Active Directory - Modify group

Declaration

<AMACTIVEDIRECTORY ACTIVITY="modify_group" GROUP="text" ACTION="text (options)" LDAPPATH="text"><USER LDAP="text" /></AMACTIVEDIRECTORY>

Description

Allows an administrator to rename or delete an existing Active Directory group, as well as add users to, or delete users from, a specific Active Directory group.

IMPORTANT: Automate's Active Directory activities require a basic understanding of Active Directory and related components (for example, Domain Controllers, Trust Relationships, Forests, LDAPs, etc.). Also, to ensure that these activities function appropriately, the target system must be part of a domain.

Practical Usage

Can be used as a batch Active Directory administration tool to add multiple users to, or remove multiple users from, an existing AD group. Also ideal for renaming or deleting an AD group.

Parameters

Group

Property Type Required Default Markup Description
Path Text Yes (Empty) LDAPPATH="LDAP://DC=netauto,DC=com" The Lightweight Directory Access Protocol (LDAP) path of the Active Directory group to modify.

Clicking Select Group launches a standard Windows Active Directory dialog box that allows for the selection of a group.
Action Text (Options) Yes Add User ACTION="rename" The action to perform on the Active Directory group. The available options are:
  • Add Users (Default) - Adds one or more users to the specified Active Directory group.
  • Remove Users - Removes one or more users from the specified Active Directory group.
  • Rename - Rename the Active Directory group.
  • Delete - Delete an existing Active Directory group.
New Name Text Yes (Empty) NEWGROUPNAME="printer" The new name of the Active Directory group. This parameter is only available if the Rename option is selected in the Action drop-down.
User's LDAP Path Text Yes (Empty) LDAPPATH="LDAP://DC=netauto,DC=com" Specifies the LDAP path of the Active Directory users to add/remove. Add a user by clicking the Add Users button. You can also add a user manually by entering the user's CN (Common Name) in the provided field and clicking the Add button.
New user name Text Yes User NEWUSERNAME=Ronald Specifies the name of the new Active Directory user to be created. This parameter is only available if the Rename option is selected from the Action drop-down.

Credentials

Property Type Required Default Markup Description
Authentication type Text (options) No Default
  • AUTHTYPE="Secure"
  • AUTHTYPE="Encryption"
  • AUTHTYPE="SecureSocketLayer"
  • AUTHTYPE="ReadonlyServer"
  • AUTHTYPE="Anonymous"
  • AUTHTYPE="FastBind"
  • AUTHTYPE="Signing"
  • AUTHTYPE="Sealing"
  • AUTHTYPE="Delegation"
  • AUTHTYPE="ServerBind"
Specifies the types of authentication used. The available options are:
  • Default - Use default authentication type.
  • None - Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider.
  • Secure - Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client.
  • Encryption - Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit.
  • SecureSocketLayer - Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit.
  • ReadonlyServer - For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding.
  • Anonymous - No authentication is performed.
  • FastBind - Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available.
  • Signing - Verifies data integrity to ensure that the data received is the same as the data sent. The Secure flag must also be set to use signing.
  • Sealing - Encrypts data using Kerberos. The Secure flag must also be set to use sealing.
  • Delegation - Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains.
  • ServerBind - If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for serverless paths. Specifying a server name without also specifying this flag results in unnecessary network traffic.
Username Text No (Empty) USERNAME="username" The username context that this activity will execute under. Leave the Username and Password parameters blank in order to use the logon user's credentials.
NOTE: A Domain User has permission to access Active Directory information. However, only a Domain Administrator has permission to perform Active Directory modifications.
Password Text No (Empty) PASSWORD="password" The password associated with the Username context that this activity will execute under. Leave the Username and Password parameters blank in order to use the logon user's credentials.
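
The authentication and credential options above can be checked before a task is run. The following is an added example, not part of the Automate documentation or product: a small Python audit that parses a modify_group step and reports weak authentication types, embedded passwords, and destructive actions. The function name audit_step, the sample steps, and the use of "Default" and "None" as AUTHTYPE markup values are assumptions.

```python
import xml.etree.ElementTree as ET

# AUTHTYPE option names from the Credentials table; "Default" and "None" as
# markup values are an assumption (the Markup column does not list them).
KNOWN_AUTHTYPES = {"Default", "None", "Secure", "Encryption", "SecureSocketLayer",
                   "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing",
                   "Delegation", "ServerBind"}
WEAK_AUTHTYPES = {"None": "basic authentication (simple bind)",
                  "Anonymous": "no authentication is performed"}

def audit_step(aml: str) -> list[str]:
    """Return review findings for one modify_group step given as AML text."""
    step = ET.fromstring(aml)
    if step.tag != "AMACTIVEDIRECTORY" or step.get("ACTIVITY") != "modify_group":
        return ["not a modify_group step"]
    findings = []
    auth = step.get("AUTHTYPE", "Default")
    action = step.get("ACTION", "").lower()
    if auth not in KNOWN_AUTHTYPES:
        findings.append(f"unknown AUTHTYPE {auth!r}")
    if auth in WEAK_AUTHTYPES:
        findings.append(f"AUTHTYPE={auth}: {WEAK_AUTHTYPES[auth]}")
    if auth in ("Signing", "Sealing"):
        findings.append(f"AUTHTYPE={auth}: the Secure flag must also be set")
    if step.get("PASSWORD"):
        findings.append("PASSWORD embedded in the step")
    if action == "rename" and not step.get("NEWGROUPNAME"):
        findings.append("rename without NEWGROUPNAME")
    if action == "delete":
        findings.append("destructive: deletes " + step.get("GROUP", "(no GROUP)"))
    return findings

# Constructed sample steps (placeholder credentials, example.test domain).
SAMPLE_DELETE = ('<AMACTIVEDIRECTORY ACTIVITY="modify_group" AUTHTYPE="Secure" '
                 'USERNAME="Administrator" PASSWORD="PLACEHOLDER" '
                 'GROUP="LDAP://example.test/CN=Managers,CN=Users,DC=example,DC=test" '
                 'ACTION="delete" />')
SAMPLE_RENAME = ('<AMACTIVEDIRECTORY ACTIVITY="modify_group" AUTHTYPE="None" '
                 'GROUP="LDAP://example.test/CN=Guests,CN=Builtin,DC=example,DC=test" '
                 'ACTION="rename" />')

if __name__ == "__main__":
    for sample in (SAMPLE_DELETE, SAMPLE_RENAME):
        print(audit_step(sample))
```

An empty list means none of these checks fired; it does not confirm that the account used has only the permissions the task needs.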

Examples

NOTE:
  • The sample AML code below can be copied and pasted directly into the Steps Panel of the Task Builder.
  • Parameters containing user credentials, files, file paths, and/or other information specific to the task must be customized before the sample code can run successfully.

Example 1

Rename Active Directory group at "LDAP://mycompany.com/CN=Guests,CN=Builtin,DC=mycompany,DC=com" to "GuestOne".

<AMACTIVEDIRECTORY ACTIVITY="modify_group" AUTHTYPE="Secure" USERNAME="Administrator" PASSWORD="AM5UhSI/y/jhYSekvjxqgdOIcKnplDFimJ0AFHUJm4Kn50=aME" GROUP="LDAP://mycompany.com/CN=Guests,CN=Builtin,DC=mycompany,DC=com" ACTION="rename" NEWGROUPNAME="GuestOne" />

Example 2

Delete Active Directory group at path "LDAP://mycompany.com/CN=Managers,CN=Users,DC=mycompany,DC=com."

<AMACTIVEDIRECTORY ACTIVITY="modify_group" AUTHTYPE="Secure" USERNAME="Administrator" PASSWORD="AM5FNus7PZ8YcidYT7Wbor+mQ7R3GbrGTBPxCsZfgdv3t8=aME" GROUP="LDAP://mycompany.com/CN=Managers,CN=Users,DC=mycompany,DC=com" ACTION="delete" />