0 votes

Is it possible to for security groups that are nested under an OU to inherit that OU's 'Managed By' value? I'd like to grant the OU Owner rights to the security groups within that OU but it seems like the only option is to manually edit each group one by one. Is there a script that automates this?

by (480 points)

1 Answer

0 votes
by (294k points)

Hello,

This can be done using a Scheduled task and a PowerShell script. The task should be configured for the Group object type and will look like the following: image.png Here is the script that will do the trick.

# Bind to parent OU
$parentOU = $Context.BindToObjectByDN("%adm-ParentDN%")

# Get parent OU owner
try
{
    $ouOwner = $parentOU.Get("managedBy")    
}
catch
{
    $ouOwner = $NULL
}

# Update group owner
if (-not([Softerra.Adaxes.Ldap.DN]::AreEqual($ouOwner, "%managedBy%")))
{
    $Context.TargetObject.Put("managedBy", $ouOwner)
    $Context.TargetObject.SetInfo()
}

If you want to avoid updating the managedBy property of groups with user accounts that are not owners of the OU where the groups are located, a Business Rule triggering Before updating a group should be used. The rule will check whether the managedBy property is updated with the account that owns the OU where the groups are located and cancel the operation if the accoutns do not match. The Business Rule will look like the following: image.png

Here is the script that will be used in the Business Rule condition:

# Get group owner being set
$newGroupOwner = $Context.GetModifiedPropertyValue("managedBy")

# Get parent OU owner
$parentOU = $Context.BindToObjectByDN("%adm-ParentDN%")

try
{
    $parentOUOwner = $parentOU.Get("managedBy")
}
catch
{
    $parentOUOwner = $NULL
}

$Context.ConditionIsMet = -not([Softerra.Adaxes.Ldap.DN]::AreEqual($newGroupOwner, $parentOUOwner))

Related questions

0 votes
1 answer

Hey there, We allow our staff to modify membership to certain AD groups by designating a person in the 'Managed By' field. That person then changes the group' ... to modify group membership' without any object specific configuration. Is this possible? Thanks!

asked Nov 8, 2011 by Kirk (60 points)
0 votes
1 answer

I'm trying to create a new command that can apply to User objects across multiple domains that are in OUs with the same 'Name' i.e. an OU called Directors that occurs in ... t seem to make it work with just contains 'OU Name' i.e. (distinguishedname=OU Name)

asked Jan 21, 2020 by richarddewis (260 points)
0 votes
2 answers

Adaxes team, I'm on version 2017.1 / 3.8.14218.0. I am exporting a list of users (~880) to an Excel file using the Admin Console. I am manually selecting the ... is not currently possible in the software, can I request this as a feature for a future release?

asked Jun 8, 2017 by bradenmcg (260 points)
0 votes
1 answer

I've just been handed management of Adaxes and I'm looking for a bit of help. My first task is to allow our Admin staff using the Web Interface to Add a " ... this requires an attribute to show within the Interface. Any help would be much appreciated. Thanks

asked Sep 18, 2017 by AlanWJ (150 points)
0 votes
0 answers

Prior to Exchange/Outlook 2010 you could use a security group to manage these distribution groups. I am using Adaxes Administration Console 2015 ver: 3.7.12314.0 (64 ... is off a secondary person already has permissions and can make the necessary changes. Mark

asked Aug 25, 2016 by mreny (40 points)
3,588 questions
3,277 answers
8,303 comments
548,090 users