Add Users to a Specific Group When They are Disabled
In this tutorial you will learn how to configure Adaxes to automatically add users to a specific AD group when their accounts are disabled. This is useful, for example, if you need to add deprovisioned user accounts to an AD group that is denied access to Active Directory resources.
To automatically change the group membership of disabled users, you need to create a Business Rule that will be automatically executed after an Active Directory user account is disabled.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule. The Create Business Rule wizard will open.
Enter the name for the new Business Rule, and click Next.
Here you need to specify when the new Business Rule must be executed. As we want to change group membership after a user account is disabled, do the following:
- Select User in the Object Type list.
- Select After in the Operation section.
- Select Disabling a User account in the Operation section and click Next.
At the next step, you need to specify what the Business Rule will do when a user account is disabled. To add the Add User to Group action to the Business Rule, do the following:
- Click the Add Action link.
- In the dialog that opens, select the Add the User to a group action.
- In the Action Parameters section click Select Group and select the group where you want to add disabled users. Click OK.
Automatically Change Group Membership Using Scripts.
Optionally, you may want the Business Rule to remove disabled users from specific AD groups or move these users to a specific OU. To add a new Business Rule action, select the action/condition set (click the created action to highlight the set), and click the Add Action icon.
When finished, click Next.
Here, on the Activity Scope page, you need to specify where in Active Directory a user must be located, or to what groups or Business Units it must belong, to be affected by the Business Rule. Click Add.
In the Business Rule Activity Scope dialog that opens, select one of the following items:
- All Objects - select if you want this Business Rule to be executed when disabling user accounts in any AD domain managed by the Adaxes service.
- Specific Domain - select if you want this Business Rule to be executed when disabling user accounts in the AD domain you specify.
- OU or Container - select if you want this Business Rule to be executed only when disabling user accounts located under the selected OU or container.
- Group - select a specific group if you want this Business Rule to be executed only when disabling users that are members of the selected group.
- Business Unit - select a Business Unit if you want this Business Rule to be executed only when disabling users that are members of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.
Select the item you need and click Add. When finished, click OK.
The specified activity scope items will be displayed in the Assignments list.
Click Finish.
Now that the Business Rule is complete, every time a user account is disabled (no matter in which way: using Administration Console, Web Interface, PowerShell scripts, etc.), Adaxes will automatically add this user to the specified AD group.
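A way to confirm the rule's effect from the directory side, as an added example that is not part of the Adaxes tutorial: the PowerShell script below lists disabled users that are not direct members of the target group, such as accounts that were disabled before the rule was created. It assumes the ActiveDirectory (RSAT) module is installed; the group name and OU are placeholders to replace with your own.

```powershell
# Added example (not Adaxes code): audit disabled users against the target group.
# Assumes the ActiveDirectory module; the two values below are placeholders.
Import-Module ActiveDirectory

$GroupSam   = 'Deprovisioned-Users'            # placeholder: sAMAccountName of the group
$SearchBase = 'OU=Staff,DC=example,DC=com'     # placeholder: same scope as the Business Rule

function Get-DisabledUserNotInGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupSam,
        [Parameter(Mandatory)] [string] $SearchBase
    )

    # Resolve the group once; membership is compared by distinguished name.
    $groupDn = (Get-ADGroup -Identity $GroupSam).DistinguishedName

    # memberOf lists direct memberships only and omits the primary group,
    # which matches what the "Add the User to a group" action produces.
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
               -Properties memberOf, whenChanged |
        Where-Object { $_.memberOf -notcontains $groupDn } |
        Select-Object SamAccountName, DistinguishedName, whenChanged
}

$missing = @(Get-DisabledUserNotInGroup -GroupSam $GroupSam -SearchBase $SearchBase)

if ($missing.Count -eq 0) {
    Write-Output "All disabled users under $SearchBase are members of $GroupSam."
}
else {
    Write-Output "$($missing.Count) disabled user(s) are not members of ${GroupSam}:"
    $missing | Sort-Object whenChanged | Format-Table -AutoSize
}
```

Running it on a schedule and alerting on a non-empty result shows when a disabled account has ended up outside the group.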
