0 votes

We have two groups I'm trying to manage, Allow Internet Access and Deny Internet Access. I am trying to set up a group so that if one of our admins adds a user to the Deny group, the user is automatically removed from the Allow group.

To do this I have created a rule:
After Updating a User:
if the user is located under "users" container AND
The user is a member of the "deny internet access" group AND
the user is a member of the "allow internet access" group then
Remove the user from the "allow internet access" group.

My problem is that when I add a user to the deny group, this rule is not triggered. If I update other properties of a user, it works fine.

Does adding / removing groups not count as updating a user? And if so, what should I use?

Thanks.

by (710 points)

1 Answer

0 votes
by (216k points)

Does adding / removing groups not count as updating a user?

No, it doesn't. When you add a user to a group, you modify the group, not the user. When a user is added to a group, the user's Distinguished Name (DN) is added to the Member property of the group, and Member Of is just a backlink.

For your task, you can use a Business Rule triggered after adding a member to the Allow Internet Access group that will automatically remove the new member from the Allow Internet Access group. To create such a Business Rule:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select Group and After Adding a member to a Group.

  3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field.

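     # DN of the group the new member must be removed from
     $allowInetAccessGroupDn = "CN=Allow Internet Access,OU=Misc,DC=example,DC=com" # TODO: Modify me
     # Bind to that group through Adaxes
     $allowInetAccessGroup = $Context.BindToObjectByDN($allowInetAccessGroupDn)
     # %member% is resolved by Adaxes to the member that was just added
     $allowInetAccessGroup.Remove("Adaxes://%member%")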
    
  4. The script will remove the new member from the group, the Distinguished Name (DN) of which is specified by $allowInetAccessGroupDn. Modify it to match your requirements.

  5. Enter a short description for the script and click OK.

  6. On the last step, add your Deny Internet Access group to the Activity Scope of the Business Rule. In the Assignment Options dialog, select the This Group object option.
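
A Business Rule like the one above only fires on additions made after it is created, so accounts that already sit in both groups stay in both. The following is an added example, not part of the original answer and not Adaxes code: it reads the member attribute from each group, as the answer describes, and lists the overlap. It assumes the ActiveDirectory (RSAT) module; the Deny group DN and both function names are hypothetical, and only direct members are compared.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module is installed.
$allowDn = "CN=Allow Internet Access,OU=Misc,DC=example,DC=com" # TODO: Modify me
$denyDn  = "CN=Deny Internet Access,OU=Misc,DC=example,DC=com"  # TODO: Modify me (assumed location)

# Returns the DNs that appear in both lists (hypothetical helper name).
function Get-MembershipConflict {
    param([string[]]$AllowMembers, [string[]]$DenyMembers)
    # DNs compare case-insensitively, so use a case-insensitive set.
    $deny = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $DenyMembers) { if ($dn) { [void]$deny.Add($dn) } }
    @($AllowMembers | Where-Object { $_ -and $deny.Contains($_) })
}

# Reads both groups from the directory and removes the overlap from the Allow group.
function Remove-AllowDenyConflict {
    param([string]$AllowGroupDn, [string]$DenyGroupDn)
    Import-Module ActiveDirectory
    # Direct membership lives in each group's "member" attribute, so read it from the groups.
    $allow = @((Get-ADGroup -Identity $AllowGroupDn -Properties member).member)
    $deny  = @((Get-ADGroup -Identity $DenyGroupDn  -Properties member).member)
    $conflicts = @(Get-MembershipConflict -AllowMembers $allow -DenyMembers $deny)
    foreach ($dn in $conflicts) {
        # -WhatIf only reports the change; drop it once the list looks right.
        Remove-ADGroupMember -Identity $AllowGroupDn -Members $dn -Confirm:$false -WhatIf
    }
    $conflicts
}

# Constructed sample DNs (not real accounts) to show the comparison without a directory.
$sampleAllow = "CN=Ann Lee,CN=Users,DC=example,DC=com", "CN=Bob Ray,CN=Users,DC=example,DC=com"
$sampleDeny  = "cn=bob ray,cn=users,dc=example,dc=com"
Get-MembershipConflict -AllowMembers $sampleAllow -DenyMembers $sampleDeny

# Against the directory:
# Remove-AllowDenyConflict -AllowGroupDn $allowDn -DenyGroupDn $denyDn
```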
