
Create Membership Rules for Dynamic Groups (CornellAD Group Management)

This article applies to: Group Management


There are many ways to use dynamic groups. Here we'll describe how to set up dynamic groups for a few common situations.

The procedures below assume you are working with a brand new dynamic group. If you are returning to an existing dynamic group, double-click on the group, then select the Membership Rules tab. Then follow the procedures listed below. Some details will be slightly different (for example, you will see an OK button instead of a Finish button), but the concepts are the same.

Create a dynamic group made up of objects that are members of both GroupA and GroupB

For our example, the dynamic group (named PRE-mammals) will include only the objects that are members of the group PRE-warmblooded and the group PRE-livebirth.

Remember that you must use the ARS console, not the web interface.

  1. If you have just converted a group into a dynamic group, the New Membership Rule Wizard is already open.

    If the Wizard is not open, navigate to your group, right-click on it and select Add Membership Rule. If you do not see this choice, it means you have not yet converted this group into a dynamic group, so you need to follow the procedure above.
  2. On the New Membership Rule Wizard dialog box, select Include by Query, then click Next.
  3. On the Selected Objects dialog box, click Add. A Create Membership Rule dialog box will open.
  4. Click the Advanced tab.
  5. Select the AND radio button.
  6. Click Field.
  7. On the Select Object Type and Property dialog box, under Object property, select Member Of, then click OK.
  8. Back on the Create Membership Rule dialog box, from the Condition drop-down, select Is (exactly).
  9. Click the ellipsis (three dots) button next to the Value field.
  10. On the Select Object dialog box, type the beginning of (or all of) the name of the group in the text field near the bottom, including the prefix for your OU, and press Enter. (In the example given above, this would be the "PRE-warmblooded" group.)
  11. From the list displayed on the Select Matching Items dialog box, select the name of the group and click OK.
    (If only one item matched what you entered, you won't see this dialog box; you'll go straight to the next step.)
  12. Back on the Create Membership Rule dialog box, click Add. (NOT Add Rule)
  13. Repeat steps 5-12 to add the other group. (In the example given above, this would be the "PRE-livebirth" group.)
    You can have as many conditions within a rule as you like by repeating steps 5-12. Be sure to finish each repetition by clicking Add.
  14. Click Add Rule. The Create Membership Rule dialog box will close, returning you to the New Membership Rule Wizard.
  15. Click Finish.

Create a dynamic group made up of objects that are members of either GroupA or GroupB (or members of both)

  1. If you have just converted a group into a dynamic group, the New Membership Rule Wizard is already open.
  2. On the New Membership Rule Wizard dialog box, select Include Group Members, then click Next.
  3. Click Add.
  4. In the lower text field, type a group name (or the beginning of one), then click Check Names. If only one group is found that matches, it will be shown in the lower field. If more than one matching group is found, a list will be displayed. Select the desired group, then click OK.
    You can enter multiple group names, separated by semi-colons. Click OK when you're finished adding groups. (Or you can create a second rule using Include Group Members and list the second group separately. Either method gives identical results.)
  5. Click Finish.

Create a dynamic group made up of objects that are members of GroupA but not of GroupB

  1. If you have just converted a group into a dynamic group, the New Membership Rule Wizard is already open.
  2. On the Membership Rule Type (or New Membership Rule Wizard) dialog box, select Include Group Members, then click Next.
  3. Click Add.
  4. In the lower text field, type the name of GroupA (or the beginning of it), then click Check Names. If only one group is found that matches, it will be shown in the lower field. If more than one matching group is found, a list will be displayed. Select the desired group, then click OK.
  5. Click OK, then Finish.
  6. Double-click on the group, then click the Membership Rules tab.
  7. On the Properties dialog box, click Add.
  8. On the Membership Rule Type dialog box, select Exclude Group Members, then click OK.
  9. In the lower text field, type the name of GroupB (or the beginning of it), then click Check Names. If only one group is found that matches, it will be shown in the lower field. If more than one matching group is found, a list will be displayed. Select the desired group, then click OK.
  10. Click OK to close the Select Objects dialog box.
  11. Click OK to close the Properties dialog box.

The other rule types are Include Explicitly and Exclude Explicitly. These are the "snapshot" rules. If you specify a group name in one of these rules, the current membership of the group is selected and applied to your dynamic group. If changes occur to the group you specify, those changes will NOT affect your dynamic group.
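The three procedures above and the "snapshot" rules can be checked against a small set-based model. This is an added example, not Active Roles code or part of the original article; the member names and the function names are constructed for illustration, and it assumes an exclude rule removes objects that an include rule would otherwise add, as the GroupA-but-not-GroupB procedure describes.

```python
# Added illustration: a set-based model of the rule types described on this page.
# Not Active Roles code; member names and directory contents are constructed.

def include_by_query_all(directory, groups):
    """Include by Query with AND: objects that are members of every listed group."""
    return set.intersection(*(set(directory[g]) for g in groups))

def group_members(directory, groups):
    """Include/Exclude Group Members: live union of the listed groups."""
    return set().union(*(directory[g] for g in groups))

def snapshot(directory, group):
    """Include/Exclude Explicitly: copy of the membership at rule-creation time."""
    return frozenset(directory[group])

def evaluate(directory, include=(), exclude=(), include_explicit=(), exclude_explicit=()):
    """Resolve a dynamic group: everything included minus everything excluded."""
    included = group_members(directory, include) | set().union(*include_explicit)
    excluded = group_members(directory, exclude) | set().union(*exclude_explicit)
    return included - excluded

# Constructed sample directory using the group names from the example above.
DIRECTORY = {
    "PRE-warmblooded": {"dog", "bat", "robin", "platypus"},
    "PRE-livebirth": {"dog", "bat", "guppy"},
}

def demo():
    d = {g: set(m) for g, m in DIRECTORY.items()}
    # Procedure 1: members of both groups (the PRE-mammals example).
    both = include_by_query_all(d, ["PRE-warmblooded", "PRE-livebirth"])
    # Procedure 2: members of either group.
    either = evaluate(d, include=["PRE-warmblooded", "PRE-livebirth"])
    # Procedure 3: members of GroupA but not of GroupB.
    a_not_b = evaluate(d, include=["PRE-warmblooded"], exclude=["PRE-livebirth"])
    # Snapshot rule created now, then the source group changes afterwards.
    frozen = snapshot(d, "PRE-livebirth")
    d["PRE-livebirth"] = {"dog", "bat", "seal"}
    live_after = evaluate(d, include=["PRE-livebirth"])
    snap_after = evaluate(d, include_explicit=[frozen])
    return both, either, a_not_b, live_after, snap_after

if __name__ == "__main__":
    for result in demo():
        print(sorted(result))
```

After the source group changes, the snapshot-based result still contains the removed member and lacks the new one, which is the drift to look for when reviewing a dynamic group built with Include Explicitly or Exclude Explicitly.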

Again, we recognize that this is a complicated procedure. Feel free to contact CIT's Identity Management group for assistance.

About this Article

Last updated: Friday, July 10, 2020 - 3:07pm

Audience: IT Professionals
