Creating a Dynamic Group in Active Directory with users from a OU

Solution 1:

There is no such thing as a Dynamic Security Group in Active Directory, only Dynamic Distribution groups.

To accomplish this, I think the most viable option would be to have a Powershell script determining who are in the given OU and updating the security group accordingly, maybe like this:

Import-Module ActiveDirectory
$groupname = PseudoDynamicGroup
$users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"
foreach($user in $users)
  Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
  if($member.distinguishedname -notlike "*ou=desiredUsers,dc=domain,dc=tld*")
    Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname

Solution 2:

I'm answering my own question. With the PowerShell ideas of Mathias I've found this on the internet:


  • Sync user or computer objects from one or more OUs to a single group.
  • Ability to filter objects included in the shadow group using the PowerShell Active Directory Filter.
  • Ability to choose shadow group type (Security/Distribution).

The author's blog contains additional information about the design and motives for the tool.

Solution 3:

This can be done with Adaxes. Technically it will dynamically update group membership once users are updated/moved. Here's an example how to automatically maintain group membership based on Department attribute, but it's very easy to modify it to do same thing based on the OU.