Business Rule not triggered when action is done by script

Question

I have created a Business Rule (call it BR1) that occurs “After adding or removing a member from a group”. For testing purposes, it currently runs a PowerShell script that only logs a message, nothing more. The Activity Scope of BR1 is a particular Group (call it G1); both for the group itself and its members (not “direct members only”). The idea is that any membership change in G1 or any of its sub-groups triggers BR1.

This works fine in the Console (and presumably in the Web Interface too): when you add a new member to G1, either a user or a group, BR1 triggers and the message appears in the log. If you remove a member from G1, either a user or a group, BR1 triggers and the message appears in the log. This applies even to members that are more than one level deep, i.e. inside a sub-group that is a member of G1. This is exactly what I want!

Unfortunately, when I attempt to remove a member using a Custom Command that runs a PowerShell script, BR1 is not triggered. More details:

• In the Console, navigate to G1 and use the right-click menu to choose All Tasks > CC.
• The CC has a hard-coded group that it removes (just for testing). It calls “$Context.TargetObject.Remove($group.AdsPath)” to do the work. Note that there is more code in that script to populate $group, but that line is the heart of it.
• The CC succeeds, the group is removed from the parent as expected.
• However, BR1 never runs, there is no log message.

I tried some variations:

1. Instead of calling Remove() in the script, I invoked the Remove-AdmGroupMember cmdlet. This worked, but did not trigger BR1.
2. As per https://www.adaxes.com/questions/13571/business-rule-being-trigger-adsi-context-command-group-member, I tried binding the group using “$Context.BindToObjectByDNEx()”, but this made no difference: although the group was removed as expected, BR1 was not triggered.
3. Instead of using a PowerShell script CC, I created a CC that calls the built-in “Remove this group from another group” with a parameter to choose the parent group. This did trigger BR1 when it was run.

It seems that removing a member from a group from within a PowerShell script bypasses the Business Rule I created. Is this expected behavior? Or am I doing something wrong?

Answer 1

Hello Alex,

This behavior is by design as your scripts bypass Adaxes pipeline. For the business rule to trigger, you can use one of the below approaches:

Using the $Context variable

$group = $Context.BindToObjectByDNEx("%distinguishedName%", $True)
$group.Remove($memberAdsPath)

Using the Remove-AdmGroupMember

Remove-AdmGroupMember -Identity DocumentReaders -Members WilsonPais -AdaxesService localhost

Comments

As I mentioned in variation point 2, I did in fact try this. However, when I carefully compared my code with your suggestion, I noticed that you were calling BindToObjectByDNEx() on the parent group, not on the member group. So I modified my Custom Command as follows:

$groupDN = Get-AdmGroup -Filter 'Name -eq "role_AlexTest21"'
if ($groupDN) {
    $group = $Context.BindToObjectByDN($groupDN)
    $parentGroupDN = $Context.TargetObject.Get("DistinguishedName")
    $parentGroup = $Context.BindToObjectByDNEx($parentGroupDN, $True)
    $parentGroup.Remove($group.AdsPath)
}

This worked! The BR is now being triggered.

Note that just using $Context.TargetObject.Remove() in the script was failing to trigger the BR, presumably because that variable bypasses the Adaxes pipeline. By rebinding using the "Ex" version of the function, the object reference is now in the pipeline, and calling Remove() on it works as expected.