0 votes

This may be a stupid question but I'm looking to create an approval process for users being added to sensitive AD groups such as the domain admins group.

How would I set up the business rule?

My thought is to use the "Before User is Updated" operator which is simple enough but not sure which condition to use especially since the condition is based on changes that have not yet happened...

by (610 points)

1 Answer

0 votes
by (216k points)


Actually, you need the Before adding a member to a Group condition. To accomplish your task:

  1. Create a new Business Rule.
  2. On the 2nd step of the of the Business Rule creation wizard, select Group and Before Adding a member to a Group.
  3. On the 3rd step of the wizard, add the Send this operation for approval action.
  4. On the 4th step of the wizard, you can limit the Activity scope of the Business Rule to only the groups that you need. Click Add...
  5. In the Business Rule Activity Scope dialog that appears, select a group you want to create the approval process for and double-click it.
  6. In the Assignment Options dialog that appears, select This Group object if you want approvals to be sent for adding members to this group. Select also Members of this Group, if you also want the Business Rule to be applicable to other groups nested within this group.
  7. Repeat steps 4-6 for as many groups as you want and save the Business Rule.

That should do the job.


Like I said I thought it was a stupid question, turns out it was. Obviously wasn't looking in the right place. Thanks again!

Related questions

0 votes
1 answer

When a new user account is created by copying an existing one, is it possible to prevent the new account from becoming a member of security groups in a specific OU (when the ... same way as the account being added to the group, which I need for audit purposes.

asked Sep 28, 2020 by markcox (70 points)
0 votes
1 answer

Can you please advise on the best way to do this? We have a forest with four domains. In one of those domains we keep consultants, partners, and vendors (lets call ... Adaxes users from adding users from Domain X to any groups outside of Domain X. Thanks

asked Jan 29, 2013 by jiambor (1.2k points)
0 votes
1 answer

Hi there, i know the multiple ways of copying the user groups - or all of them within the user creation wizard. I want to copy only a couple of groups ... is it possible to create an approval operation out of an powershellscript? Kind regards, Constantin

asked May 27, 2021 by Constey (190 points)
0 votes
1 answer

Pretty simple question. Upon user provisioning, based on business unit, is there a way to have the new O365 mailbox and user be added to an existing distribution group in ... could do this with local AD distribution groups, but that is currently not the case.

asked Sep 10, 2015 by eponerine (50 points)
0 votes
1 answer

Dear Support, I'm using this Script for adding User to Groups. Import-Module Adaxes $User = "%distinguishedName%" $group = get-AdmGroup "KendoxUser_%adm-CustomAttributeText17%" -Properties ... is in a Subdomain it doesn't work. Do you have any idea why?

asked Jan 28, 2014 by Napoleon (700 points)
3,175 questions
2,878 answers
507,627 users