0 votes

Hi Forum,

I have another quick question. There's a Business Rule with an Approval on Adding Users to certain Groups. Is it possible to trigger this Business Rule when adding a user to that group scope from a PowerShell script (add-admgroupmember ...)?

Thanks for your Help
Cheers

by (650 points)

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello,

Like other cmdlets from the Adaxes PowerShell module for Active Directory, Add-AdmGroupMember can work in 2 modes: it can make changes either directly in AD or via the Adaxes service. When the Adaxes service is involved, you benefit from all Adaxes workflow features, such as Business Rules, Property Patterns or logging.

To perform an operation via an Adaxes service, pass the service you need in the -AdaxesService parameter, for example:

Add-AdmGroupMember MyGroup user1,user2,user3 -AdaxesService localhost
0

Thanks a lot. I was missing the -AdaxesService.

As you can see, I want to trigger a Business Rule through a different Business Rule.

The first Business Rule executes add-admgroupmember and the second one sends this for approval. But in the second Business Rule I don't have the initiator. This means I can't see the initiator in the approval request. Is it possible to work around this?

Again - thanks a lot

0

Hello,

To resolve the issue, use ADSI interfaces for adding members to the group. For example, you can use the following code:

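# ADS path of the target group, addressed through the Adaxes service
$groupPath = "Adaxes://adaxesserver.example.com/CN=My Group,CN=Users,DC=example,DC=com"

# Bind to the group; $true sends operations through the Adaxes pipeline so Business Rules apply
$group = $Context.BindToObjectEx($groupPath, $true)

try
{
    $group.Add($Context.TargetObject.AdsPath)
}
catch [System.Runtime.InteropServices.COMException]
{
    # -2147483638 (0x8000000A): the operation was submitted for approval instead of being executed
    if ($_.Exception.ErrorCode -eq "-2147483638")
    {
        $groupName = $group.Get("name")
        $Context.LogMessage("A request was made to add the user to group $groupName. The request is pending approval.", "Information")
    }
    else
    {
        # Any other COM error is a real failure, so pass it on
        throw $_.Exception
    }
}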

where $groupPath is the ADS path of the group you want to add a member to.

0

Thanks for your answer. Also with the ADSI interface the initiator is the Adaxes service account because it's triggered from a Business Rule. Is it possible to save the original initiator somewhere?

The background of this question is: I have a User Interface where I don't want to display the AD structure to the users. So they have a command on their website, Request Rights. In this command they can modify adm-customattribute1-4 (with predefined values). The selected values generate the group they want to be a member of. This triggers the second Business Rule in which the request is generated.

But the manager of that group just sees the Adaxes service account as initiator.

Thanks again

0

Hello,

Could you post here or send us screenshots of the actions/conditions of the Business Rules involved? If you want to send them by e-mail, use the following address: support[at]adaxes.com.

0

Hi Support,

Do you have any new information? I already sent the requested data.

Thanks for your help

0

Hi Support,

I worked around that issue. The main problem we had with the "wrong" initiator data was the email sent to the approver. So I worked around it this way:

1. Submit the request to a "dummy" user
2. Created a scheduled task that replaces the dummy user with the responsible manager in that request (this does not trigger an email). After the manager was replaced, I build the mail on my own in PowerShell with all the information I need.

I have another question about this but I will open a new thread (with a different topic).

Thanks again and Cheers
