AD group member query business adapter.

I'm looking to see if anyone has a query they have used to pull in group membership through a business adapter on a beacon server.

I need to pull all members of a specific group and assign them to software entitlements.

I can't seem to get the filters correct.  

Has anyone done this in the past and, if so, could you share your query and attributes?

Thanks,

Gavin

(1) Solution
nrousseau1
Level 10 Champion

Hello Gavin,

Reading users and filtering from AD groups is pretty straightforward with the Business Adapter Studio (including the Beacon version).

This is super useful, for instance, if you manage your Adobe subscription through AD groups (AD integration for Adobe Portal).

In the filter, you need to restrict on a group using "MemberOf"; one example is below. The grammar is cryptic, but your AD admins should be able to help you. You filter on 1 group and multiple domains, for instance. I was not able to filter on multiple groups using wildcards (Acrobat%)... so you need as many Business Adapters as groups.

(&(objectCategory=user)(!cn=CHILD$)(memberof=CN=DG_Adobe_AcrobatPro-Users,OU=GRP,OU=Global,OU=PRD,DC=net,DC=fr,DC=ch))

BusinessAdapterForADGroup.png

One important item to note: the insert behavior will manage the type of insert... the following below will allocate each user that was reported in the AD group, and remove any user that is no longer reported.

UpdateRule.png

Hope it helps!

Nicolas

Nicolas Rousseau
Licensing Architect
https://www.nrsamconsulting.com


(4) Replies
mfranz
Level 17 Champion

Hi,

I usually do this in PowerShell, export the results to CSV and then use the CSV file as input for my business import.

Best regards,

Markward


@nrousseau1's answer on this topic is a solid direct approach to solving the problem that will work in many cases. On the other hand, a PowerShell script approach of saving Active Directory group membership information to a CSV file as described by @mfranz is a little more flexible as it can handle more complex membership scenarios like nested group memberships or cross-domain memberships. This data could then be subsequently imported or otherwise processed using a business adapter.

I've attached a sample of such a script that may be useful for others as a starting point here.

Example use and output:


PS> .\DumpADGroupMembers.ps1 -GroupNamePattern "FNMS-*" | Export-Csv c:\Temp\Members.csv -NoTypeInformation
Loading domain information
        Local domain
                acme.com (ACMECORP)
        Domains trusted by the local domain's forest
        Domains trusted directly by the local domain

Finding groups in the current domain with query: (&(objectCategory=Group)(cn=FNMS-*))

Found group: FNMS-Group 1
Searching for group members
        Group: ACMECORP\FNMS-Group 1
                Group: ACMECORP\ABC Nested Group
                        User: ACMECORP\user1
                User: ACMECORP\user2

Found group: FNMS-Group 2
Searching for group members
        Group: ACMECORP\FNMS-Group 2
                User: ACMECORP\user3
                User: ACMECORP\user4

PS> Get-Content C:\Temp\Members.csv
"groupName","Member","Mail","Name"
"FNMS-Group 1","ACMECORP\user1","",""
"FNMS-Group 1","ACMECORP\user2","",""
"FNMS-Group 2","ACMECORP\user3","",""
"FNMS-Group 2","ACMECORP\user4","",""

Note that this PowerShell script requires the ActiveDirectory PowerShell module to be installed.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
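
A starting point for the PowerShell-to-CSV approach described in the replies above, built on the same memberOf filter as the accepted solution. This is an added example, not the script attached to the post and not Flexera's code; the function names and the output path are assumptions. It resolves nested groups with Active Directory's in-chain matching rule and returns only users from the domain being queried.

```powershell
#Requires -Modules ActiveDirectory
# Added example; function names and the CSV path are assumptions.

# RFC 4515 escaping for a value placed inside an LDAP filter, so that a
# group name or DN containing ( ) * or \ cannot change the filter structure.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value -replace '\\', '\5c' -replace '\*', '\2a'   # backslash first
    $v -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-GroupMemberRow {
    param(
        [Parameter(Mandatory)][string]$GroupNamePattern,  # e.g. 'FNMS-*'
        [switch]$Direct                                   # skip nested groups
    )
    $netbios = (Get-ADDomain).NetBIOSName
    # Escape the pattern, then restore * so it still acts as a wildcard.
    # Wildcards work on cn (a string) but not on the DN-valued memberOf.
    $cn = (ConvertTo-LdapFilterValue $GroupNamePattern) -replace '\\2a', '*'

    foreach ($group in Get-ADGroup -LDAPFilter "(cn=$cn)") {
        $dn = ConvertTo-LdapFilterValue $group.DistinguishedName
        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the domain
        # controller follows nested group membership itself.
        $match = if ($Direct) { 'memberOf=' }
                 else { 'memberOf:1.2.840.113556.1.4.1941:=' }
        # person + user excludes computer accounts and contacts.
        $filter = "(&(objectCategory=person)(objectClass=user)($match$dn))"

        Get-ADUser -LDAPFilter $filter -Properties mail | ForEach-Object {
            [pscustomobject]@{
                groupName = $group.Name
                Member    = "$netbios\$($_.SamAccountName)"
                Mail      = $_.mail
                Name      = $_.Name
            }
        }
    }
}

# Same column layout as the CSV shown above, ready for a business adapter.
Get-GroupMemberRow -GroupNamePattern 'FNMS-*' |
    Export-Csv -Path 'C:\Temp\Members.csv' -NoTypeInformation
```

The filter string built in `$filter` can also be pasted into a Business Adapter filter for a single group; with `-Direct` it reduces to the plain `memberOf=` form.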

If you combine this with a custom field for AD groups, you can avoid template files or hard-coding group names and have license managers update group names in their licenses themselves.