0 votes

Is there a way to auto-populate AD group membership without specifying a separate condition statement for each group? I was hoping to pass the 'department' value by reference after the user is created and then have the membership assigned to the referenced group accordingly.

by (90 points)

1 Answer

0 votes
by (18.0k points)

Hello,

Yes it is possible using a script. Here is a sample one:

Import-Module Adaxes
# Bind to a group. The distinguished name of the group depends on the Department property of the user.
$myGroup = Get-AdmGroup "CN=%department%,CN=Users,DC=company,DC=com"
# Add the user to the group
Add-AdmGroupMember $myGroup "%distinguishedName%"

To use the script, you need to install the Adaxes PowerShell Module on the computer, where the Adaxes service is running. Adaxes PowerShell Module is installed with the same installation package as used to install Adaxes service.

For more details, please see Automatically Change Group Membership Using Scripts.

0

0

Hello Joe,

Probably, the issue is that the conditions of your Business Rule are not met. Can you also post the actions and conditions of your Business Rule?

0

I'm attempting to use this script and receiving the following error:

Cannot validate argument on parameter 'TargetPath'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.

This is my modified version of the script:

Import-Module Adaxes
$Office = "%Office%"
$departmentMap = # TODO: modify me
@{
"Dallas"="OU=USA-Dallas,OU=Adaxes,DC=mydomain,DC=local";
"London"="OU=GBR-London,OU=Adaxes,DC=mydomain,DC=local";
}
$targetOU = $departmentMap[$Office]
if ($targetOU -eq $NULL)
{
$Context.LogMessage("No target OU specified for Office '$Office'", "Warning")
return
}
Move-AdmObject "%distinguishedName%" $targetOU

0

Michael,

The value reference for the Office property is not %Office%, it is %physicalDeliveryOfficeName% because the LDAP name for this property is physicalDeliveryOfficeName. Here's the script modified to your needs:

Import-Module Adaxes
$Office = "%physicalDeliveryOfficeName%"
if ([System.String]::IsNullOrEmpty($Office))
{
    $Context.LogMessage("The Office property is not specified", "Warning")
    return
}

$departmentMap = # TODO: modify me
@{ 
    "Dallas"="OU=USA-Dallas,OU=Adaxes,DC=mydomain,DC=local";
    "London"="OU=GBR-London,OU=Adaxes,DC=mydomain,DC=local";
}

$targetOU = $departmentMap[$Office]
if ([System.String]::IsNullOrEmpty($targetOU))
{
    $Context.LogMessage("No target OU specified for Office '$Office'", "Warning")
    return
}
Move-AdmObject "%distinguishedName%" $targetOU

We tested the script in our testing environment and it works perfectly. We didn't manage to reproduce the error that you get.

0

Thank you that did the trick!

Related questions

0 votes
1 answer

We have four OUs in Active Directory (Pending Deletion, Disabled with Mail Delegates, Disabled with HR Extensions and Disabled_Temp_Leave) that users are moved to prior to their eventual ... past 7 days have been moved to one of 4 of these OUs. Thanks!

asked Jun 3, 2021 by RayBilyk (230 points)
0 votes
1 answer

Is it possible to script having users added (or removed) from a Security Group based on another AD Attribute? I have found ways to do this in Powershell (something like): ... just utilize the PS script and just run it through Adaxes on a timed fashion? Thanks!

asked Oct 7, 2014 by PunkinDonuts (360 points)
0 votes
1 answer

Hi, Is there a way to give an (by default for every user) automatic lockout expiry to each new user account that is created? I know there's a way of adding expiry ... -Feb-2013, then it should by automatically get locked out again on 04-Mar-2013. Regards,

asked Sep 29, 2013 by jeet (80 points)
0 votes
1 answer

I'm unable to Browse the AD OUs my Security Role Trustee is Assigned Over in my Custom Web Portal. When clicking Browse it states "No objects to display". How can I rectify this issue?

asked Feb 1, 2013 by mdeflice (350 points)
0 votes
1 answer

Hi! Can ADAxess be used to populate a AD group with computer objects who's name partly matches a AD username from another group? I'e let say we have a group named ' ... channel until problem is solved by just adjusting which group they belong to .... /Kaj

asked Jun 12, 2018 by KajLehtinen (650 points)
3,326 questions
3,026 answers
7,727 comments
544,678 users