Request Approval for Adding Members to Groups


Using Adaxes you can allow users to manage their own group memberships and delegate group membership management to non-administrative users. To control the process, membership in important security groups and distribution lists can be allowed only after approval is given by an authorized person.

For information on how to delegate the permission to add and remove members from a group, see Grant Rights to Modify AD Group Membership.

In this tutorial, you will learn how to create a Business Rule to request approval for adding new members to Active Directory groups.

  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule.



    Enter a name for the new Business Rule and click Next.

  2. To trigger the Business Rule before a new member is added to a group:

    • Select Group in the Object Type list.
    • Select Before and then select Adding a member to a Group.


    To also request approval for removing members from groups, select Adding or removing a member from a Group.


    Click Next.

  3. Click Add an action and select Send this operation for approval.

  4. In the Action Parameters section specify the approvers for the operation.

    • Click Add to select specific users and groups.

    • Select Manager of the requestor to allow the manager of the operation initiator to approve or deny the operation. The manager is specified in the Manager property of user accounts.
    • Select Owner of the target group to allow the owner of the group to approve or deny the operation. The owner is specified in the Managed By property of group objects.
    • Select Owner of the requestor's OU to allow the owner of the Organizational Unit where the account of the operation initiator is located to approve or deny the operation. The owner is specified in the Managed By property of Organizational Units.
    • Select Owner of the target group's OU to allow the owner of the Organizational Unit where the group is located to approve or deny the operation. The owner is specified in the Managed By property of Organizational Units.
    • When done, click OK.

    Adaxes service administrators have the rights to approve or deny any request.

    Using Scripts

    If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval. For example, using a script you can request approval from current members of the group.

    • In the Add Action dialog, select the Run a program or PowerShell script action.
    • Click the Edit button.

      Click the button to provide a custom description for the action.
    • To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.

      The following script submits an approval request to a specific user and members of a specific group.

      $approvers = @(
          "CN=John Smith,CN=Users,DC=example,DC=com",
          "CN=My Group,OU=Groups,DC=example,DC=com")
      # Submit the operation for approval by the listed approvers only
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      To copy the distinguished name of a user or group to the clipboard:

      • Launch Adaxes Administration Console.
      • Right-click the object you need.
      • In the context menu, open the submenu of the Copy item.
      • Click Copy DN. The DN of the selected object will be copied to the clipboard.


      You can use value references in the script (e.g. %name%, %distinguishedName%, %managedBy%). Value references will be replaced with corresponding property values of the group object.


      The following example submits an approval request to the current members of the group.

      # The group's own DN: its current members become the approvers
      $approvers = @("%distinguishedName%")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      Value reference %distinguishedName% will be replaced with the DN of the group object.



      For information on how to create scripts for Business Rules, see Server-Side Scripting.
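      The following script is an added example, not part of the Adaxes documentation, and goes a step beyond the page's own examples: it picks approvers from the group's Managed By owner, but falls back to a separate approver group when the group has no owner or when the initiator is the owner, so that no one approves their own membership change. The fallback group DN is a constructed placeholder; the script assumes the Adaxes $Context methods TargetObject, Initiator, BindToObject, LogMessage and SubmitForApproval.

```powershell
# Added example (not from the Adaxes documentation).
# Placeholder DN of the group that approves when no suitable owner exists.
$fallbackApproversDN = "CN=Security Team,OU=Groups,DC=example,DC=com"

# Owner of the target group (Managed By); reading an empty property throws,
# so treat that as "no owner".
try {
    $ownerDN = $Context.TargetObject.Get("managedBy")
} catch {
    $ownerDN = $NULL
}

# DN of the account performing the operation.
$initiator = $Context.BindToObject($Context.Initiator.UserAdsPath)
$initiatorDN = $initiator.Get("distinguishedName")

if ($ownerDN -eq $NULL) {
    $Context.LogMessage("Group %name% has no owner; requesting approval from the fallback approvers", "Warning")
    $approvers = @($fallbackApproversDN)
}
elseif ($ownerDN -ieq $initiatorDN) {
    # The owner is the initiator: do not let them approve their own change.
    $Context.LogMessage("Initiator owns group %name%; requesting approval from the fallback approvers", "Information")
    $approvers = @($fallbackApproversDN)
}
else {
    $approvers = @($ownerDN)
}

# Submit the operation for approval by the selected approvers only.
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```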

    Multi-Level Approval

    An approval workflow can be configured with multiple levels of approval. To request approval from another set of approvers, add another Send this operation for approval action to the Business Rule.

  5. To request an approval only if certain conditions are met, right-click the action and select Add Condition.


    Example 1 - If the initiator is not a member of a specific group.

    • Select the If the initiator is a member of <Group> condition.


    • In the Condition Parameters section, select is not in the drop-down list and specify the group.


    • Click OK.


    Example 2 - If the new member is not the initiator.

    • Select the If the initiator is <User> condition.


    • In the Condition Parameters section, select is not in the drop-down list, and click the button.


    • Activate the Template tab.


    • In the Template field, enter %member%.


      Value reference %member% will be replaced with the distinguished name (DN) of the new member.


    • Click OK.


    Example 3 - If the initiator and the group are not in the same Organizational Unit.

    • Select the If located under <location> condition.


    • In the Condition Parameters section, select is not in the drop-down list, and click the button.


    • Activate the Template tab.


    • In the Template field, enter %adm-InitiatorParentDN%.


      Value reference %adm-InitiatorParentDN% will be replaced with the distinguished name (DN) of the Organizational Unit where the account of the initiator is located.


    • Click OK.

    When done, click Next.

  6. To define the scope of activity for the Business Rule, click Add.

    In the Activity Scope dialog, select the following items:

    • All Objects - select to execute the Business Rule when a new member is added to any group in any domain managed by Adaxes.

    • Specific Domain - select to execute the Business Rule when a new member is added to any group within an Active Directory domain.

    • OU or Container - select to execute the Business Rule when a new member is added to a group located under an Organizational Unit or container.

    • Group - select to execute the Business Rule when a new member is added to a group that is a member of the selected group.

    • Business Unit - select to execute the Business Rule when a new member is added to a group that is a member of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific groups, Organizational Units, Business Units and domains from the activity scope of the Business Rule. For example, if you've assigned the Business Rule over all groups in a domain, but do not want it to trigger for the groups located in a specific Organizational Unit, you can exclude the Organizational Unit from the activity scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.


    • Click OK.

  7. When done, click OK and then click Finish.
