Active Directory management & automation

Tutorials

Automatically Add Users to Groups by Department

Adaxes allows you to automatically add users to AD groups when a new user account is created, modify the group membership when a user is modified, disabled, moved, etc. In this tutorial you will learn how to configure Adaxes to automatically add newly created users to AD groups based on the user's department.

To automatically add new users to groups, you need to create a Business Rule that will be executed after a new user account is created in Active Directory.

1Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule . The Create Business Rule wizard will open.

Launching the Create Business Rule wizard

2Enter the name for the new Business Rule, and click Next.

3Here you need to specify when the new Business Rule must be executed. As we want to set group membership after a new user account is created, do the following:

  • Select User in the Object Type list.
  • Select After in the Operation section.
  • Select Creating a User in the Operation section and click Next.

Selecting the triggering operation for the Business Rule

4 At the next step, you need to specify what the Business Rule will do when a new user is created. To add the Add User to Group action to the Business Rule, do the following:

  • Click the Add Action link.
  • In the dialog that opens, select the Add the User to a group action.
  • In the Action Parameters section click Select Group and select the group where you want to add newly created users. Click OK.

Adding Add to Group action


On how to change group membership using a PowerShell script, see
Automatically Change Group Membership Using Scripts.

5 To add users to the specified group, if these users are members of a specific department only, you need to add a condition for the Add User to Group action:

  • Select the action/condition set (click the created action to highlight the set), and click the Add Condition icon.
  • In the dialog that opens, select the If <property><relation><value> condition type.
  • In the Condition Parameters section specify Department equals Sales, and click OK.

Adding Business Rule condition

To make sure that the department is always specified for newly created users and the department name is spelled correctly, you can use Property Patterns:
  • Create a Property Pattern for User objects.
  • Add a Property Pattern item for the Department property.
  • Select the The property is required option.
  • Specify the names of departments in the Must be one of the following values only field.
For details, see Specify List of Departments to Avoid Repetitive Typing.

6 If in your Active Directory members of specific departments are located under specific Organizational Units, you can configure the Business Rule to execute the Add User to Group action only when users are created under a certain Organizational Unit. For this purpose, click the Add action to a new set link and repeat steps 4 and 5.
When adding a condition, select the If located under <location> condition type and specify the OU that contains members of your department. When finished, click Next.

Adding additional actions and conditions

7 Here, at the Activity Scope page you need to specify where in Active Directory a user must be created to trigger this Business Rule. Click Add.

Specifying rule activity scope

8 In the Business Rule Activity Scope dialog that opens, you need to specify the Active Directory locations where the Business Rule will be effective. Select one of the following items:

  • All Objects - select if you want this Business Rule to be executed when a user is created in any AD domain managed by the Adaxes service.

  • Specific Domain - select if you want this Business Rule to be executed when a user is created in the AD domain you specify.

  • OU or Container - select if you want this Business Rule to be executed only when a new user is created under the selected OU or container.

Select the item you need and click Add. When finished, click OK.

9 The specified activity scope items will be displayed in the Assignments list. Click Finish.

Now, when the Business Rule is complete, every time a new user is created in AD (no matter in which way - using Administration Console, Web Interface, during data import, via PowerShell scripts, etc.), Adaxes will automatically add this user to the groups you specify.

Update Membership by Schedule, on Creation and Modification

If your group membership policies depend on user account properties or on the location of a user in Active Directory, you may also need to update group membership after a user is updated or moved to a new location.

For this purpose, you need to create a Custom Command that will update group membership, and then execute this Custom Command by Business Rules and Scheduled Tasks.

Create a Custom Command that will update group membership of user accounts.
For details on how to create Custom Commands, see Create a Custom Command.

Custom Command for Group Membership Management

Disable the Custom Command if you don't want to execute it manually.

Create a Business Rule that will be executed after creation of new users in Active Directory. Add the Execute Custom Command action to this Business Rule that will execute the command created on the step 1.

Active Directory Automation: After User Creation


Create a Business Rule that will be executed after updating users and add the Execute Custom Command action to this Business Rule.

Active Directory Automation: After User Update


Create a Business Rule that will be executed after moving users between Organizational Units. Add the Execute Custom Command action to this Business Rule to execute your Custom Command.

Active Directory Automation: After User Move


Create a Scheduled Task that will periodically execute the Custom Command. This will allow you to update the group membership of the users that are modified or moved outside Adaxes.

Active Directory Automation: Scheduled Task

For details on how to create Scheduled Tasks, see Schedule Tasks for Active Directory Management.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for creating users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts