Active Directory management & automation

Add Users to a Specific Group When They are Disabled

In this tutorial you will learn how to configure Adaxes to automatically add users to a specific AD group when a user account is disabled. This is useful, for example, if you need to add deprovisioned user accounts to an AD group for which access to Active Directory resources is denied.

To automatically change the group membership of disabled users, you need to create a Business Rule that will be automatically executed after an Active Directory user account is disabled.

1 Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule. The Create Business Rule wizard will open.

Launching the Create Business Rule wizard

2 Enter the name for the new Business Rule, and click Next.

3 Here you need to specify when the new Business Rule must be executed. As you need to change group membership after a user account is disabled, do the following:

  • Select User in the Object Type list.
  • Select After in the Operation section.
  • Select Disabling a User account in the Operation section and click Next.

Selecting the triggering operation for the Business Rule

4 Now, you need to create an action that will add disabled user accounts to a group. To do this:

  • Click the Add Action link.
  • In the dialog that opens, select the Add the User to a group action.
  • In the Action Parameters section, click Select Group.
  • Select a group for disabled users.
  • Click OK.

5 Optionally, you may want the Business Rule to remove disabled users from specific AD groups or move them to a specific OU. To add a new Business Rule action, right-click the action you added and select Add New Action.

Adding additional actions

Removing Users from All Groups

In addition to removing disabled users from specific groups, you can also remove them from all the groups they are members of. To do so, you need to run a PowerShell script as a part of your Business Rule.

How

  • Select the Run a program or PowerShell script action.
  • Select PowerShell script in the Type field.
  • In the Short description field, describe what your script does.
  • In the Script field, specify the below script.

    # Get groups the user is a direct member of
    $groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
    
    # Get ID of the primary group
    $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
    
    foreach ($groupGuidBytes in $groupGuids)
    {
        # Bind to group
        $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
        $groupGuid = $groupGuid.ToString("B")
        $groupPath = "Adaxes://<GUID=$groupGuid>"
        $group = $Context.BindToObject($groupPath)
    
        # Skip the primary group
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }
    
        # Remove user
        $group.Remove($Context.TargetObject.AdsPath)
        $groupName = $group.Get("cn")
        $Context.LogMessage("Removed from group '$groupName'", "Information")
    }

    Optionally, assign a custom description for the action

    You can assign a custom description for the Run a program or PowerShell script action that will replace the default description generated by Adaxes. To do this:
    • Click the Assign Custom Action Description button.
    • Type the description in the Custom action description field.

      Add custom action description.

  • Click OK.
  • Using the arrow buttons at the bottom, make sure that the script is executed before the action that adds users to the group for disabled accounts.

When finished, click Next.

6 Here, at the Activity Scope page, you need to specify where in Active Directory a user must be located, or to what groups or Business Units it must belong, to be affected by the Business Rule. Click Add.

Specifying rule activity scope

7 In the Business Rule Activity Scope dialog that opens, select one of the following items:

  • All Objects - select if you want this Business Rule to be executed when disabling user accounts in any AD domain managed by the Adaxes service.

  • Specific Domain - select if you want this Business Rule to be executed when disabling user accounts in the AD domain you specify.

  • OU or Container - select if you want this Business Rule to be executed only when disabling user accounts located under the selected OU or container.

  • Group - select a specific group if you want this Business Rule to be executed only when disabling users that are members of the selected group.

  • Business Unit - select a Business Unit if you want this Business Rule to be executed only when disabling users that are members of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

Viewing Business Units

Select the item you need and click Add. When finished, click OK.

8 The specified activity scope items will be displayed in the Assignments list. Click Finish.

Now that the Business Rule is complete, every time a user account is disabled, regardless of how it is disabled (using Administration Console, Web Interface, PowerShell scripts, etc.), Adaxes will automatically add this user to the specified AD group.
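As an added example that is not part of this tutorial or of Adaxes: a PowerShell audit that reports disabled accounts the Business Rule did not fully deprovision, i.e. accounts that are missing from the group for disabled users or still hold other memberships. It uses the RSAT ActiveDirectory module rather than the Adaxes $Context API, and the group name "Disabled Users" is an assumed placeholder to adjust for your environment.

```powershell
# Added example: audit disabled user accounts for leftover group membership.
# Assumes the RSAT ActiveDirectory module is available where this runs and that
# the group for disabled accounts is called "Disabled Users" (placeholder).
Import-Module ActiveDirectory

$disabledGroupName = "Disabled Users"   # assumed name of the group for disabled users
$disabledGroupDn   = (Get-ADGroup -Identity $disabledGroupName).DistinguishedName

# The primary group (by default Domain Users, RID 513) is not listed in memberOf,
# so it never shows up as a leftover; the Business Rule script skips it as well.
$disabledUsers = Get-ADUser -Filter 'Enabled -eq $false' `
    -Properties memberOf, primaryGroupID, whenChanged

$findings = foreach ($user in $disabledUsers) {
    $groups       = @($user.memberOf)
    $inQuarantine = $groups -contains $disabledGroupDn
    # Every group other than the one for disabled users is a leftover membership
    $leftovers    = @($groups | Where-Object { $_ -ne $disabledGroupDn })

    if (-not $inQuarantine -or $leftovers.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName  = $user.SamAccountName
            InDisabledGroup = $inQuarantine
            LeftoverGroups  = ($leftovers | ForEach-Object {
                                  (Get-ADGroup -Identity $_).Name }) -join ';'
            PrimaryGroupID  = $user.primaryGroupID
            WhenChanged     = $user.whenChanged
        }
    }
}

if ($findings) {
    # Most recently changed accounts first: these are the likeliest rule misses
    $findings | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
} else {
    Write-Host "All disabled accounts are in '$disabledGroupName' with no other memberships."
}
```

Accounts disabled before the Business Rule existed, or outside its activity scope, will show up here as well, which makes the report a useful check of the scope chosen in step 7.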
