0 votes

Hello,

I have a large number of groups, one for each branch in the company - named BR_%branchname%. We have staff move from branch to branch frequently, and need to update their group memberships to reflect the branch they are at. Currently we're using a batch script to facilitate this process.

For example:

MoveUser.bat %username% %source group% %destination group%

The problem with this approach is that every time we open a branch, or change the branch name, we need to update the script. With 100+ branches this becomes tedious. Also, being a batch script, the syntax is touchy and prone to mistyping or having to look up the name of the branch group.

I'd like to find a way to complete this process through Adaxes, preferably through the Admin or Helpdesk frontends.

Ideally, I'd like to have a process where the Helpdesk employee can search for a user, select 'Move' (or a Custom Command like Relocate Branch), then have a drop down menu of Source and Destination, with results filtered to only the Branch Groups listed, rather than every group in the AD structure. Once they select a destination, Adaxes would then move them from their current branch group (source) to the new group (destination).

I'm not really sure where to start with this request, and any help or insight would be appreciated.

Thanks,

Dan

by (170 points)

1 Answer

0 votes
by (216k points)

Hello Dan,

For this purpose you can create a Home Page Action that would allow your Helpdesk employees to add a user to one of the groups starting with BR_. Then, with a help of a Business Rule, you can check if the user belongs to other groups starting with BR_ and remove the user from those groups.

I. To create the Home Page Action:

  1. On the computer, where your Web Interface is installed, start the Web Interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface that you want to configure.
  3. Activate the General tab, select the Actions pane option, and click Configure Home Page Actions.
  4. In the Home Page Actions dialog that appears, click Add...
  5. On the 1st step of the Add Home Page Action wizard, Switch the radio button to Add to Group.
  6. On the 2nd step, specify the name for the Home Page Action, for example, Relocate Branch.
  7. On the 3rd step, select the Allow selecting only AD objects of specific types option and User.
  8. On the 4th step, uncheck the Allow multiple selection and Do not display available objects automatically options.
  9. Select the Allow selecting only AD objects that match the specific LDAP filter option.
  10. Specify the following LDAP filter: (name=BR_*).
  11. Click Finish.
  12. Click OK.

II. To create the Business Rule:

  1. Launch Adaxes Administration Console and create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select Group and After Adding a member to a Group.

  3. On the 3rd step, click Add Action.

  4. In the Edit Action dialog that appears, add the Run a program or PowerShell script action.

  5. In the Script area you need to add a script that would check if the user is already a member of a any groups starting with BR_ and remove the user from those groups.

    Here's an example of such a script:

     $newMemberDN = "%member%"
     $newMember = $Context.BindToObjectByDN($newMemberDN)
     try
     {
         $memberOf = $newMember.GetEx("memberOf")
     }
     catch
     {
         $Context.LogMessage($_.Exception.Message, "Error")
         return
     }
    
     foreach ($groupDN in $memberOf)
     {
         # Skip the new group
         if ($groupDN -ieq "%distinguishedName%")
         {
             continue
         }
         $group = $Context.BindToObjectByDN($groupDN)
         if ($group.Name -match "BR_*")
         {
             $group.Remove("Adaxes://$newMemberDN")
         }
     }
  6. When finished with the script, write a short description for it and click OK.

  7. Double-click Always.

  8. In the Add condition dialog that appears, select the If <property> <relation> <value> condition.

  9. Select If Group Name starts with and type BR_.

  10. Click OK and finish creation of the Business Rule.

0

That is awesome, and exactly what I was looking for. Thank you!

Am I right in assuming that

 # Skip the new group
    if ($groupDN -ieq "%distinguishedName%")
    {
        continue
    }

would allow me to whitelist a set of groups? For example, I have BR_Print, which allows access to a set of printers for all the branches. Could I change the above to

 # Skip the new group
    if ($groupDN -ieq "%distinguishedName%", "BR_Print")
    {
        continue
    }

and have the printer group remain, as well as the new BR group?

0

I have run into a problem. Is this a security issue or something like that? I have granted the account I'm doing testing with 'Write' permission over all objects.

0

Hello Dan,

First of all, the script from my previous post was missing some error handling code. I've updated it.

As to the error that you get, the account that you are testing with is not granted the permission to read Group objects. To grant such a permission:

  1. Open Adaxes Administration Console.
  2. Open your Security Role that grants the Write permission.
  3. Right-click in the Permissions area and click Add...
  4. In the Add Permissions dialog that appears, switch the radio button to Only selected object types and check Group.
  5. Select the Read permission in the Allow column.

As to "white-listing" groups, yes, but there are two things that you need to remember. The first one is that the syntax will be a bit different:

 # Skip the new group
    if (($groupDN -ieq "%distinguishedName%") -or ($groupDN -ieq "<Distinguished_Name_of_Group_2>"))
    {
        continue
    }

Secondly, you should use the Distinguished Name (DN) of the group, for example CN=BR_Print,CN=Groups,DC=example,DC=com. So, eventually, we get the following line:

    if (($groupDN -ieq "%distinguishedName%") -or ($groupDN -ieq "CN=BR_Print,CN=Groups,DC=example,DC=com"))

To get the DN of an Active Directory object:

  1. Launch the Adaxes Administration Console.
  2. Right-click the object you need.
  3. In the context menu, open the submenu of the Copy item.
  4. Click Copy DN. The DN of the selected Active Directory object will be copied to the clipboard.
0

Hello Dan,

I've modified the script provided by our support to meet your needs. Here it is:

# Bind to the new member
$newMemberDN = "%member%"
$newMember = $Context.BindToObjectByDN($newMemberDN)
# Get the groups the new member belongs to
try
{
    $memberOf = $newMember.GetEx("memberOf")
}
catch
{
    $Context.LogMessage($_.Exception.Message, "Error")
    return
}

# Remove the member from all groups whose name starts from 'BR_'

# Groups that need to be skipped
$groupsToSkip = New-Object "System.Collections.Generic.HashSet[String]"
# TODO: modify me
$groupsToSkip.Add("BR_Print")
$groupsToSkip.Add("BR_MyGroup")

foreach ($groupDN in $memberOf)
{
    # Skip the new group
    if ($groupDN -ieq "%distinguishedName%")
    {
        continue
    }

    # Bind to the group
    $group = $Context.BindToObjectByDN($groupDN)
    $groupName = $group.Get("cn")

    # Skip specific groups
    if ($groupsToSkip.Contains($groupName))
    {
        continue
    }

    if ($groupName -match "^BR_")
    {
        $group.Remove("Adaxes://$newMemberDN")
    }
}

Just add names of the groups that you want to be skipped to the $groupsToSkip hashset.

Related questions

0 votes
1 answer

Hi, I need business rule that will forbid changing group membership type to rule-based for selected groups. Additionally I need PowerShell script for adding more groups to be watched by this rule. Thanks in advance!

asked Mar 9, 2023 by KIT (960 points)
0 votes
1 answer

Hi, I am trying to write a PS script for a business rule, that would cancel operation when user tries to remove the "last" RBAC group. Say the group structure is like that: ... "Main RBAC" - but I can't figure out how to do it properly. Thanks for suggestiong

asked Oct 15, 2018 by KIT (960 points)
0 votes
1 answer

I am trying to create a process where a user can request access to one or more groups via a web form that also prompts for a date/time to ... = "ADS_SCOPE_SUBTREE" $scopeItem.Exclude = $False $scopeItem.SetInfo() $task.ActivityScopeItems.Add($scopeItem)

asked Apr 15, 2016 by adaxes_user (420 points)
0 votes
1 answer

Hi support, We have security groups named like Test-Group--Users, where is different for each group. I have a powershell query which gets a list of those Test-Group--Users" ... only Test-Group-&lt;variable&gt;-User that user is member of but it is an array

asked Oct 31 by Vish539 (460 points)
0 votes
1 answer

Our helpdesk asked for a solution to easily compare 'member of' details between 2 (or more) users so they can see the differences in group memberships.

asked Oct 28 by ddesmedt (40 points)
3,588 questions
3,277 answers
8,303 comments
548,094 users