Adaxes

Possible for Group 'Managed By' Value to Inherit Parent OU 'Managed By' Value?

0 votes

Is it possible to for security groups that are nested under an OU to inherit that OU's 'Managed By' value? I'd like to grant the OU Owner rights to the security groups within that OU but it seems like the only option is to manually edit each group one by one. Is there a script that automates this?

by (480 points)

1 Answer

0 votes
by (288k points)

Hello,

This can be done using a Scheduled task and a PowerShell script. The task should be configured for the Group object type and will look like the following: image.png Here is the script that will do the trick.

# Bind to parent OU
$parentOU = $Context.BindToObjectByDN("%adm-ParentDN%")

# Get parent OU owner
try
{
    $ouOwner = $parentOU.Get("managedBy")    
}
catch
{
    $ouOwner = $NULL
}

# Update group owner
if (-not([Softerra.Adaxes.Ldap.DN]::AreEqual($ouOwner, "%managedBy%")))
{
    $Context.TargetObject.Put("managedBy", $ouOwner)
    $Context.TargetObject.SetInfo()
}

If you want to avoid updating the managedBy property of groups with user accounts that are not owners of the OU where the groups are located, a Business Rule triggering Before updating a group should be used. The rule will check whether the managedBy property is updated with the account that owns the OU where the groups are located and cancel the operation if the accoutns do not match. The Business Rule will look like the following: image.png

Here is the script that will be used in the Business Rule condition:

# Get group owner being set
$newGroupOwner = $Context.GetModifiedPropertyValue("managedBy")

# Get parent OU owner
$parentOU = $Context.BindToObjectByDN("%adm-ParentDN%")

try
{
    $parentOUOwner = $parentOU.Get("managedBy")
}
catch
{
    $parentOUOwner = $NULL
}

$Context.ConditionIsMet = -not([Softerra.Adaxes.Ldap.DN]::AreEqual($newGroupOwner, $parentOUOwner))

Related questions

0 votes
1 answer
Allow person in 'Managed By' field to modify group members?

Hey there, We allow our staff to modify membership to certain AD groups by designating a person in the 'Managed By' field. That person then changes the group' ... to modify group membership' without any object specific configuration. Is this possible? Thanks!

asked Nov 8, 2011 by Kirk (60 points)
0 votes
1 answer
Create an LDAP filter for Parent OU Name

I'm trying to create a new command that can apply to User objects across multiple domains that are in OUs with the same 'Name' i.e. an OU called Directors that occurs in ... t seem to make it work with just contains 'OU Name' i.e. (distinguishedname=OU Name)

asked Jan 21, 2020 by richarddewis (260 points)
0 votes
2 answers
User List - export to Excel, display parent OU?

Adaxes team, I'm on version 2017.1 / 3.8.14218.0. I am exporting a list of users (~880) to an Excel file using the Admin Console. I am manually selecting the ... is not currently possible in the software, can I request this as a feature for a future release?

asked Jun 8, 2017 by bradenmcg (260 points)
0 votes
1 answer
Group Managed By

I've just been handed management of Adaxes and I'm looking for a bit of help. My first task is to allow our Admin staff using the Web Interface to Add a " ... this requires an attribute to show within the Interface. Any help would be much appreciated. Thanks

asked Sep 18, 2017 by AlanWJ (150 points)
0 votes
0 answers
Security/Distribution Group Managed By

Prior to Exchange/Outlook 2010 you could use a security group to manage these distribution groups. I am using Adaxes Administration Console 2015 ver: 3.7.12314.0 (64 ... is off a secondary person already has permissions and can make the necessary changes. Mark

asked Aug 25, 2016 by mreny (40 points)
3,541 questions
3,232 answers
8,225 comments
547,805 users