Site permissions in Active Directory (Automation)
Many companies want to distribute permissions by site, subsidiary or branch office. But if sites and the like are organised in Organizational Units (OUs), setting permissions with “Users and Computers” becomes difficult: an OU is not a security principal, so Active Directory cannot grant permissions to an OU. The challenge is therefore to assign site permissions based on the OU structure.
Site permissions assigned with ADUC
Example scenario:
- An authorisation group has to be created for the site OU “DE”
- There should be authorisation groups for all sub-OUs.
- Site groups should update automatically.
To map this use case with the “Active Directory Users and Computers” console (ADUC), we have to select the desired OU in the console.
In our example, the OU “DE” has substructures. We have to check them step-by-step. Distributing authorisations directly to OUs (here: sites) is not possible with the ADUC. The only option is to select all user objects in each of the sub-OUs and execute the context menu item “Add to a group …”.
The following dialog appears. We have to select the (authorisation) group to which the users should be added. This brings us to OU groups.
In this way, we can add bit by bit all users to their respective site permissions.
But what if,
- such permissions change site-wide? Or
- users need to be added or removed from a site?
Here, DynamicGroup helps you to automate the changes and relieves you of a lot of maintenance work.
Site permissions with DynamicGroup
With DynamicGroup, you can easily create dynamic groups related to the OU structure. Groups update automatically, keeping any site changes up-to-date.
Advantages of DynamicGroup
- Users who are new to one or more OUs will be added to the site group
- Users who are no longer in the OU are removed from the site group
- Users who have an include exception rule keep their membership
- Users who have an exclude exception rule will never be a member, even if they are in the OU
In addition, you can easily make changes that apply to the entire dynamic group at once.
Create manual or automated groups
There are two ways to use DynamicGroup to map OU structures as groups:
- We create each dynamic group individually and set the filters. Here, subtleties for each group can be distinguished from the beginning.
- We use the “SmartCreation” Wizard. Mass creation produces similar groups along the AD tree.
Manual creation of dynamic OU groups
Here we want to create a dynamic group for all US OUs. For this, we refer to the following OU structure:
Create a new dynamic group as usual with the DynamicGroup console. Where this group is saved, or what it is named, is not relevant, but we recommend uniform naming, e.g. with a prefix or the OU path in the name.
Depending on whether you only want to include users in the dynamic group or other objects, you must make restrictions under the “Member Query” tab. In our example, we restricted the members of the dynamic group to user objects.
Under Search Root, all you have to do is select the US OU.
In this way, we created the dynamic group once, and we no longer need to make any adjustments to users to keep site permissions up-to-date. The dynamic group does it for us.
Note: The additional function “OU Filter“, not used in this example for the sake of simplicity, lets you set further filters, e.g. to bundle several specific sub-OUs in one group.
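The reconciliation that such a dynamic OU group performs (the four rules listed under Advantages, with the Search Root and the user-only Member Query just described) can be expressed in plain PowerShell. The following script is an added example, not DynamicGroup’s own code; it assumes the RSAT ActiveDirectory module, and the OU path, group name and exception lists are constructed for illustration.

```powershell
# Added example (not DynamicGroup's code): keep one site group in sync with the
# user objects under an OU, applying the four rules from the Advantages list.
# Assumes the RSAT ActiveDirectory module and rights to change group membership.
# OU path, group name and exception lists below are constructed for illustration.
Import-Module ActiveDirectory

function Sync-OUSiteGroup {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # "Search Root": the site OU
        [Parameter(Mandatory)] [string] $GroupName,    # the site group to maintain
        [string[]] $IncludeException = @(),            # SamAccountNames kept as members regardless of OU
        [string[]] $ExcludeException = @(),            # SamAccountNames that are never members
        [switch]   $WhatIf
    )

    # "Member Query" limited to user objects, whole subtree below the Search Root
    $inOU = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * |
              Select-Object -ExpandProperty SamAccountName)

    # Include exceptions are always in, exclude exceptions never.
    # Letting exclude win over include is an assumption of this example.
    $wanted = @(($inOU + $IncludeException) |
                Where-Object { $ExcludeException -notcontains $_ } |
                Sort-Object -Unique)

    # Direct user members only; nested groups in the site group are left untouched
    $current = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty SamAccountName)

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })   # new in the OU
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })   # moved out of the OU

    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    [pscustomobject]@{ Group = $GroupName; Wanted = $wanted.Count; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Preview first; drop -WhatIf to apply. Run it on a schedule to keep the group current.
Sync-OUSiteGroup -SearchBase 'OU=US,DC=corp,DC=example' -GroupName 'DG-OU-US' `
                 -ExcludeException 'svc.backup' -WhatIf
```

Review the Added/Removed counts from a -WhatIf run before scheduling the script, since a mistyped Search Root would empty the group on the first real run.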
Not fast enough? Use the Smart Creation Wizard from DynamicGroup.
Automatic mass creation with the Smart Creation Wizard
The Smart Creation Wizard can be used to automatically create dynamic groups for OUs.
A separate group is created for each OU. The wizard therefore works differently from the previous example: it does not use the “OU filter”, but only the respective OU as the “Search Root” stored in the “MemberQuery“.
To use the “Smart Creation”, select the corresponding sub-item in the menu item “DynamicGroup Wizards”. The following dialog will appear:
In the first part of the wizard, you specify the parent OU as the “Start OU for Wizard”, which contains all the site OUs for which a dynamic group has to be created (red marker). In our example, this corresponds to the parent OU from the previous section.
The Wizard Scope is not the same as the Scope setting from the previous section. Here you specify whether separate dynamic groups should be created for sub-OUs as well, or only for first-level OUs.
Back to our example: select “Subtree”. This creates a dynamic group not only for the “DE” and “US” OUs but also for all subordinate OUs such as Accounting, IT, Users, …
Query Mode determines whether the dynamic groups are created from the OU structure or from another filter. Set it to “Organisational Unit”.
In the second part of the wizard you define general settings for the groups. Here you determine where the created groups are stored and which prefix the group names should receive.
Then, define the AD-specific settings “Group Scope” and “Group Type” as well as whether the dynamic groups should be active or inactive.
In the third and final part of the wizard, you can make simple restrictions on the “Member Query”. In our example, we limited the members to user objects.
You can also use the “flat group” setting to decide whether users who are members of groups within the found OU should also be included in the dynamic group.
Finally, click “Start”. From now on, dynamic groups for your sites are created automatically.
If you want to use additional filters or the Include/Exclude lists, you can now configure this individually for each dynamic group.
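For comparison, the mass creation step above amounts to one group per OU below a start OU, named with a common prefix and stored in a target OU. The following is an added example in plain PowerShell, not the wizard’s own code; it assumes the RSAT ActiveDirectory module, and all distinguished names and the prefix are constructed.

```powershell
# Added example (not the Smart Creation Wizard's code): create one security group
# per OU below a start OU, with a common prefix, stored in a target OU.
# Assumes the RSAT ActiveDirectory module and that OU names contain no escaped commas.
Import-Module ActiveDirectory

function New-OUSiteGroups {
    param(
        [Parameter(Mandatory)] [string] $StartOU,     # "Start OU for Wizard"
        [Parameter(Mandatory)] [string] $TargetOU,    # where the created groups are stored
        [string] $Prefix = 'DG-OU-',
        [ValidateSet('OneLevel', 'Subtree')] [string] $WizardScope = 'Subtree',
        [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $GroupScope = 'Global',
        [switch] $WhatIf
    )

    # OneLevel = first-level site OUs only; Subtree = every nested OU as well.
    # The start OU itself gets no group (a Subtree search includes the base object).
    $ous = Get-ADOrganizationalUnit -SearchBase $StartOU -SearchScope $WizardScope -Filter * |
           Where-Object { $_.DistinguishedName -ne $StartOU }

    $trim = ',' + [regex]::Escape($StartOU) + '$'
    foreach ($ou in $ous) {
        # Name from the path relative to the start OU, outermost first:
        # "OU=IT,OU=US,<StartOU>" -> DG-OU-US-IT (so DE\IT and US\IT do not clash)
        $rel   = $ou.DistinguishedName -replace $trim, ''
        $parts = @(($rel -split ',') | ForEach-Object { $_ -replace '^OU=', '' })
        [array]::Reverse($parts)
        $name  = $Prefix + ($parts -join '-')

        # Idempotent: skip groups that already exist in the target OU
        if (Get-ADGroup -Filter "SamAccountName -eq '$name'" -SearchBase $TargetOU) { continue }

        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security -GroupScope $GroupScope `
                    -Path $TargetOU -Description "Search Root: $($ou.DistinguishedName)" -WhatIf:$WhatIf

        # Each returned pair is what the group's member query needs as its Search Root
        [pscustomobject]@{ Group = $name; SearchRoot = $ou.DistinguishedName }
    }
}

New-OUSiteGroups -StartOU 'OU=Sites,DC=corp,DC=example' `
                 -TargetOU 'OU=SiteGroups,DC=corp,DC=example' -WhatIf
```

Creating the groups is the easy half; the Group/SearchRoot pairs it returns are the input for whatever keeps each group’s membership current afterwards.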
Conclusion
In practice, sites are often mapped to OU structures in Active Directory. You can use this with DynamicGroup to your advantage. Just use the Smart Creation Wizard to easily create dynamic groups per site, or do the creation yourself to do extensive OU filtering. In this way, you will save a lot of maintenance work and make your permissions management easier and safer.
Download a 30-day trial version and further information