0 votes

Hi!

I want to auto populate the Manager dropdown list (when HR is creating a new user) with the members of two different groups in our AD. Can this be done?

Best regards,

Kaj Lehtinen

by (650 points)

1 Answer

0 votes
by (223k points)
Best answer

Hello Kaj,

Yes, this can be achieved using a Business Rule triggering After Adding or removing a member from a Group. If a member is added/removed from one of the two groups that contain managers, the Business Rule will automatically update the list of possible values for the Manager property in a Property Pattern. To create the Business Rule:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Business Rule.

  3. On step 2 of the Create Business Rule wizard, select the Group object type.

  4. Select After Adding or removing a member from a Group and click Next.

  5. Click Add Action and select Run a program or PowerShell script.

  6. Paste the script below into the Script field.

     $groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
     $isPropertyRequired = $True # TODO: modify me
     $patternName = "User Pattern" # TODO: modify me
    
     # Paged subtree search that does not chase referrals. With $searchInAllDomains
     # set, the search covers every domain managed by the Adaxes service.
     function SearchObjects($path, $filter, $properties, $searchInAllDomains)
     {
         $searcher = $Context.BindToObject($path)
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
         $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.SetPropertiesToLoad($properties)
         if ($searchInAllDomains)
         {
             $searcher.VirtualRoot = $True
         }
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             # The leading comma keeps a single result from being unrolled into a scalar
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     # Build one (objectGuid=...) clause per direct member of each manager group.
     # adm-DirectMembersGuid lists direct members only; nested groups are not expanded.
     $filter = New-Object "System.Text.StringBuilder"
     foreach ($dn in $groupDNs)
     {
         $group = $Context.BindToObjectByDN($dn)
         try
         {
             $guidsBytes = $group.GetEx("adm-DirectMembersGuid")
         }
         catch
         {
             continue # Attribute not set: the group has no members
         }
    
         foreach ($guidBytes in $guidsBytes)
         {
             $guid = [Guid]$guidBytes
             # FilterBuilder escapes the 16 raw GUID bytes for use inside an LDAP filter
             [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
         }
     }
    
     # Search Property Pattern
     $propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
     $searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
     if ($searchResults.Length -eq 0)
     {
         $Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
         return
     }
     elseif ($searchResults.Length -gt 1)
     {
         $Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")
         return
     }
    
     # Bind to the Property Pattern
     $pattern = $Context.BindToObject($searchResults[0].AdsPath)
    
     # Remove the existing item for the 'Manager' property; it is recreated below with
     # the current member list. If both groups are empty, the item stays removed and
     # no value list is enforced for the property.
     foreach ($item in $pattern.Items)
     {
         if ($item.PropertyName -ieq "manager")
         {
             $pattern.Items.Remove($item)
             break
         }
     }
    
     if ($filter.Length -eq 0)
     {
         return # Groups have no members
     }
    
     # Get member DNs. sAMAccountType 805306368 matches user accounts only, so nested
     # groups, computers and contacts that are members never become Manager values.
     $memberDNs = @()
     $searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
     $searchResults | ForEach-Object { $memberDNs += $_.Properties["distinguishedName"].Value }
    
     # Create a new item for the 'Manager' property
     $item = $pattern.Items.Create()
     $item.PropertyName = "manager"
     $item.IsPropertyRequired = $isPropertyRequired
    
     # Constrain the property to the member DNs (a "must be one of the following values" rule)
     $constraints = $item.GetConstraints()
     $constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
     $constraint.AreValuesDenied = $False
     $constraint.Values = $memberDNs
     $constraints.Add($constraint)
     $item.SetConstraints($constraints)
    
     # Save the changes
     $item.SetInfo()
     $pattern.Items.Add($item)
    
  7. Enter a short description and click OK.

  8. Click Next and add the groups that contain managers to the Activity Scope of the Business Rule.

  9. Finish creating the Business Rule.

You should have something like the following:

0

Thanks,

Do I need to update these two?

$isPropertyRequired = $True # TODO: modify me
$patternName = "User Pattern" # TODO: modify me

0

Hello Kaj,

If the Manager property must not be empty in user accounts, set the $isPropertyRequired variable to $True. Otherwise, set it to $False.

The $patternName variable specifies the name of the Property Pattern in which to update possible values of the Manager property. Out of the box, there is only one Property Pattern configured for User Object type (User Pattern). If you want to update possible values of the Manager property in another Property Pattern, enter its name into the variable.

0

If the Manager property must not be empty in user accounts, set the $isPropertyRequired variable to $True. Otherwise, set it to $False.

Just to be sure here - we're not out to change the manager properties on the user account, but change the property pattern with list of managers from two groups.

The $patternName variable specifies the name of the Property Pattern in which to update possible values of the Manager property. Out of the box, there is only one Property Pattern configured for User Object type (User Pattern). If you want to update possible values of the Manager property in another Property Pattern, enter its name into the variable.

Tried the suggested rule, changed a user in one of the groups in question - but the property pattern (contents of the dropdown box on the website) didn't change accordingly when refreshing the page. How fast does the rule trigger, and does it trigger when a member is changed in ADUC or only in the Adaxes web interface?

0

Hello Kaj,

Just to be sure here - we're not out to change the manager properties on the user account, but change the property pattern with list of managers from two groups.

Yes, that is correct.

How fast does the rule trigger, and does it trigger when a member is changed in ADUC or only in the Adaxes web interface?

The Business Rule will trigger immediately if you add/remove members of one of the groups included in the Activity Scope of the rule. Adaxes Business Rules trigger only if an operation is performed in Adaxes (Web Interface or Administration Console). If you add/remove members with ADUC, the Business Rule will not trigger.

0

OK, I've tried in the Adaxes web console also, but it doesn't update the property.

According to the log it detects the change of group membership, but there is no update of the property pattern.

Currently we have, under Property Patterns & Manager, set that the property is required and "Must be one of the following values only", and then we've earlier manually kept updating the list. This is what we want to get rid of.

On the Business Rule itself & its Activity Scope, we've got the two groups entered. But shouldn't it be the user that makes the change that should be in there, since the groups in question are already present in the PowerShell script?

0

So I think that I'm starting to understand this a bit more.

Our Property Pattern that we want to change is called Managers, so I set the $patternName variable to Managers; the property name in that Property Pattern is Manager.

Do we need to insert that somewhere in the script too, so the event knows what to change and where?

I've done the change of the $patternName variable, but still nothing happens. The log section of the Administration Console doesn't reflect anything more than the actual group membership change.

0

Hello Kaj,

Sorry for the confusion, we have provided an incorrect screenshot of the Business Rule Activity Scope. It has to be like the following:

But shouldn't it be the user that makes the change that should be in there, since the groups in question are already present in the PowerShell script?

No, the Business Rule triggers on updating members of the groups not on updating groups a user is member of.

0

Success, now things started to happen.

Thanks.

/kaj

0

Last question: can the adding of a user to a group or the removal of a user from a group be assigned to a custom menu in the web interface? I'm thinking of simplifying everything as much as possible for our HR department (who will be doing this).

I.e. one action/menu to select a user, who is then automatically inserted into the right group, and one remove-user action so that they just select the user to remove from the group.

If the above can be added as custom menu items (I think it's possible?), then we don't need to expose the wizard that shows all the groups in the second step to the HR department. Or can we limit the scope of which groups the HR department can act upon?

Currently the HR manager is set as Manager of the two distribution lists.

/Kaj

0

Hello Kaj,

Have a look at the following tutorial: http://www.adaxes.com/tutorials_WebInte ... ctions.htm. You can use the Add to Group and Remove from Group actions.

0

Thanks,

Think I've got the hang of it, although when making a custom action to remove users from a specific group, I would like to show the members of the group, not all the AD members (as shown by default).

/Kaj

0

Hello Kaj,

On step 3 of the guide for the Remove from Group action, you can specify an LDAP filter for the displayed users. Use the following LDAP filter: (memberOf=CN=Sales Managers,OU=Sales,DC=example,DC=com), where CN=Sales Managers,OU=Sales,DC=example,DC=com is the distinguished name of the group.
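Added example, not part of this thread and not Adaxes code: both the Business Rule script above (the objectGuid OR-filter that FilterBuilder assembles from adm-DirectMembersGuid) and the memberOf filter in this answer depend on values being escaped according to RFC 4515. The stand-alone PowerShell below shows that escaping explicitly, so you can see what FilterBuilder does for the GUID bytes and apply the same rule to a group DN that contains '(', ')', '*' or '\' (for example a CN like "Managers (EMEA)"), which would otherwise break or widen the memberOf filter. The function names, the sample DN and the GUIDs are invented for the example; no Adaxes $Context is needed, it runs in plain PowerShell 5.1 or 7.

```powershell
# Added example, not from the forum thread or the Adaxes product. Plain PowerShell
# (5.1 or 7), no Adaxes $Context required. Function names and sample data below
# are invented for illustration.

function ConvertTo-LdapFilterValue {
    # Escape a string for use inside an LDAP search filter (RFC 4515, section 3).
    # '*', '(', ')', '\' and NUL must be written as \XX; escaping every byte
    # outside printable ASCII the same way is also valid and keeps UTF-8 safe.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $escaped = New-Object System.Text.StringBuilder
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        if (($b -in @(0x2A, 0x28, 0x29, 0x5C)) -or $b -lt 0x20 -or $b -gt 0x7E) {
            [void]$escaped.Append('\' + $b.ToString('x2'))
        }
        else {
            [void]$escaped.Append([char]$b)
        }
    }
    return $escaped.ToString()
}

function ConvertTo-LdapGuidClause {
    # objectGUID is a 16-byte binary attribute; a filter has to carry the raw
    # bytes as \XX pairs, which is what FilterBuilder::Create("objectGuid", $guid)
    # produces in the Business Rule script.
    param([Parameter(Mandatory)][Guid]$Guid)
    $hex = ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    return "(objectGUID=$hex)"
}

function New-MemberSearchFilter {
    # OR together one objectGUID clause per direct member and restrict the hit
    # list to user accounts (805306368 = SAM_NORMAL_USER_ACCOUNT) so nested
    # groups, computers and contacts never end up in the Manager value list.
    param([Parameter(Mandatory)][AllowEmptyCollection()][Guid[]]$MemberGuids)
    if ($MemberGuids.Count -eq 0) { return $null }   # empty groups: nothing to search
    $clauses = ($MemberGuids | ForEach-Object { ConvertTo-LdapGuidClause $_ }) -join ''
    return "(&(sAMAccountType=805306368)(|$clauses))"
}

function New-MemberOfFilter {
    # The custom-action filter from the answer above, built with escaping so a
    # group DN containing '(' ')' '*' or '\' cannot break or widen the filter.
    param([Parameter(Mandatory)][string]$GroupDN)
    return "(memberOf=$(ConvertTo-LdapFilterValue $GroupDN))"
}

# Constructed sample input: a group whose CN contains parentheses, and two GUIDs.
$sampleGroupDN = 'CN=Managers (EMEA),OU=Groups,DC=example,DC=com'
$sampleGuids   = [Guid]'00112233-4455-6677-8899-aabbccddeeff',
                 [Guid]'ffffffff-0000-1111-2222-333344445555'

New-MemberOfFilter -GroupDN $sampleGroupDN
New-MemberSearchFilter -MemberGuids $sampleGuids
New-MemberSearchFilter -MemberGuids @()
```

Inside an Adaxes script you do not need ConvertTo-LdapGuidClause, since FilterBuilder already escapes the GUID bytes; the value of the example is the memberOf case, where the DN is typed by hand into the custom action's filter field and gets no escaping unless you add it.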
