ADMT 3.2 Intraforest Computer Migration Group Membership

Hello friends,
I'm performing an intraforest migration. I'm in the testing phase with computer migrations. The fact is that the computers belong to universal groups in the source domain and also in the target domain. Some of the groups are used to apply GPOs. Problem: when I do the migration from the source domain to the target domain, ADMT does not include the migrated computer in the same groups it was in in the source domain. ADMT is able to include the migrated computer in groups that are not used for GPOs. Does somebody know why this is happening? What can I do in order to maintain the group membership of my computer?
Thank you!

Hi,
Usually, it is recommended that we perform migration in the following steps:
Group migration
Users account migration
Services account migration
Security Translation
Computers account migration
To perform an intra-forest migration, the following article can be referred to as a reference.
Checklist: Performing an Intra-forest Migration
http://technet.microsoft.com/en-us/library/cc974337(v=ws.10).aspx
Best regards,
Frank Shen
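The thread does not say why the memberships were dropped, but the practical check a migration engineer wants is a before/after diff of the computer's memberships with any gap re-added. The following is an added example (not ADMT's own tooling and not from either post) that snapshots the computer's group memberships before the intraforest move and re-adds whatever is missing afterwards. The domain names contoso.com and child.contoso.com are hypothetical. Reads go through the global catalog (port 3268) so universal groups from either domain appear in memberOf; writes go to a DC of the domain that holds each group.

```powershell
# Added example (not from the ADMT thread): snapshot and restore a computer's group memberships
# across an intraforest migration. Hypothetical names: source contoso.com, target child.contoso.com.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$SourceDomain = 'contoso.com',        # assumption
    [string]$TargetDomain = 'child.contoso.com',  # assumption
    [string]$SnapshotPath = ".\$ComputerName-groups.csv"
)
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # 'CN=G,OU=X,DC=child,DC=contoso,DC=com' -> 'child.contoso.com' (unescaped DNs only)
    param([string]$DistinguishedName)
    $dc = ($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
    return ($dc -join '.')
}

function Save-ComputerGroupSnapshot {
    # Record name, scope and objectGUID of every group the computer is in. The GUID is the
    # stable key: a group's DN changes if it is migrated too, its objectGUID does not.
    $computer = Get-ADComputer -Identity $ComputerName -Server "${SourceDomain}:3268" -Properties memberOf
    $rows = foreach ($dn in $computer.memberOf) {
        $g = Get-ADGroup -Identity $dn -Server "${SourceDomain}:3268"
        [pscustomobject]@{ Name = $g.Name; GroupScope = $g.GroupScope; ObjectGUID = $g.ObjectGUID.Guid; DN = $dn }
    }
    $rows | Export-Csv -Path $SnapshotPath -NoTypeInformation
    return $rows
}

function Restore-ComputerGroupMembership {
    $snapshot = Import-Csv -Path $SnapshotPath
    # After the move the computer lives in the target domain; read its current memberships from the GC.
    $computer = Get-ADComputer -Identity $ComputerName -Server "${TargetDomain}:3268" -Properties memberOf
    $current = @{}
    foreach ($dn in $computer.memberOf) {
        $current[(Get-ADGroup -Identity $dn -Server "${TargetDomain}:3268").ObjectGUID.Guid] = $true
    }
    $added = @()
    foreach ($row in $snapshot) {
        if ($current.ContainsKey($row.ObjectGUID)) { continue }
        $g = Get-ADGroup -Identity $row.ObjectGUID -Server "${TargetDomain}:3268"
        try {
            # A global group in the source domain cannot hold a computer from another domain;
            # Add-ADGroupMember throws for that case and the warning names the group to re-scope.
            Add-ADGroupMember -Identity $g.DistinguishedName -Members $computer.DistinguishedName `
                -Server (Get-DomainFromDN $g.DistinguishedName) -ErrorAction Stop
            $added += $g.Name
        } catch {
            Write-Warning "Could not add $ComputerName to $($g.Name) ($($g.GroupScope)): $($_.Exception.Message)"
        }
    }
    return $added
}

# Usage: run Save-ComputerGroupSnapshot before the ADMT computer migration and
# Restore-ComputerGroupMembership after the computer has rebooted into the target domain.
```

The restore compares by objectGUID rather than DN on purpose: if the groups themselves are migrated in the same project, their DNs change but their GUIDs survive the cross-domain move. Groups that reject the add (typically global groups left in the source domain) are reported, not silently skipped, so they can be converted to universal scope or recreated in the target domain.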

Similar Messages

  • Computer's group membership

I am trying to find a way to list the groups a computer knows it is a member of. Normally a computer only picks up a group membership change after a reboot. You can purge the Kerberos tickets and it will sometimes pick up the new membership.
I have a requirement to determine if a group membership has propagated to >300 servers for GPO filtering, but the only way I can find to validate this is by running a gpresult and checking the computer group memberships.
I started by trying to run a gpresult remotely but that does not always return the computer group membership. Is there a WMI call that can pull this, or can a Kerberos ticket be disassembled to get the memberships?

    jrv,
    I understand how Active Directory and the various methods of GPO provisioning work.
The systems in question (>300 production servers) have been added to a provisioning group. This group is used to filter application of a GPO. I need to validate the systems have picked up the new group membership before moving forward with a multi-step implementation.
When a gpresult is run the output displays the groups the system is a member of in order to determine GPO application. I am trying to get this data from remote systems programmatically, hence why I posted in this forum, since I am specifically asking if anyone knows of a WMI (or other) call that would return the computer group memberships.
    As I re-organize a GPO structure in dire need of cleanup I am going to have to do this validation multiple times over a large number of servers. Being able to automate this process would help quite a bit.
    "For computer accounts this requires a reboot." - See this article: 
    http://setspn.blogspot.com/2010/10/updating-servers-security-group.html

  • Process Computer Migration (more than 1 ADMT)

    Hi all,
We're going to do computer migrations from one domain to another. We're thinking of doing the migration per department (OU). Since the computer locations vary, I am wondering if it is OK to set up more than one PC for ADMT.
Let's say we set up 3 or more ADMT installations, and we migrate a bunch of PCs from 3 different departments at the same time, in order to accelerate the PC migration process. Is it OK/recommended to do that? I mean, will there be any conflicts or object sync issues in the migration process?
    Thanks.

    Sorry for the late update,
    I've tried parallel computer migrations on my environment, on more than 1 ADMT.
The thing was, I migrated all the users and groups in one of the ADMT tools.
If that is the case, I cannot use the translate option while migrating computers with user profiles that were not migrated with the same tool. The tool will say that there is no previously migrated object. But somehow, in my case, the user profiles on those computers were still changed to NEWDOMAIN\user.
    Hope the information is useful.

  • Klist Purge is not working when trying to update a computer security group

I cannot get klist purge to work on any of our computers. After running the command "klist -lh 0 -li 0x3e7 purge" I have tried internally and externally using VPN. The computer does not see new security group settings.
Windows 7 clients.

    Try klist -li 0x3e7 purge and then "gpupdate /force" to update the security group membership.
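The two threads above (validating that >300 servers have picked up a filtering group, and purging the SYSTEM session's tickets so a computer sees a new group) are the same problem from two ends. The following is an added example, not from either post, that does both: it optionally runs the klist purge and gpupdate the reply above suggests on each target, then parses the computer-scope gpresult output, where the computer's token groups are listed under "The computer is a part of the following security groups", and reports whether the filtering group is present. It assumes WinRM is reachable, the caller is a local administrator on every target, and the group name is spelled the way gpresult prints it ('DOMAIN\Group'); the group name in the comment is hypothetical.

```powershell
# Added example (not from the posts above): purge the SYSTEM logon session's Kerberos tickets,
# refresh computer policy, and check gpresult's computer-scope group list across many servers.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [Parameter(Mandatory)][string]$GroupName,   # e.g. 'CONTOSO\GPO-Filter-Servers' (hypothetical)
    [switch]$Purge                               # also run klist purge + gpupdate before checking
)

function Get-ComputerTokenGroups {
    # Extract the group list printed under "The computer is a part of the following security groups".
    param([string[]]$GpresultLines)
    $groups = @()
    $inSection = $false
    foreach ($line in $GpresultLines) {
        if (-not $inSection) {
            if ($line -match 'computer is a part of the following security groups') { $inSection = $true }
            continue
        }
        if ($line -match '^\s*-+\s*$') { continue }      # underline beneath the heading
        if ($line.Trim() -eq '') {                        # first blank line after the list closes it
            if ($groups.Count -gt 0) { break } else { continue }
        }
        $groups += $line.Trim()
    }
    return $groups
}

$remote = {
    param([bool]$DoPurge)
    if ($DoPurge) {
        # 0x3e7 is the LUID of the SYSTEM logon session. Dropping its tickets forces a fresh TGT,
        # whose PAC carries the computer's current group SIDs, on the next policy refresh.
        & klist.exe -li 0x3e7 purge | Out-Null
        & gpupdate.exe /target:computer /force | Out-Null
    }
    & gpresult.exe /r /scope:computer
}

function Test-GroupOnServers {
    foreach ($c in $ComputerName) {
        try {
            $lines = Invoke-Command -ComputerName $c -ScriptBlock $remote -ArgumentList $Purge.IsPresent -ErrorAction Stop
            $groups = Get-ComputerTokenGroups -GpresultLines $lines
            [pscustomobject]@{ Computer = $c; HasGroup = ($groups -contains $GroupName); TokenGroups = $groups.Count; Error = $null }
        } catch {
            [pscustomobject]@{ Computer = $c; HasGroup = $false; TokenGroups = 0; Error = $_.Exception.Message }
        }
    }
}

Test-GroupOnServers | Format-Table -AutoSize
```

Running gpresult through Invoke-Command instead of gpresult /s avoids the case the first poster hit, where the remote RSoP query comes back without the computer's groups: the command runs locally on the target, under an elevated session, and reads the policy processing results that the preceding gpupdate just produced. Without -Purge the script is read-only and is the loop to run repeatedly while reorganising GPO filtering.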

  • SQL syntax for querying Active Directory group membership

    Post Author: cantrejj
    CA Forum: Data Connectivity and SQL
I've established a connection to Active Directory through Crystal Reports XI. Now I need to write an SQL select statement to return all computer accounts and their group memberships. My statement returns all the computer accounts in the target OU, but when I add the memberOf field to my report everything goes blank. What am I doing wrong? I've included below my query statement and would welcome any suggestions...
    ******************************************
    Select CN, memberOf
    From 'LDAP://OU=Managed Accounts, OU=Central Valley Service Area, DC= root, DC=sutterhealth, DC=org'
    where ObjectClass='computer'
    ********************************************

    No ERRORs, no PANICs:
    # grep -i error /var/log/samba/log.smbd
    # grep -i panic /var/log/samba/log.smbd
    # grep -i error /var/log/samba/log.smbd.old
    # grep -i panic /var/log/samba/log.smbd.old
    #

  • Group Memberships not Flowing into Metaverse

    Hello,
    I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
    An HR system running on SQL Server
    A staging database that extracts data from the HR system
    The staging database has a table representing the person object
    The staging database has a table representing person multi-valued attributes (e.g. location, job code, etc.)
    The staging database has a table representing group objects
    The staging database has a table representing group memberships (multi-valued)
    A SQLMA connected to the person and person multi tables
    A SQLMA connected to the group and group membership tables
All group memberships are based on job codes and locations. There are no approval processes in place. If they have this job code, they get certain groups. That's all calculated in the staging database and the memberships are in the group membership table.
    This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
    I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
    But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
    Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.
    I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute. 
I'm not sure what kind of issues I'm going to run into when exporting that to AD. I'll cross that bridge when I come to it. I don't anticipate that being an issue as the DNs for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV RDN).
    Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
    Thanks,
    Greg Wilkerson

    Hey Cameron,
    I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
I've read this article, along with the many others that address the "manager" scenario. This really doesn't apply in this case, as the user and group objects are loaded in separate MAs. Getting reference values to flow with both objects living in the same CS shouldn't be an issue.
I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group). That solution solved the issue of the groups and users being in the same CS. As I grow tired of my daily FIM beatdown, that solution is growing more attractive. That's a major DB redesign, and seems quite inefficient.
The multi-value table for group memberships already exists in the DB. For FIM purposes, I transferred that data into the user object multi-value table. See screen shot. I can certainly configure the group MA to access that multi-value table and load the group members as references. But, because the group MA CS will not contain the user objects, I don't see how the references will be set. If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't figured out a way to set a reference value for an object in the MV - my problem all along).
This whole "setting a reference value" encompasses much more than just group memberships in my implementation. Telephone resources and physical access (key cards, etc.) are provisioned through the existing eDirectory system. These objects exist in our current IDM system and are associated with users based on rules. So, the reference value process is something I need to figure out, if I'm going to use this product.
Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact. I'm not sure that would get me where I want to go, and it seems like a lot of extra "stuff" to solve what should be a simple problem. Hmmmmmm. Or, connect the ECMA2 directly to my group membership multi-value table in the DB. Hmmmmmm. I'd still have to export the groups and users into that CS, but the import might be much more straightforward. Hmmmmmm.
    The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
    EmployeeGroups
        GroupName varchar(50) not null,
        EmployeeID nvarchar(50) not null,
        ID int identity(1,1) not null

  • PowerShell: AD Group Membership

    Is it possible to generate group membership for all groups in AD, b member of that group?
    Thanks
    *alex

One good thing about using DirectoryServices.DirectorySearcher in PowerShell is that the syntax is so similar to that of VBScript programs using ADODB. The first program in VBScript would be as follows:
    Option Explicit
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strDN
    Dim strLine, arrMembers, strMember
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Filter on group objects.
    strFilter = "(objectCategory=group)"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,member"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 200
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        strLine = """" & strDN & """,""" & strName & """"
        arrMembers = adoRecordset.Fields("member").Value
        If Not IsNull(arrMembers) Then
            For Each strMember In arrMembers
                strLine = strLine & ",""" & strMember & """"
            Next
        End If
        Wscript.Echo strLine
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    The second program, where sAMAccountName's are substituted for member DN's, would be as follows:
    Option Explicit
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strDN
    Dim strLine, arrMembers, strMember, objMemberList
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Retrieve all users, groups, and computers.
    strFilter = "(|(objectCategory=user)(objectCategory=group)(objectCategory=computer))"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName"
    ' Dictionary object (hash table).
    Set objMemberList = CreateObject("Scripting.Dictionary")
    objMemberList.CompareMode = vbTextCompare
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 200
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        ' Skip contacts.
        If (strName <> "") Then
            objMemberList.Add strDN, strName
        End If
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Recordset must be closed before it can be opened again.
    adoRecordset.Close
    ' Filter on all group objects.
    strFilter = "(objectCategory=group)"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,member"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        strLine = """" & strDN & """,""" & strName & """"
        arrMembers = adoRecordset.Fields("member").Value
        If Not IsNull(arrMembers) Then
            For Each strMember In arrMembers
                If (objMemberList.Exists(strMember) = True) Then
                    ' Substitute the sAMAccountname from dictionary object.
                    strLine = strLine & ",""" & objMemberList(strMember) & """"
                Else
                    ' Use the Distinguished Name.
                    strLine = strLine & ",""" & strMember & """"
                End If
            Next
        End If
        Wscript.Echo strLine
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    Richard Mueller - MVP Directory Services
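The asker wanted PowerShell, and Richard's answer hints that a DirectorySearcher version reads almost the same as the ADODB script. Below is an added example (mine, not Richard's code) that mirrors his second program in PowerShell: one paged search builds a DN to sAMAccountName map for users, groups and computers, a second search lists every group with its members, substituting the sAMAccountName where the map has one and falling back to the DN (foreign security principals, contacts) where it does not. It assumes it runs on a domain-joined host as a user allowed to read the domain, and that the domain's MaxValRange has not been raised above the default of 1500 values; any group over that size returns its members under `member;range=0-1499` instead of `member`, and such a group shows up with no members here.

```powershell
# Added example (not from the thread): PowerShell equivalent of the second VBScript above,
# using System.DirectoryServices.DirectorySearcher with paged results.
Add-Type -AssemblyName System.DirectoryServices

function New-DomainSearcher {
    # Subtree search from the default naming context; PageSize enables paging, otherwise
    # the DC caps a single result set at MaxPageSize (1000 objects by default).
    param([string]$Filter, [string[]]$Properties)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $base = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, $Properties)
    $searcher.PageSize = 200
    $searcher.SearchScope = 'Subtree'
    return $searcher
}

function Get-MemberNameMap {
    # DN -> sAMAccountName for users, groups and computers. Contacts also match objectCategory=user
    # (category Person) but carry no sAMAccountName, so they are skipped, as in the VBScript.
    $map = @{}   # PowerShell hashtable keys are case-insensitive, like the vbTextCompare dictionary
    $searcher = New-DomainSearcher -Filter '(|(objectCategory=user)(objectCategory=group)(objectCategory=computer))' `
        -Properties 'distinguishedName', 'sAMAccountName'
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dn = $r.Properties['distinguishedname'][0]
            if ($r.Properties.Contains('samaccountname')) {
                $map[$dn] = $r.Properties['samaccountname'][0]
            }
        }
    } finally { $results.Dispose() }
    return $map
}

function Get-GroupMembershipRows {
    # One object per group: DN, sAMAccountName and the member list with names substituted.
    param([hashtable]$NameMap)
    $searcher = New-DomainSearcher -Filter '(objectCategory=group)' -Properties 'distinguishedName', 'sAMAccountName', 'member'
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $members = @()
            if ($r.Properties.Contains('member')) {      # absent for empty groups and for groups over MaxValRange
                foreach ($m in $r.Properties['member']) {
                    $members += if ($NameMap.ContainsKey($m)) { $NameMap[$m] } else { $m }
                }
            }
            [pscustomobject]@{
                DistinguishedName = $r.Properties['distinguishedname'][0]
                SamAccountName    = $r.Properties['samaccountname'][0]
                Members           = $members
            }
        }
    } finally { $results.Dispose() }
}

# Same CSV-style output as the VBScript: "groupDN","groupSam","member1","member2",...
$nameMap = Get-MemberNameMap
Get-GroupMembershipRows -NameMap $nameMap | ForEach-Object {
    (@($_.DistinguishedName, $_.SamAccountName) + $_.Members | ForEach-Object { '"{0}"' -f $_ }) -join ','
}
```

Two searches are cheaper than one Get-ADObject per member DN because the name lookup never touches the DC again, which is what makes this usable on a domain with many thousands of groups. If the domain has groups above the value-range limit, a practitioner would either pull `member;range=1500-*` in a follow-up search or use Get-ADGroupMember, which handles ranging for you.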

  • Dynamic Group Membership - All SQL Computers in a Domain

    I am trying to create groups containing all SQL servers in each domain. I am using the Wizard in the console. However I appear to be having winter blues as I can't work out how to do it. Everything I try results in an empty group.
    Can someone please explain what I need to do to?

    Roger
Thanks for the input. The code looks logical and I applied it and imported a revised MP. However I am not getting any membership in the group. There is another group membership in the same MP and that populates correctly, so I haven't a clue where I'm going wrong. As you can see below my rule is the same as yours, except with a different domain name.
    <Expression>
      <And>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <Property>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/NetbiosDomainName$</Property>
            </ValueExpression>
            <Operator>ContainsSubstring</Operator>
            <Pattern>DOMAINNAME</Pattern>
          </RegExExpression>
        </Expression>
        <Expression>
          <Contained>
            <MonitoringClass>$MPElement[Name="MicrosoftSQLServerLibrary6410!Microsoft.SQLServer.ComputerGroup"]$</MonitoringClass>
          </Contained>
        </Expression>
      </And>
    </Expression>
    Eric

  • Com.apple.alf.plist file keeps changing group membership

    Hey All, I've read several discussions about this issue.  The com.apple.alf.plist file keeps changing group membership from admin to wheel.  Disk Utility repair changes the group membership to admin but it will change back to wheel during normal use of the computer, it seems that accessing systempreferences.app and security preferences will change the group to wheel. 
I don't really want to get into a discussion about the wheel account, unless necessary, but since this is a very important system settings file I'd like it to work correctly. I have noticed several issues with the firewall not responding as expected, such as turning off by itself, and app settings changing or disappearing from the security preference pane. So, I have deleted the plist file and restarted as recommended in other discussions but the issue always returns during normal use. I think it might be the application owning the plist file causing the issue, but I am not sure which one owns the plist file. I assume it would be System Preferences.app since I think it is a firewall plist file. The permissions for System Preferences.app are strange also:
    - everyone - custom
    - system    - read/write
    - wheel      - read/write
    - everyone  -read
    This may be the culprit but I tried to make a minor change, so as not to mess up the operating system, and disk utility repair permissions just puts it back the way it was.   Any ideas about this would be very appreciated.
    Note:  I have done a complete system reinstall and the issue still returns.

OK, since I haven't gotten any responses about this it must be a complicated issue. Just as a quick check, could some of you good people out there look at the "Get Info" window for System Preferences.app and see if your permissions look like mine? I'm still having trouble with the firewall settings not acting as expected, such as apps and processes that I have approved/denied connection access not showing up in the firewall pane of System Preferences and having to reapprove each startup. Thank you in advance for any help on this.

  • Policies assigned to groups - membership changes not working

    I have a single ZESM IR8 server setup.
    All security throughout my environment, ZESM and otherwise, is based on group membership.
    If I change a user from one group to another group this change does not reflect in their policy assignment.
    Scenario: GroupA = standard user policy, GroupB = power user policy.
    UserA was first in Group A and therefore got the standard user policy.
    UserA now requires the power user policy.
    Remove UserA from GroupA and add UserA to GroupB (in iManager).
    UserA does NOT get the "power user" policy that is assigned to GroupB
    Am aware that I can assign the policy at a user level but this is NOT an option in my environment. All security assignments MUST happen at a group level.

    What you observed is the expected behavior.
ZESM doesn't update group membership in real time once a policy has been published. I've described this behavior in previous posts.
    What the MC does behind the scenes when you click "Publish" on a container or group object is to assign the policy individually to each member/user. For groups, it resolves membership at the time the policy is published then the MC iterates among each member assigning the policy to each of them. That's why you don't see updates once the policy is published.
    Try Updating the published policy to see if that works. From the docs:
    Updating a Published Policy
Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the administrator only needs to edit the key, save the policy, and click Publish. The affected end-users and computers receive the updated policy (and the new key) at their next check-in.

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and map appropriately to an identity group.
What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the identity group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on identity group.
It seems that the ACS server will not match the AD group for the user, and it will match the default of the group mapping portion of the policy every time.
I tried several configuration choices, from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special I need to do in the group mapping policy to get it to match an Active Directory group and result in assigning the host to an identity group?
    Thank you,
    Sami

    Ok, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2-factor authentication).
I didn't add all the VPN users in the ACS, because it would be troublesome; the user authentication will be managed by AD and the RSA server.
In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criterion is username, but when I change the matching criterion to identity group, the downloadable ACL won't work.
I have a case with a Cisco engineer now and we are still in the middle of sorting things out.
The advice from the Cisco engineer is to have the access service set to Internal User instead of RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
    Thanks.

  • Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

    Dear Admins,
    We're running a Weblogic 10.3.0 cluster with our own software deployed.
    We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
    Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
Sometimes users log into our application and get insufficient rights (or some other error). This appears to happen at random. Most of the time they can log in without problems.
    We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
    In the Managed server we see this error (with test user):
Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController, method=create, methodInterface=Home, signature={}.
    When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
    Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
    Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
    Group Hierarchy Cache TTL: 3600
    provider specific settings :
    Group Membership Searching: unlimited
    Max Group Membership Search Level: 0
    Also in Myrealm -> Performance we have set :
    Enable WebLogic Principal Validator Cache
    Max WebLogic Principals In Cache: 5000
If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have a cache that lasts longer than one minute.
This might be a bug, as we have other clusters running on WL 10.3.5 and 12c where we use the same cache settings. This issue does not occur there.
I'm more than willing to provide more info or config files.
    Edited by: user5974192 on 21-nov-2012 5:17

    This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
    Edited by: user572625 on Aug 25, 2011 11:54 PM

  • OIM: What is the purpose of "Update" while editing group memberships

    Hi,
This is when you look up a user's Resource Profile and go to the "Edit" link. The process form shows up along with a drop-down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we can add more entries into the child form. In this form there is an "Update" column with a radio button beside a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
    Thanks in advance

Update I can see used for cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can update a single-column child table rather than delete and insert also. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account, and then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me to the right direction as to what do I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
First... If your requirement is to give access to all the members of a particular group then you don't require any LDAP filters.
All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group, so click on the group tab; it's a little hard to see but it's there in light blue on the dark blue tab) -> select the group you want to give access.
Second... If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with a specific attribute), then you have to write a custom authorization plugin.
If the option is the second, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar
