0 votes

Hello,

I have some AD Groups I would like to exclude from a business unit I'm using. I have standard group names across multiple OUs, some should be a part of the business unit, others should not.

The Membership rules specify that all children of the Customers OU should be included. Then I have an Exclude by Query to find all groups with Admin in the group name.

When I create the query it looks like this: (&(objectCategory=group)(cn=*Admin*))

When I click on the Affected Objects button I can see only the groups I want to exclude, I have the Exclude Specified Objects checkbox checked.

However when I apply the membership rule I can still see the groups under the business unit and the people using the web console can still see them.

I did try adding the specific groups to the business unit rather than using the query and that works but would be a lot harder to automate than simply having a working exclude query. Any thoughts on how I can get this working?

by (810 points)
0

I found my own answer here:

http://www.adaxes.com/help/?BusinessUni ... rview.html

The different methods for including objects in a business unit are ranked in priority. Query is the last priority method so my Container Children Membership rule on the top level OU was overriding my Exclude object Query. It would be neat if we could control priority by the order of the membership rules in the list.

To fix my problem I created a scheduled task to add all the groups matching the common naming scheme to a "HideObjectsFromSupport" AD Group and set a membership rule to exclude direct members of that group. It's not as dynamic as a query because my task only runs once or twice a day but it'll work.

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Thanks for your suggestion, but currently we are not planning anything like that.

By the way, actually you can create a Business Unit like you want. To do this:

  1. Create a new Business Unit.

  2. On step 2 of the Create Business Unit wizard, click Add.

  3. Select Query Results.

  4. Click the Select button associated with the Look in field.

  5. Select your Customers OU and click OK.

  6. In the Filter field, specify the following LDAP filter:

    (&(objectCategory=*)(!(|(&(objectCategory=group)(cn=*Admin*))(distinguishedName=OU=Customers,DC=example,DC=com))))

    where OU=Customers,DC=example,DC=com is the Distinguished Name (DN) of your Customers OU.

  7. Click OK, and then click Finish.

0

Oh wow that works way better. thanks!

Related questions

0 votes
1 answer

Hello, I want service desk to be able to select from the web interface only groups that are specified in a Business Unit. it is possible to do it (Adaxes 2009.1)? Thanks you.

asked Sep 2, 2020 by tentaal (1.1k points)
0 votes
1 answer

I'm trying to setup SelfService group management. We have multiple Forests. Because of the Forests we can't add users from a different forest to the ManagedBy. We can add a local ... end up getting all the groups a user is a memberof or nothing at all. :)

asked Jun 23, 2021 by ComputerHabit (790 points)
0 votes
1 answer

In the query portion of creating a business unit: Group Query Section $rules = $unit.GetMembershipRules() $rule = $rules.Create("ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY") $rule.Exclude = $false ... by. Sorry if this is specified somewhere, but I couldn't find it.

asked Jun 4 by ajmilic (100 points)
0 votes
1 answer

Hi there, I've created a Delete User feature in the Web Interface Configurator. I am trying to restrict object selection via a User Criteria. Need to exclude Service ... won't appear when selecting target user for the 'Delete User' feature. Thanks, David

asked Sep 19 by dshortall (80 points)
0 votes
1 answer

Dear colleagues, can you please advise if it is possible to create (and update reqularly) business unit of computer objects based on a query to external SQL DB (hostnames stored in SQL)? Thanks!

asked Dec 14, 2022 by Dmytro.Rudyi (920 points)
3,588 questions
3,277 answers
8,303 comments
548,092 users