0 votes

This may be a stupid question but I'm looking to create an approval process for users being added to sensitive AD groups such as the domain admins group.

How would I set up the business rule?

My thought is to use the "Before User is Updated" operator which is simple enough but not sure which condition to use especially since the condition is based on changes that have not yet happened...

by (610 points)

1 Answer

0 votes
by (216k points)

Hello,

Actually, you need the Before adding a member to a Group condition. To accomplish your task:

  1. Create a new Business Rule.
  2. On the 2nd step of the of the Business Rule creation wizard, select Group and Before Adding a member to a Group.
  3. On the 3rd step of the wizard, add the Send this operation for approval action.
  4. On the 4th step of the wizard, you can limit the Activity scope of the Business Rule to only the groups that you need. Click Add...
  5. In the Business Rule Activity Scope dialog that appears, select a group you want to create the approval process for and double-click it.
  6. In the Assignment Options dialog that appears, select This Group object if you want approvals to be sent for adding members to this group. Select also Members of this Group, if you also want the Business Rule to be applicable to other groups nested within this group.
  7. Repeat steps 4-6 for as many groups as you want and save the Business Rule.

That should do the job.

0

Like I said I thought it was a stupid question, turns out it was. Obviously wasn't looking in the right place. Thanks again!

Related questions

0 votes
1 answer

When a new user account is created by copying an existing one, is it possible to prevent the new account from becoming a member of security groups in a specific OU (when the ... same way as the account being added to the group, which I need for audit purposes.

asked Sep 28, 2020 by markcox (70 points)
0 votes
1 answer

Can you please advise on the best way to do this? We have a forest with four domains. In one of those domains we keep consultants, partners, and vendors (lets call ... Adaxes users from adding users from Domain X to any groups outside of Domain X. Thanks

asked Jan 29, 2013 by jiambor (1.2k points)
0 votes
1 answer

Hi there, i know the multiple ways of copying the user groups - or all of them within the user creation wizard. I want to copy only a couple of groups ... is it possible to create an approval operation out of an powershellscript? Kind regards, Constantin

asked May 27, 2021 by Constey (190 points)
0 votes
1 answer

I need a specific user, when requesting another user to join a group, to have an approval sent to the AD management team. I tried to create a "Business Rule", but I'm getting an "Access Denied" error. Any idea what this could be?

asked Aug 20 by fgmello (40 points)
0 votes
1 answer

I have tried it using the Custom Commands Action "Add the user to a group", which only allows me to add the user to one group at a time, and can't use the multiple DNs that the ... I can't get it to work. Could you assist me in finding the best way to do this?

asked Jan 16 by dominik.stawny (280 points)
3,589 questions
3,278 answers
8,303 comments
548,130 users