0 votes

This may be a stupid question but I'm looking to create an approval process for users being added to sensitive AD groups such as the domain admins group.

How would I set up the business rule?

My thought is to use the "Before User is Updated" operator which is simple enough but not sure which condition to use especially since the condition is based on changes that have not yet happened...

by (610 points)

1 Answer

0 votes
by (216k points)

Hello,

Actually, you need the Before adding a member to a Group condition. To accomplish your task:

  1. Create a new Business Rule.
  2. On the 2nd step of the Business Rule creation wizard, select Group and Before Adding a member to a Group.
  3. On the 3rd step of the wizard, add the Send this operation for approval action.
  4. On the 4th step of the wizard, you can limit the Activity scope of the Business Rule to only the groups that you need. Click Add...
  5. In the Business Rule Activity Scope dialog that appears, select a group you want to create the approval process for and double-click it.
  6. In the Assignment Options dialog that appears, select This Group object if you want approvals to be sent for adding members to this group. Select also Members of this Group, if you also want the Business Rule to be applicable to other groups nested within this group.
  7. Repeat steps 4-6 for as many groups as you want and save the Business Rule.

That should do the job.

0

Like I said I thought it was a stupid question, turns out it was. Obviously wasn't looking in the right place. Thanks again!
