Articles in this section

See more
Print

New User | DynamicAttributes Add to AD Groups rule

Avatar
Tatiana Golubovich
  • Updated
Follow

 

Rule description

This rule modifies Active Directory users' membership in Active Directory groups. 

An instance of the rule is automatically created during installation under the HOME > RULES > WebAdmin Rules (Pre-configured) folder. This instance is linked to the New User (AD), New Linked Mailbox and New User with Linked Mailbox actions as a post-action rule in the Rules to run after section. The Run add user to group post-creation tasks setting on these Web UI actions must be set to Yes for this rule to be executed automatically.

 

When to use this rule

You typically do not need to create an instance of this rule, as it is automatically created during installation and linked to the New User (AD) and other Web UI actions as a post-rule.

You can also create this rule from the template and use it on its own to add the specified scope of Active Directory users to Active Directory groups. The template rule name is AD Users | DynamicAttributes Add to AD Groups.

There are two scenarios when you can use this rule:

  1. When Active Directory users should be added to the same set of Active Directory groups. In this case, group DistingushedNames are listed statically in the AD Group (DN) setting in the Action section.
  2. When each Active Directory user needs to be put into a separate set of Active Directory groups based on some attribute that is populated on the New User wizard. In this case, you can specify CSV file with User Anchor attribute and Group DistinguishedNames and in the AD Group (DN) setting in the Action section select CSV column with group DistingueshedNames.

To learn more about group membership automation, please see these articles: Group Lifecycle Management Overview and Creating Dynamic Groups.

 

Video Tutorial

 

Rule Settings

Query Section

Setting name Description

Limit scope to this domain or OU

 

This setting defines the search query scope.

To improve query performance, limit the scope to specific OU.

Note: As this rule is usually run after the user creation rule, it uses query scope from the web query of the previous rule. 

Query Criteria

Query criteria are sent with the query and may improve query performance.

Note: As this rule is usually run after the user creation rule, by default it uses query criteria from the previous rule. 
Tip: For different samples on the criteria builder, see KB20180410-1.

Filter

To hide unwanted data based on criteria, not supported by Active Directory query, set the filtering conditions here.
Other Query Settings  

Properties to display

This setting specifies the columns that will be displayed during Preview and in the output file.

System properties

List of properties required for this rule to be executed correctly.

Sort by

Sort result object list.
Map Settings from File  
Note: If no data source file is set, all settings in Map Settings from File section will be ignored.

Data source

The […] button allows to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor.

Group DNs should be separated with ";".

CSV file format:

GroupsDN,UserAnchor
"groupDN1;groupDN2",anchorvalue1
"GroupDN3;groupDN4",anchorvalue2

Separator used in file 

Specify separator used in the data source CSV file: comma or semi-colon.

Active Directory anchor attribute

Defines the attribute in the Active Directory to which the Data Source anchor attribute is to be compared.

Data source anchor attribute

Defines the column in the Data Source that will be used to find existent users in Active Directory. This value is compared to the Active Directory Anchor Attribute.
Initialization Script   

Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. 

Example: Update AD users, created in the last ten days.

  1. Add this initialization script:
{$global:DatePeriod = (Get-Date).AddDays(-10)}
  1. Use $DatePeriod variable in query criteria builder:

 

Action Section

Setting name Description

Action

You can select one of the following actions:

  1. Add to groups and preserve the previous user membership
  2. Add to groups and clear user membership in other groups 
  3. Remove from groups and preserve user membership in other groups

AD Group (DN)

 
  1. If Active Directory users should be added to the same set of Active Directory groups, specify AD Group Distinguished Names, split by ";"
  2. If each Active Directory user needs to be put into a separate set of Active Directory groups based on some attribute, first fill in the Map Settings from File settings, then click the column selector icon and select the CSV column with group DNs.

 

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Output section article.

 

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Enforce/Schedule section article.

 

 Change History

Version Notes
7.2.0 

The rule is renamed from New User | Add user to AD group(s) to AD Users | DynamicAttributes Add to AD Groups.

Map settings from file section is added.
5.4.0 The rule supports linking to web actions as rules to run after the web action.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.