0 votes

I'm creating a business rule to identify active non-employee accounts (sub contractors, temps, etc). These employees are members of a special group. I have created two membership rules:

Include: Groups Members of Domain\Contractors group *Included by the Group Members rule.
Exclude: (userAccountControl:1.2.840.113556.1.4.803:=2) *Exclude by Query to remove disabled users

The membership rules work individually, however, I'd expect to see only Contractor accounts that are Enabled. I see contractor accounts that are disabled as well.

Is there anyway to make the exclusion rule 'override' the inclusion rule?

by (510 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

The thing is that if an AD object is included in a Business Unit by one membership rule and excluded by another, membership is determined by the priority of these rules. In your case, a Query Result rule has lower priority and is ignored. You can find more information on Membership Rule priority in the http://www.adaxes.com/help/?BusinessUni ... rview.html help article.

To get around the issue, you can create a single Membership Rule that would specify both the criteria for including the objects and the criteria for excluding them. For example:

  • You can use a rule of the Query Results type with the following LDAP query filter:
    (&(sAMAccountType=805306368)(memberOf=CN=Contractors,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    This query will include enabled users who are direct members of the Contractors group. However, if certain non-employee accounts are members of the Contractors group via membership in other groups, this query filter will not include them.
  • If non-employee accounts can be defined via a certain attribute of their user accounts (for example, Employee Type), you can use a rule of the Query Results type with the following LDAP query filter:
    (&(sAMAccountType=805306368)(|(employeeType=Contractor)(employeeType=Temp))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    This query looks for enabled user accounts of the specified type (for example, Contractor or Temp).

If none of the solutions works for you, can you describe your situation in more detail? How are you going to use the Business Unit? Are there any other ways to determine non-employees besides membership in the Contractors group?

Related questions

0 votes
1 answer

Hello, I've setup an Business Rule with trigger after creating user object. I deal inside with multiple types of objects (Employee-, Shared Mailbox-, Admin-Accounts,..), ... and screenshot about my current config. thank a lot in advanced best regards R.Aich

asked May 16, 2022 by R.Aich (20 points)
0 votes
1 answer

Hello Adaxes team, We experienced a problem this week-end with a scheduled task that rely on AccountExpires field. It check the property in that way : if 'Account Expires' ... ). That should be corrected in my opinion, i'm waiting for yours Regards Stephen

asked Mar 26, 2012 by sroux (800 points)
0 votes
1 answer

Hi Because we are in the process of integrating a new company, we need to create their new users in their old domain and then migrate across using ADMT. Once migrated, ... running. Would the business rules be classed as part of the scheduled task? Thanks Matt

asked Sep 11, 2017 by chappers77 (2.0k points)
0 votes
0 answers

We have an inactive user task which runs daily that disables accounts after 30 days of inactivity. We had an example yesterday of a user account which had been disabled ... Are you able to provide any explanation of how this could have happened? Regards Andy

asked Sep 12, 2017 by Andy_W (40 points)
0 votes
1 answer

I've adapted a RegEx to normalize phone numbers, source: http://www.regexplanet.com/cookbook/pho ... index.html. Import-Module Adaxes $identity = "%sAMAccountName%" $mobileNumber = ' ... 555-5555, adaxes returned +1+1 (888) 555-5555. Any guidance on this?

asked Dec 20, 2014 by polley (1.2k points)
3,589 questions
3,278 answers
8,303 comments
548,122 users