0 votes

I have created a Business Rule (call it BR1) that occurs “After adding or removing a member from a group”. For testing purposes, it currently runs a PowerShell script that only logs a message, nothing more. The Activity Scope of BR1 is a particular Group (call it G1); both for the group itself and its members (not “direct members only”). The idea is that any membership change in G1 or any of its sub-groups triggers BR1.

This works fine in the Console (and presumably in the Web Interface too): when you add a new member to G1, either a user or a group, BR1 triggers and the message appears in the log. If you remove a member from G1, either a user or a group, BR1 triggers and the message appears in the log. This applies even to members that are more than one level deep, i.e. inside a sub-group that is a member of G1. This is exactly what I want!

Unfortunately, when I attempt to remove a member using a Custom Command that runs a PowerShell script, BR1 is not triggered. More details:

  • In the Console, navigate to G1 and use the right-click menu to choose All Tasks > CC.
  • The CC has a hard-coded group that it removes (just for testing). It calls “$Context.TargetObject.Remove($group.AdsPath)” to do the work. Note that there is more code in that script to populate $group, but that line is the heart of it.
  • The CC succeeds, the group is removed from the parent as expected.
  • However, BR1 never runs, there is no log message.

I tried some variations:

  1. Instead of calling Remove() in the script, I invoked the Remove-AdmGroupMember cmdlet. This worked, but did not trigger BR1.
  2. As per https://www.adaxes.com/questions/13571/business-rule-being-trigger-adsi-context-command-group-member, I tried binding the group using “$Context.BindToObjectByDNEx()”, but this made no difference: although the group was removed as expected, BR1 was not triggered.
  3. Instead of using a PowerShell script CC, I created a CC that calls the built-in “Remove this group from another group” with a parameter to choose the parent group. This did trigger BR1 when it was run.

It seems that removing a member from a group from within a PowerShell script bypasses the Business Rule I created. Is this expected behavior? Or am I doing something wrong?

by (60 points)

1 Answer

0 votes
by (294k points)

Hello Alex,

This behavior is by design as your scripts bypass Adaxes pipeline. For the business rule to trigger, you can use one of the below approaches:

Using the $Context variable

$group = $Context.BindToObjectByDNEx("%distinguishedName%", $True)
$group.Remove($memberAdsPath)

Using the Remove-AdmGroupMember

Remove-AdmGroupMember -Identity DocumentReaders -Members WilsonPais -AdaxesService localhost
0

As I mentioned in variation point 2, I did in fact try this. However, when I carefully compared my code with your suggestion, I noticed that you were calling BindToObjectByDNEx() on the parent group, not on the member group. So I modified my Custom Command as follows:

$groupDN = Get-AdmGroup -Filter 'Name -eq "role_AlexTest21"'
if ($groupDN) {
    $group = $Context.BindToObjectByDN($groupDN)
    $parentGroupDN = $Context.TargetObject.Get("DistinguishedName")
    $parentGroup = $Context.BindToObjectByDNEx($parentGroupDN, $True)
    $parentGroup.Remove($group.AdsPath)
}

This worked! The BR is now being triggered.

Note that just using $Context.TargetObject.Remove() in the script was failing to trigger the BR, presumably because that variable bypasses the Adaxes pipeline. By rebinding using the "Ex" version of the function, the object reference is now in the pipeline, and calling Remove() on it works as expected.

Related questions

0 votes
1 answer

I need a way of triggering a business rule based on the user (and not the group) being added or removed from a group. The reason I would like this triggered on the user is so ... prefer not to do that. I am checking to see if there is another way to do this.

asked May 16, 2023 by mark.it.admin (2.3k points)
0 votes
1 answer

We have a business rule that will update an AD attribute when a new member is added to a group. This business rule works when we use powershell commands or the admin console ... set to trigger "After adding a member to a group". Thank you for your support!

asked Mar 29, 2023 by mark.it.admin (2.3k points)
0 votes
1 answer

I have a Rule-Based group with users. Every time a users gets added or removed from this group I want to trigger a Business Rule for "Atter adding or removing a member ... Rules be triggered by a Rule-Based group adding or removing a user? Morten A. Steien

asked Mar 27, 2023 by Morten A. Steien (300 points)
0 votes
1 answer

The rule runs but since the first name and last name are passed as parameters, I only get the sequential # as a userID without the initials.

asked Oct 24 by curtisa (290 points)
0 votes
1 answer

Hi team, I need to update users extensionAttribute6 after adding or removing them from a specific group. This is my setup: Group is updated based on rule set within Adaxes ... would like to update users after they were added or removed from this group. Thanks!

asked Sep 25, 2023 by wintec01 (1.5k points)
3,588 questions
3,277 answers
8,303 comments
548,082 users