
How to manually rebuild all dynamic groups

In the following article (https://support.oneidentity.com/active-roles/kb/239069) you can see a scenario where your dynamic groups may not update automatically without a rebuild being performed. However, if many, or all, of your dynamic groups meet these criteria, your dynamic groups may not be so dynamic anymore. The following script can be used to rebuild all dynamic groups, as there doesn't appear to be a way to trigger the rebuild directly on a group.

# Builds controls to bypass the Dynamic Group Policy so that the group members can be cleared.
# Once a dynamic group is emptied, Active Roles repopulates it from its membership rules (the rebuild).
$hash = @{}
$hash.Add("EDS_CONTROL_FIX", 4)
$hash.Add("EDS_CONTROL_CHECK_POLICY_COMPLIANCE", 5)
$hash.Add("DGPolicyGUID", "84C1A76B-2A6B-4f4b-837A-22D2CCAC777A")

# Loop through the dynamic groups and remove all their members.
# -Proxy routes the requests through the Active Roles Administration Service so the controls are honoured;
# -SizeLimit 0 lifts the cmdlets' default result cap (1000 objects), otherwise large groups are only partly cleared.
Get-QADGroup -Dynamic $true -Proxy -SizeLimit 0 | ForEach-Object {
    $members = Get-QADGroupMember $_ -Proxy -SizeLimit 0
    if ($members) {
        Remove-QADGroupMember $_ -Member $members -Control $hash -Proxy
    }
}

Also note that the above can be used on a single dynamic group by modifying the Get-QADGroup cmdlet to only return the single group.
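As an added example (not code from the original post or from One Identity), the same idea wrapped in a function that rebuilds either a named set of dynamic groups or all of them, supports -WhatIf for a dry run, and reports whether each group was repopulated afterwards. The control names and the DGPolicyGUID are the ones from the post above; the function name, the wait time before re-checking, and the sample group name are assumptions, and it assumes the ActiveRoles Management Shell is loaded with a proxy connection already established (Connect-QADService -Proxy).

```powershell
# Added example: rebuild dynamic groups by clearing their members under the policy-bypass
# controls from the post, then verify that Active Roles has repopulated them.
# Assumes the ActiveRoles Management Shell snap-in is loaded and Connect-QADService -Proxy has been run.
function Invoke-DynamicGroupRebuild {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Group names (wildcards allowed); omit to rebuild every dynamic group.
        # Names are always combined with -Dynamic $true so a static group can never be emptied by mistake.
        [string[]] $GroupName,
        # Seconds to wait before checking that the group has been repopulated (assumed value; tune for your environment)
        [int] $WaitSeconds = 60
    )

    # Controls taken from the original post: bypass the Dynamic Group Policy for the membership clearing only
    $controls = @{
        "EDS_CONTROL_FIX"                     = 4
        "EDS_CONTROL_CHECK_POLICY_COMPLIANCE" = 5
        "DGPolicyGUID"                        = "84C1A76B-2A6B-4f4b-837A-22D2CCAC777A"
    }

    if ($GroupName) {
        $groups = $GroupName | ForEach-Object { Get-QADGroup -Name $_ -Dynamic $true -Proxy -SizeLimit 0 }
    } else {
        $groups = Get-QADGroup -Dynamic $true -Proxy -SizeLimit 0
    }

    foreach ($group in $groups) {
        # -SizeLimit 0 so that groups larger than the default 1000-object cap are read completely
        $before = @(Get-QADGroupMember $group -Proxy -SizeLimit 0)

        if ($PSCmdlet.ShouldProcess($group.DN, "Clear $($before.Count) member(s) to force a rebuild")) {
            if ($before.Count -gt 0) {
                Remove-QADGroupMember $group -Member $before -Control $controls -Proxy
            }

            # Give the Administration Service time to re-evaluate the membership rules, then re-read the group
            Start-Sleep -Seconds $WaitSeconds
            $after = @(Get-QADGroupMember $group -Proxy -SizeLimit 0)

            [pscustomobject]@{
                Group         = $group.Name
                MembersBefore = $before.Count
                MembersAfter  = $after.Count
                Rebuilt       = ($after.Count -gt 0)
            }
        }
    }
}

# Usage (the group name is a placeholder):
#   Invoke-DynamicGroupRebuild -GroupName "DiskEncryption-Targets" -WhatIf   # preview what would be cleared
#   Invoke-DynamicGroupRebuild | Where-Object { -not $_.Rebuilt }            # all dynamic groups; list any still empty
```

Two caveats worth keeping in mind: between the clearing and the rebuild the group really is empty, so anything filtered on it (GPO security filtering, for instance) stops matching for that window, and the Rebuilt column only tells you that the group is non-empty again, which is not the same as confirming the membership is correct. Compare MembersBefore and MembersAfter, and raise $WaitSeconds if large groups show up as not rebuilt simply because the service had not finished yet.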

  • Poetry.  We've found rebuilds necessary too often for the few excessively sized groups (50K plus) used for GPO filtering of disk encryption settings.

    I assume a scheduled task could check/compare expected group membership to actual, and trigger a rebuild if necessary ... have to give that some thought.

    Thanks Nick

  • Just in case you don't see the updated version, I rewrote it to simply allow the policy to be bypassed for the membership clearing rather than disabling the dynamic group policy completely for the duration. The new version would be less frowned upon.

