
Request Approval for User Deletion

You can configure Adaxes to request an approval for any operation performed in Active Directory. When an operation that requires an approval is performed, Adaxes suspends this operation until it is approved by a responsible person. In this tutorial, you will learn how to configure Adaxes to request an approval for deletion of user accounts.

To request an approval for user deletion, you need to create a Business Rule that will be executed before deleting a user in Active Directory.

1 Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule. The Create Business Rule wizard will open.

Launching the Create Business Rule wizard

2 Enter the name for the new Business Rule, and click Next.

3 Here you need to specify when the new Business Rule must be executed. As we want to send a request for approval before a user account is deleted, do the following:

  • Select User in the Object Type list.
  • Select Before in the Operation section.
  • Select Deleting a User in the Operation section and click Next.

Selecting the triggering operation for the Business Rule

4 At the next step, you need to specify what the Business Rule will do before a user is deleted. To send an approval request, the Business Rule must execute the 'Send this operation for approval' action.

  • Click the Add Action link.
  • In the dialog that opens, select the Send this operation for approval action.
  • In the Action Parameters section, click Add and select users or groups that will be able to approve deletion of users.
  • Optionally, you can set the following options:
    • Manager of the requestor to allow the manager of the user who performs the deletion to approve or deny this operation. The manager-employee relationship is stored in the Manager property of an AD user object.
    • Owner of the requestor's OU to allow the owner of the Organizational Unit (OU) containing the account of the user who performs the deletion to approve or deny this operation. The OU owner is specified via the Managed By property of OU objects.
    • Manager of the target user to allow the manager of the AD user that is being deleted to approve or deny this operation. The manager-employee relationship is stored in the Manager property of an AD user object.
    • Owner of the target user's OU to allow the owner of the Organizational Unit (OU) containing the user that is being deleted to approve or deny this operation. The OU owner is specified via the Managed By property of OU objects.
    Adaxes service administrators have permissions to approve or deny any approval request.
  • Click OK.

Send the operation for approval action

If you need to build the list of approvers dynamically or based on complex criteria, you can use a PowerShell script to submit the operation for approval.

How to request for approval from PowerShell script

To run a PowerShell script, your Business Rule must execute the Run a program or PowerShell script action.
  • Add a new action to the Business Rule.
  • In the Add Action dialog, select the Run a program or PowerShell script action.
  • In the Short description field, describe what your script does, its purpose or intention.

    Optionally, assign a custom description for the action

    You can assign a custom description for the Run a program or PowerShell script action that will replace the default description generated by Adaxes. To do this:
    • Click the Assign Custom Action Description button.
    • Type the description in the Custom action description field.

      Add custom action description.

  • Type the text of the script in the Script field and click OK.

To submit a request for approval from a script, you need to call the SubmitForApproval method of the pre-defined PowerShell variable called Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers. For detailed information on the input parameters of the method, see SubmitForApproval.

The following script submits an approval request to a specific user and members of a specific group.

    $approvers = @(
        "CN=John Smith,CN=Users,DC=example,DC=com",
        "CN=Group,OU=Groups,DC=example,DC=com")
    $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

How to get the DN of an object

To get the DN of an Active Directory object:
  • Launch Adaxes Administration Console.
  • Right-click the object you need.
  • In the context menu, open the submenu of the Copy item.
  • Click Copy DN. The DN of the selected Active Directory object will be copied to the clipboard.

You can use value references in distinguished names of approvers. Before executing the script, Adaxes will replace the value references with corresponding property values of the user account on which the operation is performed.

The following example submits an approval request to the user's secretary and members of the group called Admins located in the Organizational Unit where the user account resides.

    $approvers = @(
        "%secretary%",
        "CN=Admins,%adm-InitiatorParentDN%")
    $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

The next example submits a request to the members of the group with a name consisting of the name of the user's department plus Managers.

    $approvers = @("%department%Managers,CN=Users,DC=example,DC=com")
    $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

The following example allows the user whose account is to be deleted to approve or deny this operation.

    $approvers = @("%distinguishedName%")
    $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.
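The examples above use fixed DNs or value references. When the approver list depends on what is being deleted, the script can inspect the target account and decide at run time. The script below is an added example and is not part of the Adaxes documentation: it routes deletion of a member of a privileged group to a security team, routes other deletions to the target user's manager plus a fallback group, and cancels the operation if no approver can be resolved, so that a misconfiguration never lets a deletion through unreviewed. The three group DNs are constructed placeholders. It relies on $Context.TargetObject, $Context.Cancel and $Context.LogMessage, which this page does not describe; check them against the Adaxes server-side scripting reference before use. The four boolean parameters are left at $False exactly as in the page's own examples.

```powershell
# Added example, not Adaxes documentation code. Group DNs are placeholders.
$privilegedGroupDN = "CN=Privileged Users,OU=Groups,DC=example,DC=com"   # placeholder
$securityTeamDN    = "CN=Security Team,OU=Groups,DC=example,DC=com"      # placeholder
$fallbackGroupDN   = "CN=Account Admins,OU=Groups,DC=example,DC=com"     # placeholder

# $Context.TargetObject is assumed to be the ADSI object of the user being deleted.
# GetEx returns an array for any attribute but throws when the attribute is empty,
# so wrap it and return an empty array instead.
function Get-AttributeValues($object, $attributeName) {
    try { return @($object.GetEx($attributeName)) } catch { return @() }
}

$memberOf  = Get-AttributeValues $Context.TargetObject "memberOf"
$approvers = @()

if ($memberOf -contains $privilegedGroupDN) {
    # Deleting a privileged account: only the security team may approve.
    $approvers += $securityTeamDN
} else {
    # Regular account: the target user's manager approves, if one is set.
    $manager = Get-AttributeValues $Context.TargetObject "manager"
    if ($manager.Count -gt 0 -and -not [string]::IsNullOrEmpty($manager[0])) {
        $approvers += $manager[0]
    }
    # A second approver path so the request is not stuck on an absent manager.
    $approvers += $fallbackGroupDN
}

# Remove duplicates (a manager might also be in the fallback group).
$approvers = @($approvers | Sort-Object -Unique)

if ($approvers.Count -eq 0) {
    # Fail closed: a deletion must never proceed because no approver was found.
    $Context.Cancel("User deletion blocked: no approver could be determined.")
    return
}

$Context.LogMessage(("Deletion sent for approval to: " + ($approvers -join "; ")), "Information")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```

The memberOf check only sees direct membership; if privileged access is granted through nested groups, resolve membership recursively (for example by expanding the privileged group's members) before deciding which approver path applies, otherwise a nested privileged account would fall into the regular path.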

5 You can configure the Business Rule to send approval requests only if certain conditions are met. For example, an operation can be sent for approval only if the user that is going to be deleted is a member of a specific AD group or Business Unit, or the account of this user is enabled, or this user is located in a specific OU, etc. Also, the operation can be sent for approval depending on who performs this operation, for example, if the user who is trying to perform the deletion is a member of a specific AD group or Business Unit.

To request an approval for user deletion, only if the user who performs this operation is a member of a specific AD group, do the following:

  • Select the action/condition set (click the created action to highlight the set) and click the Add Condition icon.
  • In the dialog that opens, select the If the initiator is a member of <Group> condition type.
  • In the Condition Parameters section, click Select Group, select an Active Directory group, and click OK.

Adding conditions for the action

If necessary, add other conditions. When finished, click Next.

6 Here, on the Activity Scope page, you need to specify where in Active Directory a user must be located, or what groups or Business Units he/she should be a member of, to be affected by the Business Rule. Click Add.

Specifying rule activity scope

7 In the Business Rule Activity Scope dialog that opens, select one of the following items:

  • All Objects - select if you want this Business Rule to be executed when deleting users in any AD domain managed by the Adaxes service.

  • Specific Domain - select if you want this Business Rule to be executed when deleting users in the AD domain you specify.

  • OU or Container - select if you want this Business Rule to be executed only when deleting users located under the selected OU or container.

  • Group - select a specific group if you want this Business Rule to be executed only when deleting users that are members of the selected group.

  • Business Unit - select a Business Unit if you want this Business Rule to be executed only when deleting users that are members of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

Viewing Business Units

Select the item you need and click Add. When finished, click OK.

8 The specified activity scope items will be displayed in the Assignments list. Click Finish.

Now, when the Business Rule is complete, every time a user account is deleted (no matter in which way - using Administration Console, Web Interface, via PowerShell scripts, etc.), Adaxes will suspend this operation until it is approved by one of the specified approvers.


How to approve, deny or cancel approval requests

To approve, deny or cancel approval requests, users can use either Adaxes Web Interface, or Administration Console.

Web Interface:

Approving or denying approval requests via Web Interface

Administration Console:

Approving or denying approval requests via Administration Console


How to configure Adaxes to send e-mail notifications to approvers and requestors

To enable Adaxes to send e-mail notifications to the operation approvers and requestor when an operation is sent for approval, approved, denied or cancelled, you need to configure the outgoing mail settings for your Adaxes service:

  • Right-click your Adaxes service and click Properties in the context menu.
  • Click the Mail Settings tab and change the SMTP settings.

Specifying SMTP settings for Adaxes service

If you want e-mail notifications to contain a web link to view and update the approval request, as well as links to the Active Directory objects related to this approval request, you need to register a Web Interface for your Adaxes service:

  • Right-click your Adaxes service and click Properties in the context menu.
  • Click the Web Interface tab.
  • Specify the address of an Adaxes Web Interface in the Web interface address field.

Registering Web Interface for Adaxes service

To customize templates for e-mail notifications sent during the approval workflow process:

  • Expand your Adaxes service.
  • Right-click Approval Requests and click Properties in the context menu.
  • Click the E-Mail Notifications tab.

Opening Approval Request Notifications Settings
