Automate Group Membership Management


You can configure Adaxes to automatically add and remove users from groups based on certain criteria. There are two ways to automatically maintain group membership in Adaxes - centralized automation and rule-based groups.

With the centralized approach, the membership logic of multiple groups can be managed from one place. You can create a set of conditions that will determine whether an AD object should be added to or removed from any group. Adaxes will check these conditions periodically or after certain events in your AD, and will add or remove objects from groups accordingly.

With rule-based groups, the membership logic for each group is configured independently, and the membership of each group is updated based on its update schedule. Another important distinction is that members of rule-based groups can't be added or removed manually.

Both approaches can be used in any scenario; however, some cases are better handled with centralized automation and others with rule-based groups. For example, if the membership logic of different groups is interdependent or even mutually exclusive, centralized automation might be more convenient. On the other hand, if the membership logic of the groups is totally unrelated, rule-based groups might be more appropriate.

In this tutorial, you will learn how to apply centralized automation and rule-based groups to automatically maintain the group membership of users based on their department.

Centralized automation

To manage group membership centrally, you can create a Custom Command with all the necessary actions and conditions, and then execute the command in Business Rules and Scheduled Tasks. Business Rules will trigger group membership changes immediately after certain events in Active Directory, whereas Scheduled Tasks can be used to verify and correct group membership on a periodic basis.

Here is how to create a Custom Command that will add and remove users from groups based on their department:

  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Custom Command.



    Enter a name for the new Custom Command.

  2. Since the Custom Command will be executed by Business Rules and Scheduled Tasks only, uncheck the Enabled checkbox. Disabled commands are not displayed in the user interface.


    Click Next.

  3. Select the User object type and click Next.


  4. On the Parameters step click Next.


  5. On the Actions step click Add an action.



    Select the Add the User to a group action.



    In the Action Parameters section, select the group that corresponds to one of the departments.



    Click OK.


    Approvals

    Actions executed by Business Rules can be submitted for approval. For example, you may want a user to be added to a group only after an approval is granted by the group owner or by the manager of the user.

    • Right-click the action for which you want an approval to be requested.
    • Click Edit Action in the context menu.


    • In the Edit Action dialog, check the Get approval for this action checkbox.


    • Specify the approvers and click OK.


    For information on how to request approval for operations that can be performed both manually, by users, and automatically, see Request Approval for Adding Members to Groups.

  6. Right-click the newly added action and select Add Condition in the context menu.



    Select the If <property> <relation> <value> condition.



    In the Condition Parameters section specify Department - equals - <Department Name>.



    Click OK.

  7. Right-click the condition/action block and select Add Else in the context menu.




    Right-click Do nothing and select Add Action in the context menu.




    Add a Remove the User from a group action for the same group.




    Right-click the If block and select Copy in the context menu. To copy the whole block, make sure no actions and conditions are selected.




    Right-click outside the block and select Paste in the context menu.




    Double-click both actions and the condition and configure them for another department.




    Repeat the steps above for each department.


    Using Scripts

    If there are too many departments or the rules for group membership are too complicated, the Custom Command may become bulky and hard to manage. In this case, instead of adding many actions and conditions, you can use a PowerShell script, or switch to rule-based groups instead of the centralized approach. For details on how to use PowerShell to add and remove users from groups, see Change Group Membership Using Scripts.

  8. When done, click Next. On the Permissions page, click Finish.


  9. Select a Business Rule or a Scheduled Task that will execute the Custom Command.


    To execute the Custom Command after a new user account is created, you can use built-in Business Rule After User Creation. For details on how to configure and activate the rule, see Automate User Provisioning.

    For instructions on how to create a Scheduled Task, see Schedule Tasks for AD Management.

  10. Click Add new action set.


    Right-click Do nothing and select Add Action in the context menu.


    In the Add Action dialog, select Execute a Custom Command.


    In the Action Parameters section, select the Custom Command.


    Click OK.

  11. If the Custom Command is executed in a Business Rule triggered after updating a user, add the If the Department property has changed condition.



    Add the Custom Command to other Business Rules and Scheduled Tasks.
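The Using Scripts note in step 7 mentions replacing the per-department If/Else blocks with a PowerShell script. The following script is an added example written for this page; it is not code from the Adaxes documentation or product. It is meant for a Run a program or PowerShell script action inside the Custom Command and assumes the Adaxes script context object $Context with its TargetObject, BindToObjectByDN and LogMessage members; the department names and group DNs in the mapping are constructed placeholders that you would replace with your own.

```powershell
# Added example, not code from the Adaxes documentation.
# Intended for a "Run a program or PowerShell script" action inside the Custom Command,
# replacing the per-department If/Else blocks from steps 6-7.
# Assumptions: $Context is the Adaxes script context exposing TargetObject,
# BindToObjectByDN and LogMessage; the group DNs below are placeholders to replace.

# Constructed mapping: Department value -> DN of the matching group (placeholder DNs).
$departmentGroups = @{
    "Sales"       = "CN=Sales Department,OU=Groups,DC=example,DC=com"
    "Marketing"   = "CN=Marketing Department,OU=Groups,DC=example,DC=com"
    "Engineering" = "CN=Engineering Department,OU=Groups,DC=example,DC=com"
}

$user = $Context.TargetObject
$userPath = $user.AdsPath

# Read the user's department. ADSI Get() throws when the attribute is empty,
# so treat that case as "no department".
try {
    $department = [string]$user.Get("department")
}
catch {
    $department = ""
}

# Decide which single department group (if any) the user should be in.
# Hashtable keys are compared case-insensitively, like the Adaxes "equals" condition.
$targetDN = $null
if ($department -ne "") {
    if ($departmentGroups.ContainsKey($department)) {
        $targetDN = $departmentGroups[$department]
    }
    else {
        $Context.LogMessage("No group is mapped to department '$department'. The user will be removed from all department groups.", "Warning")
    }
}

# Reconcile: add the user to the target group and remove it from every other mapped group.
# Membership is checked first so the script stays idempotent when a Scheduled Task reruns it.
foreach ($entry in $departmentGroups.GetEnumerator()) {
    $group = $Context.BindToObjectByDN($entry.Value)
    $isMember = $group.IsMember($userPath)

    if ($entry.Value -eq $targetDN) {
        if (-not $isMember) {
            $group.Add($userPath)
            $Context.LogMessage("Added the user to group '$($entry.Key)'.", "Information")
        }
    }
    elseif ($isMember) {
        $group.Remove($userPath)
        $Context.LogMessage("Removed the user from group '$($entry.Key)'.", "Information")
    }
}
```

Because the script removes the user from every mapped group other than the one for the current department, the department groups stay mutually exclusive, which is the same behaviour the copied If/Else blocks produce. Running it from the After User Creation Business Rule and from a Business Rule guarded by the If the Department property has changed condition (step 11) keeps membership current, while a periodic Scheduled Task corrects any drift caused by manual changes.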






To make Department a required field and allow users to select a department from a drop-down list, you can use Property Patterns.

For details, see Make an Input Field a Drop-Down List.

Rule-based groups

Rule-based groups are configured directly from the Web Interface. To automatically manage the membership of a specific group, you need to convert it to rule-based and set up the membership rules.

Here is how to make an existing AD group rule-based and configure it to include only users from a specific department.

  1. In the Web Interface, select a group you would like to make rule-based and click Edit in the Membership Type section.

    This section might not be present in the group view, for one of two reasons:

    • The group is a system group (e.g. Domain Admins). System groups can't be converted to rule-based.
    • The Membership Type section is not enabled in this particular Web Interface. In this case, enable it as follows:
        • Open Adaxes Web Interface Configurator.
        • In the top left corner, select the Web Interface you want to customize.
        • In the left navigation menu, click Management.
        • In the Forms and Views section, select Group in the drop-down list.
        • Activate the View tab and click Add under the Sections list.
        • In the dialog that opens, select Membership Type and complete the wizard to add the section to the group view.
        • If necessary, activate the Create or Modify tabs and add the Membership Type section to the forms for creating and editing groups.
        • Save the changes.
  2. Change the membership type of your group to Rule-based, and then click Add under the Membership Rules field to add a new rule.

  3. In the dialog that opens, select Query results from the drop-down.


    To include users with a specific Department property value, for example, Sales, do the following:

    • Select User in the Object types drop-down list.
    • Click Add under the Criteria field.


    • In the Add Criteria dialog select Department is Sales.

    • Click OK twice.

    If necessary, you can exclude objects from the group. For example, if you don't want the group to contain users located in the Deprovisioned Users Organizational Unit, you can add a rule to exclude them.


    • Click Add under the Membership Rules field.

    • In the dialog that opens, select Exclude.


    • Select Objects located in OU or container from the drop-down.


    • Select the OU in the Location field.


    • In the Object types drop-down list, select the object types you want to exclude.


    • Click OK.


  4. When done, save the changes and repeat the steps above for each department.

You can delegate the rights to configure rule-based groups to other users. To do this, you need to grant them appropriate permissions. For details, see how to Grant Rights to Modify AD Group Membership.


