-
Title
How to: Enable Dynamic Group cross-domain membership -
Description
There is a requirement to add members from an external domain in a specific ARS Dynamic Group. -
Resolution
1.- Users that belong to domains managed by Active Roles can appear as members of a Dynamic Group:
2.- In order for an AD group to show members from external domains, the Group scope must be "Domain Local":
3.- For ARS Dynamic Groups to include members from external domains, option "Enable cross-domain membership" available in the ARS policy named “Built-in Policy - Dynamic Groups” must be enabled:
See example below:
1.- Add a query per each domain you want the specified ARS Dynamic Group to show members from.For instance, add “Custom Search – Include by Query” for members of the local “onisupport.info” domain members with “homephone=Employee” to appear listed:
Now add another “Custom Search – Include by Query” for members of the external “onisp.com” from department “BSMSSSS” to appear listed:
Two members appear listed, one from the local domain onisupport.info and another from the external domain onisp.com:
Note: the following message will pop up if a combined query is used at the Active Directory level:
