Skip to main content

Articles in this section

Print

New User | DynamicAttributes Add to AD Groups

  • Updated

New User | DynamicAttributes Add to AD Groups

Rule description

This rule modifies Active Directory user membership in Active Directory groups. An instance of the rule is created in the Web Admin Rules (Pre-configured) folder by default. The New User (AD), New Linked Mailbox and New User with Linked Mailbox web actions link the instance as a post-action rule. To execute the post-rule automatically, web actions must have the AccountRun add user to group post-creation tasks setting set to Yes.

When to use this rule

An instance of the rule is automatically created during installation and linked to the New User (AD) and other Web Portal actions as a post-rule. You can create a copy of the rule to add a specific scope of Active Directory users to Active Directory groups by copying it from Rules > Web Admin Rules (Pre-configured) > New User | DynamicAttributes Add to AD Groups.

There are two scenarios when you can use this rule:

  1. When Active Directory users should be added to the same set of Active Directory groups. In this case, group DistingushedNames are listed statically in the AD Group (DN) setting in the Action section.

  2. When each Active Directory user needs to be put into a separate set of Active Directory groups based on some attribute that is populated on the New User wizard. In this case, you can specify CSV file with User Anchor attribute and Group DistinguishedNames and in the AD Group (DN) setting in the Action section select the CSV column with group DistingueshedNames.

To learn more about group membership automation, please see these articles: Group Lifecycle Management and Creating Dynamic Groups.

Rule settings

Query section

Setting name Description

Limit scope to this domain or OU

 

This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.

Query Criteria

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.

Filter

Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting.

Example: filter by the found object Distinguished Name.

TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible.
Other Query Settings

Properties to display

Define the object properties to display in the output file.

System properties

List of properties required for this rule to be executed correctly.

Sort by

Sort result object list.
Map Settings from File

NOTE: If no data source file is set, all settings in the Map Settings from File section will be ignored.

Data source

The […] button allows to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor.

Group DNs should be separated with ";".

CSV file format:

GroupsDN,UserAnchor"groupDN1;groupDN2",anchorvalue1

"GroupDN3;groupDN4",anchorvalue2

Separator used in file 

Specify the separator used in the source CSV file.

Active Directory anchor attribute

Defines the attribute in the Active Directory to which the Data Source anchor attribute is to be compared.

Data source anchor attribute

Select a column in the data source that contains the attribute value for identifying and mapping a computer.
Initialization Script 

Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:
More options
Write Change History

Define logging behavior when you use the rule:

  • Always. Log changes to objects every time you run the rule.

  • For post-action scenarios only. Log changes to objects every time the rule is used as a post-action rule.

  • Never. Do not log changes to objects made using the rule.

The default behavior is defined in Configuration > Settings > Change History.

Action section

Setting name Description

Action

You can select one of the following actions:

  • Add to groups and preserve the previous user membership

  • Add to groups and clear user membership in other groups 

  • Remove from groups and preserve user membership in other groups

AD Group (DN)

 

  1. If Active Directory users should be added to the same set of Active Directory groups, specify AD Group Distinguished Names, split by ";"

  2. If each Active Directory user needs to be put into a separate set of Active Directory groups based on some attribute, first fill in the Map Settings from File settings, then click the column selector icon and select the CSV column with group DNs.

Output section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

Change history

Version Notes
13.1 The Write Change History setting has been added.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.