Bypass Property Pattern for User(s)

Question

Is there a way I can bypass a property pattern for a set of users? For example we have an AP team that creates an account and want to restrict Job Title and Department to a managed list of entries however we have admins that we would like to be able to override that list.

Is there an easy way to do that?

Comments

my idea: Setup different actions and create object in two separeted OUs with own property patterns

---

Hello,

In this case, you just need to have multiple property patterns. The scope should only include a single OU per pattern.

---

Thanks everyone, I appreciate the discourse.

I was able to work around this by setting up web interfaces with a separate section and using renamed extensionAttributes and powershell.

Basically, on the web interface, I created a layout for the group of users who need to ovverride the property.

On the back end, I used extensionAttribute1 named "Job Title (Override)" with a condition that if X updates that field, to then run a powershell script that basically runs Set-ADUser. This bypasses the global properties.

and on the Web Interface side I created "Organization (Managed)" which is the global property and "Organization" containing "Job Title (Override) to bypass the global properties.

Hope this helps everyone in the future!

---

Hello,

Pay attention, that your script bypasses all Adaxes functionality. There will be no log records created and business rules will not trigger. If that is not a requirement, you can just use the Update the user action like you have for clearing the extension attribute.

Also, it is not a good idea to use extension attributes this way as they are dedicated to Exchange. You can use one of Adaxes custom attributes (e.g. CustomAttributeText1).

---

Yes, you are correct but Microsoft confirmed in multiple forum posts that it is safe to use these as they are intended for such purposes, but you should know your directory before using them. I agree anyone using this method to use CustomAttributeText1.

I did attempt to use the "Update the user" action as you suggested but it fails as it still checks the Global Property Pattern, the powershell way was the only way and as we have a robust Auditing system, it was not a concern.

---

Hello,

You can keep the script as is, but pay attention that in case users might face issues updating accounts. For example, if a field that has a value not allowed by a property pattern is on a modification form, there will be no way to save the updates without giving the property an allowed value.

---

Yes, that issue is the reason why we asked. We are currently in the processs of an HCM refresh and not all Job Titles are added to the system or formatted properly. We want to allow the supervisor of our Provision team to override the global properties until the title is added instead of waiting on an Admin to be available to update the system.

---

One remark from my end, as I used the native AD commands in past as well and had sometimes issues with them

Use instead the Adaxes commands:

Set-ADMUser -Identity x -Title y -AdaxesService localhost/servername

---

Hello,

This is exactly what they are trying to avoid as it will fail due to setting unallowed values. As such, using AD cmdlets is the only option.

Answer 1

Hello,

Unfortunately, there is no such possibility. Property patterns apply based on the specified scope. There is no way to bypass a property pattern based on the initiator.