0 votes

Can you please advise on the best way to do this? We have a forest with four domains. In one of those domains we keep consultants, partners, and vendors (lets call it Domain X). The rule is that any user in Domain X should never be a member of any groups in the other three domains, but users in the other three domains can be members of groups in any domain including Domain X. We would like to create a business rule that will prevent Adaxes users from adding users from Domain X to any groups outside of Domain X.

Thanks

by (1.2k points)

1 Answer

0 votes
by (216k points)

Hello,

Yes, this is possible. You can create a Business Rule that will be triggered before adding a member to a group and check, to which domains the user and the group belong. If the user is from the domain where you keep the accounts of your consultants etc, and the group is not from that domain, the Business Rule will cancel the operation. The checking will be done with the help of a PowerShell script. To create such a Business Rule:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select Group and Before Adding a member to a Group.

  3. On the 3rd step, add the Cancel this operation action.

  4. Click OK.

  5. Double-click Always.

  6. Select the If PowerShell script returns true condition and paste the following script:

     $disallowedDomain = "domain.com" # TODO: modify me
    
     $Context.ConditionIsMet = $False
     $newMemberDomainName = $Context.GetObjectDomain("%member%")
     if ($newMemberDomainName -ine $disallowedDomain)
     {
         return
     }
     $groupDomainName = $Context.GetObjectDomain("%distinguishedName%")
     if ($groupDomainName -ine $disallowedDomain)
     {
         $Context.ConditionIsMet = $True
     }
    

    In the script, $disallowedDomain specifies the domain where you keep accounts for consultants, partners etc.

  7. Enter a short description for the script and click OK.

  8. Finish creation of the Business Rule.

0

Thank you very much for the script. It works as advertised.

0

I need to revisit this. The script has been perfect as long as the changes are being made via the webpage. I am having issue with this business rule and modifying user membership via the Adaxes powershell tools. Right now, I was setting up a after creation user business rule where if the new user attribute employeeType = Consultant then put them into a group, then set that group as the primarygroup, and then remove from the Domain Users group. I receive the following error

 'INT Employee Tpe Rules': Add 'Capt Kirk (alloweddomain.com\\CCG Users)' to 'NoRights (alloweddomain.com\\Security Groups)'  
  Business Rules: Command Processor 'Business Rules' threw an exception when processing the command. A list of actions to be triggered by Business Rules couldn't be generated. Failed to check the following condition of the 'JV Group Access' business rule: If script 'Check for JV domain membership' returns true. Exception calling "GetObjectDomain" with "1" argument(s): "DN '<GUID=d891d948-b77e-4704-8d9e-5e264fe2281d>' is invalid.".

The business rule is using the script provided in this thread unchanged except to insert the disalloweddomain. I used the steps provided here Set user primary group to create the business rule to change the primary group.

I also have the problem when using the Adaxes powershell to modify group memberships and indicating the -adaxesservice switch

PS C:\\Windows\\system32> add-admgroupmember "this group" -member "CN=This User,OU=These Users,DC=alloweddomain,DC=com" -adaxesservice adaxesserver.alloweddomain.com  
add-admgroupmember : Command Processor 'Business Rules' threw an exception when processing the command.  
A list of actions to be triggered by Business Rules couldn't be generated.  
Failed to check the following condition of the 'JV Group Access' business rule: If script 'Check for JV domain membership' returns true.  
Exception calling "GetObjectDomain" with "1" argument(s): "DN '<SID=010500000000000515000000A5209E86A7B2F4A42B877F0E0C940000' is invalid.".  
At line:1 char:1  
+ add-admgroupmember "this group" -member "CN=This User,OU=These ...  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
 + CategoryInfo : NotSpecified: (:) \[Add-AdmGroupMember\], DirectoryComException  
 + FullyQualifiedErrorId : Softerra.Adaxes.PowerShellModule.Commands.SetAdmGroupMemberCommandExecutor:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.AddAdmGroupMemberCommand

This script has been great in maintaining our policy about the disalloweddomain members and I am hoping that this is an easy fix.

Thanks in advance

0

Hello,

Can you post a screenshot of your Business Rule?

0

Emailed the image to the support address. I don't have a way to host the image at the moment.

0

Hello,

We've received your email and passed the info to our script guys. We'll update this topic as soon as they come up with something.

I don't have a way to host the image at the moment.

Actually, whenever you need to post an image on this forum, you can just attach it to you post. For this purpose, click the Upload attachment link at the bottom of the Post a reply box, then click Browse, select the image you want to attach, and click Add the file.

0

Can you also send us / post here a screenshot of your Business Rule that changes the primary group?

0

Actually, no need for the screenshot. We managed to reproduce and find the cause of the issue. The thing is when an object is added to a group with the help of the Add to Group action or with the help of the Add-AdmGroupMember cmdlet, the %member% value reference returns the GUID or SID (Security Identifier) of the object instead of the object DN (Distinguished Name). To fix the issue, you need to update the PowerShell script that checks the user's domain before adding it to a group. Use the following version of the script:

$disallowedDomain = "domain.com" # TODO: modify me

$Context.ConditionIsMet = $False
$newMember = $Context.BindToObject("Adaxes://%member%")
$newMemberPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $newMember.ADsPath
$newMemberDomainName = $Context.GetObjectDomain($newMemberPath.DN)

if ($newMemberDomainName -ine $disallowedDomain)
{
    return
}
$groupDomainName = $Context.GetObjectDomain("%distinguishedName%")
if ($groupDomainName -ine $disallowedDomain)
{
    $Context.ConditionIsMet = $True
}
0

It is the last set where employeeType = Consultant

0

jiambor, we've already managed to find the cause of the issue. see Prevent user from being added to certain groups.

0

The new script is working nicely. Thanks again

Related questions

0 votes
1 answer

When a new user account is created by copying an existing one, is it possible to prevent the new account from becoming a member of security groups in a specific OU (when the ... same way as the account being added to the group, which I need for audit purposes.

asked Sep 28, 2020 by markcox (70 points)
0 votes
1 answer

We have some accounts that we would like to prevent from changing their password on login when it is expired. This is because we have saml setup on individual interface pages ... of a loophole for us as we require dual factor and use saml to accomplish this.

asked Oct 26, 2021 by mark.it.admin (2.3k points)
0 votes
1 answer

We have a customized the help desk security role to allow only resetting passwords and unlocking accounts. We don't want them to be able to enable accounts that are disabled ... writing to certain "account options"? It seems that its an all or nothing setting.

asked Nov 14, 2019 by mark.it.admin (2.3k points)
0 votes
1 answer

Hi, is there any way as I stated in the subject to prevent Adaxes from talking to certain Exchange servers in the environment? We have a couple of servers which are for ... and Adaxes always try's to contact them, resulting in an error. Regards Ingemar Jacob

asked Sep 12, 2013 by ijacob (960 points)
0 votes
1 answer

This may be a stupid question but I'm looking to create an approval process for users being added to sensitive AD groups such as the domain admins group. How would I ... to use especially since the condition is based on changes that have not yet happened...

asked Nov 1, 2012 by VTPatsFan (610 points)
3,326 questions
3,026 answers
7,727 comments
544,678 users