• State Suggested Answer
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 62 subscribers
  • Views 1098 views
  • Users 0 members are here
Options
Related

How to Copy Logic of a Dynamic Group

josh aeria
over 3 years ago

Hi All,

Does anyone know of a way to copy the logic from one dynamic group to another or even reuse the same logic with a slight change for an existing group?

Example - 

We have 3 user types but the Dynamic Groups only give options to use "and" or "or", I can't get them to both be included so we have to have 3 identical rules but for each of the user types.

User types = Regular, Contractor, Vendor

Location = Can't be location1 and can't be location2 and can't be location3.

Desired result = All regular, contractors and vendors whose location is not one of those 3.

I would have to create a rule that says UserType is exactly Regular and location is not location1 and location2 and location3. 

I would then have to do the same for usertype Contractor and Vendor as well.

Is there a way to either use "And" and "or" in the same rule (Usertype is Regular or Contractor or Vendor) and location is not location1 and location is not location2 and location is not location3.

If there is no way to do the above, can I simply build it out for "Regular" and then copy the logic some how and just update it to "Contractor" and "Vendor".

I have some groups with dozens of "locations" that I would need to recreate multiple times for each user type.

Thanks

Josh

  • 0 over 3 years ago

    Hi Josh

    One option is to change the query you're using in your dynamic group "include by query" membership rule.

    In my lab I have 20 user objects, as below:

    In my example

     Location = City (ldap name "l")

    User Type = employee type (ldap name "employeeType"

    I created a Dynamic group called "DG-Test", where:

    Find = Custom Search

    In= OU structure containing my test accounts

    LDAP Query:

    (&(samAccountType=805306368)(&(!(l=location1))(!(l=location2))(!(l=location3)))(|(employeeType=Regular)(employeeType=Contractor)(employeeType=Vendor)))

    LDAP Query breaks down as follows:

    (&

    (samAccountType=805306368)

    (&

    (!(l=location1))

    (!(l=location2))

    (!(l=location3))

    )

    (|

    (employeeType=Regular)

    (employeeType=Contractor)

    (employeeType=Vendor)

    )

    )

    Results are:

    The query in essence has 3 sections

    1. The object type we're looking for (samAccountType=805306368)
    2. The locations to exclude (!(l=location1))
    3. The user types we want to include (employeeType=Regular)

    So we want to only include:

    User Account (805306368 SAM_NORMAL_USER_ACCOUNT)

    AND

    City is NOT location1

    AND

    City is NOT location2

    AND 

    City is NOT location3

    AND

    User Type is Regular

    OR

    User Type is Contractor

    OR

    User Type is Vendor

    The problem we (myself include) usual make when writing an LDAP Query (other than the usual mismatch of brackets) is confusing when AND should be used vs OR, especially when you're looking at something that is not true. As in speech we're saying "any user, where they are not in London, New York or Paris, and the are of type Regular, Contractor or vendor"

    If we implement the query as we speak it, we get the below... as the location "OR" block (|(!(l=location1))(!(l=location2))(!(l=location3))) means that all our users are in scope

    For example, if we were to plug user "test 1" properties into that query we'd get

    NOT Location 1 = FALSE

    NOT Location 2 = TRUE

    NOT Location 2 = TRUE

    As an OR logical operator, we have at least one true, therefore its all true... and its included (when it shouldn't be)

    As an AND logical operator, we need all to be true, therefore "test 1" would not be included

    Where are for users "test 4" and "test 5" both would be included as their locations are not any we're interested it.

    Hope this helps.