
We have a need to only allow users into groups based on the employee type attribute. We have created a scheduled task today that scans AD every day at 9:00am and adds the desired group to the user account if missing; however, if the end user was added but is not in one of the authorized employee types, they stay in the group.

We are looking to change the task to scan all users and only allow the specified employee types to be added, and all else will be removed. Is the screenshot below an accurate way to achieve this? We would like to stop the user from even being added outside of this task altogether. Any ideas?


1 Answer

Best answer

Hello,

We are looking to change the task to scan all users and only allow the specified employee types to be added, and all else will be removed. Is the screenshot below an accurate way to achieve this?

The appropriate way to achieve what you want is to use a regular expression to check whether the user has to be a member of the group and validate the user's group membership.
To create the Scheduled Task:

  1. Launch Adaxes Administration Console.
  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
  3. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
  4. Click Add an action.
  5. Select Add the User to a group.
  6. In the Add the user to field, specify the group the user has to be added to.
  7. Click OK.
  8. Right-click the action you created and then click Add Condition.
  9. Select If <property> <relation> <value>.
  10. Select If Employee Type matches regexp and enter the following regular expression in the last field:
    ^(50301|50270|50230|50232|50210|50211|50220|50221|50280|50304|50303)$
  11. Click OK.
  12. Right-click the action you created and click Add Condition again.
  13. Select If is a member of <Group>.
  14. Select If the User is not a member of and specify the group the user has to be added to.
  15. Click OK.
  16. Right-click the set of actions and conditions you created and click Copy.
  17. Press Ctrl+V.
  18. In the Else If block, right-click the If Employee Type matches regexp condition and click Edit Condition.
  19. Select does not match regexp and click OK.
  20. Right-click the If is not a member of condition and click Edit Condition.
  21. Select If the User is member of and click OK.
  22. Right-click the Add the User to a group action and click Edit Action.
  23. Select Remove the User from a group.
  24. In the Remove the user from field, specify the group the user has to be removed from.
  25. Click OK.
  26. Click Next and finish creating the Scheduled Task. The task should look like the following:

We would like to stop the user from even being added outside of this task altogether. Any ideas?

To prevent users with inappropriate Employee Type from being added to a group, you need to use a Business Rule triggering Before Adding a member to a Group. In the rule, a script condition will check the member’s Employee Type. If the value of the Employee Type is absent in the list of allowed values, adding to the group will be cancelled. To create the Business Rule:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Business Rule.

  3. On step 2 of the Create Business Rule wizard, select Group Object type.

  4. Select Before Adding a member to a Group and click Next.

  5. Click Add an action and select Cancel this operation.
    Optionally, you can specify a Reason for the operation cancellation.

  6. Click OK.

  7. Right-click the action you created and click Add Condition.

  8. Select If PowerShell script returns true.

  9. Paste the following script into the Script field. In the script:

    • $attributeName – specifies the LDAP name of the property that stores a value for comparison (i.e. employeeType);
    • $employeeTypeValues – specifies the list of allowed values.
    $attributeName = "employeeType" # TODO: modify me
    $employeeTypeValues = @("50301", "50270", "50230", "50232", "50210", "50211", "50220", "50221", "50280", "50304", "50303") # TODO: modify me

    # Fail closed: the condition starts as True, so if the attribute cannot be
    # read below, the "Cancel this operation" action still fires.
    $Context.ConditionIsMet = $True
    $member = $Context.BindToObject("Adaxes://%member%")
    try
    {
        $value = $member.Get($attributeName)
    }
    catch
    {
        # The member has no employeeType set; leave the operation cancelled.
        return
    }

    # Cancel the add only when the Employee Type is not in the allowed list.
    $Context.ConditionIsMet = $employeeTypeValues -notcontains $value

  10. Click OK.

  11. Click Next and finish creating the Business Rule. You should have something like the following:
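As an added example (not part of the answer above or Adaxes' own documentation), the add/remove branches of the Scheduled Task can also be expressed as a single Run a PowerShell script action on each User object, reusing the same regular expression. It assumes $Context.TargetObject is the user being processed and that the bound group exposes the ADSI IsMember, Add and Remove methods; the group DN is a placeholder.

```powershell
# Added example: reconcile one user's membership in a single Scheduled Task script.
# Assumption: $Context.TargetObject is the user the task is currently processing.
$groupDN = "CN=Restricted Group,OU=Groups,DC=example,DC=com"   # TODO: placeholder, modify me
$attributeName = "employeeType"
# Same allow-list as the regular expression in step 10 of the task above.
$allowedPattern = "^(50301|50270|50230|50232|50210|50211|50220|50221|50280|50304|50303)$"

$user = $Context.TargetObject
$group = $Context.BindToObject("Adaxes://$groupDN")   # assumption: Adaxes:// path binding as in the Business Rule script

# Treat a missing employeeType as "not allowed" so the task fails closed,
# consistent with the Business Rule script cancelling the add when the attribute is absent.
try
{
    $employeeType = [string]$user.Get($attributeName)
}
catch
{
    $employeeType = ""
}

$allowed = $employeeType -match $allowedPattern
$isMember = $group.IsMember($user.AdsPath)            # assumption: ADSI IADsGroup::IsMember
$account = $user.Get("sAMAccountName")

if ($allowed -and -not $isMember)
{
    # Authorized employee type but not yet a member: add (Then branch of the task).
    $group.Add($user.AdsPath)
    $Context.LogMessage("Added $account (employeeType '$employeeType') to $groupDN", "Information")
}
elseif (-not $allowed -and $isMember)
{
    # Member without an authorized employee type: remove (Else If branch of the task).
    $group.Remove($user.AdsPath)
    $Context.LogMessage("Removed $account (employeeType '$employeeType') from $groupDN", "Warning")
}
# Any other combination is already in the desired state; nothing to do.
```

The Warning-level log entries give you a daily record of removals to review, which the GUI-built task does not produce on its own.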


We have an issue where this PowerShell script blocks ALL groups being added. We need it just to block the one group we are trying to monitor.


Hello,

If you need the Business Rule to prevent users with improper Employee Type from being added only to one specific group, the Activity Scope of the rule should include only this group. The Business Rule will look like the following:

If that is not what you need, please, provide us with all the possible details on the desired workflow.


Thank you, I feel silly; that worked. As always, you guys rock.
