Dynamic group modification

Hello,

Every time I try to modify the accountnamehistory attribute, my dynamic group gets changed to a normal group and all the membership rules get lost.

Is there a way to easily modify an existing dynamic group?

We have an existing dynamic group with about 30 to 40 rules for different values on extensionattribute10; now we need to add 100 different values.

I tried to copy the XML from the accounthistory attribute to Notepad and modify it by adding the new 100 values, but when I copied it back my dynamic group ended up as a normal group.

Thanks in advance for any help here.

BR

Hubert

  • Given the large number you have, it would probably be best to script the management of your rules.

    The SDK folder under your Active Roles admin service has a help file (.CHM) and some sample scripts for adding membership rules. The sample script is actually for Managed Units, but their membership rules work the same way as those of dynamic groups.

    See below the code of a script that I built for updating Dynamic Group Membership rules.

    (The SDK help file will explain the rule "Types" mentioned below.)

    # The input file includes a column with the distinguished names (DN) of the groups to be managed,
    # the contents of extensionattribute7 and 12, a virtual attribute (edsvaMyGroupVA), and a column called
    # StaticGroupDN that contains the DN of a group that is to be added explicitly to a membership rule
    $GroupsToProcess = Import-Csv "F:\Temp\John\Data\DynamicQueries\LPSTest.csv"

    Foreach ($GroupsToProcessItem in $GroupsToProcess)
    {
        $GroupDN = $GroupsToProcessItem.DN

        # In this case, extensionattribute7 and 12 of each group as well as another virtual attribute are being used for membership criteria
        $BusinessGroup = $GroupsToProcessItem.EA7
        $Location = $GroupsToProcessItem.EA12
        $PracticeGroup = $GroupsToProcessItem.edsvaMyGroupVA

        # Managed List
        $StaticGroupDN = $null
        $StaticGroupDN = $GroupsToProcessItem.StaticGroupDN

        # Core code goes here
        $GroupObj = [ADSI]"EDMS://$GroupDN"
        $RuleCollection = $GroupObj.MembershipRuleCollection
        $CurrentRuleCount = $RuleCollection.Count

        # Wipe out current Rules (remove from the end until the collection is empty)
        While ($CurrentRuleCount -gt 0)
        {
            $RuleToRemoveIndex = $CurrentRuleCount - 1
            $RuleCollection.RemoveAt($RuleToRemoveIndex)
            $CurrentRuleCount = $RuleCollection.Count
        }
        # $RuleCollection.setinfo()
        $GroupObj.setinfo()

        # Mark the group as dynamic
        $GroupObj.Properties["edsaIsDynamicGroup"].Value = $true
        $GroupObj.CommitChanges()

        # Add new rules
        $NewRule = New-Object -ComObject "EDSIManagedUnitCondition"

        # Generate a GUID to identify the rule internally
        # (ToString() yields the bare GUID; Out-String would add a table header and blank lines)
        $NewRule.BaseGuid = (New-Guid).ToString()

        # Change the domain below to your domain
        $NewRule.Base = "EDMS://DC=Mydomain,DC=local" # This is the root of the domain where the groups reside

        # Build up the LDAP filter for the membership rule
        # This LDAP query / rule includes a reference to a user being a member of another group (identified by a GUID)
        # Each negated term is wrapped in its own parentheses, as LDAP filter syntax requires
        # Note: the CSV values are inserted into the filter as-is
        $Filterstr = "(&(objectcategory=person)(objectclass=user)(extensionAttribute7=$BusinessGroup)(!(extensionAttribute15=TEA))(extensionAttribute12=$Location)(edsvaUserPracticeGroups=$PracticeGroup)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberof=<GUID=ae1334b14c32df449b864bba9ee7d909>))"

        # Show the filter and pause so it can be checked before it is applied
        $Filterstr
        Read-Host -Prompt "Press Enter to Continue"
        $NewRule.Filter = $Filterstr
        $NewRule.Type = 1 # Include by Query
        $RuleCollection.Add($NewRule)

        # Check if we have a static group we want to add a rule for
        If ($StaticGroupDN)
        {
            $NewRule2 = New-Object -ComObject "EDSIManagedUnitCondition"
            $NewRule2.BaseGuid = (New-Guid).ToString()
            $NewRule2.Base = "EDMS://$StaticGroupDN"
            $NewRule2.Filter = ""
            $NewRule2.Type = 5 # See the SDK help file for the rule Type values
            $RuleCollection.Add($NewRule2)
        }

        # Save the new rules
        $GroupObj.setinfo()
        $GroupObj.CommitChanges()
        $GroupObj.close()

    } # End of group iteration loop
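
The script above interpolates CSV values straight into the LDAP filter, so a value containing `(`, `)`, `*` or `\` changes what the rule matches and therefore who ends up in the group. The following is an added example, not part of the thread or of the Active Roles SDK: it escapes each value per RFC 4515 and builds a single OR clause for a list of extensionAttribute10 values, as in the original question. The function names and sample values are hypothetical.

```powershell
# Added example; function names and sample values are hypothetical.

function ConvertTo-LdapFilterValue {
    # Escape a literal value for use inside an LDAP search filter (RFC 4515).
    # The backslash is replaced first so the escapes added afterwards are not escaped again.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-AttributeOrFilter {
    # Build (&(objectCategory=person)(objectClass=user)(|(attr=v1)(attr=v2)...))
    param(
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Values
    )
    # Attribute names are not escaped, so accept only plain LDAP descriptor characters.
    if ($Attribute -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
        throw "Unexpected attribute name: $Attribute"
    }
    # Trim, drop blanks and duplicates so an empty CSV cell cannot produce "(attr=)".
    $clean = $Values | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
    if (-not $clean) {
        throw "No usable values for $Attribute"
    }
    $terms = foreach ($v in $clean) {
        "($Attribute=$(ConvertTo-LdapFilterValue $v))"
    }
    "(&(objectCategory=person)(objectClass=user)(|$(-join $terms)))"
}

# Constructed sample values standing in for a CSV column. One contains filter
# metacharacters, one is a duplicate with stray whitespace, and one is empty.
$sample = 'Sales', 'R&D (EMEA)', 'x)(objectClass=*', ' Sales ', ''

$filter = New-AttributeOrFilter -Attribute 'extensionAttribute10' -Values $sample
$filter
```

The resulting string can be assigned to the rule's Filter property in place of a hand-built filter; printing it for review before applying it, as the script above does, remains a useful check.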

  • Thanks, that put me in the right direction.
