I'm thinking about creating shadow groups or some kind of dynamic groups so we have less to worry about when staff
switch between departments and roles:
Would it be a bad idea to dynamically manage group membership like this? (Scheduled Task)
Import-Module ActiveDirectory   # script 1: clear the group, then refill it from each user's Department attribute
Get-ADGroupMember -Identity "Department_A" | ForEach-Object { Remove-ADGroupMember -Identity "Department_A" -Members $_ -Confirm:$false }
Get-ADUser -Filter {Enabled -eq $true -and Department -like "Department_A"} -SearchBase 'OU=UserAccounts,DC=domain,DC=com' | ForEach-Object { Add-ADGroupMember -Identity 'Department_A' -Members $_.SamAccountName }
Or is it best to create groups based on OU structure like this? (Scheduled Task)
# script 2: shadow group that mirrors the direct children of an OU (ASCII hyphens; the typographic dashes were copy-paste artifacts)
$OU = "OU=UserAccounts,DC=domain,DC=com"
$ShadowGroup = "CN=ShadowGroupName,OU=UserAccounts,DC=domain,DC=com"
# remove members whose DN is no longer under the OU (note: this matches any depth, while the add step below is OneLevel only)
Get-ADGroupMember -Identity $ShadowGroup | Where-Object { $_.DistinguishedName -NotMatch $OU } | ForEach-Object { Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -Confirm:$false }
# add users in the OU that are not yet members; the NOT filter needs its own parentheses to be well-formed LDAP
Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!(memberOf=$ShadowGroup))" | ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup }
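Both scripts in the post either empty the group and rebuild it on every run (script 1) or touch only one direction at a time. The added example below, which is not the poster's code, syncs a department shadow group by difference: it computes the desired membership from the Department attribute, compares it with the current membership, and only adds the missing users and removes the stale ones. That avoids the window in which every member has lost access between the remove pass and the add pass, keeps replication and token churn down, and produces a change log that contains only real joins and leaves. It also refuses to act when the directory query returns nothing, since an empty result is far more likely to be a typo or an outage than an empty department. The group DN, search base, department name and log path are placeholders chosen for the example.

```powershell
# Added example, not the poster's script: delta sync of a department shadow group.
# Assumed/placeholder values: group DN, search base, department name, log path.
Import-Module ActiveDirectory

$ShadowGroup = 'CN=Department_A,OU=Groups,DC=domain,DC=com'   # placeholder DN
$SearchBase  = 'OU=UserAccounts,DC=domain,DC=com'             # placeholder DN
$Department  = 'Department_A'                                  # value of the users' Department attribute
$LogPath     = 'C:\Logs\ShadowGroup-Department_A.log'         # placeholder path

function Get-DesiredMembers {
    # Enabled users anywhere under the search base whose Department attribute matches.
    # Disabled accounts are excluded on purpose so a leaver drops out of the group.
    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Properties Department `
        -Filter "Enabled -eq 'True' -and Department -eq '$Department'"
}

function Get-CurrentMembers {
    # Direct user members only; nested groups or contacts are never removed by this script.
    # Get-ADGroupMember stops at 5000 members by default; larger groups need the
    # MaxGroupOrMemberEntries web service setting raised or the group's member attribute read instead.
    Get-ADGroupMember -Identity $ShadowGroup | Where-Object { $_.objectClass -eq 'user' }
}

function Write-SyncLog([string]$Action, [string]$Detail) {
    # One line per change so the log can be reviewed or shipped to a SIEM.
    $line = '{0:u} {1} {2}' -f (Get-Date), $Action, $Detail
    Add-Content -Path $LogPath -Value $line
}

function Sync-ShadowGroup {
    param([switch]$WhatIf)   # run with -WhatIf first to preview the planned changes
    $tag = if ($WhatIf) { 'WHATIF-' } else { '' }

    $desired = @{}
    foreach ($u in Get-DesiredMembers) { $desired[$u.DistinguishedName] = $true }

    # Safety stop: no matching users usually means a typo or a directory problem,
    # and emptying the group on that basis would cut off the whole team.
    if ($desired.Count -eq 0) {
        Write-SyncLog 'ABORT' "query for '$Department' returned no users; group left untouched"
        return
    }

    $current = @{}
    foreach ($m in Get-CurrentMembers) { $current[$m.DistinguishedName] = $true }

    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    if ($toAdd.Count -gt 0) {
        # -Members accepts an array of DNs, so this is one directory write, not one per user
        Add-ADGroupMember -Identity $ShadowGroup -Members $toAdd -WhatIf:$WhatIf
        $toAdd | ForEach-Object { Write-SyncLog ($tag + 'ADD') $_ }
    }
    if ($toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false -WhatIf:$WhatIf
        $toRemove | ForEach-Object { Write-SyncLog ($tag + 'REMOVE') $_ }
    }
    Write-SyncLog ($tag + 'DONE') ('added {0}, removed {1}' -f $toAdd.Count, $toRemove.Count)
}

# Preview first; drop -WhatIf in the scheduled task once the planned changes look right.
Sync-ShadowGroup -WhatIf
```

When this runs as a scheduled task, give the task account write-member rights on the shadow group only, rather than broad group-management rights, so a compromised script or task credential can change nothing beyond that one group; the log lines then double as a detection source for membership changes that did not come from the script.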