Real-Time, Policy Driven, AD Group Membership Management

Are you still managing network group memberships manually?

Real-Time Group Updates

Using Active Directory, GroupSymmetry automatically adds and removes users according to existing policies and event-driven changes in network users' identities.

Network Groups Are Always Up-to-Date

Ensure that your organization's group membership is always accurate so that everyone is up to date.

Solve Potential Security and Compliance Risks

You can rely on GroupSymmetry to provide top-notch security in your network groups by establishing rules within policies.

Eliminate Manual Group Management

Your IT staff doesn't have time for scripts and manual tasks. Let GroupSymmetry manage your network groups.

Automate Your Active Directory Group Lifecycle Management



Groups change.  Employees come and go, departments are re-organized, teams are created and disbanded.  

With updates automated according to policies you define, accurate membership and data security are ensured. 

GroupSymmetry automates the management of groups in Active Directory based on group-specific policies, making manual IT tasks a thing of the past. With scheduled group synchronization and real-time updates, groups are always accurate and information is always secure.





We have scripts that automate group membership. Why should I consider GroupSymmetry™?

Here are a few reasons:

  • Scripts must be run periodically either on a schedule or manually. GroupSymmetry is a system process that constantly monitors Active Directory and takes action immediately.
  • Scripts tend to be more difficult to understand and modify. The GroupSymmetry browser-based interface provides the means of creating, editing, and previewing GroupSymmetry policies.
  • GroupSymmetry makes use of a persistent work queue to ensure that membership operations are retried as appropriate in the event of a network outage, problems in Active Directory, or other situations that might cause scripts to fail.

We use an identity management system to put people in groups. Why would I need to look at GroupSymmetry?

There are a number of reasons:

  • Adding or editing rules in an IDM system can be challenging for a network administrator and a hassle for an IDM administrator. GroupSymmetry allows an organization to offload these responsibilities and also ensure that problems are not inadvertently introduced through human error.
  • In many organizations, the identity management system operates under strict change-control processes. Changes for a new group or added exceptions may be delayed or otherwise impracticable given the time constraints that typically accompany group membership requests. GroupSymmetry is a dedicated system for automating group membership and, with its simple Web interface, is more akin to an administrative tool for the purposes of change management.
  • When group membership rules are established using an identity management system, there is often no way to retroactively apply the rules to adjust the group membership.

Does GroupSymmetry support nested groups?

By definition, each GroupSymmetry policy applies to a single group and therefore does not inherit down to subgroups of a nested group. This makes the use of GroupSymmetry impractical with nested groups, except for the child groups themselves, whose membership can be managed with the product perfectly well.

What if I change my mind about who should be in a group after GroupSymmetry has been managing that group?

Simply change the GroupSymmetry policy definition for the group and save it. GroupSymmetry will make appropriate adjustments to the membership at that point.

What are Shadow Groups in AD and how does GroupSymmetry work with them?

Shadow Groups are a concept in Active Directory where a group is supposed to “shadow” or mirror an Organizational Unit with respect to that group’s membership. This methodology is used as a means of granting a permission or giving an assignment to everyone in the Organizational Unit. There is no automated methodology of maintaining this membership. This is a major reason why GroupSymmetry exists.

Does GroupSymmetry extend the Active Directory schema during the installation?

No. GroupSymmetry requires no Active Directory schema extension to operate.

How does GroupSymmetry deal with exceptions to the rules about who should be in a group?

Exceptions are defined directly as part of the GroupSymmetry policy using explicit “Include” and “Exclude” lists.

What Active Directory attributes can be used in a GroupSymmetry policy?

GroupSymmetry can use any Active Directory user attribute setting as a factor for including or excluding a user in a group. GroupSymmetry also supports additional non-standard user attributes added by extending the Active Directory schema in individual customer environments.

What are the limits of the evaluation version of the software?

The GroupSymmetry evaluation license lets you create 10 policies. The software is valid for 30 days starting from the day you download the evaluation license.

Can I base a group policy on “Account Disabled” in Active Directory either solely or partly?

Absolutely. “Account Disabled” is not an actual standalone attribute in Active Directory, but rather part of a bitmask attribute called “userAccountControl” where a single bit indicator is used. GroupSymmetry breaks this commonly used information out into its own synthetic attribute for easy use in defining a GroupSymmetry policy.
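
The following is an added illustration, not GroupSymmetry code (the page shows none): it decodes the disabled bit of userAccountControl and works out the add/remove delta for a shadow group that mirrors an OU, with Include and Exclude lists. The function names, the DNs, and the precedence rule (Exclude always wins, Include bypasses the OU and disabled checks) are assumptions, and the directory records are constructed sample data.

```python
# Added example. Names, DNs and precedence rules are assumptions, not product behaviour.
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on a disabled account


def is_disabled(uac: int) -> bool:
    """Test the single 'account disabled' bit inside the userAccountControl bitmask."""
    return bool(uac & ACCOUNTDISABLE)


def in_ou(dn: str, ou_dn: str) -> bool:
    """True if dn sits in ou_dn or below it. Naive suffix match: no escaped commas."""
    return dn.lower().endswith("," + ou_dn.lower())


def desired_members(users, ou_dn, include=(), exclude=()):
    """DNs that should be in the group: enabled users in the OU, plus/minus exceptions."""
    include = {d.lower() for d in include}
    exclude = {d.lower() for d in exclude}
    wanted = set()
    for user in users:
        dn = user["dn"].lower()
        if dn in exclude:
            continue  # assumed precedence: Exclude overrides everything else
        if dn in include or (in_ou(dn, ou_dn) and not is_disabled(user["uac"])):
            wanted.add(dn)
    return wanted


def reconcile(current, wanted):
    """Return (to_add, to_remove) so the group converges on the wanted set."""
    current = {d.lower() for d in current}
    return sorted(wanted - current), sorted(current - wanted)


# Constructed sample directory: 512 = normal account, 514 = normal + disabled,
# 66048 = normal + password never expires.
BASE = "DC=example,DC=test"
USERS = [
    {"dn": f"CN=Alice,OU=Finance,{BASE}", "uac": 512},
    {"dn": f"CN=Bob,OU=Finance,{BASE}", "uac": 514},
    {"dn": f"CN=Carol,OU=Payroll,OU=Finance,{BASE}", "uac": 66048},
    {"dn": f"CN=Dave,OU=IT,{BASE}", "uac": 512},
    {"dn": f"CN=Erin,OU=Finance,{BASE}", "uac": 512},
]
CURRENT = [f"CN=Alice,OU=Finance,{BASE}", f"CN=Bob,OU=Finance,{BASE}",
           f"CN=Erin,OU=Finance,{BASE}"]


def demo():
    wanted = desired_members(USERS, f"OU=Finance,{BASE}",
                             include=[f"CN=Dave,OU=IT,{BASE}"],
                             exclude=[f"CN=Erin,OU=Finance,{BASE}"])
    return reconcile(CURRENT, wanted)
```

Here the disabled account (Bob) and the excluded one (Erin) drop out of the group, while the sub-OU user (Carol) and the explicitly included user (Dave) are added.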

How does Senergy work with GroupSymmetry?

Senergy can assign shared storage areas (also known as collaborative storage) to Active Directory groups. When GroupSymmetry adds new members to a group managed through a Senergy collaborative storage policy, Senergy grants access to the shared storage area. Likewise, when GroupSymmetry removes a member from a group, File Senergy removes the user’s access to the shared storage area.

Another common example of interaction between the two products is through an inactive users group. When a user is disabled, GroupSymmetry adds the user to the inactive users group. The associated Senergy inactive users policy then moves the user’s personal storage to a vault location and removes access rights.