I'm looking to see if anyone has a query they have used to pull in group membership through a business adapter on a beacon server.
I need to pull all members of a specific group and assign them to software entitlements.
I can't seem to get the filters correct.
Has anyone done this in the past and if so could you share your query and attributes.
Thanks,
Gavin
Apr 08, 2021 09:34 AM
Hello Gavin,
Reading users and filtering from AD groups is pretty straight forward with the Business Adapter Studio (including the Beacon version).
This is super useful for instance if you manage your Adobe subscription through AD groups (AD integration for Adobe Portal).
You need in the filter to restrict on a group using "MemberOf", one example below. The grammar is cryptic but your AD admins should be able to help you. You filter on 1 group and multiple domains for instance. I was not able to filter on multiple groups using wildcards (Acrobat%)... so, you need as many Business Adapters as groups.
(&(objectCategory=user)(!cn=CHILD$)(memberof=CN=DG_Adobe_AcrobatPro-Users,OU=GRP,OU=Global,OU=PRD,DC=net,DC=fr,DC=ch))
One important item to note: the insert behavior will manage the type of insert... the following below will allocate each user that was reported in the AD group, and removes any user that is no longer reported.
Hope it helps!
Nicolas
Apr 09, 2021 12:12 PM
Hi,
I usually do this in PowerShell, export the results to CSV and then use the CSV file as input for my business import.
Best regards,
Markward
Apr 08, 2021 09:51 AM
Hello Gavin,
Reading users and filtering from AD groups is pretty straight forward with the Business Adapter Studio (including the Beacon version).
This is super useful for instance if you manage your Adobe subscription through AD groups (AD integration for Adobe Portal).
You need in the filter to restrict on a group using "MemberOf", one example below. The grammar is cryptic but your AD admins should be able to help you. You filter on 1 group and multiple domains for instance. I was not able to filter on multiple groups using wildcards (Acrobat%)... so, you need as many Business Adapters as groups.
(&(objectCategory=user)(!cn=CHILD$)(memberof=CN=DG_Adobe_AcrobatPro-Users,OU=GRP,OU=Global,OU=PRD,DC=net,DC=fr,DC=ch))
One important item to note: the insert behavior will manage the type of insert... the following below will allocate each user that was reported in the AD group, and removes any user that is no longer reported.
Hope it helps!
Nicolas
Apr 09, 2021 12:12 PM
@nrousseau1's answer on this topic is a solid direct approach to solving the problem that will work in many cases. On the other hand, a PowerShell script approach of saving Active Directory group membership information to a CSV file as described by @mfranz is a little more flexible as it can handle more complex membership scenarios like nested group memberships or cross-domain memberships. This data could then be subsequently imported or otherwise processed using a business adapter.
I've attached a sample of such a script that may be useful for others as a starting point here.
Example use and output:
PS> .\DumpADGroupMembers.ps1 -GroupNamePattern "FNMS-*" | Export-Csv c:\Temp\Members.csv -NoTypeInformation
Loading domain information
Local domain
acme.com (ACMECORP)
Domains trusted by the local domain's forest
Domains trusted directly by the local domain
Finding groups in the current domain with query: (&(objectCategory=Group)(cn=FNMS-*))
Found group: FNMS-Group 1
Searching for group members
Group: ACMECORP\FNMS-Group 1
Group: ACMECORP\ABC Nested Group
User: ACMECORP\user1
User: ACMECORP\user2
Found group: FNMS-Group 2
Searching for group members
Group: ACMECORP\FNMS-Group 2
User: ACMECORP\user3
User: ACMECORP\user4
PS> Get-Content C:\Temp\Members.csv
"groupName","Member","Mail","Name"
"FNMS-Group 1","ACMECORP\user1","",""
"FNMS-Group 1","ACMECORP\user2","",""
"FNMS-Group 2","ACMECORP\user3","",""
"FNMS-Group 2","ACMECORP\user4","",""
Note that this PowerShell script requires the ActiveDirectory PowerShell module to be installed.
Jul 22, 2021 08:13 AM
If you combine this with a custom field for AD groups, you can avoid template files or hard-coding group names and have license managers update group names in their licenses themselves.
Jul 22, 2021 08:56 AM