Groups collect user accounts, computer accounts, and other groups to simplify network administration. Working with groups makes maintenance easier and less complex than working with individual users.
In Active Directory, you can create both security groups and distribution lists as static groups. Static groups are best suited when group memberships change only occasionally. Creating static groups with a large number of user accounts is less effective, however, since frequent membership changes are difficult to maintain manually.
Active Directory Query-Based Groups
Active Directory query-based groups address such use cases. These groups are dynamic in nature, which means that group memberships change automatically based on user-defined queries. You can create both security groups and distribution lists as dynamic groups.
Significance of Active Directory Query-Based Groups
To understand the significance of AD query-based groups, let’s first analyze the significance of Active Directory groups in general.
- In any organization, distribution groups account for 10 – 20% of the work.
- The remaining 80 to 90% of the work involves security groups, which manage permissions and user rights.
Hence, AD groups tend to play a huge role in streamlining any organization’s operations. Organizations deal with employees continuously joining, leaving, and changing roles within the environment. When a user’s role changes, their assigned permissions need to be updated as well.
Importance of Query-Based Security Groups
To be specific, security groups are assigned permissions, and users added to a group as members inherit those permissions. For example, you can create a security group called “Managers” with all the managers in the company as members. Members of this group can submit their monthly data or the performance data of their team members. Other team members cannot view or modify the data, because they are not part of the group and therefore do not receive its access rights.
Since security groups in Active Directory are static, their memberships must be maintained manually. Managing memberships based on attributes such as the following is error-prone:
- Department
- Role
- Location
For example, you create a group, “Managers”, to assign permissions on certain confidential resources to the managers in the company. Errors that could occur while maintaining that group include the following:
- While adding and removing members, you might accidentally add a junior associate to the group. Such errors can be costly for the organization.
- Similarly, if ex-employees are not removed from group memberships, they continue to have access to the company’s resources, which is a security breach in itself.
So, managing a large number of static security groups is unproductive and costly for organizations.
Importance of Query-Based Distribution Groups
Microsoft introduced query-based distribution groups in Exchange Server 2003. They provide the same functionality as standard distribution groups. However, instead of members being added to the group manually, query-based distribution groups let you define membership with a query. You set filters and conditions during group creation to drive its membership.
The query for a distribution group is stored in the msExchDynamicDLFilter and msExchQueryFilter attributes in Active Directory. With an accurate membership query stored, you can easily create query-based distribution groups, for example, for all users in a particular department or all Exchange users in a particular location. Query-based distribution groups can relieve IT teams from manually managing memberships for static groups in Active Directory.
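Because the LDAP form of the query is stored on the group object itself, a defender can check what a dynamic distribution group actually resolves to without waiting for mail to be sent to it. The following PowerShell is an added example, not code from the article or from Exchange: it reads msExchDynamicDLFilter and the search root Exchange stores alongside it (msExchDynamicDLBaseDN), evaluates the filter with the ActiveDirectory module, and flags disabled accounts that still match. The group name is a constructed placeholder.

```powershell
# Added example: preview the resolved membership of an Exchange dynamic distribution
# group from the query attributes stored in Active Directory. Uses only the
# ActiveDirectory module; no Exchange cmdlets are required.
Import-Module ActiveDirectory

function Get-DynamicDLPreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName   # common name (cn) of the dynamic DL
    )

    # Locate the dynamic distribution group object and read its stored query attributes.
    $dl = Get-ADObject -LDAPFilter "(&(objectClass=msExchDynamicDistributionList)(cn=$GroupName))" `
                       -Properties msExchDynamicDLFilter, msExchDynamicDLBaseDN, msExchQueryFilter
    if (-not $dl) { throw "Dynamic distribution group '$GroupName' was not found." }

    Write-Verbose "OPATH filter (msExchQueryFilter):     $($dl.msExchQueryFilter)"
    Write-Verbose "LDAP filter  (msExchDynamicDLFilter): $($dl.msExchDynamicDLFilter)"

    # Evaluate the LDAP form of the query from the stored search root. This is the filter
    # Exchange applies when the group is expanded at send time.
    Get-ADObject -LDAPFilter $dl.msExchDynamicDLFilter `
                 -SearchBase $dl.msExchDynamicDLBaseDN `
                 -Properties mail, userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                Mail     = $_.mail
                # Bit 0x2 of userAccountControl marks a disabled account. A leaver whose
                # object still matches the query would still be addressed by the group.
                Disabled = [bool]($_.userAccountControl -band 0x2)
                DN       = $_.DistinguishedName
            }
        }
}

# Usage (group name is a constructed placeholder): list resolved recipients, disabled ones first.
Get-DynamicDLPreview -GroupName 'TechComm-Nevada' -Verbose |
    Sort-Object Disabled -Descending |
    Format-Table Name, Mail, Disabled -AutoSize
```

Run it from an account with read access to the Exchange recipient containers; nothing is modified. Comparing the output against what the owners expect is a quick way to catch a query that has drifted from its intent.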
How to Create Query-Based Groups
Query-based groups can prove instrumental in overcoming the limitations of static groups in Active Directory, as they ensure automated updates to group memberships based on user-defined queries.
So, the next question is how query-based groups can be created in Active Directory.
- Query-based distribution groups cannot be created using ADUC, but they can be created via Exchange.
- Query-based security groups cannot be created using ADUC or via Exchange. However, they can be created using PowerShell.
Following are the ways to create Active Directory query-based distribution groups and security groups respectively.
Create a Query-Based Distribution Group via Exchange
Query-based distribution groups are easy to create.
- Launch Exchange Admin Center and select Recipients in the left pane.
- Navigate to Groups > New > Dynamic distribution group.
- On the New Dynamic Distribution Group wizard, enter a name, alias and description for the group.
- In Organizational Unit, browse and select the OU you want to create the group in.
- Browse and set an owner for the group. This setting is optional.
- In the Members section, specify the type of recipients from the list below. This will define the rules for group membership.
- In Add a Rule, set a criterion for the members. For example, to make a group of users whose department is Technical Communication and state is Nevada, set the Department and State attributes to Technical Communication and Nevada, US respectively.
- Click Save to create the group.
Create a Query-Based Security Group via PowerShell
Active Directory query-based security groups can be created via a PowerShell script. The following sample script collects the users that match a specified criterion (here, membership of an OU) and updates the security group’s membership accordingly.
    # Load the Active Directory cmdlets
    Import-Module ActiveDirectory

    # Static security group that will be kept in sync with the query
    $groupname = "PseudoDynamicGroup"

    # The "query": every user in the desired OU
    $users = Get-ADUser -Filter * -SearchBase "ou=desiredUsers,dc=domain,dc=tld"

    # Add every matching user; ignore the error raised for users who are already members
    foreach ($user in $users) {
        Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
    }

    # Remove members who no longer match the query (i.e. are outside the desired OU)
    $members = Get-ADGroupMember -Identity $groupname
    foreach ($member in $members) {
        if ($member.distinguishedname -notlike "*ou=desiredUsers,dc=domain,dc=tld*") {
            Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname
        }
    }
This script collects the users in the specified OU, then adds and removes members of the static group so that it behaves like a query-based group.
However, this process is tedious and error-prone. Whenever the criteria change, the script and the groups must be updated manually, which brings us back to square one.
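The sample above keys membership on an OU and round-trips every user on every run. The following PowerShell is an added example, not the article’s script and not GroupID code: it treats the criterion as an attribute query (department, state, title), computes the add and remove sets in one pass so repeated scheduled runs are idempotent, honours -WhatIf for a dry run, and warns about the risk raised earlier in this article, disabled (ex-employee) accounts that are still members of a security group. The group name, filter and OU are constructed placeholders.

```powershell
# Added example: keep a static security group in sync with an attribute query, with a
# dry-run mode and an audit of disabled accounts that are still members.
Import-Module ActiveDirectory

function Sync-QueryBasedGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # existing static security group
        [Parameter(Mandatory)] [string] $LdapFilter,  # the query that defines membership
        [string] $SearchBase                           # optional OU to scope the query
    )

    # Desired members: enabled users matching the query. Disabled accounts never qualify,
    # so a leaver is removed on the next run instead of lingering in the group.
    $query = @{ LDAPFilter = $LdapFilter; Properties = 'Enabled' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $desired = @(Get-ADUser @query | Where-Object { $_.Enabled })

    # Current user members. Nested groups and computer objects are deliberately left alone.
    $current = @(Get-ADGroupMember -Identity $GroupName | Where-Object { $_.objectClass -eq 'user' })

    # Audit before changing anything: disabled accounts that are still members.
    $stale = @($current | Get-ADUser -Properties Enabled | Where-Object { -not $_.Enabled })
    foreach ($s in $stale) {
        Write-Warning "Disabled account still a member of ${GroupName}: $($s.SamAccountName)"
    }

    # Set difference on distinguishedName: '<=' is only in desired, '=>' is only in current.
    $diff = Compare-Object -ReferenceObject $desired -DifferenceObject $current `
                           -Property distinguishedName -PassThru
    $toAdd    = @($diff | Where-Object { $_.SideIndicator -eq '<=' })
    $toRemove = @($diff | Where-Object { $_.SideIndicator -eq '=>' })

    foreach ($u in $toAdd) {
        if ($PSCmdlet.ShouldProcess($u.distinguishedName, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $u
        }
    }
    foreach ($u in $toRemove) {
        if ($PSCmdlet.ShouldProcess($u.distinguishedName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $u -Confirm:$false
        }
    }

    # Summary object, so a scheduled run can be logged or alerted on.
    [pscustomobject]@{
        Group         = $GroupName
        Desired       = $desired.Count
        Added         = $toAdd.Count
        Removed       = $toRemove.Count
        StaleDisabled = $stale.Count
    }
}

# Usage (constructed values): rehearse with -WhatIf, then drop it for the scheduled run.
Sync-QueryBasedGroup -GroupName 'TechComm-Nevada-Managers' `
    -LdapFilter '(&(department=Technical Communication)(st=NV)(title=*Manager*))' `
    -SearchBase 'ou=desiredUsers,dc=domain,dc=tld' -WhatIf
```

Scheduling this as a task turns a static security group into a query-driven one, but the query still lives in a script rather than on the group object, which is the maintenance gap the rest of the article is about. The StaleDisabled count is worth alerting on: it is non-zero only when a disabled account still holds the group’s permissions.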
Create Query-Based Security Groups via GroupID
GroupID Automate and Self-Service allow organizations to build distribution list and security group memberships based on rules that you specify in the Query Designer. Such query-based groups are termed Smart Groups in GroupID.
To create a query-based security group using GroupID, you need to:
- Define a query for the group in the Query Designer
- Set a schedule to run the query
Each time the query runs, it fetches objects from the directory to update group membership. Managing memberships with queries significantly reduces administrative costs.
The difference between a Microsoft Exchange query-based group and a GroupID Smart Group is that Smart Group memberships can be updated on a schedule or manually, whereas an Exchange query-based group’s membership is resolved only when someone sends an email to that group.
Create Membership Update Queries using the Query Designer
The Query Designer in Automate provides a visual interface to design queries as an alternative to writing commands. It has the following tabs:
- General
- Storage
- Identity Store
- Advanced
- Include/Exclude
- Smart Script
General Tab
The General tab allows you to select the type of objects that can be included in the group’s membership.
Storage Tab
This tab lets you filter the mailboxes on any Exchange server or mailbox database.
Identity Store Tab
This is the main tab in the Query Designer. It allows you to set criteria using the Active Directory schema. For example, you can use the location, company, department, or employee ID attribute to fetch objects to include in the group’s membership. You can also apply logical operators such as AND and OR to further filter the results.
Advanced Tab
This tab lets you add external data sources like Oracle, ODBC, Microsoft SQL Server, or text files to work with Active Directory in order to determine the group’s membership.
Include/Exclude Tab
This tab enables you to add or remove objects from the group’s membership regardless of the query.
Smart Script Tab
You can write a script based on your own custom logic using the VBScript support.
Limitations of Query-Based Distribution Groups Created via Exchange
Query-based distribution groups created via Exchange do offer a few advantages, but they come with their own set of limitations as well.
- Only a few common attributes (e.g., recipient container, state or province, company, and department) along with a couple of custom attributes can be used to create a query.
- End users who are part of a query-based distribution group cannot view its members when they expand it in Outlook.
- Exchange expands a query-based distribution list only when an email is sent to it: the server evaluates the query, resolves the membership, and then delivers the email. This puts a burden on the Exchange server and the global catalog, because hundreds of emails can be sent to query-based groups in an organization every day.
- Exchange 2007 allows you to mail-enable universal groups only. Hence, a global or domain local distribution group is not available when you try to mail-enable it in the EMC. This means almost 60-70% of the scope is eliminated when you are mail-enabling a distribution group.
- In multi domain environments, query-based distribution groups can only have universal groups as members. This is because only universal group membership can be replicated to global catalog servers.
- Most importantly, distribution groups do not manage access like security groups do, and organizations need more security groups to manage the security of their network resources.
Summing Up
Given the limitations of query-based groups in Exchange, organizations have little choice but to rely on third-party applications for group management. GroupID offers an efficient solution in the form of Smart Groups, which let you define membership-update queries for both security groups and distribution lists.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.