Autopopulate manager dropdown list in webinterface

Question

Hi!

I want to auto populate the Manager dropdown list (when HR is creating a new user) with the members of two different groups in our AD. Can this be done?

Best regards,

Kaj Lehtinen

Answer 1

Hello Kaj,

Yes, this can be achieved using a Business Rule triggering After Adding or removing a member from a Group. If a member is added/removed from one of the two groups that contain managers, the Business Rule will automatically update the list of possible values for the Manager property in a Property Pattern. To create the Business Rule:

1. Launch Adaxes Administration Console.

2. Right-click your Adaxes service node, navigate to New and click Business Rule.
   

3. On step 2 of the Create Business Rule wizard, select Group Object type.

4. Select After Adding or removing a member from a Group and click Next.
   

5. Click Add Action and select Run a program or PowerShell script.

6. Paste the script below into the Script field.

    $groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
    $isPropertyRequired = $True # TODO: modify me
    $patternName = "User Pattern" # TODO: modify me
   
    function SearchObjects($path, $filter, $properties, $searchInAllDomans)
    {
        $searcher = $Context.BindToObject($path)
        $searcher.SearchFilter = $filter
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.PageSize = 500
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        $searcher.SetPropertiesToLoad($properties)
        if ($searchInAllDomans)
        {
            $searcher.VirtualRoot = $True
        }
   
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            $searchResults = $searchResultIterator.FetchAll()
   
            return ,$searchResults
        }
        finally
        {
            # Release resources
            if ($searchResultIterator){ $searchResultIterator.Dispose() }
        }
    }
   
    $filter = New-Object "System.Text.StringBuilder"
    foreach ($dn in $groupDNs)
    {
        $group = $Context.BindToObjectByDN($dn)
        try
        {
            $guidsBytes = $group.GetEx("adm-DirectMembersGuid")
        }
        catch
        {
            continue
        }
   
        foreach ($guidBytes in $guidsBytes)
        {
            $guid = [Guid]$guidBytes
            [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
        }
    }
   
    # Search Property Pattern
    $propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
    $searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
        return
    }
    elseif ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")
        return
    }
   
    # Bind to the Property Pattern
    $pattern = $Context.BindToObject($searchResults[0].AdsPath)
   
    # Delete the item for the 'Manager' property
    foreach ($item in $pattern.Items)
    {
        if ($item.PropertyName -ieq "manager")
        {
            $pattern.Items.Remove($item)
            break
        }
    }
   
    if ($filter.Length -eq 0)
    {
        return # Groups have no members
    }
   
    # Get member DNs
    $memberDNs = @()
    $searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
    $searchResults | %%{$memberDNs += $_.Properties["distinguishedName"].Value}
   
    # Create a new item for the 'Manager' property
    $item = $pattern.Items.Create()
    $item.PropertyName = "manager"
    $item.IsPropertyRequired = $isPropertyRequired
   
    $constraints = $item.GetConstraints()
    $constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
    $constraint.AreValuesDenied = $False
    $constraint.Values = $memberDNs
    $constraints.Add($constraint)
    $item.SetConstraints($constraints)
   
    # Save the changes
    $item.SetInfo()
    $pattern.Items.Add($item)
   

7. Enter a short description and click OK.
   

8. Click Next and add the groups that contain managers to the Activity Scope of the Business Rule.
   

9. Finish creating the Business Rule.

You should have something like the following:

Comments

Success, now it started to happen stuff.

Thanks.

/kaj

---

Last question, can the adding of user to group or removal of user from group be assigned to a custom menu in the webinterface? I'm thinking to simplify everything as much as possible for our HR department (who will be doing this).

I'e one action/meny to select user and its automtically inserted into the right group, and one remove user action so that they just select the user to remove from the group.

If the above can be added as custom meny items (think its possible?) then we dont need to expose the wizard that shows all the groups in the second step to the HR departmet, or can we limit the scope for what groups the HR department can act upon?

Currently the HR manager is set as Manager of the two distribution lists.

/Kaj

---

Hello Kaj,

Have a look at the following tutorial: http://www.adaxes.com/tutorials_WebInte ... ctions.htm. You can use the Add to Group and Remove from Group actions.

---

Thanks,

Think I got the hang of it, although when making a custom action to remove users from specific group, I would like to show the members of the group, not all the AD members (as its shown by default).

/Kaj

---

Hello Kaj,

On step 3 of the guide for Remove from Group action, you can specify an LDAP filter for displayed users. You need to use the following LDAP filter: (memberOf=CN=Sales Managers,OU=Sales,DC=example,DC=com), where CN=Sales Managers,OU=Sales,DC=example,DC=com is the distinguished name of the group.