Dynamic Group - Recursive membership based on nested manager chain...

Imagine a single manager is over 12 managers who in turn all have 12 subordinate managers who all have teams of 10+ people - is there an easy native way to create a dynamic group membership query that encompasses ALL those people?

Head-Manager Jill <- Sub-Manager Jack (member of group because his "managedby" is "Head-Manager Jill") <- Engineer Sally (member of group because her "managedby" is "Sub-Manager JACK" who is managed by "Head-Manager Jill")

What I was about to do, if there is no native solution, is to write a daily script that does the recursion and places the "manager's manager" in some virtual attribute of each subordinate worker - like SecondaryOwner.

Then do the queries based on "managedby" or "secondaryowner".

But this is dependent on the scheduled script, and would have to be frequent enough to catch new accounts being pulled under any of the "subordinate managers".

  • I ended up writing a scheduled script to go down the chain of command and then add all those users to a group:

    Import-Module ActiveDirectory
    # Optional wildcard filters applied to each direct-report DN
    $filterLike = "*some-filtering-text-if-needed*"
    $filterNotLike = "*some-other-filtering-text-if-needed*"
    # Level 1: the division manager's direct reports (as DNs). @() keeps each
    # level an array even when a single DN comes back, otherwise "+" below
    # would concatenate strings instead of arrays.
    $level1 = @(get-aduser DivisionManager -properties directreports|
      select -ExpandProperty directreports|
      ?{$_ -like $filterLike -and $_ -notlike $filterNotLike})
    # Level 2: direct reports of every level-1 person
    $level2 =@(); $level1|
      %{$level2+=@(get-aduser $_ -properties directreports|
        select -ExpandProperty directreports|
        ?{$_ -like $filterLike -and $_ -notlike $filterNotLike})}
    # Level 3
    $level3 =@(); $level2|
      %{$level3+=@(get-aduser $_ -properties directreports|
        select -ExpandProperty directreports|
        ?{$_ -like $filterLike -and $_ -notlike $filterNotLike})}
    # Level 4 (add more levels the same way if the org chart is deeper)
    $level4 =@(); $level3|
      %{$level4+=@(get-aduser $_ -properties directreports|
        select -ExpandProperty directreports|
        ?{$_ -like $filterLike -and $_ -notlike $filterNotLike})}
    $allmembers = $level1+$level2+$level3+$level4
    # Add only: anyone who later leaves the chain is not removed by this script
    if ($allmembers.Count -gt 0) {
      Add-ADGroupMember "All Division Staff" -Members $allmembers
    }

    Of course you could do some recursive looping until no users are returned (ensuring you don't miss anyone beyond whatever number of levels you do in this approach) - but maybe what I did is more readable and self-explanatory ¯\_(ツ)_/¯
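The "loop until no users are returned" variant the comment mentions, written here as an added example rather than the poster's script: it walks directReports breadth-first to any depth, guards against a cycle in the manager attribute (which would otherwise loop forever), and reconciles the group by removing people who have left the chain instead of only adding. It assumes the ActiveDirectory module and reuses the page's placeholder names DivisionManager and "All Division Staff"; Get-ReportingChain and Sync-ChainGroup are names chosen for this example.

```powershell
Import-Module ActiveDirectory

# Breadth-first walk of directReports from one manager until no new users appear.
# The visited set stops infinite loops if the manager attribute ever forms a cycle
# (A manages B, B manages A), something a fixed-depth script never has to handle.
function Get-ReportingChain {
    param(
        [Parameter(Mandatory)][string]$TopManager,   # sAMAccountName or DN
        [string]$FilterLike = '*',
        [string]$FilterNotLike = ''
    )
    $top = Get-ADUser -Identity $TopManager
    $visited = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($top.DistinguishedName)
    [void]$visited.Add($top.DistinguishedName)
    $members = @()
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        $reports = Get-ADUser -Identity $dn -Properties directReports |
            Select-Object -ExpandProperty directReports
        foreach ($r in $reports) {                       # iterates zero times when $reports is $null
            if ($visited.Contains($r)) { continue }      # already seen: cycle or duplicate
            [void]$visited.Add($r)
            if ($r -like $FilterLike -and -not ($FilterNotLike -and $r -like $FilterNotLike)) {
                $members += $r
            }
            $queue.Enqueue($r)   # keep descending even through a filtered-out manager
        }
    }
    return $members
}

# Reconcile: the desired set is recomputed on every run, so accounts that move out of
# the chain are removed instead of accumulating in the group with stale access.
function Sync-ChainGroup {
    param([string]$TopManager, [string]$GroupName)
    $desired = Get-ReportingChain -TopManager $TopManager
    # Direct user members only; nested groups, if any, are left alone
    $current = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty DistinguishedName
    $toAdd    = $desired | Where-Object { $_ -notin $current }
    $toRemove = $current | Where-Object { $_ -notin $desired }
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Added = @($toAdd).Count; Removed = @($toRemove).Count; Total = @($desired).Count }
}

Sync-ChainGroup -TopManager 'DivisionManager' -GroupName 'All Division Staff'
```

The returned object gives the add/remove counts for the run, which is worth logging so an unexpected mass removal (for example after a manager attribute is cleared in error) is noticed.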