Request Approval for User Creation


Adaxes enables you to track and control critical administrative tasks, such as user and group management, by adding approval steps to the process. Approval workflow can be configured for any operation, including adding and removing members from groups, enabling and disabling user accounts, assigning Office 365 licenses, etc. In this tutorial, you will learn how to request approval for creation of new user accounts in Active Directory.

For information on how to delegate the permission to create user accounts, see Grant Rights to Create Users.

To submit requests for approval, you need to create a Business Rule that will be triggered before a user account is created in Active Directory.

  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule.



    Enter a name for the new Business Rule and click Next.

  2. To trigger the Business Rule before a user account is created:

    • Select User in the Object Type list.
    • Select Before and then select Creating a User.


    Click Next.

  3. Click Add an action and select Send this operation for approval.

  4. In the Action Parameters section specify the approvers for the operation.

    • Click Add to select specific users and groups.

    • Select Manager of the requestor to allow the manager of the user who initiated account creation to approve or deny the operation. The manager is specified in the Manager property of user accounts.
    • Select Manager of the target user to allow the manager of the new user to approve or deny the operation. The manager is specified in the Manager property of user accounts.
    • Select Owner of the requestor's OU to allow the owner of the Organizational Unit where the account of the operation initiator is located to approve or deny the operation. The owner is specified in the Managed By property of Organizational Units.
    • Select Owner of the target user's OU to allow the owner of the Organizational Unit where the new user will be created to approve or deny the operation. The owner is specified in the Managed By property of Organizational Units.
    • When done, click OK.
    Adaxes service administrators have the rights to approve or deny any request.

    Using Scripts

    If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval.

    • In the Add Action dialog, select the Run a program or PowerShell script action.
    • Click the Edit button.

      Click the button to provide a custom description for the action.
    • To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.

      The following script submits an approval request to a user and members of a group.

      $approvers = @(
      		"CN=John Smith,CN=Users,DC=example,DC=com",
      		"CN=My Group,OU=Groups,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      To get the DN of a directory object:

      • Launch Adaxes Administration Console.
      • Right-click the object you need.
      • In the context menu, open the submenu of the Copy item.
      • Click Copy DN. The DN of the selected object will be copied to the clipboard.


      You can use value references in the script (e.g. %department%). Value references will be replaced with corresponding property values of the new user account.

      The following example submits an approval request to the members of a group with the name consisting of the name of the user's department plus Managers.

      $approvers = @("CN=%department%Managers,CN=Users,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      The following example submits an approval request to the user's secretary and members of group Admins located in the user's Organizational Unit.

      $approvers = @(
      		"%secretary%",
      		"CN=Admins,%adm-InitiatorParentDN%")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      For information on how to create scripts for Business Rules, see Server-Side Scripting.

    Multi-Level Approval

    Approval workflow can be configured for multiple levels of approval. To request approval from another group of approvers, add another Send this operation for approval action to the Business Rule.

  5. To request an approval only if certain conditions are met, right-click the action and select Add Condition.


    Example 1 - If the initiator is not a member of a specific group.

    • Select the If the initiator is a member of <Group> condition.


    • In the Condition Parameters section, select is not in the drop-down list and specify the group.


    • Click OK.


    Example 2 - If the Job Title property of the new user's account contains the word Manager.

    • Select the If <property> <relation> <value> condition.


    • In the Condition Parameters section specify Job Title - contains - Manager.


    • Click OK.

    When done, click Next.

  6. To define the scope of activity for the Business Rule, click Add.

    In the Activity Scope dialog, select the following items:

    • All Objects - select to request approval when a user account is created in any domain managed by Adaxes.

    • Specific Domain - select to request approval when a user account is created in a specific AD domain.

    • OU or Container - select to request approval when a user account is created in a specific Organizational Unit or container.

    You can exclude specific Organizational Units and domains from the activity scope of the Business Rule. For example, if you've assigned the Business Rule over the whole domain, but do not want it to trigger when a user account is created in a specific Organizational Unit, you can exclude the Organizational Unit from the activity scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.


    • Click OK.
  7. When done, click OK and then click Finish.
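
For the Using Scripts option in step 4, the following added example (not Adaxes code) builds the approver list defensively: it escapes the department value for use inside a DN (RFC 4514) and falls back to a fixed group when a value reference resolves to nothing. The function names and the choice of fallback group are hypothetical, and the script assumes an unset property is substituted as an empty string.

```powershell
# Added example (not Adaxes or vendor code). Function names and the fallback
# approver DN are hypothetical; the domain DNs are the tutorial's sample values.

function ConvertTo-EscapedRdnValue {
    param([string]$Value)
    # RFC 4514: escape \ , + " < > ; = anywhere in the value (single pass,
    # so the backslashes added here are not escaped again).
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    # A leading space or '#', and a trailing space, also need escaping.
    $escaped = $escaped -replace '^([ #])', '\$1'
    return ($escaped -replace ' $', '\ ')
}

function Get-ApproverList {
    param([string]$Department, [string]$Secretary, [string]$FallbackDN)
    $approvers = @()
    if (-not [string]::IsNullOrWhiteSpace($Department)) {
        # Group name = department + "Managers", as in the tutorial's example.
        $cn = ConvertTo-EscapedRdnValue ($Department.Trim() + 'Managers')
        $approvers += "CN=$cn,CN=Users,DC=example,DC=com"
    }
    if (-not [string]::IsNullOrWhiteSpace($Secretary)) {
        $approvers += $Secretary.Trim()   # the Secretary property already holds a DN
    }
    if ($approvers.Count -eq 0) {
        # Never submit with an empty list; route to a known group instead.
        $approvers += $FallbackDN
    }
    return ,$approvers
}

# Adaxes replaces the value references with the new account's property values.
# Assumption: an unset property is substituted as an empty string.
$approvers = Get-ApproverList -Department "%department%" -Secretary "%secretary%" `
    -FallbackDN "CN=My Group,OU=Groups,DC=example,DC=com"

if ($Context) {
    $Context.SubmitForApproval($approvers, $False, $False, $False, $False)
} else {
    $approvers   # outside Adaxes ($Context undefined): print the list as a dry run
}
```

Run outside a Business Rule, the value references stay literal, so the dry-run output only confirms the shape of the DNs.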

Approval Notifications

When an operation is submitted for approval, approved, denied or cancelled, Adaxes sends email notifications to request approvers and the request initiator. To enable Adaxes to send email messages, you need to configure the outgoing mail settings for your Adaxes service.


To configure outgoing mail settings:

  • In Adaxes Administration Console, right-click your Adaxes service and click Properties in the context menu.

  • Activate the Mail Settings tab and change the SMTP settings.

  • Click Apply.




If you want email notifications to include a link to view and process the approval request, as well as links to the Active Directory objects related to it, you need to register a Web Interface for your Adaxes service.


To register a Web Interface:

  • Activate the Web Interface tab.
  • Specify the URL of the Web Interface you want to use for processing requests.

  • Click OK.




It is possible to customize templates for email notifications sent during the approval workflow process.


To customize email templates:

  • Right-click Approval Requests and click Properties in the context menu.

  • Activate the E-Mail Notifications tab.

  • When finished, click OK.

Processing Approval Requests

To approve, deny and cancel approval requests, users can use either the Adaxes Web Interface or the Administration Console.
