0 votes

Hello,

I have my OUs structured so each department we're working with has an OU for their service accounts under their department OU.

e.g.

OU=Service Accounts,OU=Sales,OU=Department,DC=domain,DC=com
OU=Service Accounts,OU=Engineering,OU=Department,DC=domain,DC=com
OU=Service Accounts,OU=Support,OU=Department,DC=domain,DC=com

All accounts under those OUs should be a member of a specific Security group.

I see I can use value references in a template to point to the OU but I'm hoping it's possible to put a wildcard in the template like so:

OU=Service Accounts,OU=*,OU=Department,DC=domain,DC=com

I suppose this could be done with a powershell script but I wanted to see if there's a wildcard we can use for DNs in the built in scheduled tasks. It looks like I could also add each new OU to the scheduled task but I was hoping for something more hands off.

by (810 points)

1 Answer

0 votes
by (810 points)

I went ahead and made a PowerShell script with the Adaxes cmdlets to do what I was trying to do.

$SRVAccounts = Get-ADMUser -AdaxesService Servername.domain.com -Filter * -Properties Name,DistinguishedName | `
    Where-Object {($_.DistinguishedName -like "*,OU=ServiceAccounts,OU=SharedAccounts,DC=domain,DC=com"`
    -or $_.DistinguishedName -like "*,OU=Service Accounts,*,OU=departments,DC=domain,DC=com")}

ForEach ($_ in $SRVAccounts) {Add-AdmGroupMember AddToGroupTest $_}
0

Made a small change to check to see if the user is a member of the group already before attempting to add. I also added the import module command so it works in the task scheduler.

Import-Module Adaxes
$SRVAccounts = Get-ADMUser -AdaxesService Servername.domain.com -Filter * -Properties Name,DistinguishedName | `
    Where-Object {($_.DistinguishedName -like "*,OU=ServiceAccounts,OU=SharedAccounts,DC=domain,DC=com"`
    -or $_.DistinguishedName -like "*,OU=Service Accounts,*,OU=departments,DC=domain,DC=com" -and $_.memberof -notlike "AddToGroupTest")}

ForEach ($_ in $SRVAccounts) {Add-AdmGroupMember AddToGroupTest $_}
0

Hello,

Actually, instead of using a script, you can use the ParentDN property. This is a constructed (virtual) property that returns the Distinguished Name (DN) of the container or OU where an object is located.

Thus, for your task, you can check whether the DN contains Service Accounts. Checking whether the user is already a member of the group is also a good idea. Thus, the actions/conditions of your Scheduled Task will look as follows:

To add, such actions/conditions to your task:

  1. Add a new action to your Scheduled Task.
  2. Select Add the User to a group.
  3. Click Select Group and specify the necessary group.
  4. Click OK 2 times.
  5. Add a condition.
  6. Select the If <property> <relation> <value> condition type.
  7. In the Condition Parameters section, specify If ParentDN contains Service Accounts.
  8. Click OK.
  9. Add another condition. Select the If is member of <Group> condition type.
  10. Select is not.
  11. Click Select Group and specify the necessary group.
  12. Click OK 2 times.
0

Thanks! I was just coming back to say the script works alone ok but within the Adaxes task scheduler it wasn't working quite like I wanted it to. I'll give the suggested setup a try and see how it works!

0

Thanks a bunch, that works exactly like I wanted!

Related questions

0 votes
1 answer

From the Administration Console, when adding users to a group, I would like the ability to paste a list of users, like I can in ADUC. Also, I would like the ability to paste a list of groups to a user.

asked Mar 22, 2013 by Kikaida (1.1k points)
0 votes
1 answer

I'm trying to automate adding users who are enrolled in MFA to an AD group. The scripts I found elsewhere here that do not work so I believe they may have been written against a prior Adaxes version or referencing a report that does not meet our needs.

asked May 31 by neal (50 points)
0 votes
1 answer

Currently, when I disable a user account in Adaxes, the group memberships of the user remain intact. I'd like to automate the removal of group memberships such as distribution ... a list of groups/DL that the user was previously in and removed from. Thanks!

asked Nov 3, 2021 by jayden.ang (20 points)
0 votes
1 answer

I have a scheduled task that runs a Powershell script against an AD group, "Group 1". I need to get all of the members of Group 1, and add them to Group 2. The ... identity in the error message start with 'user;'? What is the correct way to accomplish this?

asked Aug 27, 2019 by ngb (280 points)
0 votes
1 answer

We have four OUs in Active Directory (Pending Deletion, Disabled with Mail Delegates, Disabled with HR Extensions and Disabled_Temp_Leave) that users are moved to prior to their eventual ... past 7 days have been moved to one of 4 of these OUs. Thanks!

asked Jun 3, 2021 by RayBilyk (240 points)
3,504 questions
3,196 answers
8,148 comments
547,431 users