Function
Adds, removes or synchronizes an Active Directory account (user, contact, group, etc.) with a number of Active Directory groups. Multiple group memberships can be updated in one action, and multiple groups can be specified for the account. Both the Active Directory account and the groups must exist.
Deployment
The action can execute one of three main tasks. For each of these tasks, multiple groups can be specified. The account can be any Active Directory object that can become a member of Active Directory groups, including user accounts, group accounts, etc. The three main tasks are:
1. Add an account to a number of specified Active Directory groups. The account may already be a member of the specified groups or of other groups. The account is only added to a specified group if it is not already a member of that group. The account is not removed from any group;
2. Remove an account from a number of specified Active Directory groups. For each specified group, the action checks whether the account is a member of the group. If so, the account is removed from the group. No other updates take place;
3. Synchronize an account with a number of Active Directory groups. On completion, the account is a member of only the specified groups. To accomplish the synchronization, group memberships can be removed and/or added.
In Active Directory, a user account is always a member of a primary group, and an account cannot be removed from its primary group unless another group is assigned as the primary group. By default, the primary group is Domain Users. This action ignores the primary group: do not use it to remove an account from its primary group, and when synchronizing, do not include the primary group in the synchronization list. Even when the synchronization list does not contain the primary group, the action will not remove the account from the primary group. If the synchronization list does contain the primary group, an error is generated when the action is executed.
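The following added example (not the product's own code) models the Add, Remove and Sync tasks on an in-memory list of group distinguished names, including the primary-group rule, so the effect of each task can be checked before it is run against a directory. All DNs are constructed sample values.

```python
# Added example, not the product's own code: models the Add, Remove and Sync
# tasks on an in-memory membership list so the effect of each task (and the
# primary-group rule) can be checked before touching a directory.
# All DNs below are constructed sample values.

PRIMARY_GROUP = "cn=Domain Users,cn=Users,dc=domain,dc=com"  # default primary group


def _key(dn):
    """AD distinguished names compare case-insensitively; normalize for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def _contains(groups, dn):
    return _key(dn) in {_key(g) for g in groups}


def plan_add(current, add_list):
    """Add task: join only the listed groups not already held; never leave a group."""
    to_add = [g for g in add_list if not _contains(current, g)]
    return to_add, []


def plan_remove(current, remove_list):
    """Remove task: leave only the listed groups actually held; never join a group."""
    to_remove = [g for g in remove_list if _contains(current, g)]
    return [], to_remove


def plan_sync(current, sync_list, primary=PRIMARY_GROUP):
    """Sync task: afterwards the account holds exactly sync_list plus its primary
    group. The primary group is never removed and must not appear in the list."""
    if _contains(sync_list, primary):
        raise ValueError("synchronization list must not contain the primary group")
    to_add = [g for g in sync_list if not _contains(current, g)]
    to_remove = [g for g in current
                 if not _contains(sync_list, g) and _key(g) != _key(primary)]
    return to_add, to_remove


def apply_plan(current, plan):
    """Return the membership list that results from executing a (to_add, to_remove) plan."""
    to_add, to_remove = plan
    return [g for g in current if not _contains(to_remove, g)] + to_add


if __name__ == "__main__":
    current = [PRIMARY_GROUP, "cn=grp_a,ou=org_a,dc=domain,dc=com"]
    print(plan_sync(current, ["cn=grp_b,ou=org_a,dc=domain,dc=com"]))
```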
Properties
Active Directory account object
Description: An Active Directory object for which the group memberships are updated.
Typical setting: %ActiveDirectoryObject%
Remarks: The value of this variable should be obtained from another action, for example the script actions Create user (AD), Create contact (AD), Get User (AD) or Get object (AD). Make sure the export variable of that action is the same as the import variable of this property (default: %ActiveDirectoryObject%).
Add list
Description: If the account must be added to a number of groups, specify this property. See the Remarks section for more information.
Remarks: Specify only one of the properties 'Add list', 'Remove list' and 'Sync list'.
Remove list
Description: If the account must be removed from a number of groups, specify this property. See the Remarks section for more information.
Remarks: Specify only one of the properties 'Add list', 'Remove list' and 'Sync list'.
Sync list
Description: If the group memberships of the account must be synchronized with a number of groups, specify this property. See the Remarks section for more information.
Remarks: Specify only one of the properties 'Add list', 'Remove list' and 'Sync list'.
Binding information
Description: Optional. The binding information used to access the specified groups and the Active Directory account. See the Remarks section for more information.
Remarks: If this property is not specified, the action uses the binding information specified for each group, or LDAP:// if the group specification does not include binding information. If the property is specified, its binding information is used unless a group is specified with its own binding information.
Remarks
Specify only one of the properties 'Add list', 'Remove list' and 'Sync list'. The task executed by the action depends on which property is specified: Add, Remove or Sync. Multiple groups can be specified in different ways, as described below. The groups must be specified using their distinguished names, optionally including binding information. Valid specifications are:
cn=grp_a,ou=org_a,dc=domain,dc=com
LDAP://cn=grp_a,ou=org_a,dc=domain,dc=com
LDAP://dc.domain.com/cn=grp_a,ou=org_a,dc=domain,dc=com
Note that if a group is specified with binding information, that binding information overrides the value of the optional property Binding information. So to use the value of property Binding information for all groups, specify each group with only its distinguished name: cn=Group...
For each of the lists, the corresponding property can be specified as follows:
1. Normal text, specifying a single group. Example: cn=GroupA,dc=domain,dc=com;
2. Normal text, specifying multiple groups, each group quoted with double quotes and individual group entries separated by commas: "cn=GroupA,dc=domain,dc=com","cn=GroupB, dc=domain,dc=com";
3. Normal text, specified as a text variable. The value of the text variable can be specified as described in options 1 and 2. Example: %GroupNames%;
4. Text list (specified as a variable): the variable contains a text list value, each list entry specifying a single group. Example: %GroupList%
5. Table (specified as a variable): the table should contain at least a single column, with the first column specifying a single
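The added example below (not the product's own code) parses the two normal-text forms of a group list (options 1 and 2) and resolves each entry to a full path using the binding rules from the Remarks section: binding given with a group wins, then the Binding information property, then plain LDAP://. The server name dc.domain.com is taken from the examples above; that the Binding information property has the form LDAP://server is an assumption.

```python
# Added example, not the product's own code: parses the text forms of a group
# list (options 1 and 2) and resolves each entry to a path using the binding
# rules from the Remarks section. Treating the Binding information property
# as a prefix of the form LDAP://server is an assumption.

DEFAULT_BINDING = "LDAP://"


def parse_group_text(text):
    """Option 1: one bare DN (its commas are part of the DN).
    Option 2: double-quoted DNs separated by commas; commas inside quotes are kept,
    so a plain split on ',' would break the DNs apart."""
    text = text.strip()
    if not text.startswith('"'):
        return [text]
    groups, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            end = text.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quote in group list")
            groups.append(text[i + 1:end])
            i = end + 1
        elif ch in ", ":
            i += 1
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return groups


def resolve_binding(entry, binding_info=None):
    """Binding given with the group wins; otherwise the Binding information
    property; otherwise plain LDAP:// (serverless bind)."""
    if entry.startswith("LDAP://"):
        return entry
    prefix = binding_info or DEFAULT_BINDING
    if not prefix.endswith("/"):
        prefix += "/"
    return prefix + entry


def resolve_groups(text, binding_info=None):
    """Full paths for every group in a normal-text group list."""
    return [resolve_binding(g.strip(), binding_info) for g in parse_group_text(text)]


if __name__ == "__main__":
    sample = '"cn=grp_a,ou=org_a,dc=domain,dc=com","LDAP://dc.domain.com/cn=grp_b,dc=domain,dc=com"'
    print(resolve_groups(sample, "LDAP://dc.domain.com"))
```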