Update 2019
Starting with version 2019.1, you can create multiple directory objects in a single operation. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateReport.htm.
Original
Hello,
This can be done very easily with the help of a PowerShell script that will be run by a Business Rule triggered after creating an Organizational Unit in Active Directory. To create such a Business Rule:
- Create a new Business Rule.
- On step 2 of the Create Business Rule Wizard, select Organizational-Unit and After Creating an Organizational-Unit.
- On step 3, add the Run a program or PowerShell script action and paste the below PowerShell script in the Script field:
$groupNameProperty = "adm-CustomAttributeText1" # TODO: modify me
$groupNameTemplate = "{0} Group" # TODO: modify me
[Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType = "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED" # TODO: modify me
# %name% and %distinguishedName% are Adaxes value references; they are replaced with the
# attributes of the new Organizational Unit before the script runs.
$userName = "%name%-admin" # TODO: modify me
$userPassword = "secret" # TODO: modify me (placeholder; do not ship a fixed password shared by every account created by this rule)

# Create Group
$group = $NULL
try
{
    $groupNamePart = $Context.TargetObject.Get($groupNameProperty)
}
catch
{
    # Get() throws when the custom attribute is empty, so no group is created
    $groupNamePart = $NULL
    $Context.LogMessage("Group name is not specified", "Warning")
}

if ($groupNamePart -ne $NULL)
{
    $groupName = [System.String]::Format($groupNameTemplate, $groupNamePart)
    $group = $Context.TargetObject.Create("group", "CN=$groupName")
    $group.Put("groupType", [Int32]$groupType)
    try
    {
        # Save the group to the directory
        $group.SetInfo()
    }
    catch
    {
        $group = $NULL
        $Context.LogMessage($_.Exception.Message, "Warning")
    }
}

# Create User
$user = $Context.TargetObject.Create("user", "CN=$userName")

# User Logon Name (pre-Windows 2000)
$user.Put("sAMAccountName", "$userName")

# User Logon Name
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$user.Put("userPrincipalName", "$userName@$domainName")

# Password
$user.Put("unicodePwd", $userPassword)

# Must change password at first logon
$user.Put("pwdLastSet", 0)

# Enable the user account
$user.AccountDisabled = $False

try
{
    # Save the user account to the directory
    $user.SetInfo()
}
catch
{
    $user = $NULL
    $Context.LogMessage($_.Exception.Message, "Warning")
}

# Add user to group (only if both objects were actually created)
if (($user -ne $NULL) -and ($group -ne $NULL))
{
    $group.Add($user.AdsPath)
}
- In the script, modify the following to meet your requirements:
  - $groupNameProperty - specifies the Adaxes custom property that will be appended to the group name;
  - $groupNameTemplate - specifies a template for the group name. In the template, {0} will be replaced with the value of $groupNameProperty;
  - $groupType - specifies the group type. For a list of possible values, see ADS_GROUP_TYPE_ENUM;
  - $userName - specifies a template for the user name;
  - $userPassword - specifies the initial password of the user.
- Enter a short description for the script and click OK.
- Finish creation of the Business Rule.
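The helpers below are an added example and are not part of the Adaxes answer above nor Adaxes's own code; the function names are hypothetical and the sample values are constructed. They depend only on .NET, not on $Context, so they can be run and checked outside a Business Rule before being pasted into one. They address three points in the script: the custom attribute value is interpolated into "CN=$groupName" without escaping (the example assumes Create() does not escape the RDN for you), the initial password is a fixed string, and the groupType value is obtained through the Adaxes interop enum.

```powershell
function ConvertTo-EscapedRdnValue {
    # Escape a value for use in a relative distinguished name such as "CN=<value>"
    # following RFC 4514: the characters , + " \ < > ; = anywhere, a leading
    # space or '#', and a trailing space are prefixed with a backslash. Without
    # this, an attribute value such as "Sales, EMEA" is split by the RDN parser.
    param([Parameter(Mandatory = $true)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        $mustEscape = ('\,+"<>;='.IndexOf($c) -ge 0) -or
                      ($i -eq 0 -and ($c -eq ' ' -or $c -eq '#')) -or
                      ($i -eq ($Value.Length - 1) -and $c -eq ' ')
        if ($mustEscape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    return $sb.ToString()
}

function New-RandomPassword {
    # Draw an initial password from the OS CSPRNG rather than a fixed string.
    # Rejection sampling on a single byte keeps every character equally likely,
    # and the loop repeats until the result contains all four character classes,
    # which satisfies the default AD complexity rule (three of four).
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    try {
        do {
            $chars = New-Object char[] $Length
            $i = 0
            while ($i -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]
                    $i++
                }
            }
            $candidate = -join $chars
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
                 $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]')
    }
    finally {
        $rng.Dispose()
    }
    return $candidate
}

function Get-GroupTypeValue {
    # Compute the groupType attribute from the documented ADS_GROUP_TYPE_ENUM flags
    # (Global = 0x2, DomainLocal = 0x4, Universal = 0x8, SecurityEnabled = 0x80000000)
    # without the Adaxes interop assembly. AD stores the attribute as a signed 32-bit
    # integer, so the security-enabled flag is the sign bit.
    param(
        [ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope = 'Global',
        [bool]$SecurityEnabled = $true
    )
    [int32]$flags = switch ($Scope) { 'Global' { 2 } 'DomainLocal' { 4 } 'Universal' { 8 } }
    if ($SecurityEnabled) { $flags = $flags -bor [int32]::MinValue }   # 0x80000000 as Int32
    return $flags
}

# Usage with constructed values (hypothetical, not from the page). The "CN=" prefix is added
# by the caller, exactly as $Context.TargetObject.Create("group", "CN=$groupName") does.
$rdn = 'CN=' + (ConvertTo-EscapedRdnValue -Value 'Sales, EMEA Group')
$initialPassword = New-RandomPassword -Length 16
$globalSecurity = Get-GroupTypeValue -Scope 'Global' -SecurityEnabled $true
```

In the Business Rule, $rdn would replace "CN=$groupName", $initialPassword would replace $userPassword, and Get-GroupTypeValue can be used to confirm that [Int32]$groupType for a global security group yields the familiar value -2147483646 before the rule is enabled. If the generated password is used, record it somewhere the intended recipient can retrieve it (for example, an Adaxes custom attribute or a notification), because the script leaves the account enabled with pwdLastSet set to 0.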