Create Dynamic Business Unit


Virtual collections of Active Directory objects, called Business Units, allow grouping objects based on certain criteria. You can create static Business Units, the membership in which does not depend on the logged in user. For example, if you create a Business Unit that includes users whose department is Sales, members of the Business Unit will be the same no matter who is logged in.

You can also create dynamic Business Units, members of which differ for different users. For example, a Business Unit can include users whose department is the same as the department of the logged in user. A user whose department is Sales will see members of the Sales department in the Business Unit, but the very same Business Unit will contain members from the IT department, when viewed by a user whose department is IT.

Apart from allowing users to browse and manage AD objects, Business Units can also be used to distribute permissions. Dynamic Business Units simplify the delegation process when objects which you want to delegate permissions for are related to users which you want to delegate the permissions to. For example, if you want to assign rights to users within their own department, instead of creating multiple assignments for each department, you can create just one for a Business Unit that includes objects whose department is the same as the department of the logged in user.

For information on how to use Business Units in Security Role assignments, see Delegate Rights on Business Unit Members.

Dynamic Business Units cannot be used in the activity scope of Business Rules, Scheduled Tasks, Password Self-Service Policies and Office 365 Tenants.

Membership in Business Units is based on membership rules. To create dynamic Business Units, instead of using specific AD objects and search filters in membership rules, you need to use templates. To include properties of the logged in user into templates, use value references (e.g. %department%). Value references will be replaced with corresponding property values of the account of the logged in user. Because membership, and any permissions delegated through the Business Unit, follows these property values, reference only properties that the users themselves cannot modify (for example, do not base a delegation on a property that users can change through self-service).

In this tutorial, you will learn how to create a Business Unit that will have different members for different users.

  1. Launch Adaxes Administration Console.

    Expand your Adaxes service, right-click Business Units, point to New and click Business Unit.


    Enter a name for the new Business Unit and click Next.

  2. On the Membership Rules page, you need to specify the criteria to include AD objects to the new Business Unit. Click the Add button.

  3. Select whether you want to include specific objects, members of a group, objects located in an OU, or objects that match certain search criteria.

    Specific Objects

    Using the Specific Objects rule, you can configure the Business Unit to include individual AD objects. To include different objects for different users, you need to specify a template that will be used to build the distinguished name (DN) of an Active Directory object.

    • In the Rule Parameters section, click Add.


    • Activate the Template tab.


    • In the Template field, specify a template for the distinguished name (DN) of an Active Directory object. In order for the template to produce different object DNs for different users, you need to use value references (e.g. %department%). Value references will be replaced with corresponding account properties of the logged in user. For example, value reference %department% will be replaced with the value of the Department property of the user. Value reference %adm-ParentDN% will be replaced with the DN of the Organizational Unit where the user's account is located. Value reference %adm-DomainDN% will be replaced with the DN of the user's domain.

      To insert a value reference, click the button.

      For example, if you specify OU=%department%,DC=example,DC=com, and a user whose department is Sales logs in, the Business Unit will include the Organizational Unit with DN OU=Sales,DC=example,DC=com.

      For more examples, click the View Examples link.


    • Click OK.

    Group Members

    Using the Group Members rule, you can configure the Business Unit to include members of a group. To include members of different groups depending on who is logged in, you need to specify a template that will be used to build the distinguished name (DN) of a group.

    • In the Rule Parameters section, click the button.


    • Activate the Template tab.


    • In the Template field, specify a template for the distinguished name (DN) of a group. In order for the template to produce DNs of different groups for different users, you need to use value references (e.g. %title%). Value references will be replaced with corresponding account properties of the logged in user. For example, value reference %title% will be replaced with the value of the Job Title property of the user. Value reference %adm-ParentDN% will be replaced with the DN of the Organizational Unit where the user's account is located. Value reference %adm-DomainDN% will be replaced with the DN of the user's domain.

