0 votes

Adaxes Support,

Is there a way to disable the Nested Group function of Active Directory in Adaxes? We are using some nested groups in rare cases, but our corporate standard is to not use nested groups due to the security ramifications and the complexity of deeply nested groups. I have tried to deny rights to the memberOf attribute in the permissions that are applied to the Owner (Managed By) Trustee assigned over the OU that all our groups are in, but this attempt did not work. How can we accomplish turning off or blocking users that manage groups so that they can only add members and not nest groups?


by (80 points)

1 Answer

0 votes
by (215k points)

Hello Rodney,

There are two ways you can implement your task.

1. Disallow adding groups to other groups with the help of a Business Rule

You can disallow adding groups to other groups on the Adaxes service level, that is, nobody will be able to add groups to other groups in Adaxes. For this purpose you can create a Business Rule executed before adding a member to a group. When the Business Rule is triggered, it will launch a PowerShell script that will cancel adding a member to a group if the new member is another group. If you want to implement this solution, we can help you with the script.

2. Configure Adaxes Web interface

Alternatively, you can configure Adaxes Web interface so that it will not allow adding groups to other groups.

For this purpose, first of all, you need to configure the form that is used for viewing groups and disallow adding/removing group members in the Members section. After doing this, adding/removing members will be possible only in the Member Of section of AD objects or with the help of Home Page Actions. So, to add a user to a group, for example, you will need to locate the necessary user and add him/her to the necessary group in the user's Member Of section. Additionally, you can configure a Home Page Action that will allow adding members to groups and configure the action in such a way that it doesn't allow adding groups to other groups. To implement such a solution:

  1. Launch the Web Interface Configuration tool.
  2. In the Interface type drop-down list, select the Web Interface you want to configure.
  3. Activate the AD Management tab.
  4. Click Customize Forms and Views.
  5. In the dialog box that appears, select the Group object type and activate the View tab.
  6. Select the Members section.
  7. In the Section Parameters section, deselect the Allow adding/removing members option.
  8. Click OK.
  9. For information on how to create a Home Page Action that allows adding members to groups, see Add to Group in Configure Home Page Actions. In Step 3 you will find information on how to allow adding only objects of specific types.

By the way, in our next version, which will be available at the end of September, it will be possible to specify which types of objects will be displayed in the Members and Member Of sections and can be added/removed in these sections.


I think option 1 will work for us. Can you provide the PowerShell script that can block nested groups?




Hello Rodney,

Yes, sure, here you are:

# Bind to the object that is about to be added as a member (%member% is its DN)
$member = $Context.BindToObjectByDN("%member%")

# If the new member is itself a group, cancel the operation
if ($member.Class -ieq "group")
{
    $Context.Cancel("You cannot add groups to other groups!") # TODO: modify me
}

To create a Business Rule that does not allow adding groups to other groups:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select Group and Before Adding a member to a Group.
  3. On the 3rd step, add the Run a program or PowerShell script action and paste the above script in the Script field.
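As an added example (not the script from the answer above, and not Adaxes' own code), here is a fuller version of the same Business Rule script for the "Before adding a member to a group" trigger. It keeps the check from the answer, adds a hypothetical allowlist of parent groups for the rare approved exceptions the question mentions, and writes a log entry for every blocked or exempted attempt so the policy is auditable. It assumes the Adaxes value references `%member%` (DN of the member being added) and `%distinguishedName%` (DN of the target group), and the `$Context` methods `BindToObjectByDN`, `LogMessage` and `Cancel`; the group DN in the allowlist is a constructed placeholder.

```powershell
# Added example: Business Rule script, "Before adding a member to a group".
# Assumes the Adaxes value references %member% and %distinguishedName%
# and the $Context methods BindToObjectByDN, LogMessage and Cancel.

# Hypothetical allowlist of parent groups in which nesting is still permitted.
# Replace with the DNs of the approved exceptions, or leave empty to block
# nesting everywhere. The DN below is a constructed placeholder.
$allowedParentGroups = @(
    "CN=Nesting-Approved-Example,OU=Groups,DC=example,DC=com"
)

$memberDN      = "%member%"            # DN of the object being added
$targetGroupDN = "%distinguishedName%" # DN of the group being modified

$member = $Context.BindToObjectByDN($memberDN)

# Only group-in-group additions are of interest; users, computers and
# contacts pass through untouched.
if ($member.Class -ine "group")
{
    return
}

# Rare, approved exception: allow it, but leave a trace in the Adaxes log.
if ($allowedParentGroups -icontains $targetGroupDN)
{
    $Context.LogMessage("Nested group permitted by exception: '$memberDN' added to '$targetGroupDN'.", "Warning")
    return
}

# Default: refuse the nesting and record the attempt in the operation log.
$Context.LogMessage("Blocked nesting of group '$memberDN' into '$targetGroupDN' (nested groups are not allowed by policy).", "Error")
$Context.Cancel("Nested groups are not allowed. Add users directly to '$targetGroupDN' instead.")
```

Because the rule runs before the membership change is committed, `$Context.Cancel` prevents the nesting regardless of which client (Web interface, Administration Console, or another Business Rule) initiated it; the Web interface configuration in option 2 only hides the UI path, so option 1 is the one that enforces the standard.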
