0 votes

We are currently looking for a way to load balance between select security groups, doing this either by filling each group to "x" users and then moving to the next, or by adding 1 user at a time until each group is full at "x" users.

Example:

  • creating 38 users
  • 3 groups to load balance
  • Group 1 (10 users)
  • Group 2 (10 users)
  • Group 3 (8 users)
by (180 points)
0

Hello,

It can be done by using a script in your business rule triggering After creating a user. The script will directly add the new user to the corresponding group taking the limit into account. For us to provide you with the script, please, specify the following:

  • Should users be added to the groups in an exact predefined order?
  • What should be done if all the groups are already filled and another user gets created?
  • Should the limit be the same for all the groups?

Any additional details and live examples of the desired behavior will be much appreciated.

0

Should users be added to the groups in an exact predefined order? I would like the option of attempting to keep all groups at the same amount of users,

and another option of filling the groups to x users and then moving to the next group.

What should be done if all the groups are already filled and another user gets created?

Preferably create a new group following the naming convention "Group #+1".

Should the limit be the same for all the groups? Yes.

0

Hello,

I would like the option of attempting to keep all groups at the same amount of users

You will be specifying the groups in the script. It will attempt to add the user to each group in the exact order as the groups are specified. If the group already has the predefined number of members, the script will switch to the next group.

Preferably create a new group following the naming convention "Group #+1"

How should the location of the new group be determined? Will it always be the same?

What should the group type and scope be?

0

How should the location of the new group be determined? Will it always be the same?

What should the group type and scope be?

Ideally this will be the same as the groups it's coming from. In most cases this is a security group, but in our other clients it's a distribution group. However, it will always be the same as the group before it. If it needs to be specified, it is preferably a global security group.

0

Hello,

Thank you for the provided details. Unfortunately, there will be no possibility to predefine the groups and their order. You will only be able to specify the distinguished name (DN) of the OU where the groups are located. As such, the exact naming convention for new groups is required. Please, post here or send us (support@adaxes.com) multiple examples of the group DNs. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.

0

We have actually decided that we want the entire user creation to fail if they cannot be added to a group. We would also like an email if the last group has reached "x" users. Is this possible?

0

Hello,

Yes, it is possible. Finally, the workflow will be as follows:

  • A business rule triggering Before creating a user will execute a PowerShell script. The script will check the groups from a predefined list. If there is no group that has available member slots, user creation will be cancelled.
  • A business rule triggering After creating a user will execute a PowerShell script. The script will add the user to the first predefined group that has not reached the members limit. If all the groups reach the limit after adding the group, an email notification will be sent.

If the approach meets your needs, please, provide us with a live example of the email notification that should be sent in the second business rule. You can post it here or email at support@adaxes.com.

0

We would like it to say

Team,

User creation failed due to all TS security groups being full.

If possible we would also like the Subject line to be Urgent "companyname" user creation failed.

0

Hello,

Should the company name be taken from the properties of the user account or it should always be the same?

0

It should be taken from the properties of the user account.

1 Answer

0 votes
by (289k points)

Hello,

Thank you for all the provided details. As we mentioned, the workflow will include two business rules. One will trigger Before creating a user and the other After creating a user. Below are the instructions for creating both.

i. Creating the business rule triggering Before creating a user

  1. Launch Adaxes Administration console.

  2. In the Console Tree, right-click your service node.

  3. In the context menu, navigate to New and click Business Rule.

  4. On step 2 of the Create Business Rule wizard, select the User object type.

  5. Select Before creating a user and click Next.

  6. Click Add an action.

  7. Select Cancel this operation.

  8. Specify a cancellation reason and click OK.

  9. Right-click the action you created and then click Add New Action.

  10. Select Send email notification.

  11. Complete the action parameters for sending the email notification in case all the groups are already filled. You can use value references in the texts. For example, to add the value of the user company property, use %company%.

  12. Click OK.

  13. Right-click the action you created again and then click Add Condition.

  14. Select If PowerShell script returns true.

  15. Paste the below script into the Script field. In the script:

    • $membersLimit - Specifies the maximum number of members groups can have.
    • $groupDNs - Specifies distinguished names (DNs) of the groups taking part in the workflow. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.

     $membersLimit = 5 # TODO: modify me
     $groupDNs = @("CN=Group 1,OU=Groups,DC=domain,DC=com", "CN=Group 2,OU=Groups,DC=domain,DC=com") # TODO: modify me
    
     $Context.ConditionIsMet = $True
    
     foreach ($groupDN in $groupDNs)
     {
         # Bind to the group
         try
         {
             $group = $Context.BindToObjectByDN($groupDN)
         }
         catch
         {
             $Context.LogMessage("Group with DN $groupDN does not exist.", "Information")
             return
         }
    
         # Get group members
         try
         {
             $groupMembers = $group.GetEx("adm-DirectMembersGuid")
         }
         catch
         {
             $groupMembers = @()
         }
    
         # Check if group reached the members limit
         if($groupMembers.Length -lt $membersLimit)
         {
             $Context.ConditionIsMet = $False
             return
         }
     }

  16. Enter a short description and click OK.

  17. Click Next and finish creating the business rule.

ii. Creating the business rule triggering After creating a user

  1. Launch Adaxes Administration console.

  2. In the Console Tree, right-click your service node.

  3. In the context menu, navigate to New and click Business Rule.

  4. On step 2 of the Create Business Rule wizard, select the User object type.

  5. Select After creating a user and click Next.

  6. Click Add an action.

  7. Paste the below script into the Script field. In the script:

    • $membersLimit - Specifies the maximum number of members groups can have. Must be the same as $membersLimit in the script executed in the business rule created in part i.
    • $groupDNs - Specifies distinguished names (DNs) of the groups taking part in the workflow. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject. Must be the same as $groupDNs in the script executed in the business rule created in part i.
    • $to - Specifies the recipient of the email that will be sent if all groups are full after adding the user.
    • $subject - Specifies the subject of the email that will be sent if all groups are full after adding the user. You can use value references in the subject. For example, to add the value of the user company property, use %company%.
    • $body - Specifies the body of the email that will be sent if all groups are full after adding the user. You can use value references in the body. For example, to add the value of the user company property, use %company%.

     $membersLimit = 5 # TODO: modify me
     $groupDNs = @("CN=Group 1,OU=Groups,DC=domain,DC=com", "CN=Group 2,OU=Groups,DC=domain,DC=com") # TODO: modify me
    
     # Mail settings
     $to = "recipient@domain.com" # TODO: modify me
     $subject = "All TS security groups are full." # TODO: modify me
     $body = @"
     All TS security groups are full.
     "@ # TODO: modify me
    
     # Add user to a group
     $addToGroup = $True
     $sendMail = $True
     foreach ($groupDN in $groupDNs)
     {
         # Bind to the group
         $group = $Context.BindToObjectByDN($groupDN)
    
         # Get group members
         try
         {
             $groupMembers = $group.GetEx("adm-DirectMembersGuid")
         }
         catch
         {
             $groupMembers = @()
         }
    
         # Check if group reached the members limit
         if ($groupMembers.Length -lt $membersLimit)
         {
             if ($addToGroup)
             {
                 $group.Add($Context.TargetObject.AdsPath)
                 $addToGroup = $False
    
                 if (($groupMembers.Length + 1) -ge $membersLimit)
                 {
                     continue
                 }
             }
             $sendMail = $False
             break
         }    
     }
    
     # Send mail if all groups are full
     if ($sendMail)
     {
         $Context.SendMail($to, $subject, $body, $NULL)
     }

  8. Enter a short description and click OK.

  9. Click Next and finish creating the business rule.
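The asker's first option, keeping all groups at roughly the same number of members, is not covered by the scripts above. The following After creating a user script is an added example (not the support team's code) that picks the least populated group below the limit instead of the first group with free slots; it assumes the same $Context API, the same adm-DirectMembersGuid attribute and the same variables used in the scripts above.

```powershell
$membersLimit = 5 # TODO: modify me
$groupDNs = @("CN=Group 1,OU=Groups,DC=domain,DC=com", "CN=Group 2,OU=Groups,DC=domain,DC=com") # TODO: modify me
$to = "recipient@domain.com" # TODO: modify me
$subject = "All TS security groups are full." # TODO: modify me
$body = "All TS security groups are full." # TODO: modify me

# Count the direct members of every group that can be bound; log and skip the rest
$counts = @{}
foreach ($groupDN in $groupDNs)
{
    try { $group = $Context.BindToObjectByDN($groupDN) }
    catch
    {
        $Context.LogMessage("Group with DN $groupDN does not exist.", "Information")
        continue
    }
    try { $memberCount = $group.GetEx("adm-DirectMembersGuid").Length }
    catch { $memberCount = 0 }
    $counts[$groupDN] = $memberCount
}

# Pick the least populated group that still has a free slot (ties go to the first one in $groupDNs)
$target = $NULL
foreach ($groupDN in $groupDNs)
{
    if (-not $counts.ContainsKey($groupDN)) { continue }
    if ($counts[$groupDN] -ge $membersLimit) { continue }
    if (($NULL -eq $target) -or ($counts[$groupDN] -lt $counts[$target])) { $target = $groupDN }
}

if ($NULL -eq $target)
{
    $Context.LogMessage("No group with free member slots found.", "Information")
    return
}

$group = $Context.BindToObjectByDN($target)
$group.Add($Context.TargetObject.AdsPath)
$counts[$target] += 1

# Notify once the last free slot has just been used
$freeGroups = @($counts.Values | Where-Object { $_ -lt $membersLimit }).Count
if ($freeGroups -eq 0)
{
    $Context.SendMail($to, $subject, $body, $NULL)
}
```

The Before creating a user script from part i is still needed in front of this one, because this script only logs when no group has room and does not cancel the operation.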
