Adaxes

Business Unit LDAP Query of ManagedBy when ManagedBy is a group

0 votes

I'm trying to setup SelfService group management. We have multiple Forests. Because of the Forests we can't add users from a different forest to the ManagedBy. We can add a local security group and do group nesting of a global group from the other forest though.

I'm trying build an ldap query for a business unit that will list the groups a user is allowed to manage. Since it's a group that is in the ManagedBy I need to get that first then find if the user is a memberof that group and then have it display in the Business Unit.

I'm not great with LDAP and seem to be finding it difficult to build this kind of query if it's even possible.

Any suggestions would help.

Thank you.

Current Query for Business Unit, there are two different ones: (&(objectCategory=group)(managedBy=%distinguishedName%)) (&(objectCategory=group)(msExchCoManagedByLink=%distinguishedName%))

These get the manageBy if the DN of the user is a member. I'm having a hard time trying to figure out how to get the managedBy Group first then find if the users %distinguishedName% is a member of that group.

If seems like my queries end up getting all the groups a user is a memberof or nothing at all. :)

by (790 points)

1 Answer

0 votes
by (289k points)

Hello,

Unfortunately, there is no way to achieve the desired behavior using just a Query results membership rule with an explicit LDAP filter. You will need to store the filter for each user in their properties and use a value reference for the property in the business unit settings. For details, have a look at the following script from our repository: https://www.adaxes.com/script-repository/create-ldap-filter-to-find-all-objects-managed-by-user-s268.htm.

Related questions

0 votes
1 answer
Is it better to grant access via multiple OU and group assignments in the security role or use a business unit?

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
1 answer
Unable to exclude object from a Business Unit with Query

Hello, I have some AD Groups I would like to exclude from a business unit I'm using. I have standard group names across multiple OUs, some should be a part of the ... than simply having a working exclude query. Any thoughts on how I can get this working?

asked Mar 24, 2016 by drew.tittle (810 points)
0 votes
1 answer
Business Rule - 'After user updated' not triggered when the user is added to a group.

I need a way of triggering a business rule based on the user (and not the group) being added or removed from a group. The reason I would like this triggered on the user is so ... prefer not to do that. I am checking to see if there is another way to do this.

asked May 16, 2023 by mark.it.admin (2.3k points)
0 votes
1 answer
Is it possible to generate a report of all of the business rules carried out on a user when they are disabled?

I'd like to be able to either send an email report or export a CSV of all of the business rules carried out when a user is disabled. This would be ... Management Activity section but this includes things that weren't part of the disable operation. Thanks

asked Feb 19, 2020 by bavery (250 points)
0 votes
1 answer
Is there any way to add a warning when adding a group member that is already part of the group?

Is there any way to add a warning message when someone tries to add a group member that already is member? Checked config but found nothing related. Added a new member that ... the group and there is no warning, and the logs show that the task was completed.

asked Jul 9 by lramirez (20 points)
3,547 questions
3,238 answers
8,232 comments
547,809 users