How to Copy Logic of a Dynamic Group

Hi All,

Does anyone know of a way to copy the logic from one dynamic group to another or even reuse the same logic with a slight change for an existing group?

Example - 

We have 3 user types but the Dynamic Groups only give options to use "and" or "or", I can't get them to both be included so we have to have 3 identical rules but for each of the user types.

User types = Regular, Contractor, Vendor

Location = Can't be location1 and can't be location2 and can't be location3.

Desired result = All regular, contractors and vendors whose location is not one of those 3.

I would have to create a rule that says UserType is exactly Regular and location is not location1 and location2 and location3. 

I would then have to do the same for usertype Contractor and Vendor as well.

Is there a way to either use "And" and "or" in the same rule (Usertype is Regular or Contractor or Vendor) and location is not location1 and location is not location2 and location is not location3.

If there is no way to do the above, can I simply build it out for "Regular" and then copy the logic some how and just update it to "Contractor" and "Vendor".

I have some groups with dozens of "locations" that I would need to recreate multiple times for each user type.



  • Hi Josh

    One option is to change the query you're using in your dynamic group "include by query" membership rule.

    In my lab I have 20 user objects, as below:

    In my example

     Location = City (ldap name "l")

    User Type = employee type (ldap name "employeeType"

    I created a Dynamic group called "DG-Test", where:

    Find = Custom Search

    In= OU structure containing my test accounts

    LDAP Query:


    LDAP Query breaks down as follows:














    Results are:

    The query in essence has 3 sections

    1. The object type we're looking for (samAccountType=805306368)
    2. The locations to exclude (!(l=location1))
    3. The user types we want to include (employeeType=Regular)

    So we want to only include:

    User Account (805306368 SAM_NORMAL_USER_ACCOUNT)


    City is NOT location1


    City is NOT location2


    City is NOT location3


    User Type is Regular


    User Type is Contractor


    User Type is Vendor

    The problem we (myself include) usual make when writing an LDAP Query (other than the usual mismatch of brackets) is confusing when AND should be used vs OR, especially when you're looking at something that is not true. As in speech we're saying "any user, where they are not in London, New York or Paris, and the are of type Regular, Contractor or vendor"

    If we implement the query as we speak it, we get the below... as the location "OR" block (|(!(l=location1))(!(l=location2))(!(l=location3))) means that all our users are in scope

    For example, if we were to plug user "test 1" properties into that query we'd get

    NOT Location 1 = FALSE

    NOT Location 2 = TRUE

    NOT Location 2 = TRUE

    As an OR logical operator, we have at least one true, therefore its all true... and its included (when it shouldn't be)

    As an AND logical operator, we need all to be true, therefore "test 1" would not be included

    Where are for users "test 4" and "test 5" both would be included as their locations are not any we're interested it.

    Hope this helps.