion by query
To examine the behavior of query-based inclusion rules, perform the following steps using the Active Roles console. These instructions assume that your query-based rule is configured so that the group includes all users whose names begin with the letter a.
To examine inclusion by query
1. In any OU in your test domain, create a new user account with a full name that begins with the letter a.
2. Open the Properties dialog box for your dynamic group, and go to the Members tab: the new user account is in the membership list (unless it is removed from the dynamic group by exclusion rules).
3. Rename an existing user account so that its new full name begins with the letter a.
4. Go to the Members tab in the Properties dialog box for your dynamic group, and click the Rebuild button: the user account is added to the membership list (unless it is removed from the dynamic group by exclusion rules).
5. Rename the user account you managed in Step 4 so that its new full name begins with the letter b.
6. Go to the Members tab in the Properties dialog box for your dynamic group, and click the Rebuild button: the user account is removed from the membership list (unless it is added to the dynamic group by explicit inclusion rules).
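The three tests above (explicit inclusion, explicit exclusion, inclusion by query) can be summarized as a small model of how a rebuild resolves the rules. This is an added example, not Active Roles code: the class and field names, the object IDs, the user names, and the case-insensitive prefix match are assumptions made for illustration.

```python
# Simplified model of the rule behaviour described on this page.
# All class, function and field names are hypothetical; not Active Roles code.
from dataclasses import dataclass, field

@dataclass
class DirObject:
    object_id: str            # immutable for the object's whole lifecycle
    name: str                 # may change on rename
    member_of: set = field(default_factory=set)

@dataclass
class DynamicGroup:
    include_ids: set = field(default_factory=set)     # explicit inclusion, by object ID
    exclude_ids: set = field(default_factory=set)     # explicit exclusion, by object ID
    name_prefix: str = ""                             # query-based inclusion rule
    include_groups: set = field(default_factory=set)  # group-membership inclusion

    def matching_rules(self, obj):
        """Return the inclusion rules that select this object."""
        hits = []
        if obj.object_id in self.include_ids:
            hits.append("explicit")
        if self.name_prefix and obj.name.lower().startswith(self.name_prefix):
            hits.append("query")
        if obj.member_of & self.include_groups:
            hits.append("group")
        return hits

    def rebuild(self, directory):
        """Recompute membership: any inclusion rule adds, explicit exclusion wins."""
        return {o.object_id for o in directory
                if self.matching_rules(o) and o.object_id not in self.exclude_ids}

def demo():
    # Constructed sample directory (IDs and names are made up).
    admin = DirObject("id-001", "Administrator", {"Domain Admins"})
    alice = DirObject("id-002", "Alice Young")
    carol = DirObject("id-003", "Carol Reed")
    directory = [admin, alice, carol]
    group = DynamicGroup(include_ids={"id-001", "id-003"}, exclude_ids={"id-001"},
                         name_prefix="a", include_groups={"Domain Admins"})
    first = group.rebuild(directory)
    carol.name = "Zoe Reed"      # renamed, still explicitly included by ID
    alice.name = "Beth Young"    # no longer matches the query rule
    second = group.rebuild(directory)
    return group.matching_rules(admin), first, second

if __name__ == "__main__":
    print(demo())
```

In the model, Administrator matches all three inclusion rules yet never appears in the rebuilt membership, which is the result the explicit exclusion test expects to see on the Members tab.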