You can configure Adaxes to automatically add and remove users from groups based on certain criteria. There are two ways to automatically maintain group membership in Adaxes - centralized automation and rule-based groups.
With the centralized approach, the membership logic of multiple groups can be managed from one place. You can create a set of conditions that will determine whether an AD object should be added to or removed from any group. Adaxes will check these conditions periodically or after certain events in your AD, and will add or remove objects from groups accordingly.
With rule-based groups, the membership logic for each group is configured independently, and the membership of each group is updated based on its update schedule. Another important distinction is that members of rule-based groups can't be added or removed manually.
Either approach can be used in any scenario; however, some cases are better handled with centralized automation and others with rule-based groups. For example, if the membership logic of different groups is connected or even mutually exclusive, centralized automation might be more convenient. On the other hand, if the membership logic of multiple groups is entirely unrelated, rule-based groups might be more appropriate.
To manage group membership centrally, you can create a Custom Command with all the necessary actions and conditions, and then execute the command in Business Rules and Scheduled Tasks. Business Rules will trigger group membership changes immediately after certain events in Active Directory, whereas Scheduled Tasks can be used to verify and correct group membership on a periodic basis.
Here is how to create a Custom Command that will add and remove users from groups based on their department:
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Custom Command.
Enter a name for the new Custom Command.
Since the Custom Command will be executed by Business Rules and Scheduled Tasks only, uncheck the Enabled checkbox. Disabled commands are not displayed in the user interface.
Select the User object type and click Next.
On the Parameters step click Next.
On the Actions step click Add an action.
Select the Add the User to a group action.
In the Action Parameters section, select the group that corresponds to one of the departments.
Actions executed by Business Rules can be submitted for approval. For example, you may want a user to be added to a group only after an approval is granted by the group owner or by the manager of the user.
Click Edit Action in the context menu.
In the Edit Action dialog, check the Get approval for this action checkbox.
Specify the approvers and click OK.
For information on how to request approval for operations that can be performed both manually, by users, and automatically, see Request Approval for Adding Members to Groups.
Right-click the newly added action and select Add Condition in the context menu.
Select the If <property> <relation> <value> condition.
In the Condition Parameters section specify Department - equals - <Department Name>.
Right-click the condition/action block and select Add Else in the context menu.
Right-click Do nothing and select Add Action in the context menu.
Add a Remove the User from a group action for the same group.
Right-click the If block and select Copy in the context menu. To copy the whole block, make sure no actions and conditions are selected.
Right-click outside the block and select Paste in the context menu.
Double-click both actions and the condition and configure them for another department.
Repeat the steps above for each department.
If there are many departments or the group membership rules are complicated, the Custom Command may become bulky and hard to manage. In this case, instead of adding many actions and conditions, you can use a PowerShell script, or use rule-based groups instead of the centralized approach. For details on how to use PowerShell to add and remove users from groups, see Change Group Membership Using Scripts.
When done, click Next. On the Permissions page, click Finish.
Select a Business Rule or a Scheduled Task that will execute the Custom Command.
Click Add new action set.
Right-click Do nothing and select Add Action in the context menu.
In the Add Action dialog, select Execute a Custom Command.
In the Action Parameters section, select the Custom Command.
If the Custom Command is executed in a Business Rule triggered after updating a user, add the If the Department property has changed condition.
Add the Custom Command to other Business Rules and Scheduled Tasks.
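The following is an added Python model (not Adaxes code) of the department-to-group logic the Custom Command above implements: one If/Else block per department, where the If branch adds the user to the department's group and the Else branch removes them. The department and group names are constructed placeholders.

```python
# Constructed sample mapping: department name -> group name (placeholders).
DEPARTMENT_GROUPS = {
    "Sales": "Sales Team",
    "Marketing": "Marketing Team",
    "Finance": "Finance Team",
}


def plan_membership_changes(department, current_groups, department_groups=DEPARTMENT_GROUPS):
    """Return (to_add, to_remove) for a single user.

    Mirrors the Custom Command: for every department/group pair there is an
    If block "Department equals <dept> -> add the user to <group>" and an Else
    branch "remove the user from <group>". Only actual changes are returned,
    so re-running the plan (as a Scheduled Task would) changes nothing once the
    user is in the right group. Groups that the command does not manage are
    never touched. The comparison is exact; the page does not specify how
    case is handled by the "equals" condition.
    """
    current = set(current_groups)
    to_add, to_remove = [], []
    for dept, group in department_groups.items():
        if department == dept:
            if group not in current:
                to_add.append(group)
        elif group in current:
            to_remove.append(group)
    return to_add, to_remove


def apply_plan(current_groups, plan):
    """Apply a plan returned by plan_membership_changes and return the new membership."""
    to_add, to_remove = plan
    return sorted((set(current_groups) - set(to_remove)) | set(to_add))


if __name__ == "__main__":
    # A user who moved from Sales to Finance and also belongs to an unmanaged group.
    before = ["Sales Team", "VPN Users"]
    plan = plan_membership_changes("Finance", before)
    print(plan)                      # (['Finance Team'], ['Sales Team'])
    print(apply_plan(before, plan))  # ['Finance Team', 'VPN Users']
```

A user whose department matches none of the mapped departments (or is empty) is removed from every managed group, which is the reconciliation a Scheduled Task performs.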
To make Department a required field and allow users to select a department from a drop-down list, you can use Property Patterns.
For details, see Make an Input Field a Drop-Down List.
Rule-based groups are configured directly from the Web Interface. To automatically manage the membership of a specific group, you need to convert it to rule-based and set up the membership rules.
Here is how to make an existing AD group rule-based and configure it to include only users from a specific department.
In the Web Interface, select a group you would like to make rule-based and click Edit in the Membership Type section.
This section might not be present on the group view. There can be two possible reasons:
In the top left corner, select the Web Interface you want to customize.
In the left navigation menu, click Management.
In the Forms and Views section, select Group in the drop-down list.
Activate the View tab and click Add under the Sections list.
In the dialog that opens, select Membership Type and complete the wizard to add the section to the group view.
Change the membership type of your group to Rule-based, and then click Add under the Membership Rules field to add a new rule.
In the dialog that opens, select Query results from the drop-down.
To include users with a specific Department property value, for example, Sales, do the following:
Click Add under the Criteria field.
In the Add Criteria dialog select Department is Sales.
If necessary, you can exclude objects from the group. For example, if you don't want the group to contain users located in the Deprovisioned Users Organizational Unit, you can add a rule to exclude them.
Click Add under the Membership Rules field.
In the dialog that opens, select Exclude.
Select Objects located in OU or container from the drop-down.
Select the OU in the Location field.
In the Object types drop-down list, select the object types you want to exclude.
Membership rules have an order of priority. If the same object is supposed to be included in the group by one rule but excluded by another rule, Adaxes uses the priority order to determine what to do with the object.
Membership rules are always displayed in their priority order, which is:
Rules that exclude objects have priority over rules of the same type that include objects.
For example, imagine a rule-based group with two membership rules – Exclude group members and Include group members:
The members of the Helpdesk London group will be excluded because the Exclude group members rule has higher priority.
Here's a different scenario – a group with the Include group members and Exclude query results rules:
In this case, if the user account is disabled but they are a Helpdesk group member, they will be included in the group because the Include group members rule has higher priority.
The priority order of membership rules can't be changed.
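To make the priority behaviour concrete, here is an added Python model (not Adaxes code) that resolves membership for the two scenarios above. The Helpdesk group names and user records are constructed, and ranking OU-based rules below the other two types is an assumption: the page only states that group-members rules rank above query-results rules and that Exclude beats Include within one type.

```python
from dataclasses import dataclass
from typing import Callable

# Lower value = higher priority. The page states only that "group members" rules
# rank above "query results" rules; ranking "objects in OU" last is an assumption.
TYPE_PRIORITY = {"group members": 0, "query results": 1, "objects in OU": 2}


@dataclass(frozen=True)
class Rule:
    action: str                      # "include" or "exclude"
    rule_type: str                   # a key of TYPE_PRIORITY
    matches: Callable[[dict], bool]  # predicate over a user record


def rule_priority(rule: Rule) -> tuple:
    # Within one rule type, Exclude beats Include (stated on the page).
    return (TYPE_PRIORITY[rule.rule_type], 0 if rule.action == "exclude" else 1)


def is_member(user: dict, rules: list) -> bool:
    """The highest-priority rule that matches the user decides membership.
    A user matched by no rule is not a member of the rule-based group."""
    for rule in sorted(rules, key=rule_priority):
        if rule.matches(user):
            return rule.action == "include"
    return False


# Predicates standing in for the rule kinds used in the two scenarios.
def in_group(name):
    return lambda u: name in u["memberOf"]


def is_disabled(u):
    return u.get("disabled", False)


# Scenario 1: Include Helpdesk members, Exclude Helpdesk London members (same type).
SCENARIO_1 = [Rule("include", "group members", in_group("Helpdesk")),
              Rule("exclude", "group members", in_group("Helpdesk London"))]

# Scenario 2: Include Helpdesk members, Exclude query results (disabled accounts).
SCENARIO_2 = [Rule("include", "group members", in_group("Helpdesk")),
              Rule("exclude", "query results", is_disabled)]

# Constructed sample users; "memberOf" holds the names of groups the user belongs to.
LONDON_USER = {"memberOf": {"Helpdesk", "Helpdesk London"}, "disabled": False}
DISABLED_USER = {"memberOf": {"Helpdesk"}, "disabled": True}

if __name__ == "__main__":
    print(is_member(LONDON_USER, SCENARIO_1))    # False: Exclude wins within the same type
    print(is_member(DISABLED_USER, SCENARIO_2))  # True: group members rule outranks query results
```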