This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
gavin_mouat
Level 4
‎Apr 08, 2021 09:34 AM

AD group member query business adapter.

Jump to solution

I'm looking to see if anyone has a query they have used to pull in group membership through a business adapter on a beacon server.

I need to pull all members of a specific group and assign them to software entitlements.

I can't seem to get the filters correct.  

Has anyone done this in the past and if so could you share your query and attributes.

Thanks,

Gavin

0 Kudos
1 Solution
nrousseau1
Flexera
Flexera
‎Apr 09, 2021 12:12 PM

Jump to solution

Hello Gavin,

Reading users and filtering from AD groups is pretty straight forward with the Business Adapter Studio (including the Beacon version).

This is super useful for instance if you manage your Adobe subscription through AD groups (AD integration for Adobe Portal).

You need in the filter to restrict on a group using "MemberOf", one example below. The grammar is cryptic but your AD admins should be able to help you. You filter on 1 group and multiple domains for instance. I was not able to filter on multiple groups using wildcards (Acrobat%)... so, you need as many Business Adapters as groups.

(&(objectCategory=user)(!cn=CHILD$)(memberof=CN=DG_Adobe_AcrobatPro-Users,OU=GRP,OU=Global,OU=PRD,DC=net,DC=fr,DC=ch))

BusinessAdapterForADGroup.png

One important item to note: the insert behavior will manage the type of insert... the following below will allocate each user that was reported in the AD group, and removes any user that is no longer reported.

UpdateRule.png

Hope it helps!

Nicolas

View solution in original post

4 Replies
mfranz
Level 15
‎Apr 08, 2021 09:51 AM

Jump to solution

Hi,

I usually do this in PowerShell, export the results to CSV and then use the CSV file as input for my business import.

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.
0 Kudos
nrousseau1
Flexera
Flexera
‎Apr 09, 2021 12:12 PM

Jump to solution

Hello Gavin,

Reading users and filtering from AD groups is pretty straight forward with the Business Adapter Studio (including the Beacon version).

This is super useful for instance if you manage your Adobe subscription through AD groups (AD integration for Adobe Portal).

You need in the filter to restrict on a group using "MemberOf", one example below. The grammar is cryptic but your AD admins should be able to help you. You filter on 1 group and multiple domains for instance. I was not able to filter on multiple groups using wildcards (Acrobat%)... so, you need as many Business Adapters as groups.

(&(objectCategory=user)(!cn=CHILD$)(memberof=CN=DG_Adobe_AcrobatPro-Users,OU=GRP,OU=Global,OU=PRD,DC=net,DC=fr,DC=ch))

BusinessAdapterForADGroup.png

One important item to note: the insert behavior will manage the type of insert... the following below will allocate each user that was reported in the AD group, and removes any user that is no longer reported.

UpdateRule.png

Hope it helps!

Nicolas

View solution in original post

ChrisG
Community Manager Community Manager
Community Manager
In response to nrousseau1
‎Jul 22, 2021 08:13 AM

Jump to solution

@nrousseau1's answer on this topic is a solid direct approach to solving the problem that will work in many cases. On the other hand, a PowerShell script approach of saving Active Directory group membership information to a CSV file as described by @mfranz is a little more flexible as it can handle more complex membership scenarios like nested group memberships or cross-domain memberships. This data could then be subsequently imported or otherwise processed using a business adapter.

I've attached a sample of such a script that may be useful for others as a starting point here.

Example use and output:

 

PS> .\DumpADGroupMembers.ps1 -GroupNamePattern "FNMS-*" | Export-Csv c:\Temp\Members.csv -NoTypeInformation
Loading domain information
        Local domain
                acme.com (ACMECORP)
        Domains trusted by the local domain's forest
        Domains trusted directly by the local domain

Finding groups in the current domain with query: (&(objectCategory=Group)(cn=FNMS-*))

Found group: FNMS-Group 1
Searching for group members
        Group: ACMECORP\FNMS-Group 1
                Group: ACMECORP\ABC Nested Group
                        User: ACMECORP\user1
                User: ACMECORP\user2

Found group: FNMS-Group 2
Searching for group members
        Group: ACMECORP\FNMS-Group 2
                User: ACMECORP\user3
                User: ACMECORP\user4

PS> Get-Content C:\Temp\Members.csv
"groupName","Member","Mail","Name"
"FNMS-Group 1","ACMECORP\user1","",""
"FNMS-Group 1","ACMECORP\user2","",""
"FNMS-Group 2","ACMECORP\user3","",""
"FNMS-Group 2","ACMECORP\user4","",""

 

 Note that this PowerShell script requires the ActiveDirectory PowerShell module to be installed.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
DumpADGroupMembers.zip
mfranz
Level 15
In response to ChrisG
‎Jul 22, 2021 08:56 AM

Jump to solution

If you combine this with a custom field for AD groups, you can avoid template files or hard-coding group names and have license managers update group names in their licenses themselves.

Softline Group is Europe's leading independent expert in Software Asset Management.