0 votes

Hi Team,

We are using a set of form/business rules/custom commands for user creation that move user account to the right OU given the Office attribute value.
I would like to check during On Before User creation BR if the the operator has the right on the target OU before creating the user account. Right now, if he hasn't got the rights, the account is created in the default OU and not moved, which is not exactly what we expect.
I'm sure it will be easy to do through a script, but can't find valuable information on the web site.

Thanks in advance

Regards

Stephen

by (800 points)
0

Stephan,

We were hitting something like this as well, but we decided that Adaxes logs everything and we could reduce the visibility of AD, so being strict with the OU access was kind of a mute point. We set up home page actions for our help desk techs to be able to create users in a very specific OU. They do have the right to create in the other user OUs, but they do not see the AD organization or the OUs. We set different rules on office and company name to move the objects to other OUs after they have been created.

0

Well, that's more or less what we are doing right now in Europe but we are hitting the limits now for some of our affiliates.
Of course Adaxes logs everything but we want to prevent errors/misuse of the forms.
I'm sure that through a pre processing BR, it should be possible to check operator's role and then cancel the operation if needed, i just need the object model/script logic.

Thanks for your answer

1 Answer

0 votes
by (216k points)

Hello Stephen.

The issue is not in Security Roles. When an object is moved with a Business Rule, the permissions of the user who performed the initial operation are not checked. My guess is that something is wrong with the Business Rule (for example, there exist offices, for which no conditions are met).

0

I think you misunderstood me (which is perfectly normal, it's not very clear :-) )

I'm not facing an issue, i'm just trying to implement something.
I would like to check in a business rule (before user account creation) the role operator is member of, to allow or cancel the operation.
For instance, in the user creation form, i select "FR Office Paris" in the Office attribute. When i submit the form, i want to check if the operator is member of the role "FR Paris Administrator" and if not, i cancel the operation.

Quite simple on the paper.

Thanks

Stephen

0

Hello Stephen,

Yes, I misunderstood you, sorry. :)

I would like to check in a business rule (before user account creation) the role operator is member of, to allow or cancel the operation.
For instance, in the user creation form, i select "FR Office Paris" in the Office attribute. When i submit the form, i want to check if the operator is member of the role "FR Paris Administrator" and if not, i cancel the operation.

You can check if the initiator of the operation is assigned to a certain role with the help of a PowerShell script. You can use such a script in the If PowerShell script returns true condition to determine when to cancel the operation.

As to the actual script, our script guy is working on it. As soon as he comes up with something, I will post the script in this topic and provide you with more detailed instructions.

0

Hello Stephen,

To accomplish your task, you need to create a Business Rule that is triggered before creating a user. In this Business Rule, you can check whether the initiator of the operation has sufficient permissions to create users in the OU, to which the user will be moved after creation. The checking is performed by a PowerShell script using the If PowerShell script returns true condition. If the initiator does not have sufficient permissions, the Business Rule will cancel the operation. To create such a Business Rule:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select User and Before Creating a User.

  3. On the 3rd step, add the Cancel this operation action.

  4. Specify the reason for cancelling, if necessary, and click OK.

  5. Double-click Always.

  6. Add the If PowerShell script returns true condition and paste the following script:

     # TODO: Specify offices in the following format: "Office name"="Office OU DN", each office should be followed by a semicolon
     # Example: $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}
     $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}
    
     $Context.ConditionIsMet = $False
     $targetUserOffice = $Context.GetModifiedPropertyValue("physicalDeliveryOfficeName")
    
     if($targetUserOffice -ne $NULL)
     {
         $ouDN = $officesInfo[$targetUserOffice]
     }
    
     if($ouDN -ne $NULL)
     {
         $targetOU = $Context.BindToObjectEx("Adaxes://"+ $officesInfo[$targetUserOffice], $True)
         $objectTypesAllowedToCreate = $targetOU.ObjectTypesAllowedToCreate
    
         if (-not($objectTypesAllowedToCreate -contains "user"))
         {
             $Context.ConditionIsMet = $True
         }
     }
    

    In the script, $officesInfo specifies a list of offices. Each office should be be specified in the "Office name"="Office OU DN" format,
    where:

    • "Office name" - the name of the office,
    • "Office OU DN" - the Distinguished Name (DN) of the OU, to which newly created users are moved when this office is specified.

    Each office should be followed by a semicolon, for example:
    $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}

    To get the DN of an Organizational Unit:

    • Right-click the OU you need in the Console Tree (Adaxes Administration Console).
    • In the context menu, open the submenu of the Copy item.
    • Click Copy DN. The DN of the selected OU will be copied to the clipboard.
  7. Click OK and finish creation of the Business Rule.

0

Excellent, this exactly what i need.

Thanks !

Related questions

0 votes
1 answer

I used this script from the repository https://www.adaxes.com/script-repository/check-if-number-of-unused-microsoft-365-licenses-is-below-limit-s594.htm I have amended to include ... count is below what I specify. Please can you advise what I am doing wrong.

asked Jan 31 by MikeBeattie (110 points)
0 votes
1 answer

Hi all, I have a condition during new user creation - Where the corporate email is entered into the email address field, but a custom drop-down for "Mailbox required?" is No. ... screen, and be able to save the result of this choice to a variable? Thanks all,

asked Oct 24 by dshortall (80 points)
0 votes
1 answer

I've tried the following script to adapt the UPN to the country, the step will be processed in "before user creation" but the UPN stays ... # Save changes $Context.TargetObject.Put("userPrincipalName", $userPrincipalName) $Context.TargetObject.SetInfo()

asked Oct 12, 2022 by boris (530 points)
0 votes
1 answer

Hi, I used this script from the repository https://www.adaxes.com/script-repository/check-if-number-of-unused-microsoft-365-licenses-is-below-limit-s594.htm which works fine, but ... creation form, so I can see if whether it makes sense to fill out the form

asked Apr 3 by boris (530 points)
0 votes
1 answer

Hi, I need a bit of scripting help within Adaxes. We have a number of o365 licence checks that occur, some on a schedule, some before creating a ... $to -from $from -SmtpServer $smtpServer -Subject $messageSubject -Body $messageBody Remove-PSSession $session

asked Dec 13, 2022 by gazoco (490 points)
3,538 questions
3,229 answers
8,224 comments
547,747 users