How to manually rebuild all dynamic groups

The Knowledge Base article at https://support.oneidentity.com/active-roles/kb/239069 describes a scenario in which a dynamic group does not update automatically until a rebuild is performed. If many, or all, of your dynamic groups fall into that scenario, they are no longer very dynamic. There does not appear to be a way to trigger a rebuild directly on a group, so the script below forces one by clearing the membership of every dynamic group; the Active Roles service then repopulates each group from its membership rules.

# Builds controls to bypass Dynamic Group Policy to allow clearing of group members
$hash = @{}
$hash.add("EDS_CONTROL_FIX",4)
$hash.add("EDS_CONTROL_CHECK_POLICY_COMPLIANCE",5)
$hash.add("DGPolicyGUID","84C1A76B-2A6B-4f4b-837A-22D2CCAC777A")

# Loop through the dynamic groups and remove all their members.
# -Proxy goes through the Active Roles service (the controls mean nothing against a direct AD connection);
# -SizeLimit 0 lifts the default 1000-object cap so large groups are cleared completely;
# groups that are already empty are skipped so Remove-QADGroupMember is never handed a null -Member.
Get-QADGroup -Dynamic $true -Proxy -SizeLimit 0 | ForEach-Object {
    $members = @(Get-QADGroupMember $_ -Proxy -SizeLimit 0)
    if ($members.Count -gt 0) {
        Remove-QADGroupMember $_ -Member $members -Proxy -Control $hash
    }
}

Also note that the above can be used on a single dynamic group by modifying the Get-QADGroup cmdlet so that it returns only that group (for example by filtering on -Name while keeping -Dynamic $true, so a static group with a similar name is never touched).
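The same procedure wrapped in a reusable function, as an added example that is not code from the original post or from One Identity. It covers both the all-groups case and the single-group case above, and adds the guards a practitioner wants before running this against production: -WhatIf support, the -SizeLimit 0 override so groups larger than 1000 members are fully cleared, and batching of the removal. It assumes the Active Roles Management Shell is loaded (Import-Module ActiveRolesManagementShell, or Add-PSSnapin Quest.ActiveRoles.ADManagement on older releases) and that the caller is an Active Roles administrator; the control names and the DGPolicyGUID are copied from the original script, and the group name in the usage line is a placeholder.

```powershell
# Added example; not code from the original post or from One Identity.
# Assumptions: the Active Roles Management Shell is loaded (Import-Module
# ActiveRolesManagementShell, or Add-PSSnapin Quest.ActiveRoles.ADManagement on
# older releases) and the caller is an Active Roles administrator. The control
# names and DGPolicyGUID below are copied verbatim from the original script.

# Controls from the original script: they let the membership clear pass Dynamic
# Group policy so that Active Roles then repopulates the group from its rules.
$DynamicGroupControl = @{
    "EDS_CONTROL_FIX"                     = 4
    "EDS_CONTROL_CHECK_POLICY_COMPLIANCE" = 5
    "DGPolicyGUID"                        = "84C1A76B-2A6B-4f4b-837A-22D2CCAC777A"
}

function Invoke-DynamicGroupRebuild {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Group name(s) to rebuild; wildcards are allowed and "*" means every dynamic group.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Name,
        # Members removed per Remove-QADGroupMember call; chunking keeps each
        # request small for groups with tens of thousands of members.
        [int]$BatchSize = 1000
    )
    process {
        foreach ($n in $Name) {
            # -Dynamic $true guarantees a static group with a matching name is never
            # touched. -Proxy goes through the Active Roles service; the controls are
            # meaningless against a direct AD connection. -SizeLimit 0 lifts the
            # default 1000-object cap on the search.
            $groups = @(Get-QADGroup -Name $n -Dynamic $true -Proxy -SizeLimit 0)
            if ($groups.Count -eq 0) {
                Write-Warning "No dynamic group matches '$n'."
                continue
            }
            foreach ($g in $groups) {
                # Without -SizeLimit 0 only the first 1000 members would be returned
                # and the clear, and therefore the rebuild, would be partial.
                $members = @(Get-QADGroupMember -Identity $g -Proxy -SizeLimit 0)
                if ($members.Count -eq 0) {
                    Write-Verbose "$($g.Name) is already empty; nothing to clear."
                    continue
                }
                if (-not $PSCmdlet.ShouldProcess($g.Name, "Remove $($members.Count) members to force a rebuild")) {
                    continue
                }
                for ($i = 0; $i -lt $members.Count; $i += $BatchSize) {
                    $last = [Math]::Min($i + $BatchSize, $members.Count) - 1
                    Remove-QADGroupMember -Identity $g -Member $members[$i..$last] `
                        -Proxy -Control $DynamicGroupControl -ErrorAction Stop
                }
                Write-Verbose "$($g.Name): cleared $($members.Count) members; Active Roles will repopulate it."
            }
        }
    }
}

# Usage (the group name is a placeholder, not from the page):
# Invoke-DynamicGroupRebuild -Name "DG-Disk-Encryption-Scope" -WhatIf   # preview only
# Invoke-DynamicGroupRebuild -Name "*" -Verbose                          # every dynamic group
```

Run it with -WhatIf first so you can see exactly which groups and how many members would be cleared. Bear in mind that between the clear and the moment the Active Roles service finishes repopulating, the group is genuinely empty; if the group scopes a GPO or a security filter, schedule the rebuild for a window where that gap is acceptable and confirm the membership count afterwards with Get-QADGroupMember -SizeLimit 0.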

  • Poetry.   We've found rebuilds necessary too often for the few excessively sized groups (50K plus) used for GPO filtering of disk encryption settings.

    I assume a scheduled task could check/compare expected group membership to actual, and trigger a rebuild if necessary ... have to give that some thought.

    Thanks Nick