      To insert a value reference, click the button.

      For example, if you specify CN=%title%,CN=Users,DC=example,DC=com, and a user whose job title is Sales Manager logs in, the Business Unit will include members of the group with the following DN: CN=Sales Manager,CN=Users,DC=example,DC=com.

      For more examples, click the View Examples link.


    • Click OK.
    • If you want the Business Unit to include not only direct group members but also members of the nested groups, uncheck the Direct members only checkbox.

    • Click OK.

    Container Children

    Using the Container Children membership rule, you can configure the Business Unit to include objects located in a container, such as an Organizational Unit. To include objects located in different containers depending on who is logged in, you need to specify a template that will be used to build the distinguished name (DN) of a container.

    • In the Rule Parameters section, click the button.


    • Activate the Template tab.


    • In the Template field, specify a template for the distinguished name (DN) of a container. In order for the template to produce DNs of different containers for different users, you need to use value references (e.g. %company%). Value references will be replaced with corresponding account properties of the logged in user. For example, value reference %company% will be replaced with the value of the Company property of the user. Value reference %adm-ParentDN% will be replaced with the DN of the Organizational Unit where the user's account is located. Value reference %adm-DomainDN% will be replaced with the DN of the user's domain.

      To insert a value reference, click the button.

      For example, if you specify OU=%company%,DC=example,DC=com, and a user whose company is Acme logs in, the Business Unit will include objects located under the Organizational Unit with the following DN: OU=Acme,DC=example,DC=com.

      For more examples, click the View Examples link.

    • Click OK.
    • If you want the Business Unit to include not only objects located directly under the container, but the whole subtree, select the Sub-tree level option.

    • Click OK.

    Query Results

    Using the Query Results rule, you can configure the Business Unit to include objects that match certain search criteria. For example, a Business Unit can include groups with the word Department in their name, or users with the word Sales in the Job Title property. In order for the search criteria to change based on the logged in user, you need to use value references (e.g. %department%) in the LDAP search filter.

    To build an LDAP search filter, click the Edit button associated with the Filter field.

    Example 1: Users whose department is the same as the department of the logged in user.

    • Activate the Simple tab.

    • Select User in the Type drop-down list.

    • In the Department field, enter %department%. The value reference will be replaced with the value of the Department property of the logged in user.


    Example 2: Users whose city is the same as the city of the logged in user.

    • Activate the Advanced tab.

    • Select User in the Type drop-down list.

    • Specify the following search criteria: City equals %l%. Value reference %l% will be replaced with the value of the City property of the logged in user.

    • Click Add to List.


    Example 3: Disabled users whose manager is the logged in user.

    • Activate the LDAP Filter Editor tab.

    • In the LDAP filter field, specify the following filter:

      (&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(manager=%distinguishedName%))

      The %distinguishedName% value reference will be replaced with the DN of the logged in user.


    To limit the search to a specific Organizational Unit or domain, you can configure the location from which to start searching. To perform a search in different locations depending on who is logged in, you need to specify a template that will be used to build the distinguished name (DN) of the search base object.

    • In the Rule Parameters section, click the button embedded in the Look in field.


    • Activate the Template tab.


    • In the Template field, specify a template for the distinguished name (DN) of the search base object. In order for the template to produce DNs of different objects for different users, you need to use value references (e.g. %company%). Value references will be replaced with corresponding account properties of the logged in user. For example, value reference %company% will be replaced with the value of the Company property of the user. Value reference %adm-ParentDN% will be replaced with the DN of the Organizational Unit where the user's account is located. Value reference %adm-DomainDN% will be replaced with the DN of the user's domain.

      To insert a value reference, click the button.

      For more examples, click the View Examples link.

    • Click OK.

  4. If necessary, add other membership rules. When finished, click Next.
  5. On the Columns page, specify which columns will be visible by default for the Business Unit, configure sorting and grouping options.


    Click Finish.
