0 votes

Hi!

I want to auto populate the Manager dropdown list (when HR is creating a new user) with the members of two different groups in our AD. Can this be done?

Best regards,

Kaj Lehtinen

by (650 points)

1 Answer

0 votes
by (220k points)
selected by
Best answer

Hello Kaj,

Yes, this can be achieved using a Business Rule triggering After Adding or removing a member from a Group. If a member is added/removed from one of the two groups that contain managers, the Business Rule will automatically update the list of possible values for the Manager property in a Property Pattern. To create the Business Rule:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Business Rule.

  3. On step 2 of the Create Business Rule wizard, select Group Object type.

  4. Select After Adding or removing a member from a Group and click Next.

  5. Click Add Action and select Run a program or PowerShell script.

  6. Paste the script below into the Script field.

     $groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
     $isPropertyRequired = $True # TODO: modify me
     $patternName = "User Pattern" # TODO: modify me
    
     function SearchObjects($path, $filter, $properties, $searchInAllDomans)
     {
         $searcher = $Context.BindToObject($path)
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
         $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.SetPropertiesToLoad($properties)
         if ($searchInAllDomans)
         {
             $searcher.VirtualRoot = $True
         }
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     $filter = New-Object "System.Text.StringBuilder"
     foreach ($dn in $groupDNs)
     {
         $group = $Context.BindToObjectByDN($dn)
         try
         {
             $guidsBytes = $group.GetEx("adm-DirectMembersGuid")
         }
         catch
         {
             continue
         }
    
         foreach ($guidBytes in $guidsBytes)
         {
             $guid = [Guid]$guidBytes
             [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
         }
     }
    
     # Search Property Pattern
     $propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
     $searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
     if ($searchResults.Length -eq 0)
     {
         $Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
         return
     }
     elseif ($searchResults.Length -gt 1)
     {
         $Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")
         return
     }
    
     # Bind to the Property Pattern
     $pattern = $Context.BindToObject($searchResults[0].AdsPath)
    
     # Delete the item for the 'Manager' property
     foreach ($item in $pattern.Items)
     {
         if ($item.PropertyName -ieq "manager")
         {
             $pattern.Items.Remove($item)
             break
         }
     }
    
     if ($filter.Length -eq 0)
     {
         return # Groups have no members
     }
    
     # Get member DNs
     $memberDNs = @()
     $searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
     $searchResults | %{$memberDNs += $_.Properties["distinguishedName"].Value}
    
     # Create a new item for the 'Manager' property
     $item = $pattern.Items.Create()
     $item.PropertyName = "manager"
     $item.IsPropertyRequired = $isPropertyRequired
    
     $constraints = $item.GetConstraints()
     $constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
     $constraint.AreValuesDenied = $False
     $constraint.Values = $memberDNs
     $constraints.Add($constraint)
     $item.SetConstraints($constraints)
    
     # Save the changes
     $item.SetInfo()
     $pattern.Items.Add($item)
    
  7. Enter a short description and click OK.

  8. Click Next and add the groups that contain managers to the Activity Scope of the Business Rule.

  9. Finish creating the Business Rule.

You should have something like the following:

0

Success, now stuff started to happen.

Thanks.

/kaj

0

Last question, can the adding of a user to a group or removal of a user from a group be assigned to a custom menu in the web interface? I'm thinking to simplify everything as much as possible for our HR department (who will be doing this).

I.e. one action/menu to select a user and it's automatically inserted into the right group, and one remove user action so that they just select the user to remove from the group.

If the above can be added as custom menu items (think it's possible?) then we don't need to expose the wizard that shows all the groups in the second step to the HR department, or can we limit the scope for what groups the HR department can act upon?

Currently the HR manager is set as Manager of the two distribution lists.

/Kaj

0

Hello Kaj,

Have a look at the following tutorial: http://www.adaxes.com/tutorials_WebInte ... ctions.htm. You can use the Add to Group and Remove from Group actions.

0

Thanks,

Think I got the hang of it, although when making a custom action to remove users from a specific group, I would like to show the members of the group, not all the AD members (as it's shown by default).

/Kaj

0

Hello Kaj,

On step 3 of the guide for Remove from Group action, you can specify an LDAP filter for displayed users. You need to use the following LDAP filter: (memberOf=CN=Sales Managers,OU=Sales,DC=example,DC=com), where CN=Sales Managers,OU=Sales,DC=example,DC=com is the distinguished name of the group.
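The memberOf filter from the reply above, built from one or more group DNs with the value escaped per RFC 4515, so that a group name containing parentheses, an asterisk or a backslash cannot change what the filter matches. This is an added example, not part of the original thread and not Adaxes' own code; the function names and the second and third sample DNs are constructed, and the optional -Nested switch uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule to include members of nested groups.

```powershell
# Added example: function names and sample DNs are constructed for illustration.

function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515: escape \ * ( ) and NUL inside a filter value.
    # The backslash is replaced first so the escapes added afterwards are not re-escaped.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function New-MemberOfFilter
{
    param(
        [Parameter(Mandatory = $true)][string[]]$GroupDN,
        [switch]$Nested
    )

    # Plain memberOf matches direct members only; the matching rule
    # 1.2.840.113556.1.4.1941 makes AD walk nested group membership as well.
    $attribute = if ($Nested) { "memberOf:1.2.840.113556.1.4.1941:" } else { "memberOf" }

    $clauses = @(foreach ($dn in $GroupDN)
    {
        if ([string]::IsNullOrWhiteSpace($dn)) { throw "Group DN must not be empty." }
        '({0}={1})' -f $attribute, (ConvertTo-LdapFilterValue $dn)
    })

    # A single group needs no OR wrapper; several groups are combined with (|...)
    if ($clauses.Count -eq 1) { return $clauses[0] }
    return "(|" + ($clauses -join "") + ")"
}

# The DN from the reply above: nothing to escape, the filter is unchanged
New-MemberOfFilter -GroupDN "CN=Sales Managers,OU=Sales,DC=example,DC=com"

# Constructed DNs with filter metacharacters, combined for two groups, nested members included
New-MemberOfFilter -Nested -GroupDN @(
    "CN=Managers (EU),OU=Groups,DC=example,DC=com",
    "CN=Managers*,OU=Groups,DC=example,DC=com"
)
```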
