
Hi.
I am in the midst of setting up Adaxes for testing (trial licence), and I need to make sure it can do what we want to use it for.

Here goes:
I have a business rule "When a user is disabled"
If the operation succeeded AND
the User is located under the...... then
Move the User to.....
Modify the user: set Description to...

The issue here is that, before we disable a user, we remove group membership from all groups except "Domain Users" and set the "msExchHideFromAddressLists" AD property to "True". How can I add this to my business rule above, so this is automated?

Thank you.


1 Answer


Hello,

It is possible to do what you need with the help of Business Rules.

  1. Create a Business Rule that will be executed after disabling a user account.

  2. To automatically remove the disabled user from a specific group, you need to add the Remove the User from a group action to your Business Rule.


    Alternatively, if you want to remove disabled users from all groups except 'Domain Users', you can add the Run a program or PowerShell script action to your Business Rule that will execute the following PowerShell script:

     Import-Module Adaxes
     # %distinguishedName% is replaced by Adaxes with the DN of the user being disabled
     $user = Get-AdmUser "%distinguishedName%" -Properties MemberOf
     # memberOf never lists the primary group (Domain Users by default),
     # so looping over it leaves the Domain Users membership intact
     if ($user.MemberOf -ne $Null)
     {
         foreach ($groupDN in $user.MemberOf)
         {
             Remove-AdmGroupMember $groupDN -Members $user -Confirm:$False
         }
     }
    


    NOTE: To use this script, you need to install the Adaxes PowerShell Module on the computer where the Adaxes service is running. The Adaxes PowerShell Module is installed with the same installation package as is used to install the Adaxes service.

  3. To set the msExchHideFromAddressLists property to True, add the Update the user action to your Business Rule and set the msExchHideFromAddressLists property to True.

Also, you can use the Deprovision User custom command to automate user deprovisioning. For details, see Configure User Deprovisioning.
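The following script is an added example, not part of the original answer, that does both steps of the question in one Run a program or PowerShell script action of a Business Rule triggered after a user is disabled: it removes every group membership except the ones listed in $keepGroups and then sets msExchHideFromAddressLists. Unlike the script above it also handles the case where Domain Users is no longer the user's primary group and therefore does appear in memberOf. The group name "Domain Users" (not localized here) and the %distinguishedName% placeholder are assumptions about the environment.

```powershell
Import-Module Adaxes

# %distinguishedName% is replaced by Adaxes with the DN of the user the
# Business Rule runs on (assumption: the rule is scoped to user objects).
$userDN = "%distinguishedName%"

# Groups the disabled user keeps. Domain Users is normally the primary group and
# is then absent from memberOf, but if the primary group was ever changed it is
# listed like any other group, so exclude it by name instead of relying on that.
$keepGroups = @("Domain Users")

# True if the group DN's first RDN names one of the groups to keep.
function Test-KeepGroup([string]$groupDN, [string[]]$keep)
{
    foreach ($name in $keep)
    {
        if ($groupDN -like "CN=$name,*") { return $true }
    }
    return $false
}

$user = Get-AdmUser $userDN -Properties MemberOf

$removed = @()
foreach ($groupDN in $user.MemberOf)
{
    if (Test-KeepGroup $groupDN $keepGroups) { continue }
    Remove-AdmGroupMember -Identity $groupDN -Members $userDN -Confirm:$false
    $removed += $groupDN
}

# Hide the disabled account from Exchange address lists.
Set-AdmUser -Identity $userDN -Replace @{ msExchHideFromAddressLists = $true }

# $Context exists only when the script runs inside an Adaxes Business Rule;
# write a summary to its Execution Log so the operator sees what was changed.
if ($null -ne $Context)
{
    $Context.LogMessage("Removed from " + $removed.Count + " group(s): " + ($removed -join "; "), "Information")
    $Context.LogMessage("msExchHideFromAddressLists set to True", "Information")
}
```

Because the script runs after the disable operation succeeded, a failure in Remove-AdmGroupMember (for example a group the Adaxes service account cannot modify) is reported in the Execution Log rather than blocking the disable itself; if you need the group cleanup to be mandatory, run the same script from a Business Rule triggered before disabling and call $Context.Cancel() on error.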


Thank you very much Eugene.
The "Show all properties" was the one I overlooked, and the script part is brilliant :)

Almost ready for real testing. Just some issues left regarding how I can handle Exchange mail and user creation.

When I log into the Help Desk part of Adaxes as a HR User, I don't get a Create new user option
What should I do to get this option under Actions?

These are currently our HR Permissions:

Regarding my mailbox/Exchange issues, here what I would like to happen:
1 - I log on to the Help Desk and choose New user under Actions.
2 - I fill out all fields (predefine what fields should be filled out [visible]: I do this from "Adaxes Web Interface Configuration" under "AD Management", right!)
2.1 - Our users are setup like this: "Samuel"[%firstname%] - "L. Jackson"[%lastname%] - User logon name/sAMAccountName "slj"[%?????%].
Exchange: See the screenshot below.

As you can see, this is how I would like the mail addresses set up (and I would like to have the check mark "Automatically update e-mail addresses based on e-mail address policy" removed). There are a couple of issues here. In my user example above the last name is "L. Jackson". You can see the "." after the L here in the SMTP address, but what if the user was named "Samuel L. Cool Jackson"? Then the mail address would be "Samuel.L.CoolJackson@domain.com". Now there is a "." missing between Cool and Jackson. I don't want all spaces replaced by a ".", and if there already is a "." then just remove the empty space. The point being that we always end up with an SMTP address that complies with our IT policy (which, by the way, I did not create :) ).
I assume the sAMAccountName, when entered while creating the user, is checked to see whether it is already in use (as login name and SMTP alias [mailNickname])? (If not, how can I achieve this?)
3 - Then there are the Exchange storage groups. We have 5 Exchange storage groups. The user mailbox should be placed depending on which security group he is a member of when he is created (I know how to achieve this, the problem is... see picture below). There are multiple security groups belonging to single Exchange storage groups. If I could change the AND to an OR only in this line (instead it changes all ANDs to ORs), it would solve the issue!

That's all I could think of right now. (Just kidding :) )
I know this can probably be difficult for you to explain everything to me here. If it is possible, we could have a TeamViewer session(please PM me, if this is possible). I bet that would save you some serious time instead of explaining everything to me in details.

I have to demo this to a couple of people, and it has to work correctly when I do this demo/live test. It will be the decisive factor in whether my boss wants to pay for a license or not (which I of course want him to, so we can be offloaded a bit regarding general user maintenance).


When I log into the Help Desk part of Adaxes as a HR User, I don't get a Create new user option

By default, the Web Interface for Help Desk is not configured to display the Create User operation on the Home page.
On how to configure the Actions page to display the Create User operation, please see Configure Home Page Actions.

I fill out all fields(predefine what fields should be filled out[visible]: i do this from "Adaxes Web Interface Configuration" under "AD Management", right!)

Right! For more details, see Customize Forms for User Creation and Editing.

Our users are setup like this: "Samuel"[%firstname%] - "L. Jackson"[%lastname%] - User logon name/sAMAccountName "slj"[%?????%]...

I suggest you generate user logon names using a script.

  1. Remove the User Logon Name and User Logon Name (pre-Windows 2000) fields from the user creation form.

  2. Create a Business Rule that is executed BEFORE user creation. This Business Rule must execute a script that will generate user logon names.
    The script may look as follows (you will probably need to modify it to comply exactly with your policy):

     Import-Module Adaxes

     # If either First Name or Last Name is not specified, do nothing
     if (-not($Context.IsPropertyModified("givenName")) -or -not($Context.IsPropertyModified("sn")))
     {
         return;
     }

     # TODO: specify your domain name
     $domainName = "domain.com";

     # Get First Name and Last Name
     $firstName = $Context.GetModifiedPropertyValue("givenName");
     $lastName = $Context.GetModifiedPropertyValue("sn");

     # Replace spaces in First Name and Last Name.
     # The regular expression replaces a run of whitespace, optionally preceded by a dot,
     # with a single dot, so "L. Cool Jackson" becomes "L.Cool.Jackson" (no double dots).
     $regEx = New-Object "System.Text.RegularExpressions.RegEx" "\s*\.?\s+";
     $firstName = $regEx.Replace($firstName, ".");
     $lastName = $regEx.Replace($lastName, ".");

     # Generate User Logon Name (pre-Windows 2000).
     # sAMAccountName is limited to 20 characters; truncate so that user creation does not fail.
     $maxLength = 20;
     $samAccountName = $firstName + "." + $lastName;
     if ($samAccountName.Length -gt $maxLength)
     {
         $samAccountName = $samAccountName.Substring(0, $maxLength);
     }

     # If a user with the generated logon name exists, add a digit to the end of it,
     # shortening the name if needed so the result still fits in 20 characters
     $initialUserName = $samAccountName;
     $digit = 1;
     while ((Get-AdmUser $samAccountName -ErrorAction SilentlyContinue) -ne $NULL)
     {
         $suffix = $digit.ToString();
         $stem = $initialUserName;
         if ($stem.Length + $suffix.Length -gt $maxLength)
         {
             $stem = $stem.Substring(0, $maxLength - $suffix.Length);
         }
         $samAccountName = $stem + $suffix;
         $digit = $digit + 1;
     }

     # Build User Logon Name
     $userPrincipalName = $samAccountName + "@" + $domainName;

     # Update the user logon name in the pending create operation
     $Context.SetModifiedPropertyValue("samAccountName", $samAccountName);
     $Context.SetModifiedPropertyValue("userPrincipalName", $userPrincipalName);

     # Update the Execution Log
     $Context.LogMessage("User Logon Name:  " + $userPrincipalName, "Information");
     $Context.LogMessage("User Logon Name (pre-Windows 2000): " + $samAccountName, "Information");
    

    The script generates a user logon name, and if another user with the same logon name exists in AD, adds a digit to the end of it.
    The generated user logon name is displayed in the Execution Log.

    For more details, see Validate/Modify User Input Using a Script.

I would like to have the Check-mark "Automatically update e-mail addresses based on e-mail address policy" removed

To clear this check box, just set the msExchPoliciesExcluded property to {26491CFC-9E50-4857-861B-0CB8DF22B5D7}.
You can do this automatically with the help of a Business Rule that is triggered after user creation, or after mailbox creation.


Alternatively, your Business Rule can execute the following PowerShell script to disable this option:

# Exchange 2007 snap-in; on Exchange 2010 the snap-in is named Microsoft.Exchange.Management.PowerShell.E2010
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
# %distinguishedName% is replaced by Adaxes with the DN of the user the rule runs on
Set-Mailbox -Identity "%distinguishedName%" -EmailAddressPolicyEnabled $false

User mailbox should be placed depending on which Security group he is a member of when he is created.

It is impossible to do it the way you want. I suggest you create mailboxes right after you add users to groups.


I hope this will help ;)

If you want to arrange a TeamViewer session or something like this, please write me a PM.
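The script in the answer above builds firstname.lastname logon names, while the question asked for "slj"-style names (first initial plus the initial of each last-name word) and for SMTP addresses where an existing "L." is not turned into "L..". The following is an added example, not part of the original answer, for the same BEFORE-user-creation Business Rule: it generates both names, checks that the logon name is not already in use as sAMAccountName or mailNickname and that the address is not already in anyone's proxyAddresses, and appends 2, 3, ... on collision while keeping sAMAccountName within the 20-character limit. The domain name, the ASCII-only character policy and writing the address into the mail attribute are assumptions; the address policy is assumed to be disabled for the mailbox as described above, otherwise Exchange re-applies its own address.

```powershell
Import-Module Adaxes

$domainName = "domain.com"   # assumption: UPN suffix and SMTP domain

# "Samuel" + "L. Jackson" -> "slj": first letter of the first name followed by the
# first letter of every word of the last name (dots and spaces both separate words).
function ConvertTo-InitialsLogonName([string]$firstName, [string]$lastName)
{
    $lastWords = @($lastName -split '[\s.]+' | Where-Object { $_ -ne "" })
    $initials = $firstName.Trim().Substring(0, 1)
    foreach ($word in $lastWords) { $initials += $word.Substring(0, 1) }
    return $initials.ToLower()
}

# "Samuel" + "L. Cool Jackson" -> "Samuel.L.Cool.Jackson": every run of spaces
# and/or dots collapses to one dot, so "L. " becomes "L." rather than "L..".
function ConvertTo-SmtpLocalPart([string]$firstName, [string]$lastName)
{
    $joined = $firstName.Trim() + " " + $lastName.Trim()
    $local = [regex]::Replace($joined, '[\s.]+', '.')
    # Assumption: the policy allows only ASCII letters, digits, dot and hyphen.
    $local = [regex]::Replace($local, '[^A-Za-z0-9.\-]', '')
    return $local.Trim('.')
}

# Append 2, 3, ... to $base until the $inUse check says the name is free,
# keeping the result within $maxLength (20 for sAMAccountName).
function Get-UniqueName([string]$base, [int]$maxLength, [scriptblock]$inUse)
{
    $candidate = $base.Substring(0, [Math]::Min($base.Length, $maxLength))
    $suffix = 2
    while (& $inUse $candidate)
    {
        $room = $maxLength - $suffix.ToString().Length
        $candidate = $base.Substring(0, [Math]::Min($base.Length, $room)) + $suffix
        $suffix++
    }
    return $candidate
}

# Collision checks through the Adaxes cmdlets. A logon name is taken if it is
# already someone's sAMAccountName or Exchange alias; an address is taken if it
# is in anyone's proxyAddresses (LDAP matching is case-insensitive).
$logonNameInUse = { param($name)
    $null -ne (Get-AdmUser -LdapFilter "(|(sAMAccountName=$name)(mailNickname=$name))") }
$addressInUse = { param($localPart)
    $null -ne (Get-AdmUser -LdapFilter "(proxyAddresses=smtp:${localPart}@${domainName})") }

# Business Rule body: runs before user creation, like the script in the answer above.
if ($Context.IsPropertyModified("givenName") -and $Context.IsPropertyModified("sn"))
{
    $firstName = $Context.GetModifiedPropertyValue("givenName")
    $lastName = $Context.GetModifiedPropertyValue("sn")
    if ([string]::IsNullOrWhiteSpace($firstName) -or [string]::IsNullOrWhiteSpace($lastName))
    {
        $Context.LogMessage("First or last name is empty; logon name not generated", "Warning")
        return
    }

    $sam = Get-UniqueName (ConvertTo-InitialsLogonName $firstName $lastName) 20 $logonNameInUse
    $local = Get-UniqueName (ConvertTo-SmtpLocalPart $firstName $lastName) 64 $addressInUse

    $Context.SetModifiedPropertyValue("sAMAccountName", $sam)
    $Context.SetModifiedPropertyValue("userPrincipalName", "${sam}@${domainName}")
    $Context.SetModifiedPropertyValue("mailNickname", $sam)
    $Context.SetModifiedPropertyValue("mail", "${local}@${domainName}")
    $Context.LogMessage("Logon name: $sam; primary SMTP: ${local}@${domainName}", "Information")
}
```

The uniqueness check queries the directory at creation time, so two operators creating "Samuel L. Jackson" and "Sara L. Jensen" at the same moment can still both be offered "slj"; the second creation then fails on the sAMAccountName constraint instead of silently producing a duplicate, which is the safe failure.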


Hi again Eugene and thank you again for your help.

1 - I have decided to make much use of the "User Pattern" functionality in Adaxes. There is just one more thing I'm unable to get in there. I want to auto-populate users' group membership after creation [LDAP name: "memberOf"]. I know (and have used) that option in the web form, so HR can add group memberships to newly created users. But the group memberships I want to make are special and HR knows nothing of these groups. How can I do this?

2 - When I try to create a user from the Adaxes Help Desk (logged in as an HR user), I just get a red line at the top saying "Access denied!". I can't see anything useful in the log either!
Any ideas, as I'm kinda stuck here(regarding testing)?

Thank you.


Hello Brandur,

I want to auto-populate users group membership after creation

You can automatically add newly created users to groups using Business Rules.
For more details, see Automatically Add Users to Groups by Department.

For more complicated use cases, you can configure your Business Rule to add users to groups via a script:

Import-Module Adaxes

# Distinguished names of the groups to add every newly created user to
$dnGroup1 = "CN=My Group 1,CN=Users,DC=domain,DC=com";
$dnGroup2 = "CN=My Group 2,CN=Users,DC=domain,DC=com";

# %distinguishedName% is replaced by Adaxes with the DN of the user that was just created
Add-AdmPrincipalGroupMembership "%distinguishedName%" -MemberOf $dnGroup1, $dnGroup2

When I try to create a user from Adaxes Help-Desk(logged in as a HR user), I just get a red line at the top saying "Access denied!".

This error occurs because the user doesn't have the rights to create new user accounts in the selected OU.
You need to assign this user to a Security Role over the OU in which you are trying to create a new account:


For details, see Grant Rights to Create Users.
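The storage-group question earlier in the thread (several security groups feeding one mailbox database, which the condition editor's single AND/OR setting cannot express) is answered above by creating the mailbox right after the group memberships are assigned. The script below is an added example, not part of any answer in this thread, of doing that from a Business Rule that runs once membership is in place, for instance as a later action of the same rule that adds the groups: it maps group DNs to mailbox databases with a hashtable (the OR is simply several keys sharing a value), refuses to guess when the groups point at different databases, and skips users that already have a mailbox. The group DNs, database names, snap-in version and the %distinguishedName% placeholder are assumptions; the Exchange management tools must be installed on the Adaxes server.

```powershell
Import-Module Adaxes
# Exchange 2010 management snap-in (on Exchange 2007 the name is
# Microsoft.Exchange.Management.PowerShell.Admin).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop

# Assumed mapping from security group DN to mailbox database. Several groups may
# share a database: this is the OR that one condition list in the rule editor
# cannot express. Hashtable literals match keys case-insensitively.
$databaseByGroup = @{
    "CN=Sales,OU=Groups,DC=domain,DC=com"       = "MBX-DB01"
    "CN=Marketing,OU=Groups,DC=domain,DC=com"   = "MBX-DB01"
    "CN=Engineering,OU=Groups,DC=domain,DC=com" = "MBX-DB02"
    "CN=Finance,OU=Groups,DC=domain,DC=com"     = "MBX-DB03"
}
$defaultDatabase = "MBX-DB05"   # assumption: database for users in no mapped group

# Choose the database for a user's memberOf list. Membership in groups that map
# to two different databases is ambiguous and stops the rule instead of guessing.
function Get-MailboxDatabaseForUser([string[]]$memberOf, [hashtable]$map, [string]$fallback)
{
    $found = @()
    foreach ($groupDN in $memberOf)
    {
        if ($map.ContainsKey($groupDN)) { $found += $map[$groupDN] }
    }
    $distinct = @($found | Select-Object -Unique)
    if ($distinct.Count -eq 0) { return $fallback }
    if ($distinct.Count -gt 1)
    {
        throw ("Groups map to more than one database: " + ($distinct -join ", "))
    }
    return $distinct[0]
}

$userDN = "%distinguishedName%"
$user = Get-AdmUser $userDN -Properties MemberOf, mailNickname, msExchMailboxGuid

# msExchMailboxGuid is set once a mailbox exists; do not create a second one.
if ($null -ne $user.msExchMailboxGuid)
{
    $Context.LogMessage("User already has a mailbox; nothing to do", "Information")
    return
}

$database = Get-MailboxDatabaseForUser $user.MemberOf $databaseByGroup $defaultDatabase

# Reuse the alias chosen at creation (mailNickname) when there is one.
$params = @{ Identity = $userDN; Database = $database }
if (-not [string]::IsNullOrEmpty($user.mailNickname)) { $params.Alias = $user.mailNickname }
Enable-Mailbox @params

$Context.LogMessage("Mailbox created in database " + $database, "Information")
```

An uncaught throw from Get-MailboxDatabaseForUser surfaces as an error in the rule's Execution Log, so a user who ends up in two groups that disagree about the database is visible to the operator rather than being placed arbitrarily.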


Now the first error is gone, but I receive a new one "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: DOMAIN.NAME)". It does not state what attribute it's having issues with! I'm almost at the point where I wouldn't mind a TeamViewer session with you!

I know it's probably me, but... help :oops:


It looks like you configured Adaxes to automatically update some properties of AD users that can be modified by the system only.

This can happen, for example, if you configured a Business Rule to update the Member Of property of newly created users.


You guessed right, as usual ;)
Are there any rights I can give the HR security group so that they have the right to set Member Of in the web UI when creating new users (the special group memberships I can handle from a Business Rule, which works fine)?


Hello,

At the moment it is impossible to add a user to groups during creation. Right after a new user is created, the Member Of section is displayed and you can add the new user to groups.
