Automatically Change Group Membership Using Scripts

With the help of Business Rules, Scheduled Tasks, and Custom Commands you can automatically add or remove AD objects from groups. For this purpose you usually use the Add Object to Group and Remove Object from Group actions. However, in scenarios where you need to deal with many groups and complex membership policies, you may prefer to use a script for this purpose.

To execute a script automatically, you need to add the Run a program or PowerShell script action to your Business Rule, Scheduled Tasks, or Custom Command.

Run PowerShell Script action.

Select PowerShell script in the Type field. In the Short description field, describe what your script does, its purpose or intention.


To execute PowerShell scripts, PowerShell must be installed on the computer where the Adaxes service is running. To install PowerShell, visit Script Center Downloads and follow the instructions provided there.

To pass parameters to the script, you can use value references (e.g. %username%). Before the script is executed, value references will be replaced with the property values of the target AD object. For example, you can enter the following:

    $department = "%department%"
    $title = "%title%"

After the replacement of the value references, this part of the script will look as follows:

    $department = "Sales"
    $title = "Manager"


Also, to get the data entered by the user and access other parameters of the operation, you can use a predefined PowerShell variable called $Context. For more details, please see Validate/Modify User Input Using a Script.


Example 1 - Add or remove a user from groups based on department and OU

    Import-Module Adaxes

    $userDN = "%distinguishedName%"

    # If the department is 'Sales', the user must be a member of the 'Sales Staff' group.
    $department = "%department%"
    $salesStaffGroup = Get-AdmGroup "Sales Staff"
    if ($department -eq "Sales")
    {
        # Add the user to the Sales Staff group
        Add-AdmGroupMember $salesStaffGroup $userDN -ErrorAction SilentlyContinue
    }
    else
    {
        # Remove the user from the Sales Staff group
        Remove-AdmGroupMember $salesStaffGroup $userDN -Confirm:$False `
            -ErrorAction SilentlyContinue
    }

    # If the user is located under the 'New York' OU, add this user to
    # the 'New York Office' group
    $newYorkOUDN = "OU=New York,DC=example,DC=com"
    $dn = New-Object "Softerra.Adaxes.Ldap.DN" $userDN
    $userOUDN = $dn.Parent.ToString()
    $newYorkGroup = Get-AdmGroup "New York Office"
    if ($newYorkOUDN -eq $userOUDN)
    {
        # Add the user to the 'New York Office' group
        Add-AdmGroupMember $newYorkGroup $userDN -ErrorAction SilentlyContinue
    }
    else
    {
        # Remove the user from the 'New York Office' group
        Remove-AdmGroupMember $newYorkGroup $userDN -Confirm:$False `
            -ErrorAction SilentlyContinue
    }
  

Example 2 - Remove a user from all groups

    Import-Module Adaxes
    $user = Get-AdmUser "%distinguishedName%" -Properties MemberOf
    if ($user.MemberOf -ne $Null)
    {
        foreach ($groupDN in $user.MemberOf)
        {
            Remove-AdmGroupMember $groupDN -Members $user  -Confirm:$False
        }
    }
  

Example 3 - Remove a user from all mail-enabled groups

    Import-Module Adaxes
    $username = "%username%"
    $domainName = $Null

    Get-AdmPrincipalGroupMembership $username -server $domainName -adaxesservice localhost |
    Get-AdmGroup -Properties mail -server $domainName | Where {$_.mail -ne $NULL} |
    Remove-AdmGroupMember -member $username -server $domainName -Confirm:$False
  
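As an added example that is not part of the original page or of the Adaxes product documentation: a policy-driven variant of Example 1 that keeps the department-to-group mapping in a hashtable and only ever adds or removes membership in the groups named in that mapping, so unrelated memberships are never touched. The department and group names are constructed values, and the script assumes the Adaxes $Context.LogMessage(message, type) method is available to record each change.

```powershell
Import-Module Adaxes

$userDN = "%distinguishedName%"
$department = "%department%"

# Policy: the group each department must belong to (constructed example values).
# Hashtable keys are case-insensitive, so "sales" and "Sales" both match.
$departmentGroups = @{
    "Sales"       = "Sales Staff"
    "Engineering" = "Engineering Staff"
    "Finance"     = "Finance Staff"
}

# Only the groups listed in the policy are ever modified.
$managedGroups = $departmentGroups.Values
$requiredGroup = $departmentGroups[$department]   # $null when the department has no rule

# Current memberships of the target user (MemberOf holds group DNs).
$user = Get-AdmUser $userDN -Properties MemberOf
$currentGroupDNs = @($user.MemberOf)

foreach ($groupName in $managedGroups)
{
    $group = Get-AdmGroup $groupName -ErrorAction SilentlyContinue
    if ($group -eq $null)
    {
        # A missing policy group is a configuration error worth surfacing, not silently skipping.
        $Context.LogMessage("Policy group '$groupName' was not found.", "Warning")
        continue
    }

    $isMember = $currentGroupDNs -contains $group.DistinguishedName
    $shouldBeMember = ($groupName -eq $requiredGroup)

    if ($shouldBeMember -and -not $isMember)
    {
        # -AdaxesService routes the change through the Adaxes service, as in Example 3.
        Add-AdmGroupMember $group $userDN -AdaxesService localhost
        $Context.LogMessage("Added to '$groupName' (department: '$department').", "Information")
    }
    elseif (-not $shouldBeMember -and $isMember)
    {
        Remove-AdmGroupMember $group $userDN -Confirm:$False -AdaxesService localhost
        $Context.LogMessage("Removed from '$groupName' (department: '$department').", "Information")
    }
    # Otherwise the membership already matches the policy; nothing to do.
}
```

Because membership is compared against the policy before any cmdlet is called, re-running the script on an already compliant user produces no changes and no log entries.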

To use the scripts, you need to install the Adaxes PowerShell Module on the computer where the Adaxes service is running. The Adaxes PowerShell Module is installed with the same installation package that is used to install the Adaxes service.