0 votes

Hi!

I want to auto populate the Manager dropdown list (when HR is creating a new user) with the members of two different groups in our AD. Can this be done?

Best regards,

Kaj Lehtinen

by (650 points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Kaj,

Yes, this can be achieved using a Business Rule triggering After Adding or removing a member from a Group. If a member is added/removed from one of the two groups that contain managers, the Business Rule will automatically update the list of possible values for the Manager property in a Property Pattern. To create the Business Rule:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Business Rule.

  3. On step 2 of the Create Business Rule wizard, select Group Object type.

  4. Select After Adding or removing a member from a Group and click Next.

  5. Click Add Action and select Run a program or PowerShell script.

  6. Paste the script below into the Script field.

     $groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
     $isPropertyRequired = $True # TODO: modify me
     $patternName = "User Pattern" # TODO: modify me
    
     function SearchObjects($path, $filter, $properties, $searchInAllDomains)
     {
         $searcher = $Context.BindToObject($path)
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
         $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.SetPropertiesToLoad($properties)
         if ($searchInAllDomains)
         {
             $searcher.VirtualRoot = $True
         }
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     $filter = New-Object "System.Text.StringBuilder"
     foreach ($dn in $groupDNs)
     {
         $group = $Context.BindToObjectByDN($dn)
         try
         {
             $guidsBytes = $group.GetEx("adm-DirectMembersGuid")
         }
         catch
         {
             continue
         }
    
         foreach ($guidBytes in $guidsBytes)
         {
             $guid = [Guid]$guidBytes
             [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
         }
     }
    
     # Search Property Pattern
     $propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
     $searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
     if ($searchResults.Length -eq 0)
     {
         $Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
         return
     }
     elseif ($searchResults.Length -gt 1)
     {
         $Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")
         return
     }
    
     # Bind to the Property Pattern
     $pattern = $Context.BindToObject($searchResults[0].AdsPath)
    
     # Delete the item for the 'Manager' property
     foreach ($item in $pattern.Items)
     {
         if ($item.PropertyName -ieq "manager")
         {
             $pattern.Items.Remove($item)
             break
         }
     }
    
     if ($filter.Length -eq 0)
     {
         return # Groups have no members
     }
    
     # Get member DNs
     $memberDNs = @()
     $searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
     $searchResults | ForEach-Object { $memberDNs += $_.Properties["distinguishedName"].Value }
    
     # Create a new item for the 'Manager' property
     $item = $pattern.Items.Create()
     $item.PropertyName = "manager"
     $item.IsPropertyRequired = $isPropertyRequired
    
     $constraints = $item.GetConstraints()
     $constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
     $constraint.AreValuesDenied = $False
     $constraint.Values = $memberDNs
     $constraints.Add($constraint)
     $item.SetConstraints($constraints)
    
     # Save the changes
     $item.SetInfo()
     $pattern.Items.Add($item)
    
  7. Enter a short description and click OK.

  8. Click Next and add the groups that contain managers to the Activity Scope of the Business Rule.

  9. Finish creating the Business Rule.

You should have something like the following:

0

Thanks,

Do I need to update these two?

$isPropertyRequired = $True # TODO: modify me
$patternName = "User Pattern" # TODO: modify me

0

Hello Kaj,

If the Manager property must not be empty in user accounts, set the $isPropertyRequired variable to $True. Alternatively, set the variable to $False.

The $patternName variable specifies the name of the Property Pattern in which to update possible values of the Manager property. Out of the box, there is only one Property Pattern configured for User Object type (User Pattern). If you want to update possible values of the Manager property in another Property Pattern, enter its name into the variable.

0

If the Manager property must not be empty in user accounts, set the $isPropertyRequired variable to $True. Alternatively, set the variable to $False.

Just to be sure here - we're not out to change the manager properties on the user account, but change the property pattern with list of managers from two groups.

The $patternName variable specifies the name of the Property Pattern in which to update possible values of the Manager property. Out of the box, there is only one Property Pattern configured for User Object type (User Pattern). If you want to update possible values of the Manager property in another Property Pattern, enter its name into the variable.

Tried the suggested rule, changed a user in one of the groups in question, but the property pattern (contents of the dropdown box on the website) didn't change accordingly when refreshing the page. How fast does the rule trigger, and does it trigger when a member is changed in ADUC or only in the Adaxes web interface?

0

Hello Kaj,

Just to be sure here - we're not out to change the manager properties on the user account, but change the property pattern with list of managers from two groups.

Yes, that is correct.

How fast does the rule trigger, and does it trigger when a member is changed in ADUC or only in the Adaxes web interface?

The Business Rule will trigger immediately if you add/remove members from one of the Groups included in the Activity Scope of the rule. Adaxes Business Rules trigger only if an operation is performed in Adaxes (Web Interface or Administration Console). If you add/remove members with ADUC, the Business Rule will not trigger.

0

OK, I've tried in the Adaxes web console also, but it doesn't update the property.

According to the log it detects the change of group membership, but no update of the property pattern.

Currently, under Property Patterns & Manager, we have set that the property is required and Must be one of the following values only, and until now we have kept updating the list manually. This is what we want to get rid of.

On the Business Rule itself & its Activity Scope, we have the two groups entered. But shouldn't it be the user that makes the change that should be in there, since the groups in question are already present in the PowerShell script?

0

So I think I am starting to understand this a bit more.

Our Property Pattern that we want to change is called Managers, so I set the $patternName variable to Managers; the property name in that Property Pattern is Manager.

Do we need to insert that somewhere in the script too, so the event knows what to change and where?

I've made the change to the $patternName variable, but still nothing happens. The log section of the Administration Console doesn't reflect anything more than the actual group membership change.

0

Hello Kaj,

Sorry for the confusion, we have provided an incorrect screenshot of the Business Rule Activity Scope. It has to be like the following:

But shouldn't it be the user that makes the change that should be in there, since the groups in question are already present in the PowerShell script?

No, the Business Rule triggers on updating members of the groups, not on updating the groups a user is a member of.

0

Success, now things have started to happen.

Thanks.

/kaj

0

Last question: can adding a user to a group or removing a user from a group be assigned to a custom menu in the web interface? I'm thinking of simplifying everything as much as possible for our HR department (who will be doing this).

I.e. one action/menu to select a user who is then automatically inserted into the right group, and one remove-user action so that they just select the user to remove from the group.

If the above can be added as custom menu items (I think it's possible?), then we don't need to expose the wizard that shows all the groups in the second step to the HR department. Or can we limit the scope of which groups the HR department can act upon?

Currently the HR manager is set as Manager of the two distribution lists.

/Kaj

0

Hello Kaj,

Have a look at the following tutorial: http://www.adaxes.com/tutorials_WebInte ... ctions.htm. You can use the Add to Group and Remove from Group actions.

0

Thanks,

I think I've got the hang of it, although when making a custom action to remove users from a specific group, I would like to show the members of the group, not all the AD members (as is shown by default).

/Kaj

0

Hello Kaj,

On step 3 of the guide for Remove from Group action, you can specify an LDAP filter for displayed users. You need to use the following LDAP filter: (memberOf=CN=Sales Managers,OU=Sales,DC=example,DC=com), where CN=Sales Managers,OU=Sales,DC=example,DC=com is the distinguished name of the group.
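Both filters on this page, the objectGUID disjunction the rule script builds through FilterBuilder and the memberOf filter for the Remove from Group action, depend on correct LDAP filter encoding. The following is an added example, not code from the answer or from Adaxes, that builds both in plain PowerShell with RFC 4515 escaping, so a group DN containing parentheses or an asterisk can neither break the filter nor widen the set of users it matches; the GUID and the group DN are constructed values.

```powershell
# Added example (not from the original answer or from Adaxes): build the two
# LDAP filters discussed above without the Adaxes API so the encoding can be
# inspected in a plain PowerShell session.

# RFC 4515 escaping for a string value placed inside an LDAP filter. A DN with
# an escaped comma (CN=Doe\, John) correctly becomes CN=Doe\5c, John in a filter.
# Non-ASCII characters are left as-is; AD accepts them as UTF-8.
function ConvertTo-LdapFilterValue([string]$value)
{
    $escapes = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $value.ToCharArray())
    {
        $key = [string]$ch
        if ($escapes.ContainsKey($key)) { [void]$sb.Append($escapes[$key]) }
        else { [void]$sb.Append($ch) }
    }
    return $sb.ToString()
}

# One (objectGUID=...) term for a GUID: the attribute is binary, so the value is
# the GUID's 16 raw bytes, each escaped as \xx. [Guid]::ToByteArray() yields the
# same byte order AD stores, so no manual reordering of the first three fields is needed.
function New-ObjectGuidFilter([Guid]$guid)
{
    $hex = ($guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    return "(objectGUID=$hex)"
}

# The complete filter the rule script runs against Adaxes://RootDSE:
# sAMAccountType=805306368 restricts the OR of GUID terms to user accounts.
function New-ManagerSearchFilter([Guid[]]$guids)
{
    $terms = ($guids | ForEach-Object { New-ObjectGuidFilter $_ }) -join ''
    return "(&(sAMAccountType=805306368)(|$terms))"
}

# The memberOf filter for the Remove from Group action, with the DN escaped.
function New-MemberOfFilter([string]$groupDN)
{
    return "(memberOf=$(ConvertTo-LdapFilterValue $groupDN))"
}

# Constructed sample input (hypothetical GUID and group DN).
$sampleGuids = @([Guid]'12345678-9abc-def0-1234-56789abcdef0')
New-ManagerSearchFilter $sampleGuids
New-MemberOfFilter 'CN=Sales Managers (EMEA),OU=Sales,DC=example,DC=com'
```

Compare the memberOf output with the raw DN to see why the parentheses must be escaped: unescaped, they would be parsed as filter syntax rather than as part of the group name.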
