Automatically Add Users to Groups by Department
Adaxes allows you to automatically add users to AD groups when a new user account is created, modify the group membership when a user is modified, disabled, moved, etc. In this tutorial you will learn how to configure Adaxes to automatically add newly created users to AD groups based on the user's department.
To automatically add new users to groups, you need to create a Business Rule that will be executed after a new user account is created in Active Directory.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule . The Create Business Rule wizard will open.
Enter the name for the new Business Rule, and click Next.
Here you need to specify when the new Business Rule must be executed. As we want to set group membership after a new user account is created, do the following:
- Select User in the Object Type list.
- Select After in the Operation section.
- Select Creating a User in the Operation section and click Next.
At the next step, you need to specify what the Business Rule will do when a new user is created. To add the Add User to Group action to the Business Rule, do the following:
- Click the Add Action link.
- In the dialog that opens, select the Add the User to a group action.
- In the Action Parameters section click Select Group and select the group where you want to add newly created users. Click OK.
Automatically Change Group Membership Using Scripts.
To add users to the specified group, if these users are members of a specific department only, you need to add a condition for the Add User to Group action:
- Select the action/condition set (click the created action to highlight the set), and click the Add Condition icon.
- In the dialog that opens, select the If <property><relation><value> condition type.
- In the Condition Parameters section specify Department equals Sales, and click OK.
- Create a Property Pattern for User objects.
- Add a Property Pattern item for the Department property.
- Select the The property is required option.
- Specify the names of departments in the Must be one of the following values only field.
If in your Active Directory members of specific departments are located under specific
Organizational Units, you can configure the Business Rule to execute the Add User
to Group action only when users are created under a certain Organizational Unit.
For this purpose, click the
Add action to a new set link and repeat steps 4 and 5.
When adding a condition, select the If located under <location> condition type and specify the OU that contains members of your department. When finished, click Next.
Here, at the Activity Scope page you need to specify where in Active Directory a user must be created to trigger this Business Rule. Click Add.
In the Business Rule Activity Scope dialog that opens, you need to specify the Active Directory locations where the Business Rule will be effective. Select one of the following items:
All Objects - select if you want this Business Rule to be executed when a
user is created in any AD domain managed by the Adaxes service.
Specific Domain - select if you want this Business Rule to be executed when
a user is created in the AD domain you specify.
- OU or Container - select if you want this Business Rule to be executed only when a new user is created under the selected OU or container.
Select the item you need and click Add. When finished, click OK.
The specified activity scope items will be displayed in the Assignments list. Click Finish.
Now, when the Business Rule is complete, every time a new user is created in AD (no matter in which way - using Administration Console, Web Interface, during data import, via PowerShell scripts, etc.), Adaxes will automatically add this user to the groups you specify.
Update Membership by Schedule, on Creation and Modification
If your group membership policies depend on user account properties or on the location of a user in Active Directory, you may also need to update group membership after a user is updated or moved to a new location.
For this purpose, you need to create a Custom Command that will update group membership, and then execute this Custom Command by Business Rules and Scheduled Tasks.
For details on how to create Custom Commands, see Create a Custom Command.