Active Directory management & automation

Group AD Objects Based on Logged In User

Virtual collections of Active Directory objects, called Business Units, allow you to group objects according to a certain principle. You can create static Business Units, whose membership does not depend on who is logged in to Adaxes. For example, if you create a Business Unit that includes users whose department is Sales, the members of that Business Unit will be the same no matter who is logged in.

In addition, you can create Business Units whose membership changes dynamically depending on the logged in user. For example, a Business Unit can include users whose department is the same as the department of the logged in user. In this case, when a user from the Sales department logs in, the Business Unit will include users from the Sales department, but when a user from the IT department logs in, it will include people from the IT department.

With the help of dynamic Business Units you can provide each user with a collection of the AD objects that they need to view and/or manage. Dynamic Business Units can also be used to distribute permissions. For example, if you want users to perform certain operations on employees from their own department, you can assign a Security Role over a Business Unit whose members are from the same department as the logged in user. Since the membership of such a unit is computed from the properties of the logged in user, make sure that users cannot modify the properties used in the templates (for example, their own Department); otherwise a user could change which objects they are allowed to view or manage.

Dynamic Business Units can only be used for displaying AD objects and when assigning permissions. They cannot be a part of Activity Scopes of Business Rules, Scheduled Tasks, Password Self-Service Policies and Office 365 Tenants.

Membership in a Business Unit is based upon Membership Rules. To build dynamic Business Units, instead of defining specific AD objects, you need to specify templates describing how the unit members are related to the logged in user. To include properties of the logged in user in templates, use value references (e.g. %department%). The value references will be substituted with values of the corresponding properties of the logged in user.

In this tutorial, you will learn how to create a Business Unit whose membership depends on the logged in user.

Launch Adaxes Administration Console, expand your Adaxes service, right-click Business Units, point to New and click Business Unit. The Create Business Unit wizard will open.


Enter a name for the new Business Unit and click Next.
On the Membership Rules page, you need to specify the criteria for including AD objects in the new Business Unit. Click the Add button located under the Membership rules list.

In the Add Membership Rule dialog, you define templates for including members related to the logged in user. First select the rule type that determines how objects are included, and then specify a template for that rule.

Specific Objects

Using the Specific Objects rule type, you can include individual AD objects in the new Business Unit. For such a rule, you need to specify the Distinguished Name (DN) of the AD object you want to include. To make the object depend on the logged in user, the DN must contain value references.

Example 1: Manager of the logged in user

  • Click Add. This will bring up the Select Objects dialog.
  • Activate the Template tab.

  • In the Template field, specify %manager%. When building a list of the Business Unit members, this value reference will be substituted with the Distinguished Name (DN) of the manager of the logged in user.

  • Click OK.

Example 2: Organizational Unit whose name includes the department name of the logged in user

  • Click Add. This will bring up the Select Objects dialog.
  • Activate the Template tab.

  • In the Template field, specify a template for an Organizational Unit DN. In the template, use the %department% value reference instead of an actual department name. When building a list of the Business Unit members, it will be substituted with the name of the department of the logged in user. For example, if you specify the following template OU=%department%,DC=example,DC=com, and a user whose department is Sales logs in, the Business Unit will include the OU with DN OU=Sales,DC=example,DC=com.

  • Click OK.

Group Members

Using the Group Members rule type, you can include objects based on membership in a certain group. For such a rule, you need to specify the Distinguished Name (DN) of a group whose members you want to include. To change the group depending on the logged in user, the DN must contain value references.

Example 1: Group whose name includes the job title of the logged in user

  • Click Select Group. This will bring up the Select Group dialog.
  • Activate the Template tab.

  • In the Template field, specify a template for a group DN. In the template, use the %title% value reference instead of an actual job title. When building a list of the Business Unit members, it will be substituted with the value of the Job Title property of the logged in user. For example, if you specify the following template CN=%title%,CN=Users,DC=example,DC=com, and a user whose job title is Sales Manager logs in, the Business Unit will include members of a group with DN CN=Sales Manager,CN=Users,DC=example,DC=com.

  • Click OK.
  • If you want to include only direct members of the group, select Direct members only.

Example 2: Group located in the same OU as the logged in user

  • Click Select Group. This will bring up the Select Group dialog.
  • Activate the Template tab.

  • In the Template field, specify a template for the Distinguished Name of the necessary group, for example, CN=Managers,%adm-ParentDN%. When building a list of the Business Unit members, the %adm-ParentDN% value reference will be replaced with the DN of the Organizational Unit where the logged in user is located.

  • Click OK.
  • If you want to include only direct members of the group, select Direct members only.

Container Children

Using a rule of type Container Children, you can include objects located in an Organizational Unit or container. When using such a rule, you need to specify the Distinguished Name (DN) of a container where an object must be located to be included in the Business Unit. To change the container depending on the logged in user, the DN must contain value references.

Example 1: Organizational Unit where the logged in user is located

  • Click Select Container. This will bring up the Select Location dialog.
  • Activate the Template tab.

  • In the Template field, specify %adm-ParentDN%. When building a list of the Business Unit members, this value reference will be substituted with the Distinguished Name (DN) of the OU where the logged in user is located.

  • Click OK.
  • If you want to include only direct children of the container, select Direct children only.

Example 2: Organizational Unit named the same as the company of the logged in user

  • Click Select Container. This will bring up the Select Location dialog.
  • Activate the Template tab.

  • In the Template field, specify a template for an Organizational Unit DN. In the template, use the %company% value reference instead of an actual company name. When building a list of the Business Unit members, it will be substituted with the value of the Company property of the logged in user. For example, if you specify the following template OU=%company%,DC=example,DC=com, and a user whose company is Acme logs in, the Business Unit will include objects located under an OU with DN OU=Acme,DC=example,DC=com.

  • Click OK.
  • If you want to include only direct children of the container, select Direct children only.
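
The three DN-based rule types above (Specific Objects, Group Members and Container Children) all work the same way: the template is resolved against the properties of the logged in user, and the result is then used as an object, group or container DN. The following Python script is an added example, not Adaxes code, that models this over a small constructed in-memory directory. It assumes that %adm-ParentDN% is the user's DN with its first RDN removed and %adm-DomainDN% is the trailing DC= components (the same derivation applies to the %adm-DomainDN% location used with Query Results rules below), and that an unset property is an error rather than an empty string. JANE, MIA and the DIRECTORY contents are constructed sample data.

```python
"""DN-template membership rules resolved for the logged-in user.

Added example, not Adaxes code. It models the Specific Objects, Group Members and
Container Children rule types over a small constructed directory. Assumptions:
%property% is replaced by that property of the logged-in user; %adm-ParentDN% is
the user's DN minus its first RDN and %adm-DomainDN% its trailing DC= components
(both derived by this example's own RFC 4514 split); an unset property is an error.
"""
import re

def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def parent_dn(dn):
    return ",".join(split_rdns(dn)[1:])

def domain_dn(dn):
    rdns = split_rdns(dn)
    first_dc = next(i for i, rdn in enumerate(rdns) if rdn.upper().startswith("DC="))
    return ",".join(rdns[first_dc:])

def resolve(template, user):
    """Replace %name% references with the logged-in user's properties (case-insensitive)."""
    props = {k.lower(): v for k, v in user.items()}
    props["adm-parentdn"] = parent_dn(user["distinguishedName"])
    props["adm-domaindn"] = domain_dn(user["distinguishedName"])
    def repl(m):
        if m.group(1).lower() not in props:
            raise KeyError(f"logged-in user has no property {m.group(1)!r}")
        return props[m.group(1).lower()]
    return re.sub(r"%([^%]+)%", repl, template)

# Constructed directory: DN -> (object class, direct members for groups).
DIRECTORY = {
    "DC=example,DC=com": ("domainDNS", []),
    "OU=Sales,DC=example,DC=com": ("organizationalUnit", []),
    "OU=Reps,OU=Sales,DC=example,DC=com": ("organizationalUnit", []),
    "OU=IT,DC=example,DC=com": ("organizationalUnit", []),
    "CN=Users,DC=example,DC=com": ("container", []),
    "CN=Jane Doe,OU=Sales,DC=example,DC=com": ("user", []),
    "CN=Ann Lee,OU=Sales,DC=example,DC=com": ("user", []),
    "CN=Bob Roe,OU=Reps,OU=Sales,DC=example,DC=com": ("user", []),
    "CN=Mia Cho,OU=IT,DC=example,DC=com": ("user", []),
    "CN=Sales Leads,OU=Sales,DC=example,DC=com": ("group", ["CN=Ann Lee,OU=Sales,DC=example,DC=com"]),
    "CN=Managers,OU=Sales,DC=example,DC=com": ("group", [
        "CN=Jane Doe,OU=Sales,DC=example,DC=com", "CN=Sales Leads,OU=Sales,DC=example,DC=com"]),
    "CN=Sales Manager,CN=Users,DC=example,DC=com": ("group", [
        "CN=Bob Roe,OU=Reps,OU=Sales,DC=example,DC=com"]),
}
# Constructed logged-in users: the same templates yield different members for each.
JANE = {"distinguishedName": "CN=Jane Doe,OU=Sales,DC=example,DC=com", "department": "Sales",
        "title": "Sales Manager", "manager": "CN=Mia Cho,OU=IT,DC=example,DC=com"}
MIA = {"distinguishedName": "CN=Mia Cho,OU=IT,DC=example,DC=com", "department": "IT", "title": "IT Lead"}

def specific_objects(template, user):
    dn = resolve(template, user)
    return [dn] if dn in DIRECTORY else []  # exact-case DN lookup is a simplification

def group_members(template, user, direct_only=False):
    group = resolve(template, user)
    members, stack = [], list(DIRECTORY.get(group, ("", []))[1])
    while stack:
        dn = stack.pop()
        if dn in members:
            continue
        members.append(dn)
        if not direct_only and DIRECTORY.get(dn, ("", []))[0] == "group":
            stack.extend(DIRECTORY[dn][1])  # follow nested groups
    return sorted(members)

def container_children(template, user, direct_only=False):
    container = resolve(template, user)
    children = [dn for dn in DIRECTORY if dn.endswith("," + container)]
    if direct_only:
        children = [dn for dn in children if parent_dn(dn) == container]
    return sorted(children)
```

Calling container_children("%adm-ParentDN%", JANE) and container_children("%adm-ParentDN%", MIA) returns the contents of OU=Sales and OU=IT respectively, which is exactly the dynamic behaviour described above; a template that references a property the logged in user does not have (for example %company% for MIA) raises KeyError instead of silently producing a malformed DN.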

Query Results

With the help of the Query Results rule type, you can include objects that match certain search criteria. For example, you can include objects whose name starts with a certain prefix or users whose department is set to a certain value. The search criteria are specified as an LDAP search filter.

Additionally, you can choose where to search. For example, you can include objects that match the search criteria and are located in a particular Organizational Unit or AD domain.

Both the search criteria and the location where to search can change depending on the logged in user. For this purpose, you need to include value references in the LDAP search filter and/or the Distinguished Name (DN) of the Organizational Unit or domain to search in.

Using templates in the search criteria

To specify an LDAP search filter, click the Edit button associated with the Filter field. This will bring up the Build Query dialog.

Example 1: Users whose department is the same as the department of the logged in user

  • Activate the Simple tab.
  • Since we are going to include users only, select User in the Type drop-down list.

  • In the Department field, specify %department%. When building a list of the Business Unit members, this value reference will be substituted with the value of the Department property of the logged in user.

  • Click OK.

Example 2: Users whose city is the same as the city of the logged in user

  • Activate the Advanced tab.
  • Since we are going to include users only, select User in the Type list.

  • In the box below the Type list, specify City equals %l%. When building a list of the Business Unit members, the %l% value reference will be substituted with the value of the City property of the logged in user.
  • Click Add to List.

  • Click OK.

Example 3: Disabled users managed by the logged in user

  • Activate the LDAP Filter Editor tab.
  • In the LDAP Filter Editor field, specify the following LDAP filter: (&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(manager=%distinguishedName%)). When building a list of the Business Unit members, the %distinguishedName% value reference will be substituted with the value of the Distinguished Name property of the logged in user.

  • Click OK.

Using templates to specify the location to search in

To specify the location to search in, click the Select button located next to the Look in drop-down list. This will bring up the Select Location dialog.

Example 1: Active Directory domain of the logged in user

  • Activate the Template tab.
  • In the Template field, specify %adm-DomainDN%. When building a list of the Business Unit members, this value reference will be substituted with the Distinguished Name (DN) of the AD domain where the logged in user is located.

  • Click OK.

Example 2: Organizational Unit where the logged in user is located

  • Activate the Template tab.
  • In the Template field, specify %adm-ParentDN%. When building a list of the Business Unit members, this value reference will be substituted with the Distinguished Name (DN) of the OU where the logged in user is located.

  • Click OK.
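
As an added example, not Adaxes code, the following Python script resolves the value references in the filter templates from the examples above and in the Look in location, escapes the substituted values per RFC 4515 (whether Adaxes itself escapes them is not stated on this page, so treat the escaping as this example's own safeguard), and evaluates the resulting filter over a constructed directory. DIRECTORY, JANE and the SAME_DEPARTMENT and SAME_CITY filters are constructed for the example; DISABLED_REPORTS is the filter from Example 3 above. %adm-DomainDN% is taken as an already computed property of the logged in user, and only the filter features those examples use are implemented.

```python
"""Query Results rule: value references in the LDAP filter and in the search location.

Added example, not Adaxes code. It substitutes the logged-in user's properties into
the filter templates from the examples above, escapes them per RFC 4515 (the page
does not say whether Adaxes does this itself), evaluates the filter over a constructed
directory and limits the search to the resolved "Look in" location. Only the filter
features used on this page are implemented: &, equality with '*' wildcards, and the
bitwise-AND matching rule 1.2.840.113556.1.4.803.
"""
import re
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, used on userAccountControl
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def _user(dn, uac, dept, city, manager=None):  # constructed entry; 805306368 = normal user
    entry = {"distinguishedName": dn, "sAMAccountType": 805306368, "userAccountControl": uac,
             "department": dept, "l": city}
    return {**entry, "manager": manager} if manager else entry

JANE_DN = "CN=Jane Doe,OU=Sales,DC=example,DC=com"
DIRECTORY = [  # constructed sample data; userAccountControl 514 = normal account, disabled
    _user(JANE_DN, 512, "Sales", "Boston"),
    _user("CN=Bob Roe,OU=Sales,DC=example,DC=com", 514, "Sales", "Boston", JANE_DN),
    _user("CN=Ann Lee,OU=Sales,DC=example,DC=com", 512, "Sales", "Austin", JANE_DN),
    _user("CN=Tim Fox,OU=Labs,DC=contoso,DC=com", 514, "R&D (EMEA)", "Boston", JANE_DN),
]
# Adaxes derives %adm-DomainDN% from the user's DN; this example takes it as input.
JANE = {**DIRECTORY[0], "adm-DomainDN": "DC=example,DC=com"}

# DISABLED_REPORTS is the filter from Example 3; the other two are hand-written
# equivalents of Examples 1 and 2 (the Simple and Advanced tabs build their own).
SAME_DEPARTMENT = "(&(sAMAccountType=805306368)(department=%department%))"
SAME_CITY = "(&(sAMAccountType=805306368)(l=%l%))"
DISABLED_REPORTS = ("(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)"
                    "(manager=%distinguishedName%))")

def escape_filter_value(value):  # RFC 4515 section 3 escaping for an assertion value
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def get_attr(entry, name):  # LDAP attribute types are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)

def resolve_template(template, user, escape=True):
    def repl(m):
        value = get_attr(user, m.group(1))
        if value is None:  # assumption: an unset property is an error, not an empty string
            raise KeyError(f"logged-in user has no property {m.group(1)!r}")
        return escape_filter_value(str(value)) if escape else str(value)
    return re.sub(r"%([^%]+)%", repl, template)

def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, index just after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] == "&":
        children, i = [], i + 2
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("&", children), i + 1
    end = s.index(")", i)  # raises ValueError on an unterminated assertion
    attr, _, pattern = s[i + 1:end].partition("=")
    return ("=", attr, pattern), end + 1

def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters at offset {end}")
    return node

def filter_is_valid(text):
    try:
        parse_filter(text)
    except (ValueError, IndexError):
        return False
    return True

def _wildcard_match(pattern, value):
    """Case-insensitive match; an unescaped '*' is a wildcard, '\\2a' a literal star."""
    unescape = lambda p: re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), p)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(child, entry) for child in node[1])
    _, attr, pattern = node
    name, _, rule = attr.partition(":")
    value = get_attr(entry, name)
    if value is None:
        return False
    if rule:  # only the bitwise-AND extensible match is implemented
        if rule.rstrip(":") != BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        return (int(value) & int(pattern)) == int(pattern)
    return _wildcard_match(pattern, str(value))

def query_members(template, user, look_in=None, escape=True):
    """DNs matched by the resolved filter, optionally limited to the subtree under look_in."""
    node = parse_filter(resolve_template(template, user, escape))
    base = resolve_template(look_in, user, escape=False).lower() if look_in else None
    return sorted(e["distinguishedName"] for e in DIRECTORY
                  if (base is None or e["distinguishedName"].lower().endswith("," + base))
                  and evaluate(node, e))
```

With JANE logged in, query_members(DISABLED_REPORTS, JANE) returns both of her disabled reports, and adding look_in="%adm-DomainDN%" drops the one in the other domain. The escape flag shows why escaping matters: for a logged in user whose department is R&D (EMEA), the raw substitution produces a filter that no longer parses, and a value containing an asterisk would otherwise turn an equality test into a wildcard match.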

You can view the list of AD objects included by a Membership Rule for a particular user. To do this:

  • In the Add Membership Rule dialog, click Affected Objects.

  • Click the Edit button located in the View As section.

  • Select a user whose account you want to use for viewing objects included by the rule.
  • Click OK. The list below displays the objects included by the rule as if the selected user were logged in.

When done, click OK.

If necessary, add other Membership Rules. When finished, click Finish.