Can I build a dynamic group based on part of a value contained in 'MemberOf' user attribute ?

I'm assuming you need all the users in one flat group (maybe for a sync to AAD)

A bit of an ugly workaround (because you can't to a "contains" on a DN field), but may work:

Create a Dynamic Group of all the groups with Name Contains "RBS-CU-JMF". Name it something worthwhile like: "RBS-CU-JMF Groups"
Create another Dynamic Group called: "RBS-CU-JMF Users" with an advanced search of: (&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=RBS-CU-JMF Groups,OU=Groups,DC=ACME,DC=com)

Dynamic group "by query" membership rules can reference membership of groups.  So you can just add the groups that you want to look for members of individually.  You can also do query by container so you could create a Managed Unit called "My Criteria groups" and use a query to pull into it all of the members of groups matching a specific name pattern.  There is risk of some duplication here so experimentation is recommended.

Sorry... might not have been clear above.  You would then specify the "My Criteria Groups" Managed Unit in a "by query" membership rule on your dynamic group.

I looked at this again - you can get what you need just by using an "include group members" membership rule on your dynamic group.

When you go to set it up and you are asked to select the group(s) whose members you want, just type the prefix (Example:  ABC) and when you hit "Check Names" all the groups with that prefix will show up.  You can just select the ones you want or take the whole list.  Either way, you won't have to repeatedly go hunting for them individually.

Thank you, it works well!

Hello,

we have a similar case and we came to the same solution as you have suggested @JohnnyQuest. But we need to filter once more to users that are only from specific OU. Thought I could use an Exclude by query filter using DN as attribute and "not contains" but it does not work... This is weird because if I use a MU using the same filters it works... can someone verify this as well?

Thank you in advance!

I'm thinking, can't this be done a lot simpler by just creating an Exclude rule, and in the object picker just use the "Browse" button (upper right corner) to focus on the OU you want to exclude? No need for a specific query as it will just focus on that OU only?

@Michiel thanks for the input. What I what to achieve is the next:
Create a Dynamic Group with users of multiple groups (users can be from different OUs) and specific OU.
I am able to achieve the first part by using an "include group members" membership rule.

For the second part, how do I achieve the second part? I have tried adding an Exclude by Query rule, using DN "Not contains" OU, but it is not working.

This is weird because if I apply same logic in a MU it works as expected.

Hi again,

just an update. Since we could not implement the Dynamic Group, as a workaround we have ended up creating the MU and then running an scheduled script which gets the users from the MU and adds them into a normal Security Group. To keep the membership updated (dynamic) the script first empties the group members and then adds them.

If anyone would have some other suggestion please let me know.

Thanks,

Perhaps consider this option:

1) Create a VA to use to populate your "final" group - maybe edsvaSpecialGroupMember

2) Make your "final" group a dyamic group that looks for the presence of this flag - i.e. edsvaSpecialGroupMember = TRUE

3) Have your scheduled script stamp this attribute on all your MU members