0 votes

Hello,

I have a lot of rule-based groups which are updated every day at 5 a.m.

  1. but now I would like to change the synchronization time for all groups, for example to update every evening at 6 o'clock, or every 12 hours. How can I change this for all groups so that I don't have to edit all groups individually?
  2. and is it possible that the groups are updated as soon as a new user is created? so that I don't have to wait until 6 o'clock every evening for the groups to be added to the new user? Or can a custom command be created which updates all groups when executed?

Many thanks for your help! D.

by (300 points)

1 Answer

0 votes
by (289k points)

Hello,

> How can I change this for all groups so that I don't have to edit all groups individually?

Do we understand correctly that you want to update all the existing rule-based groups schedule with the same time? If that is correct, it can be done using a custom command and a script. The script will search for rule-based groups and update them altogether. The following article will be helpful: https://www.adaxes.com/sdk/IAdmGroup2.

> and is it possible that the groups are updated as soon as a new user is created?

It can only be done using a script. You can execute it in a business rule triggering After creating a user. The script will bind to the corresponding groups and execute method UpdateMembershipNow as described in the article we referenced above.

0

This is excellent, I never found this documentation.

So this code is to update the members of the groups:

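```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the group
$groupDN = "CN=My Group,OU=Groups,DC=company,DC=com"
$group = $service.OpenObject("Adaxes://$groupDN", $null, $null, 0)

# Initiate group membership update
$group.UpdateMembershipNow()
```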

Is there a way to update all rule-based groups so that I don't have to specify each group individually with $groupDN? I have the same question for the script that customizes the MembershipUpdateSchedule.

0

Hello,

As we mentioned in the previous post, it can be done using a script. The script will find all rule-based groups, bind to them one-by-one and execute the UpdateMembershipNow method. The following SDK article should be helpful about the search part: https://www.adaxes.com/sdk/IAdmDirectorySearcher.

0

I'm sorry, but I don't understand how I can define $groupDN so that all rule-based groups are updated. I searched on the IAdmDirectorySearcher page and couldn't find anything about it, I don't understand all the stuff there. I have tried with a custom command and a DN of a group, so the script works, but it is impossible for me to customize the script to update all rule-based groups.

0

Hello,

As we mentioned in the previous post, you need to execute a search and then use its results to bind to groups and initiate membership update. You can use the below script. It can be executed in a business rule, custom command or scheduled task. The type of target object does not matter for the script.

```powershell
# Search parameters
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "group" {membershipType -eq "rule-based"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    foreach ($searchResult in $searchResults)
    {
        # Update group membership
        $group = $Context.BindToObjectBySearchResult($searchResult)
        $group.UpdateMembershipNow()
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
```

0

That's great, thank you very much! Just to finalise the code, how can I specify an OU as a restriction for the search so that not all OUs have to be searched?

0

Hello,

You will need to specify the DN of the OU in the script and then make the OU base for search. Finally, you should have something like below. For details on how to get an object DN, see https://www.adaxes.com/sdk/HowDoI.GetDnOfObject.

```powershell
$ouDN = "OU=My OU,DC=company,DC=com" # TODO: modify me

# Search parameters
$searcher = $Context.BindToObjectByDN($ouDN)
$searcher.Criteria = New-AdmCriteria "group" {membershipType -eq "rule-based"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    foreach ($searchResult in $searchResults)
    {
        # Update group membership
        $group = $Context.BindToObjectBySearchResult($searchResult)
        $group.UpdateMembershipNow()
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
```

0

I now have one last question (hopefully). I have now set the script so that it is always executed after an update group. As it is correct, it is now executed as soon as a group is updated. However, if I update several groups at the same time, then the script is also executed x times. Is it possible that as soon as one or more groups are updated, the script is executed ONE time after one minute? So like: I update 10 groups, after 1 minute the script is executed one time and not 10 times.

0

Hello,

Unfortunately, there is no such possibility using a business rule triggering After updating a group like you currently have. It will always trigger separately for each group update. As a solution, you can have a custom command with the script and manually execute it whenever required.

0

Okay, then I will trigger it another way. I have found the following code to add a user to a rule-based group:

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the group
$groupDN = "CN=My Group,OU=Groups,DC=company,DC=com"
$group = $service.OpenObject("Adaxes://$groupDN", $null, $null, 0)

# Add membership rule for user 'John Smith'
$userDN = "CN=John Smith,CN=Users,DC=company,DC=com"
$user = $service.OpenObject("Adaxes://$userDN", $null, $null, 0)
$rules = $group.MembershipRules
$includeRule = $rules.Create("ADM_BUSINESSUNITMEMBERSHIPTYPE_SPECIFIC")
$includeRule.Exclude = $false
$includeRule.Object = $user
$rules.Add($includeRule)
$group.MembershipRules = $rules

# Save the changes
$group.SetInfo()
```

Can the code be customised to add all users of a group? If so, is it also possible to add multiple rules? In other words, is it possible to add a script that adds the following rule (members of groups): image.png

0

Hello,

Yes, it is possible. However, we are not sure what exactly your goal is. You can do all that manually in the Web interface without using any scripts. Also, it does not initiate membership update, only adds membership rules.

0

Could you tell me what the script should look like?

To explain, we are currently customising all groups and implementing them on a rule-based basis. Since many groups have the same criteria, it would save me time if I could do this with a script.

0

Hello,

Thank you for clarifying. Do you want to execute the script in Adaxes (e.g. using a custom command) or in Windows PowerShell?

0

I will run the scripts in Adaxes.

0

Hello,

Thank you for the confirmation. You can find the script below. It should be executed in Adaxes using a custom command, business rule or scheduled task configured for the Group object type. In the script, the $groupDNs variable specifies distinguished names (DNs) of the groups to add membership rules for. For details on how to get an object DN, see https://www.adaxes.com/sdk/HowDoI.GetDnOfObject.

The schedule is set to update membership hourly. If you want to change it, have a look at the following article: https://www.adaxes.com/sdk/IAdmGroup2/#MembershipUpdateSchedule_details.

```powershell
$groupDNs = @("CN=Group 1,OU=Groups,DC=company,DC=com", "CN=Group 2,OU=Groups,DC=company,DC=com") # TODO: modify me

# Check membership type
$membershipType = $Context.TargetObject.MembershipType

if ($membershipType -ne "ADM_GROUPMEMBERSHIPTYPE_RULEBASED")
{
    $Context.TargetObject.MembershipType = "ADM_GROUPMEMBERSHIPTYPE_RULEBASED"
}

# Specify membership update schedule
$recurrencePattern = New-Object "Softerra.Adaxes.Adsi.AdmRecurrencePattern"
$recurrencePattern.RecurrenceType = "ADM_RECURRENCEPATTERNTYPE_HOURLY"
$recurrencePattern.Interval = 2
$Context.TargetObject.MembershipUpdateSchedule = $recurrencePattern

# Set membership rules
$rules = $Context.TargetObject.MembershipRules

foreach ($groupDN in $groupDNs)
{
    $includeRule = $rules.Create("ADM_BUSINESSUNITMEMBERSHIPTYPE_GROUP")
    $includeRule.IncludeDirectMembersOnly = $True
    $includeRule.Group = $Context.BindToObjectByDN($groupDN)
    $rules.Add($includeRule)
}
$Context.TargetObject.MembershipRules = $rules

# Save the changes
$Context.TargetObject.SetInfo()
```

0

That's great, thank you very much. What if I need to add another query? Say $groupDNs remains as it is, but I only want all English-speaking members, i.e. preferred language is EN. So that would be the rules: image.png

And how can I set the "look in (OU)" of the query?

thx a lot

0

Hello,

You will need to create a membership rule of the Query results type (i.e. ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY) and fill it with the required criteria. The following article will be helpful: https://www.adaxes.com/sdk/IAdmBusinessUnitQueryRule.

0

like this?

```powershell
# Include users by Query Rule
$rule = $rules.Create("ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY")
$rule.BaseObjectDnTemplate = "%adm-ParentDN%"
$rule.Exclude = $false
$rule.Scope = "ADS_SCOPE_SUBTREE"
$criteria = New-AdmCriteria "user" {directMemberOf -eq $groupDN -and preferredLanguage -eq "EN"}
$rule.SetCriteria($criteria)
$rules.Add($rule)
```

how can I set the OU where the query should search the groups and members?

0

Hello,

You can use the BaseObjectPath or BaseObjectDnTemplate property.

0

top thx
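The first question in the thread (one schedule for every rule-based group) is answered only in outline, so here is an added example that combines the search script and the schedule snippet posted above; it is not code from the thread or from Adaxes support. It assumes that `Interval` counts hours under the hourly pattern, and it uses `$Context.LogMessage` and the search result's `AdsPath` property, which do not appear in the thread.

```powershell
# Added example; runs inside Adaxes, where $Context is supplied by the service.
$intervalHours = 12  # assumption: Interval counts hours under the hourly pattern
$ouDN = $null        # optional, e.g. "OU=My OU,DC=company,DC=com", to limit the search

# Search the whole directory, or only one OU when $ouDN is set
if ($ouDN)
{
    $searcher = $Context.BindToObjectByDN($ouDN)
}
else
{
    $searcher = $Context.TargetObject
    $searcher.VirtualRoot = $True
}
$searcher.Criteria = New-AdmCriteria "group" {membershipType -eq "rule-based"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$updated = 0; $failed = 0
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    foreach ($searchResult in $searchResultIterator.FetchAll())
    {
        try
        {
            # Same schedule object type as in the thread, built per group
            $recurrencePattern = New-Object "Softerra.Adaxes.Adsi.AdmRecurrencePattern"
            $recurrencePattern.RecurrenceType = "ADM_RECURRENCEPATTERNTYPE_HOURLY"
            $recurrencePattern.Interval = $intervalHours
            $group = $Context.BindToObjectBySearchResult($searchResult)
            $group.MembershipUpdateSchedule = $recurrencePattern
            $group.SetInfo()
            $updated++
        }
        catch
        {
            # Keep going: one group that cannot be saved must not block the rest
            $failed++
            $Context.LogMessage("Schedule not changed for $($searchResult.AdsPath): $($_.Exception.Message)", "Warning")
        }
    }
}
finally
{
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}
$Context.LogMessage("Schedule set on $updated rule-based group(s), $failed failed.", "Information")
```

Because rule-based membership decides who holds the access a group grants, the failure count in the execution log is worth reviewing after each run: a group that kept its old schedule will add and remove members later than the rest.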
