0 votes

Hi Forum,

I have another quick question. There's a Business Rule with an Approval on Adding Users to certain Groups. Is it possible to trigger this Business Rule when adding a user to that group scope from a Powershell script (add-admgroupmember ...)?

Thanks for your Help
Cheers

by (650 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

The same as other cmdlets from Adaxes PowerShell module for Active Directory, Add-AdmGroupMember can work in 2 modes: it can make changes either directly in AD or via Adaxes service. When Adaxes service is involved, you benefit from all Adaxes workflow features, such as, for example, Business Rules, Property Patterns or logging.

To perform an operation via an Adaxes service, pass the service you need in the -AdaxesService parameter, for example:

Add-AdmGroupMember MyGroup user1,user2,user3 -AdaxesService localhost
0

Thanks a lot. I was missing the -Adaxesservice.

As you can see, i wan't to trigger a Businessrule through a different business rule.

The First Business Rule execute add-admgroupmember and the second one send this for approval. But in the second business rule i don't have the initiator. This means i can't see the Initiator in the approval request. Is it possible to work around this?

Again - thanks a lot

0

Hello,

To resolve the issue, use ADSI interfaces for adding members to the group. For example, you can use the following code:

$groupPath = "Adaxes://adaxesserver.example.com/CN=My Group,CN=Users,DC=example,DC=com"

$group = $Context.BindToObjectEx($groupPath, $true)

try
{
    $group.Add($Context.TargetObject.AdsPath)
}
catch [System.Runtime.InteropServices.COMException]
{
    if ($_.Exception.ErrorCode -eq "-2147483638")
    {
        $groupName = $group.Get("name")
        $Context.LogMessage("A request was made to add the user to group $groupName. The request is pending approval.", "Information")
    }
    else
    {
        throw $_.Exception
    }
}

where $groupPath is the ADS path of the group you want to add a member to.

0

Thanks for your answer. Also with the ADSI interface the initiator is the Adaxes Serviceaccout because it's triggere from a businessrule. is it possible to save the original initiator somewhere?

The background of this question is: I have a User Interface where i don't wan't to display the AD Structure to the users. So they have a Command on their Website, Request Rights. In this Command they can Modify adm-customattribute1-4 (with predefined) values. The selected Values generates the Group they want to be a member of. This triggers the second business rule in which the request is generated.

But the manager of that group just sees the adaxes service account as initiator.

Thanks again

0

Hello,

Could you post here or send us screenshots of the actions/conditions of the Business Rules involved? If you want to send them by e-mail, use the following address: support[at]adaxes.com.

0

Hi Support,

do you have any new information? I already sent the requestet data.

Thanks for your help

0

Hi Support,

i worked around that issue. The main problem we had with the "wrong" initiator data was the email send to the approver. So I worked around that way:

1. Submit the request to a "dummy" user
2. Created a scheduled task that replaces the dummy user with the responsible manager in that request (this does not trigger an email). After the manager was replaced i build the mail on my own in powershell with all the information i need.

I have another question about this but i will open a new thred (with a different topic).

Thanks again and Cheers

Related questions

0 votes
1 answer

We have a business rule that will update an AD attribute when a new member is added to a group. This business rule works when we use powershell commands or the admin console ... set to trigger "After adding a member to a group". Thank you for your support!

asked Mar 29, 2023 by mark.it.admin (2.3k points)
0 votes
1 answer

We currently have a form for HR to deal with ex-employees that are hired once more, but it's not much more than automatic emails sent to IT. If I add some actions ... this trigger the business rule we have that targets "After updating a user" ? Thanks, Louis

asked Oct 18, 2022 by lw.fa (150 points)
0 votes
1 answer

My scheduled task currently: Checks for staff in a particular OU that do not have an O365 license Adds a license Resets their AD Password Moves them to an OU based off ... scheduled task moves them out of the OU that the business rule is looking at. Thanks

asked Apr 15, 2020 by russmerriman (40 points)
0 votes
1 answer

In a business rule, I'd like to pass Adaxes variables into a powershell script that I'll run. For example, pass %username% into the script so it can be used inside the script.

asked Sep 5 by P-Sysadmin (20 points)
0 votes
1 answer

Hi team, I need to update users extensionAttribute6 after adding or removing them from a specific group. This is my setup: Group is updated based on rule set within Adaxes ... would like to update users after they were added or removed from this group. Thanks!

asked Sep 25, 2023 by wintec01 (1.5k points)
3,589 questions
3,278 answers
8,303 comments
548,131 users