Grant Rights to Modify AD Group Membership


To add and remove members from a group, a user must have the permission to modify the Member property of the group object in Active Directory. The rights to modify properties of Active Directory objects, like any other rights in Adaxes, are granted with the help of Security Roles.

Permissions granted by Security Roles are effective only within Adaxes.

In this tutorial, you will learn how to create and assign a Security Role to grant users the ability to manage membership in Active Directory groups.


  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.



    Enter a name for the new Security Role and click Next.

  2. On the Permissions step, click Add.

  3. Select Group in the list of object types on the left.

  4. In the Property-specific permissions list, check the Write Member Property permission in the Allow column.

    It is a good practice to add the Read permission to all Security Roles. It ensures that users have the right to view the objects they manage. By default, the rights to view Active Directory objects are granted by the built-in Domain User Security Role; adding the Read permission explicitly is recommended because those default rights can be changed.




    When done, click OK and then click Next.

  5. On the Assignments step, click Add to assign the Security Role to users.

  6. Select the users and groups whom you want to assign the permissions to.


    Owner (Managed By)

    The Owner (Managed By) security principal can be used to assign permissions to group owners. When a permission is assigned to Owner, it is actually assigned to the user or group specified in the Managed By property of group objects in Active Directory. If the owner of a group changes, the previous owner loses, and the new owner gains the rights instantly.


    Click Next.

  7. Select the scope of groups on which you want to assign the permissions.

    Select the following items:

    • All Objects - select to allow users to manage all groups in all domains managed by Adaxes.

    • Specific Domain - select to allow users to manage all groups within a specific domain.

    • OU or Container - select to allow users to manage only the groups located in an Organizational Unit or container.

    • Group - select to allow users to manage only the groups that are members of a group.

    • Business Unit - select to allow users to manage only the groups that are members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific groups, Organizational Units, members of groups and Business Units from the assignment scope. For example, if you've assigned the Security Role on all groups in a domain, but do not want users to manage the groups located in a specific Organizational Unit, you can exclude that Organizational Unit from the scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.

    • Click OK.

    When done, click Finish to complete the Assign Role wizard.

  8. Click Finish to complete the Create Security Role wizard.


Control Members

The Write Member Property permission allows adding and removing any member from a group. To control which objects can be members of which groups, you need to create a Business Rule that will be triggered before a new member is added or removed from a group. The Business Rule will cancel the operation if certain conditions are met.

  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule.



    Enter a name for the new Business Rule and click Next.

  2. To trigger the Business Rule before a new member is added or removed from a group:

    • Select Group in the Object Type list.
    • Select Before and then select Adding or removing a member from a Group.


    Click Next.

  3. Click Add an action and select Cancel the operation.

  4. In the Action Parameters section, enter a reason and click OK.

  5. To cancel the operation only if certain conditions are met, right-click the action and select Add Condition.


    Example 1 - If the member is not the initiator.

    • Select the If the initiator is <User> condition.


    • In the Condition Parameters section, select "is not" in the drop-down list, and click the button.


    • Activate the Template tab.


    • In the Template field, enter %member%.


      Value reference %member% will be replaced with the DN of the group member.


    • Click OK.


    Example 2 - If the initiator and the group are not in the same Organizational Unit.

    • Select the If located under <location> condition.


    • In the Condition Parameters section, select "is not" in the drop-down list, and click the button.


    • Activate the Template tab.


    • In the Template field, enter %adm-InitiatorParentDN%.


      Value reference %adm-InitiatorParentDN% will be replaced with the distinguished name (DN) of the Organizational Unit where the account of the initiator is located.


    • Click OK.


    Example 3 - If the Job Title property of the member doesn't contain the word Manager.

    • Select the If PowerShell script returns true condition.


    • In the Condition Parameters section, click the Edit button.


    • Use the following script to check the Job Title property of the group member:

      # Assume the condition is met (the operation will be cancelled) until the checks below prove otherwise
      $Context.ConditionIsMet = $True
      # Bind to the member being added or removed; %member% is replaced with its DN
      $member = $Context.BindToObject("Adaxes://%member%")
      try
      {
          $jobTitle = $member.Get("title")
      }
      catch [System.Runtime.InteropServices.COMException]
      {
         return # the job title is not specified: the condition stays met and the operation is cancelled
      }
      # The condition is met (cancel) only if the title does not contain "Manager"
      $Context.ConditionIsMet = $jobTitle -notlike "*Manager*"

      For information on how to create scripts for Business Rules, see Server-Side Scripting.


    • Click OK twice.

    When done, click Next.
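    As an added example (it is not part of this tutorial and not Adaxes' own code), the following condition script generalizes Example 3: it checks the member's Job Title against a list of keywords instead of a single word, and it makes an explicit decision for members that are not user objects, since nested groups and computers carry no Job Title and the single-word script above cancels the operation for them only as a side effect of Get("title") throwing. The %member% value reference, $Context.BindToObject and $Context.ConditionIsMet are taken from this page; the $Context.LogMessage call, the Class property of the bound object and the keyword list are assumptions.

```powershell
# Added example, not from the Adaxes tutorial. Assumptions are marked below.
# Constructed keyword list: the member's Job Title must contain at least one of these.
$allowedKeywords = @("Manager", "Director")

# Start with "condition met": the operation is cancelled unless a check below clears it.
$Context.ConditionIsMet = $True

# %member% is replaced by Adaxes with the DN of the member being added or removed (from the page).
$member = $Context.BindToObject("Adaxes://%member%")

# Only user objects carry a Job Title. Decide explicitly for every other object class
# instead of rejecting it only because Get("title") happens to throw.
# Assumption: the bound object exposes the ADSI Class property.
if ($member.Class -ne "user")
{
    # Assumption: $Context.LogMessage writes a line to the operation log.
    $Context.LogMessage("Member is of class '$($member.Class)', not a user; cancelling", "Information")
    return   # ConditionIsMet stays $True: the operation is cancelled
}

try
{
    $jobTitle = $member.Get("title")
}
catch [System.Runtime.InteropServices.COMException]
{
    $Context.LogMessage("Member has no Job Title; cancelling", "Information")
    return   # no title: cancel, the same outcome as the single-word script
}

# Clear the condition (allow the operation) if any keyword matches; -like is case-insensitive.
foreach ($keyword in $allowedKeywords)
{
    if ($jobTitle -like "*$keyword*")
    {
        $Context.ConditionIsMet = $False
        return
    }
}

# No keyword matched: the condition stays met and the operation is cancelled.
$Context.LogMessage("Job Title '$jobTitle' matches none of: $($allowedKeywords -join ', ')", "Information")
```

    Because the script drives the Cancel the operation action through $Context.ConditionIsMet, $True here means "cancel". Starting from $True and clearing it only on a positive match is a fail-closed design: an unexpected object class or an attribute read error cannot silently let a member through, and every rejection leaves a log line that explains why.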

  6. To define the scope of activity for the Business Rule, click Add.

    In the Activity Scope dialog, select the following items:

    • All Objects - select to execute the Business Rule for all groups in all domains managed by Adaxes.

    • Specific Domain - select to execute the Business Rule for all groups within an AD domain.

    • OU or Container - select to execute the Business Rule for the groups located under an Organizational Unit or container.

    • Group - select to execute the Business Rule for the groups that are members of a group.

    • Business Unit - select to execute the Business Rule for the groups that are members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific groups, Organizational Units, Business Units and domains from the activity scope of the Business Rule. For example, if you've assigned the Business Rule over all groups in a domain, but do not want it to trigger for the groups located in a specific Organizational Unit, you can exclude the Organizational Unit from the activity scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.


    • Click OK.

  7. When done, click OK and then click Finish.

Approvals

For information on how to request approval when members are added or removed from certain groups, see Request Approval for Adding Members to Groups.



