Automatically Add Users to Groups by Department
Adaxes allows you to automatically add users to AD groups when a new user account is created, modify the group membership when a user is modified, disabled, moved, etc. In this tutorial, you will learn how to configure Adaxes to automatically add newly created users to AD groups based on the user's department.
To automatically add new users to groups, you need to create a Business Rule that will be executed after a new user account is created in Active Directory.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule. The Create Business Rule wizard will open.
Enter the name for the new Business Rule, and click Next.
Here you need to specify when the new Business Rule must be executed. As you need to set group membership after a new user account is created, do the following:
- Select User in the Object Type list.
- Select After in the Operation section.
- Select Creating a User in the Operation section and click Next.
Now, you need to create an action that will add newly created users to a group. To do this:
- Click the Add Action link.
- In the dialog that opens, select the Add the User to a group action.
In the Action Parameters section, click Select Group.
Select a group that corresponds to one of the departments.
- Click OK
To add users to the specified group only when they belong to a specific department, you need to add a condition:
Right-click the Add the User to a group action and click the
Add Condition icon.
- In the dialog that opens, select the If <property> <relation> <value> condition type.
In the Condition Parameters section specify Department equals Sales,
and click OK.
- In Adaxes Administration Console, navigate to <Your Adaxes Service> \ Configuration \ Property Patterns \ Builtin and select User Pattern.
- Add a Property Pattern item for the Department property.
- Select the The property is required option.
- Specify the names of departments in the Must be one of the following values only field.
Now, you need to add actions and conditions for other departments. For this purpose, click the Add action to a new set link and repeat steps 4 and 5 for each department.
Alternatively, you can configure a single action suitable for all departments. Thus, you will avoid the need to create multiple actions, and also update the Business Rule each time a new department appears. In this case, instead of picking a specific group, you need to specify a template that defines the relationship between the user's department and the group. For example, using a template, you can add a user to a group named the same as their department.
Specifying a template
To be able to specify a template, on the Select Group dialog, activate the Template tab.
The %department% value reference will be
substituted with the name of the department of the new user. Thus, for example,
a user whose department is Sales will be added to the following group:
The %department% value reference will be
substituted with the name of the department of the new user, and the
%c% value reference will be substituted with a
2-letter country code specified for the user. Thus, for example, if you create a user
whose department is Public Relations, and country is United States,
they will be added to group
The %title% value reference will be substituted with
the job title of the new user, and the %adm-ParentName%
value reference will be substituted with the name of the OU where the user
account is created. Thus, for example, if you create a user whose job title is
Accountant in OU named New York, they will be added to group
When finished, click Next.
Here, at the Activity Scope page you need to specify where in Active Directory a user must be created to trigger this Business Rule. Click Add.
In the Business Rule Activity Scope dialog that opens, you need to specify the Active Directory locations where the Business Rule will be effective. Select one of the following items:
All Objects - select if you want this Business Rule to be executed when a
user is created in any AD domain managed by the Adaxes service.
Specific Domain - select if you want this Business Rule to be executed when
a user is created in the AD domain you specify.
- OU or Container - select if you want this Business Rule to be executed only when a new user is created under the selected OU or container.
Select the item you need and click Add. When finished, click OK.
The specified activity scope items will be displayed in the Assignments list. Click Finish.
You can also add users to groups based on where their account is located in the Active Directory hierarchy. For this purpose, use the If located under <location> condition. For example, if you specify the condition parameters as follows:
If the User object is located under 'Sales (example.com\Departments)',
a user will be added to the group only when created under the specified Organizational Unit.
Now, when the Business Rule is complete, every time a new user is created in AD (no matter in which way - using Administration Console, Web Interface, during data import, via PowerShell scripts, etc.), Adaxes will automatically add this user to the groups you specify.
Update Membership by Schedule, on Creation and Modification
If your group membership policies depend on user account properties or on the location of a user in Active Directory, you may also need to update group membership after a user is updated or moved to a new location.
For this purpose, you need to create a Custom Command that will update group membership, and then execute this Custom Command by Business Rules and Scheduled Tasks.
For details on how to create Custom Commands, see Create a Custom Command.
For details on how to create Scheduled Tasks, see Schedule Tasks for Active Directory Management.