0 votes

How would I define a "Group Manager" role that only allows the trustee to add direct users (not groups) to a managed group?

Thanks

by (950 points)

1 Answer

0 votes
by (18.0k points)
selected by
Best answer

Hello,

Unfortunately it is impossible to do it with the help of Security Roles. However, you can control the type of group members using Business Rules:

  1. Create a Business Rule that is triggered before adding a member to a group.

  2. Add Run a program or PowerShell script action to the Business Rule.

  3. Enter the following PowerShell script for the action:

     Import-Module Adaxes
     $Context.GetModifiedPropertyValues("member") |  Get-AdmObject | Foreach-Object { if ($_.ObjectClass -ne "user") {$Context.Cancel("Only users can be added to the group.")} }
    

    Please note: to use this script, you need to install the Adaxes PowerShell Module on the computer, where the Adaxes service is running. Adaxes PowerShell Module is installed with the same installation package as used to install Adaxes service.

  4. Add conditions for the action. For example:

For more details, please see Validate/Modify User Input Using a Script.

0

That is perfect. It works as expected. Thanks!

Related questions

0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
0 answers

I have applied a security role to a group at the top of a Business Unit Container and set it to apply to the subtree and it does, all Containers and Business Units do ... Unit. Did I apply the permissions wrong or is there some setting I need to change?

asked Aug 9 by ajmilic (100 points)
0 votes
1 answer

How can I grant read only rights for Configuration items in the Adaxes Admin Console?

asked Jan 26 by mark.it.admin (2.3k points)
0 votes
1 answer

What specific permission is needed in a security role to grant access to enable a user account?

asked Dec 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer

I only want to allow a security role to write 'user must change password at next logon' and not all options they have under 'Account Options'. The only permission I can see in ... ". I'd rather not assign permissions to all these settings if I don't have to.

asked Apr 6, 2021 by cfrazier (20 points)
3,589 questions
3,278 answers
8,303 comments
548,134 users