You can perform the following dynamic group tasks with DRA:
Create a dynamic group
Modify a dynamic group
Clone a dynamic group
Delete a dynamic group
8.1.1 Creating a Dynamic Group
You can create a dynamic group in the managed domain or managed subtree. You can also modify properties, such as group members, for the new dynamic group.
NOTE:
Your company may have a naming convention enforced through policy that determines the name you can assign to the new dynamic group.
By default, DRA places the new dynamic group in the Users OU of the managed domain.
To create a dynamic group:
In the left pane, expand All My Managed Objects.
Select the location where you want to create this dynamic group.
For example, if you want to create this group in a specific OU of the managed domain, expand the domain and then select the appropriate OU.
On the Tasks menu, click New > Dynamic Group.
On each tab, specify the appropriate settings and properties for the new group, and then click Next.
If you want to create a filter, see Section 8.1.2, Creating a Filter.
If you want to add members to the group’s static member list, see Section 8.1.3, Managing the Static Member List.
If you want to add members to the group’s excluded member list, see Section 8.1.4, Managing the Excluded Member List.
Review the summary, and then click Finish.
8.1.2 Creating a Filter
The dynamic group uses the filter to add or remove users from its membership list each time the group is refreshed.
To create a filter:
From the dynamic group’s Properties page, click Dynamic member filter.
Click Add filter and use the Query Builder to configure the filter.
Click Finish.
8.1.3 Managing the Static Member List
Users placed on a dynamic group’s static member list become permanent members of the group until you manually remove them.
When you remove members from a dynamic group, DRA does not delete the objects. When you add members to a dynamic group, you must have the power to modify the objects you want to add.
To add a user:
From the dynamic group’s Properties page, click Dynamic member filter.
On the Static Member List section, click Add member and use the Object Selector to locate the member you want to add.
Click Finish.
To remove a user:
From the dynamic group’s Properties page, click Dynamic member filter.
Select the member from the Static Member List section and click Remove.
Click Finish.
8.1.4 Managing the Excluded Member List
Users placed on a dynamic group’s excluded member list will not be allowed to join the group until you manually remove them from this list.
To add a user:
From the dynamic group’s Properties page, click Dynamic member filter.
On the Excluded Member List section, click Add member and use the Object Selector to locate the member you want to add.
Click Finish.
To remove a user:
From the dynamic group’s Properties page, click Dynamic member filter.
Select the member from the Excluded Member List section and click Remove.
Click Finish.
8.1.5 Refreshing the Member List
To update the dynamic group’s member list:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to refresh, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate dynamic group and select Update Members.
NOTE: Dynamic group icons have two facing arrows at the bottom.
8.1.6 Cloning a Dynamic Group
You can clone both local and global dynamic groups in managed domains. Cloning dynamic groups creates new dynamic groups of the same type and attributes as the original dynamic group.
By cloning a dynamic group, you can quickly create dynamic groups based on other dynamic groups with similar properties. When you clone a dynamic group, DRA populates the Clone Dynamic Group Wizard with values from the selected dynamic group. You can also modify properties for the new dynamic group.
NOTE:
Your company may have a naming convention enforced through policy that determines the name you can assign to the new dynamic group.
By default, DRA places the new dynamic group in the Users OU of the managed domain.
To clone a dynamic group:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to clone, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate dynamic group and select Clone.
NOTE: Dynamic group icons have two facing arrows at the bottom.
On each tab, specify the appropriate settings and properties for the new group, and then click Next.
If you want to create a filter, see Section 8.1.2, Creating a Filter.
If you want to change the group’s static member list, see Section 8.1.3, Managing the Static Member List.
If you want to change the group’s excluded member list, see Section 8.1.4, Managing the Excluded Member List.
Review the summary, and then click Finish.
8.1.7 Moving a Dynamic Group to Another Container
You can move a dynamic group to another container, such as an OU, in the managed domain or managed subtree.
To move a dynamic group to another container:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to move to another container, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate group and select Move.
NOTE:
Dynamic group icons have two facing arrows at the bottom.
You can select and delete more than one dynamic group.
Select the appropriate container.
Click OK.
8.1.8 Deleting a Dynamic Group
You can delete local and global dynamic groups in the managed domain or managed subtree. If the Recycle Bin is disabled for that domain, deleting a dynamic group permanently removes it from Active Directory. If the Recycle Bin is enabled for that domain, deleting a dynamic group moves it to the Recycle Bin and disables the dynamic group’s properties.
For more information on the Recycle Bin, see Section 21.0, Managing the Recycle Bin.
WARNING: When you create a dynamic group, Microsoft Windows assigns a Security Identifier (SID) to that dynamic group. The SID is not generated from the dynamic group name. Microsoft Windows uses SIDs to record privileges in access control lists (ACLs) for each resource. If you delete a dynamic group, you cannot return access capabilities for that dynamic group by creating a new dynamic group with the same name.
To delete a dynamic group:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to delete, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate dynamic group and select Delete.
NOTE:
Dynamic group icons have two facing arrows at the bottom.
You can select and delete more than one dynamic group.
Click Yes.
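A pre-deletion check for the warning above, as an added PowerShell example that is not part of the DRA documentation: it lists the file system ACL entries that reference a group's SID, which a re-created group of the same name would no longer match. Find-SidReference, the group name, and the share path are hypothetical; the commented lines assume the ActiveDirectory module is installed.

```powershell
# Added example, not DRA code. Find-SidReference is a hypothetical helper name.
function Find-SidReference {
    param(
        [Parameter(Mandatory)] [string]   $Sid,    # SID string of the group
        [Parameter(Mandatory)] [string[]] $Path    # files or folders whose ACLs to inspect
    )
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Request trustees as SIDs: the ACL stores SIDs, names are only resolved for display
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $Sid) {
                [pscustomobject]@{
                    Path      = $p
                    Rights    = $rule.FileSystemRights
                    Type      = $rule.AccessControlType   # Allow or Deny
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Offline demonstration using the well-known SID of BUILTIN\Administrators
Find-SidReference -Sid 'S-1-5-32-544' -Path $env:SystemRoot

# Before deleting a group (group name and share path are placeholders):
# Import-Module ActiveDirectory
# $group = Get-ADGroup -Identity 'EXAMPLE-DynamicGroup'
# $group | Select-Object Name, SID, DistinguishedName |
#     Export-Csv .\group-before-delete.csv -NoTypeInformation
# Find-SidReference -Sid $group.SID.Value -Path '\\fileserver\share\projects'
```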
8.1.9 Renaming a Dynamic Group
You can rename dynamic groups in the managed domain or managed subtree.
To rename a dynamic group:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to rename, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate dynamic group and select Properties.
NOTE: Dynamic group icons have two facing arrows at the bottom.
Change the appropriate naming properties.
Click OK.
8.1.10 Managing Dynamic Group Properties
You can manage properties for local and global dynamic groups. The powers you have determine which properties you can modify for a group in the managed domain or managed subtree.
To manage dynamic group properties:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to manage, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate group and select Properties.
NOTE: Dynamic group icons have two facing arrows at the bottom.
On the appropriate tab, change the properties and settings you want to modify.
To save your changes before you modify other properties, click Apply.
Click OK.
8.1.11 Adding Dynamic Groups to Other Dynamic Groups
You can nest dynamic groups by adding a dynamic group to another managed dynamic group. When a dynamic group is nested in another dynamic group, the child dynamic group can inherit permissions from the parent dynamic group.
NOTE: If adding a dynamic group to another dynamic group increases your powers for the source dynamic group, DRA will not permit you to add the dynamic group.
To add a dynamic group to another dynamic group:
In the left pane, expand All My Managed Objects.
To specify the dynamic group you want to add within another dynamic group, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this dynamic group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, right-click the appropriate group and click Add to Groups.
NOTE: Dynamic group icons have two facing arrows at the bottom.
Find and select the appropriate group. You can select more than one group from different OUs or managed domains.
Click OK.
8.1.12 Setting Group Membership Security Permissions
You can set Active Directory security permissions for dynamic group memberships. These permissions specify who can view (read) and modify (write) dynamic group memberships using Microsoft Outlook. These settings let you more effectively secure distribution lists and security dynamic groups in your environment. You cannot modify inherited security permissions.
NOTE: When you manage dynamic group membership security, disabled permissions may indicate inherited permissions.
To set dynamic group membership security permissions:
In the left pane, expand All My Managed Objects.
To specify the dynamic group whose membership you want to secure, complete the following steps:
If you know the dynamic group location, select the domain and OU that contains this group.
In the search pane, specify the dynamic group attributes, and then click Find Now.
In the list pane, select the appropriate dynamic group.
NOTE: Dynamic group icons have two facing arrows at the bottom.
On the Tasks menu, click Properties.
Click Membership security.
Select the user account or group you want to grant or deny security permissions. To specify a different user account or group, click Add.
Under Permissions, select the appropriate security settings:
To allow the selected user account or group the ability to view this dynamic group membership, click Allow under Read members.
To deny the selected user account or group the ability to view this dynamic group membership, click Deny under Read members.
To allow the selected user account or group the ability to modify this group membership, click Allow under Write members.
To deny the selected user account or group the ability to modify this dynamic group membership, click Deny under Write members.
To remove all security permissions from a user or group, select the appropriate user or group, and then click Remove.
To check if a user or group has security permissions, select the appropriate user or group, and then click Properties.
Click OK.
8.1.13 Setting Dynamic Group Ownership
You can grant the dynamic group ownership permission to a user account, group, or contact. Granting dynamic group ownership allows the specified user account, group, or contact to modify the membership of this dynamic group.
To set group ownership:
In the left pane, expand All My Managed Objects.
To specify the group whose ownership you want to set, complete the following steps:
If you know the group location, select the domain and OU that contains this group.
In the search pane, specify the group attributes, and then click Find Now.
In the list pane, select the appropriate dynamic group.
NOTE: Dynamic group icons have two facing arrows at the bottom.
On the Tasks menu, click Properties.
Click Managed by.
To add a manager, click Add.
Select the Manager can update membership list check box, and then click OK.
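To review the outcome of Sections 8.1.12 and 8.1.13, this added PowerShell example (not part of the DRA documentation) reports which trustees can read or write a group's membership. It assumes those settings appear as access control entries on the group's Active Directory `member` attribute; Select-MembershipAce, the sample SIDs, and the group name are hypothetical.

```powershell
# Added example, not DRA code. Select-MembershipAce is a hypothetical helper name.
Add-Type -AssemblyName System.DirectoryServices

$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$R = [System.DirectoryServices.ActiveDirectoryRights]
$T = [System.Security.AccessControl.AccessControlType]

function Select-MembershipAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.DirectoryServices.ActiveDirectoryAccessRule] $Ace
    )
    process {
        # An ACE covers 'member' if it names that attribute or no attribute (all properties)
        if ($Ace.ObjectType -ne $MemberGuid -and $Ace.ObjectType -ne [guid]::Empty) { return }
        $rights = [int]$Ace.ActiveDirectoryRights
        $read   = ($rights -band [int]$R::ReadProperty)  -ne 0
        $write  = ($rights -band [int]$R::WriteProperty) -ne 0   # also set by GenericAll
        if (-not ($read -or $write)) { return }
        [pscustomobject]@{
            Trustee      = $Ace.IdentityReference.Value
            Type         = $Ace.AccessControlType   # Allow or Deny
            ReadMembers  = $read
            WriteMembers = $write
            Inherited    = $Ace.IsInherited         # inherited entries cannot be modified on the group
        }
    }
}

# Constructed sample ACEs (the SIDs are made-up values for illustration)
$helpdesk = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
$manager  = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1106'
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($helpdesk, $R::ReadProperty,  $T::Allow, $MemberGuid)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($manager,  $R::WriteProperty, $T::Allow, $MemberGuid)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($helpdesk, $R::WriteProperty, $T::Deny,  $MemberGuid)
)
$sample | Select-MembershipAce | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; group name is a placeholder):
# Import-Module ActiveDirectory
# $dn = (Get-ADGroup -Identity 'EXAMPLE-DynamicGroup').DistinguishedName
# (Get-Acl -Path "AD:\$dn").Access | Select-MembershipAce
```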
8.1.14 Exposing Dynamic Group Memberships in Distribution Lists
You can expose dynamic group memberships in distribution lists for groups in the managed domain or managed subtree.
To expose dynamic group memberships in distribution lists:
In the left pane, expand All My Managed Objects.
To specify the group you want to modify, complete the following steps:
If you know the group location, select the domain and OU that contains this group.
In the search pane, specify the group attributes, and then click Find Now.
In the list pane, right-click the appropriate dynamic group and select Exchange Tasks.
NOTE: Dynamic group icons have two facing arrows at the bottom.
Click Expose Group Membership.
Click Finish, and then click Done.
8.1.15 Hiding Dynamic Group Memberships from Distribution Lists
You can hide dynamic group memberships in distribution lists for groups in the managed domain or managed subtree.
NOTE: The Hide Group Membership option is disabled for Microsoft Exchange 2007 distribution lists.
To hide dynamic group memberships in distribution lists:
In the left pane, expand All My Managed Objects.
To specify the group you want to modify, complete the following steps:
If you know the group location, select the domain and OU that contains this group.
In the search pane, specify the group attributes, and then click Find Now.
In the list pane, right-click the appropriate dynamic group and select Exchange Tasks.
NOTE: Dynamic group icons have two facing arrows at the bottom.
Click Hide Group Membership.
Click Finish, and then click Done.