Active Directory allows groups (herein called basic groups) to include members statically: you select objects and add them to groups. Active Roles provides a flexible, rules-based mechanism for populating groups. Once set up, the process automatically adds and removes members from groups.
Active Roles provides rules-based groups called dynamic groups. Membership rules determine whether an object is a member of a dynamic group. A membership rule may take the form of a search query, a static object inclusion or exclusion rule, or a group member inclusion or exclusion rule. As the environment changes, the memberships of objects in dynamic groups automatically change to adapt to the new environment.
Active Roles dynamic groups reduce the cost of maintaining lists and groups, while increasing the accuracy and reliability of this maintenance. Furthermore, they automatically keep distribution lists and security groups up to date, eliminating the need to add and remove members manually.
- Rules-based mechanism that automatically adds and removes objects from groups whenever object attributes change in Active Directory.
- Flexible membership criteria that enable both query-based and static population of groups.
When you convert a basic group to a dynamic group, the group loses all members that were added to the group when it was a basic group. This is because members of a dynamic group can be defined only by membership rules.
When you convert a dynamic group to a basic group, the group retains all the members that were included by the membership rules and loses only the membership rules.
When a member of a dynamic group, such as a user or another group, is deprovisioned, the dynamic group is automatically updated to remove that member. Hence, deprovisioning a user or group removes that user or group from all dynamic groups. This behavior is by design.
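The membership rules, the loss of static members on conversion, and the removal of deprovisioned members described above can be previewed before a basic group is converted. The following Python model is an added example, not Active Roles code or its API: the class, function and attribute names are hypothetical, the sample directory is constructed, and it assumes that exclusion rules take precedence over inclusion rules.

```python
# Added model of the behaviour described above; not Active Roles code or its API.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class MembershipRules:
    query: Optional[Callable[[dict], bool]] = None        # search-query rule
    include: set = field(default_factory=set)             # static object inclusion
    exclude: set = field(default_factory=set)             # static object exclusion
    include_members_of: set = field(default_factory=set)  # group member inclusion
    exclude_members_of: set = field(default_factory=set)  # group member exclusion

def evaluate(rules, directory, groups):
    """Return the member set the rules produce for the current directory state."""
    members = set(rules.include)
    if rules.query is not None:
        members |= {name for name, attrs in directory.items() if rules.query(attrs)}
    for group in rules.include_members_of:
        members |= groups.get(group, set())
    excluded = set(rules.exclude)
    for group in rules.exclude_members_of:
        excluded |= groups.get(group, set())
    # Deprovisioned objects drop out of every dynamic group.
    deprovisioned = {n for n, a in directory.items() if a.get("deprovisioned")}
    # Assumption: exclusion rules win over inclusion rules.
    return (members & set(directory)) - excluded - deprovisioned

def conversion_preview(static_members, rules, directory, groups):
    """Diff a basic group's members against what the proposed rules would yield."""
    after = evaluate(rules, directory, groups)
    return {"lost": sorted(static_members - after),
            "kept": sorted(static_members & after),
            "gained": sorted(after - static_members)}

# Constructed sample data: object name -> attributes, group name -> members.
DIRECTORY = {
    "alice": {"department": "Finance"},
    "bob": {"department": "Finance", "deprovisioned": True},
    "carol": {"department": "IT"},
    "dave": {"department": "Finance"},
    "erin": {"department": "HR"},
}
GROUPS = {"Contractors": {"dave"}, "Auditors": {"erin"}}
STATIC = {"alice", "bob", "carol"}   # members of the basic group today
RULES = MembershipRules(query=lambda a: a.get("department") == "Finance",
                        include_members_of={"Auditors"},
                        exclude_members_of={"Contractors"})

if __name__ == "__main__":
    print(conversion_preview(STATIC, RULES, DIRECTORY, GROUPS))
```

Any name under `lost` that should keep access needs its own rule, such as a static inclusion, before the conversion; `gained` lists objects that receive the group's access only because of the rules.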