Add Multiple MemberOf in Single Step

Question

I've created a custom web form for our help desk to use to create users and everything is working great but a number of our users belong to quite a long list of groups and (at least the way I've set it up, which might not be the best) having to click the ellipsis, wait for the window to load, select a group, click the Add link and repeat the process is very time consuming when a user needs to be added to 20+ groups.

Is there a way to add multiple Member Of items at a single time or a better way on the web form besides using the Member Of section field.

Thanks in advance. Absolutely love this product!

Comments

On the Web Interface Configuration, under the General tab, click Configure Home Page Actions, Click Add and select "Add to group".

Check "Allow selection only AD objects of specific types" and then "Users" on the Target Object Selection page.

Do your selections on the "Group Selection" page and click Finish.

You now have a way to add a user to multiple groups at once.

Another way to go is Business Rules. If there is a standard set of groups all users will be members of, you could create a business rule that adds newly created users to those groups.

Answer 1

Hello,

In Adaxes, it is impossible to specify group membership for a user until the user is created. So, in your case, you have several options:

1. Right after you create a user, Adaxes Web Interface shows you a page with properties of the newly created user. The page contains the Member Of section. In this section, you can click Add and select the groups you would like to add users to. The group selection page that opens allows multiple selection, which means that you can select all groups that you want to add the user to and only then click OK.
   
2. You can use a template to create users. You create a user template that will be added to all the necessary groups. Then, you can create a Home Page Action in Adaxes Web interface that will create new users by using the template that you've created. Users created from the template will be added to the groups that you specified for the template. See the Allow Using Templates for User Creation Tutorial for information on how to accomplish this task.
3. If your users are added to groups based on certain properties (for example, depending on their department), you can use a Business Rule to automatically add users to the necessary groups upon creation based on a certain property of their accounts. For information on how to create such a Business Rule, see the Automatically Add Users to Groups by Department Tutorial.
4. You can add a field to the form used for user creation. Your help desk staff will be able to use the field to specify a comma-separated list of groups the user should be added to. When the user is created, a Business Rule will add the user to the specified groups. If you chose this option, I will provide you with details on how to implement it.

Comments

Thanks for the reply. I like the options you've specified, right now I'm using Property Patterns to automatically set the common properties for all the created users, but the templates might be an idea. For the time being though I'd like to get information on the fourth option as it's most similar to what I'm actually trying to do right now.

When you say "In Adaxes, it is impossible to specify group membership for a user until the user is created" does that mean that if I've customized a Create User form and add the Member Of to one of the sections as a section field even if I added groups they wouldn't be added to the user when it is created?

EDIT: Well, never mind about the second part of my question, I tried adding that Member Of section to a Create User form and tried to create a user and it wouldn't work. Kept giving me an error about the attribute being owned by the Security Accounts Manager

Thanks!

---

Hello,

The thing why it doesn't work before creating a user is that whenever you add/remove a user to or from a group, you modify the Member property of that group by adding the user's Distinguished Name (DN) to that property. And since a new user is not yet created, the user does not have a valid DN yet.

Also, you cannot change the Member Of property directly. This property can be changed by the system only and is a calculated property. This means that once you change membership of a group and modify the Member property of the group object, the system makes corresponding changes to the Member Of section of the objects that were added or removed.

As to implementing the fourth solution from my post, to implement it, you will need to customize the Web Interface form that is used for user creation and add a property that will be used to pass the list of group names, CustomAttributeText1. This is one of the Adaxes virtual properties that can store text data. Such properties are not stored in Active Directory, but you may use them as any other property of directory objects. You will be able to use this property to specify a list of groups that the user should be added to after creation. Each group should be specified by its SAMAccountName, and the groups in the list should be separated by commas.

Also, you will need to create two Business Rules. The first Business Rule will be launched before creating a user and will check whether the groups specified in the list actually exist in Active Directory. If the groups do not exist, the Business Rule will not allow to create the user specifying in the error message the names of the groups that were not found. The second Business Rule will be launched after creating a user and will add the user to the groups specified in the list.

