Active Directory management & automation

Automatically Add Users to Groups by Department

Adaxes allows you to automatically add users to AD groups when a new user account is created, and to modify group membership when a user is modified, disabled, moved, etc. In this tutorial, you will learn how to configure Adaxes to automatically add newly created users to AD groups based on the user's department.

To automatically add new users to groups, you need to create a Business Rule that will be executed after a new user account is created in Active Directory.

1 Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule. The Create Business Rule wizard will open.

Launching the Create Business Rule wizard

2 Enter a name for the new Business Rule and click Next.

3 Here you need to specify when the new Business Rule must be executed. As group membership must be set after the new user account is created, do the following:

  • Select User in the Object Type list.
  • Select After in the Operation section.
  • Select Creating a User in the Operation section and click Next.

Selecting the triggering operation for the Business Rule

4 Now, you need to create an action that will add newly created users to a group. To do this:

  • Click the Add Action link.
  • In the dialog that opens, select the Add the User to a group action.
  • In the Action Parameters section, click Select Group.

    Adding Add to Group action

  • Select a group that corresponds to one of the departments.

  • Click OK.

On how to change group membership using a PowerShell script, see Automatically Change Group Membership Using Scripts.

5 To add users to the specified group only when they belong to a specific department, you need to add a condition:

  • Right-click the Add the User to a group action and click the Add Condition icon.

  • In the dialog that opens, select the If <property> <relation> <value> condition type.
  • In the Condition Parameters section specify Department equals Sales, and click OK.

    Adding Business Rule condition

To make sure that the department is always specified for newly created users and that the department name is spelled correctly, you can use Property Patterns. A Property Pattern called User Pattern is applied to user accounts by default. To update it:

  • In Adaxes Administration Console, navigate to <Your Adaxes Service> \ Configuration \ Property Patterns \ Builtin and select User Pattern.
  • Add a Property Pattern item for the Department property.
  • Select the The property is required option.
  • Specify the names of departments in the Must be one of the following values only field.

For details, see Specify List of Departments to Avoid Repetitive Typing. Keep in mind that, because group membership is now derived from the Department attribute, whoever can write that attribute (for example through an import file or a self-service form) effectively chooses which groups the user ends up in; restricting the allowed values is the first step, and limiting who may edit the attribute is the second.

6 Now, you need to add actions and conditions for other departments. For this purpose, click the Add action to a new set link and repeat steps 4 and 5 for each department.

Using Templates to Specify Groups

Alternatively, you can configure a single action suitable for all departments. This avoids the need to create multiple actions and to update the Business Rule each time a new department appears. In this case, instead of picking a specific group, you specify a template that defines the relationship between the user's department and the group. For example, using a template, you can add a user to a group named the same as their department.

Specifying a template

A template is used to build the Distinguished Name (DN) of a group. To include properties of the new user in the group DN, use value references (e.g. %department% or %title%). When the action is executed, the value references are substituted with property values of the user account. For example, if you specify %department%, this value reference is replaced with the name of the user's department stored in Active Directory. The group identified by the resulting DN must already exist: if a value reference resolves to a value for which no matching group exists, the action has nothing to add the user to, which is another reason to constrain the attribute with a Property Pattern.

To be able to specify a template, on the Select Group dialog, activate the Template tab.

Examples

  • CN=Managers,OU=%department%,DC=example,DC=com - The %department% value reference will be substituted with the name of the department of the new user. Thus, for example, a user whose department is Sales will be added to the following group:
    CN=Managers,OU=Sales,DC=example,DC=com
  • CN=%department%,OU=Groups,DC=%c%,DC=example,DC=com - The %department% value reference will be substituted with the name of the department of the new user, and the %c% value reference will be substituted with the 2-letter country code specified for the user. Thus, for example, if you create a user whose department is Public Relations and country is United States, they will be added to the following group:
    CN=Public Relations,OU=Groups,DC=us,DC=example,DC=com
  • CN=%title%s,OU=%adm-ParentName%,DC=example,DC=com - The %title% value reference will be substituted with the job title of the new user, and the %adm-ParentName% value reference will be substituted with the name of the OU where the user account is created. Thus, for example, if you create a user whose job title is Accountant in an OU named New York, they will be added to the following group:
    CN=Accountants,OU=New York,DC=example,DC=com
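The value-reference substitution described above, as an added example that is not part of the original tutorial and not Adaxes' own code: a PowerShell function that expands a group-DN template from a hashtable of user attributes, escapes each substituted value according to RFC 4514 (the page does not say whether Adaxes escapes such values itself, so the example does it explicitly), and refuses to build a DN when a referenced attribute is empty. The templates are the ones listed above; the attribute values are constructed, and "Sales, EMEA" is chosen deliberately to show what happens when a department name contains a comma.

```powershell
# Added example, not code from the Adaxes page: expands a group-DN template
# such as "CN=%department%,OU=Groups,DC=%c%,DC=example,DC=com" from the
# attributes of a user, escaping each substituted value per RFC 4514 so that
# a value like "Sales, EMEA" cannot change the structure of the DN.

function ConvertTo-EscapedRdnValue {
    [CmdletBinding()]
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    # Characters that are special inside an RDN attribute value get a backslash
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    # A leading '#' or leading space must be escaped as well
    if ($escaped -match '^[ #]') { $escaped = '\' + $escaped }
    # ...and so must a trailing space (checked on the raw value, so a lone
    # space is escaped only once)
    if ($Value.Length -gt 1 -and $Value.EndsWith(' ')) {
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ '
    }
    return $escaped
}

function Expand-GroupDnTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$UserAttributes
    )

    # Each %name% value reference is replaced by the escaped attribute value.
    # A missing or empty attribute is an error on purpose: the resulting DN
    # would name a group that cannot exist, so fail loudly instead of guessing.
    $result = $Template
    foreach ($match in [regex]::Matches($Template, '%([A-Za-z0-9-]+)%')) {
        $name  = $match.Groups[1].Value
        $value = $UserAttributes[$name]
        if ([string]::IsNullOrEmpty($value)) {
            throw "Attribute '$name' is empty or not set; cannot build the group DN"
        }
        $result = $result.Replace($match.Value, (ConvertTo-EscapedRdnValue -Value ([string]$value)))
    }
    return $result
}

# Constructed sample attributes (not real directory data); 'adm-ParentName'
# stands in for the OU the account is created in, as in the page's example
$user = @{
    department       = 'Sales, EMEA'
    c                = 'us'
    title            = 'Accountant'
    'adm-ParentName' = 'New York'
}

Expand-GroupDnTemplate -Template 'CN=%department%,OU=Groups,DC=%c%,DC=example,DC=com' -UserAttributes $user
Expand-GroupDnTemplate -Template 'CN=%title%s,OU=%adm-ParentName%,DC=example,DC=com' -UserAttributes $user

# An account without a department cannot be mapped to a group, so this throws
try {
    Expand-GroupDnTemplate -Template 'CN=%department%,OU=Groups,DC=example,DC=com' -UserAttributes @{ c = 'us' }
} catch {
    Write-Warning $_.Exception.Message
}
```

The first call shows the point of the escaping: the comma in "Sales, EMEA" comes out as `\,`, so the CN stays a single RDN instead of being split into a bogus second component. The last call shows why an empty department should be a hard failure rather than a silently wrong DN, which is the same gap the Property Pattern in step 5 closes on the input side.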

When finished, click Next.

7 On the Activity Scope page, specify where in Active Directory a user must be created to trigger this Business Rule. Click Add.

Specifying rule activity scope

8 In the Business Rule Activity Scope dialog that opens, you need to specify the Active Directory locations where the Business Rule will be effective. Select one of the following items:

  • All Objects - select if you want this Business Rule to be executed when a user is created in any AD domain managed by the Adaxes service.

  • Specific Domain - select if you want this Business Rule to be executed when a user is created in the AD domain you specify.

  • OU or Container - select if you want this Business Rule to be executed only when a new user is created under the selected OU or container.

Select the item you need and click Add. When finished, click OK.

9 The specified activity scope items will be displayed in the Assignments list. Click Finish.

Adding to Groups Based on User Account Location

You can also add users to groups based on where their account is located in the Active Directory hierarchy. For this purpose, use the If located under <location> condition. For example, if you specify the condition parameters as follows:

If the User object is located under 'Sales (example.com\Departments)',

a user will be added to the group only when created under the specified Organizational Unit.

Now, when the Business Rule is complete, every time a new user is created in AD (regardless of how it is created: using the Administration Console, the Web Interface, during data import, via PowerShell scripts, etc.), Adaxes will automatically add this user to the groups you specify.

Update Membership by Schedule, on Creation and Modification

If your group membership policies depend on user account properties or on the location of a user in Active Directory, you may also need to update group membership after a user is updated or moved to a new location.

For this purpose, you need to create a Custom Command that will update group membership, and then execute this Custom Command by Business Rules and Scheduled Tasks.

1 Create a Custom Command that will update group membership of user accounts. For details on how to create Custom Commands, see Create a Custom Command.

Custom Command for Group Membership Management

Disable the Custom Command if you don't want it to be executed manually.

2 Create a Business Rule that will be executed after creation of new users in Active Directory. Add the Execute Custom Command action to this Business Rule that will execute the command created in step 1.

Active Directory Automation: After User Creation

3 Create a Business Rule that will be executed after updating users and add the Execute Custom Command action to this Business Rule.

Active Directory Automation: After User Update

4 Create a Business Rule that will be executed after moving users between Organizational Units. Add the Execute Custom Command action to this Business Rule to execute your Custom Command.

Active Directory Automation: After User Move

5 Create a Scheduled Task that will periodically execute the Custom Command. This will allow you to update the group membership of the users that are modified or moved outside Adaxes. For details on how to create Scheduled Tasks, see Schedule Tasks for Active Directory Management.

Active Directory Automation: Scheduled Task
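The Custom Command at the centre of this procedure, as an added example that is neither the page's nor Adaxes' own code: a PowerShell script that reconciles department group membership, so the same command is safe to run from the after-create, after-update and after-move rules and from the scheduled task alike. It is written against the Microsoft ActiveDirectory module rather than the Adaxes $Context API, and the OU paths, group names and allowed-departments list are assumptions for illustration.

```powershell
# Added example, not code from the Adaxes page: the body of a Custom Command
# that reconciles department group membership. Written against the Microsoft
# ActiveDirectory module (not the Adaxes $Context API) so the same script also
# runs from a plain scheduled task. Paths, group names and the department list
# are assumptions for illustration.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserSearchBase  = 'OU=Users,DC=example,DC=com',    # assumed
    [string]$GroupSearchBase = 'OU=Groups,DC=example,DC=com',   # assumed
    # Mirror the "Must be one of the following values only" list of the Property Pattern
    [string[]]$AllowedDepartments = @('Sales', 'Marketing', 'Public Relations', 'Accounting')
)

# Resolve every department group once, keyed by department name
$departmentGroups = @{}
foreach ($department in $AllowedDepartments) {
    $filterName = $department -replace "'", "''"   # keep a quote in a name from breaking the filter
    $group = Get-ADGroup -Filter "Name -eq '$filterName'" -SearchBase $GroupSearchBase
    if (-not $group) {
        throw "No group named '$department' found under $GroupSearchBase"
    }
    $departmentGroups[$department] = $group
}
$departmentGroupDns = @($departmentGroups.Values | ForEach-Object { $_.DistinguishedName })

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserSearchBase `
                    -Properties department, memberOf

foreach ($user in $users) {
    $department = $user.department
    if ([string]::IsNullOrWhiteSpace($department) -or -not $departmentGroups.ContainsKey($department)) {
        # Left alone on purpose: guessing a group here would put the account
        # into a department it does not belong to
        Write-Warning "$($user.SamAccountName): department '$department' is empty or not an allowed value, skipping"
        continue
    }

    $targetGroup   = $departmentGroups[$department]
    $currentGroups = @($user.memberOf)

    # 1. Make sure the user is in the group of their current department
    if ($currentGroups -notcontains $targetGroup.DistinguishedName) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Add to $($targetGroup.Name)")) {
            Add-ADGroupMember -Identity $targetGroup -Members $user
        }
    }

    # 2. Remove the user from every other department group, so that someone who
    #    moved from Sales to Marketing does not keep Sales access
    $staleGroups = $currentGroups | Where-Object {
        $_ -ne $targetGroup.DistinguishedName -and $departmentGroupDns -contains $_
    }
    foreach ($staleDn in $staleGroups) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $staleDn")) {
            Remove-ADGroupMember -Identity $staleDn -Members $user -Confirm:$false
        }
    }
}
```

Run it with `-WhatIf` first: because every change goes through ShouldProcess, the dry run lists each add and remove without touching the directory, which is the quickest way to find accounts whose Department value is outside the allowed list before the scheduled task starts acting on them. The removal step is what makes the script worth running repeatedly; adding alone would let a user who changes department accumulate the groups of every department they have ever been in.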