Create Shadow Groups (Dynamic Groups) in Active Directory
Recently I had a request from a client who wanted a Dynamic Security Group in Active Directory that automatically updates its members. Active Directory does have a concept of dynamic objects (I promise to cover that in another article), but this request was completely different. The client wanted a security group that automatically removes disabled users from itself. So I started a lovely conversation with my lovely friend PowerShell.
Basically, what you have to do is write a multi-function PowerShell script. We will need more than a couple of pipes in this script. To understand the code, let's translate it into human language:
Find Group1 in AD | Find Disabled members in the Member List | Remove them
Now, if you want a fully automated one, you need to schedule this script to run hourly on your domain controller. Here is the script:
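# Requires the ActiveDirectory module
Import-Module ActiveDirectory
# List the user members of GroupTest, look up each one's Enabled flag,
# keep only the disabled accounts and remove them from the group
Get-ADGroupMember GroupTest | ?{ $_.objectClass -eq 'user' } |
    %{ Get-ADUser -Identity $_.distinguishedName -Properties Enabled,samaccountname } |
    ?{ $_.Enabled -eq $false } |
    %{ Remove-ADGroupMember -Identity GroupTest -Members $_.samaccountname -Confirm:$false }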
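An added example, not the article's own script: the same removal logic as a schedulable script with a `-WhatIf` dry run and one audit line per removal. The file name, log path, task name and the SYSTEM task principal are assumptions, and `-Register` is a hypothetical switch of this example.

```powershell
# Sync-ShadowGroup.ps1 -- added example; file name, log path and task name are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Group   = 'GroupTest',                    # group name used in the article
    [string]$LogPath = 'C:\Scripts\ShadowGroup.log',   # assumed audit log location
    [switch]$Register                                  # one-time setup of the hourly task
)

if ($Register) {
    # Run once from an elevated prompt: schedule this same script every hour.
    $arguments = "-NoProfile -File `"$PSCommandPath`" -Group `"$Group`" -LogPath `"$LogPath`""
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                     -RepetitionInterval (New-TimeSpan -Hours 1) `
                     -RepetitionDuration (New-TimeSpan -Days 3650)
    # Assumption: SYSTEM on the domain controller; a dedicated account with rights
    # delegated on this one group can be substituted here.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
    Register-ScheduledTask -TaskName "ShadowGroup-$Group" -Action $action `
        -Trigger $trigger -Principal $principal
    return
}

Import-Module ActiveDirectory -ErrorAction Stop

# Only user objects: the group may also hold computers or nested groups,
# which Get-ADUser cannot resolve.
$disabled = Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
    Where-Object { $_.Enabled -eq $false }

foreach ($user in $disabled) {
    # With -WhatIf this is a dry run: nothing is removed and nothing is logged.
    if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $Group")) { continue }
    try {
        Remove-ADGroupMember -Identity $Group -Members $user -Confirm:$false -ErrorAction Stop
        $result = 'removed'
    } catch {
        $result = "failed: $($_.Exception.Message)"
    }
    # One tab-separated audit line per attempted removal.
    "{0:s}`t{1}`t{2}`t{3}" -f (Get-Date), $Group, $user.SamAccountName, $result |
        Add-Content -Path $LogPath
}
```

Run it once with `-WhatIf` to see which accounts would be removed, then with `-Register` from an elevated prompt to create the hourly task.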
Have fun automating.