Rule description
This rule modifies Active Directory users' membership in Active Directory groups.
An instance of the rule is automatically created during installation under the HOME > RULES > WebAdmin Rules (Pre-configured) folder. This instance is linked to the New User (AD), New Linked Mailbox and New User with Linked Mailbox actions as a post-action rule in the Rules to run after section. The Run add user to group post-creation tasks setting on these Web UI actions must be set to Yes for this rule to be executed automatically.
When to use this rule
You typically do not need to create an instance of this rule, as it is automatically created during installation and linked to the New User (AD) and other Web UI actions as a post-rule.
You can also create this rule from the template and use it on its own to add the specified scope of Active Directory users to Active Directory groups. The template rule name is AD Users | DynamicAttributes Add to AD Groups.
There are two scenarios when you can use this rule:
- When Active Directory users should be added to the same set of Active Directory groups. In this case, group DistinguishedNames are listed statically in the AD Group (DN) setting in the Action section.
- When each Active Directory user needs to be put into a separate set of Active Directory groups based on some attribute that is populated in the New User wizard. In this case, specify a CSV file containing the User Anchor attribute and the group DistinguishedNames, and in the AD Group (DN) setting in the Action section select the CSV column that holds the group DistinguishedNames.
To learn more about group membership automation, please see these articles: Group Lifecycle Management Overview and Creating Dynamic Groups.
Rule Settings
Query Section
Setting name | Description |
---|---|
Limit scope to this domain or OU |
This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. Note: As this rule is usually run after the user creation rule, it uses the query scope from the web query of the previous rule.
|
Query Criteria |
Query criteria are sent with the query and may improve query performance. Note: As this rule is usually run after the user creation rule, by default it uses query criteria from the previous rule.
Tip: For different samples on the criteria builder, see KB20180410-1.
|
Filter |
To hide unwanted data based on criteria that are not supported by Active Directory queries, set the filtering conditions here. |
Other Query Settings | |
Properties to display |
This setting specifies the columns that will be displayed during Preview and in the output file. |
System properties |
List of properties required for this rule to be executed correctly. |
Sort by |
Sorts the resulting object list. |
Map Settings from File | |
Note: If no data source file is set, all settings in Map Settings from File section will be ignored.
|
|
Data source |
The […] button lets you browse for the file, and the Create/Edit button lets you create a file or edit the existing file in the built-in Data Source editor. Group DNs should be separated with ";". CSV file format:
GroupsDN,UserAnchor
"groupDN1;groupDN2",anchorvalue1
"GroupDN3;groupDN4",anchorvalue2
|
Separator used in file |
Specify separator used in the data source CSV file: comma or semi-colon. |
Active Directory anchor attribute |
Defines the attribute in the Active Directory to which the Data Source anchor attribute is to be compared. |
Data source anchor attribute |
Defines the column in the Data Source that will be used to find existing users in Active Directory. This value is compared to the Active Directory Anchor Attribute. |
Initialization Script | |
Script |
Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script helps: you can initialize a global variable in this setting and then use it in query criteria. Example: update AD users created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
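Because the data source file decides which groups a new user lands in, it is worth checking before the rule consumes it. The PowerShell script below is an added example, not part of the product or its documentation: it reads a file in the GroupsDN,UserAnchor layout described above and reports rows whose DN field was left unquoted, anchor values that appear more than once, and privileged groups. The function name Test-GroupMapFile, the sample rows, the simplified DN pattern and the list of sensitive groups are assumptions made for illustration.

```powershell
# Constructed sample in the documented layout (comma separator); all values are made up.
$sample = @'
GroupsDN,UserAnchor
"CN=Sales,OU=Groups,DC=example,DC=com;CN=VPN Users,OU=Groups,DC=example,DC=com",Sales
"CN=Domain Admins,CN=Users,DC=example,DC=com",IT
CN=Finance,OU=Groups,DC=example,DC=com,Finance
"CN=HR,OU=Groups,DC=example,DC=com",Sales
'@

function Test-GroupMapFile {
    param(
        [string]$Text,
        [char]$Separator = ',',
        # Assumption: groups that should not be handed out by an attribute-driven mapping.
        [string[]]$Sensitive = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    # Simplified DN check: CN first, then CN/OU/DC parts. Escaped commas are not handled.
    $dnPattern = '^CN=[^,]+(,(CN|OU|DC)=[^,]+)+$'
    $rows = @($Text -split '\r?\n' | Where-Object { $_.Trim() } | Select-Object -Skip 1)
    $seen = @{}
    $n = 1   # the header is line 1; blank lines are not counted
    foreach ($line in $rows) {
        $n++
        # A third header catches rows that split into more than two fields.
        $r = $line | ConvertFrom-Csv -Delimiter $Separator -Header GroupsDN, UserAnchor, Extra
        $issues = @()
        if ($null -ne $r.Extra) { $issues += 'more than two columns; GroupsDN is probably unquoted' }
        if (-not $r.UserAnchor) {
            $issues += 'missing UserAnchor value'
        } elseif ($seen.ContainsKey($r.UserAnchor)) {
            $issues += "anchor already mapped on line $($seen[$r.UserAnchor])"
        } else {
            $seen[$r.UserAnchor] = $n
        }
        foreach ($dn in ("$($r.GroupsDN)" -split ';' | Where-Object { $_.Trim() })) {
            $dn = $dn.Trim()
            if ($dn -notmatch $dnPattern) { $issues += "not a group DN: $dn"; continue }
            $cn = ($dn -split ',')[0] -replace '^CN=', ''
            if ($cn -in $Sensitive) { $issues += "privileged group: $cn" }
        }
        foreach ($i in $issues) {
            [pscustomobject]@{ Line = $n; Anchor = $r.UserAnchor; Issue = $i }
        }
    }
}

Test-GroupMapFile -Text $sample | Format-Table -AutoSize
```

To check a real file, pass its contents with `Get-Content -Raw` and set `-Separator ';'` if the file uses semi-colons as the column separator.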
Action Section
Setting name | Description |
---|---|
Action |
You can select one of the following actions:
|
AD Group (DN)
|
|
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
7.2.0 |
The rule is renamed from New User | Add user to AD group(s) to AD Users | DynamicAttributes Add to AD Groups. The Map Settings from File section is added. |
5.4.0 | The rule supports linking to web actions as rules to run after the web action. |