I. Modify the Web Interface form for user creation
To add a field that will be used to specify the group list, you need to modify the Web Interface form for user creation. To do this:

1. On the computer, where the Web Interface is installed, start the Web Interface Customization tool.
2. Select the Web Interface that you want to configure in the Interface type drop-down list.
3. Activate the AD Management tab and click Customize Forms and Views.
   
4. In the Object types list (located on the left), select the User object type.
5. Activate the Create tab.
6. Select the section you would like to add the field to in the above list.
7. Click the Add button located under the Section fields list.
   
8. In the dialog box that appears, check the Show all properties option.
9. Select CustomAttributeText1.
   
10. Click OK 3 times.

II. Create Business Rule to check group names
To create a Business Rule that will be launched before creating a user and check group names passed by the virtual property:

1. Create a new Business Rule.

2. On the 2nd step of the Create Business Rule wizard, select User and Before Creating a User.
   

3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script:
   

    Import-Module Adaxes
    try
    {
        $groupNames = ($Context.GetModifiedPropertyValue("adm-CustomAttributeText1")).Split(",")
    }
    catch
    {
        return
    }
   
    # Trim spaces at the beginning and at the end of each group name
    for ($i = 0; $i -lt $groupNames.Length; $i++)
    {
        $groupNames[$i] = $groupNames[$i].Trim()
    }
   
    # Get user domain name
    $domainName = $Context.GetObjectDomain("%distinguishedName%")
   
    # Check groups
    foreach ($groupName in $groupNames)
    {
        try
        {
            Get-AdmGroup -Identity $groupName -AdaxesService localhost -Server $domainName -ErrorAction Stop
        }
        catch
        {
            $Context.Cancel("The group with name $groupName was not found in domain $domainName")
        }
    }
   

4. Add a short description for the script and click OK.

5. Finish creation of the Business Rule.

III. Create Business Rule that will add users to groups
To create a Business Rule that will be launched after creating a user and add the user to the groups specified in the list:

1. Create a new Business Rule.

2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.
   

3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script:
   

    Import-Module Adaxes
   
    try
    {
        $groupNames = ($Context.TargetObject.Get("adm-CustomAttributeText1")).Split(",")
    }
    catch
    {
        return
    }
   
    # Trim spaces at the beginning and at the end of each group name
    for ($i = 0; $i -lt $groupNames.Length; $i++)
    {
        $groupNames[$i] = $groupNames[$i].Trim()
    }
   
    # Get user domain name
    $domainName = $Context.GetObjectDomain("%distinguishedName%")
   
    # Add user to groups
    foreach ($groupName in $groupNames)
    {
        Add-AdmGroupMember -Identity $groupName -AdaxesService localhost -Members %username% -Server $domainName
    }
   

4. Add a short description for the script and click OK.

5. Click the Add Action button.
   

6. In the dialog box that appears, select the Update the User action and click Add.
   

7. In the dialog box that appears, open the Property to modify drop-down list and select the Show all properties option.

8. Select CustomAttributeText1.
   

9. Switch the radio button to Remove property. This will clear the property as we no longer need it.
   

10. Click OK twice and finish creation of the Business Rule.

Also, since a name like CustomAttributeText1 will not tell much to your users about the meaning and the function of the field, you would probably like to give it your own name. See Customizing Display Names for AD Properties on how to do that.

---

"Also, you cannot change the Member Of property directly. This property can be changed by the system only and is a calculated property. This means that once you change membership of a group and modify the Member property of the group object, the system makes corresponding changes to the Member Of section of the objects that were added or removed."

Hello

I'm trying to detect a change on the users memberOf property, when the users is added to a group - but it does not work ?

The idea is, when adding a user to a specific group, the user should also be added to another group(s).
Group in group is not an option.

- Thanks

---

Hello,

MemberOf property is not modified, it is calculated based on the group Member property. For more details about backlink calculated attributes, have a look at the following article: https://msdn.microsoft.com/en-us/librar ... s.85).aspx.

There are two alternatives:

• A Business Rule that will trigger on Adding a Member to a Group and execute a script that will add users to other groups.
• A Scheduled Task that will add users to certain groups if users are members of other groups.

Which of the options is the best to meet your needs?

---

"Which of the options is the best to meet your needs?"

I'm already using the Business Rule method. Just had to be sure, that this were the right way to do it.

- Thanks.