Function
Makes an Active Directory user account a member of specified Active Directory universal, domain global or domain local groups. The groups can be either security or distribution groups.
Deployment
This action is typically used in a script that is intended to create new users in Active Directory, after creation of the actual user account with Script Action: Create User (AD) on page 3. It can also be used for modifying existing accounts.
The groups can be specified by two properties using LDAP names (property: Group names (LDAP)) and pre-Windows 2000 names (property: Group names (Pre-W2K name)). For both properties, the LDAP name is used to add the user account to the group. For property Group names (Pre-W2K name) the LDAP name is searched for in Active Directory. If the group names are known in advance and there is no need to use variables in the specification of the group names, it is recommended to use property Group names (LDAP) to specify the names of the groups. In case you want to use pre-Windows 2000 names and variables, it is more convenient to use property Group names (Pre-W2K name). This property contains a list with the pre-Windows 2000 names of the groups. The entries of the list can be a single group name or a variable containing one or more group names specified as a text list. When the action is executed, the application will search in Active Directory to find the LDAP name of the group. The method used to access Active Directory is determined by the syntax used to specify the group name:
Syntax | Example | Description
GroupName | Administrators | The Active Directory path of the %UserObject% property is used to access Active Directory.
Domain\GroupName | SEASONS\Administrators | The application accesses Active Directory through the domain: LDAP://Domain
\\Server\GroupName | \\SPRING\Administrators | The application accesses Active Directory by accessing the server: LDAP://Server
Note that for each item of the list a different syntax can be used.
A common scenario to specify a number of groups using variables is as follows:
1. A number of Set Variable on page 311 script actions are used to initialize multiple variables, each containing a number of groups: %GroupSetA%, %GroupSetB%, %GroupSetC% etc.
2. The Map variable on page 339 script action copies the content of one of these variables into the resulting variable %GroupSet%. The mapping is determined by the content of the input data.
3. The Group names (Pre-W2K name) property contains a single entry: %GroupSet%
The mapping performed in step 2 determines the groups of which the user account becomes a member.
Properties
Property Name: User Object
Description: Internal application object representing the user account that must be made a member of specified groups.
Typical setting: %UserObject%
Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action, e.g. the Script Action: Create User (AD) on page 3 will by default fill the variable %UserObject% with the User Object of the newly created user.
Property Name: Group names (LDAP)
Description: The names of the groups of which the user account must become a member. Each group name is specified by 2 text strings: a display name and the LDAP name. The display string has the easily readable format Domain/GroupName, for instance: TOOLS4EVER/Users. The LDAP name is the name of the group in Active Directory. The LDAP name is used by the application to add the user to the group.
Typical setting: LDAP group names specified by means of a special dialog
Remarks: The property is a list of text pairs. Each pair represents a single group. The pair items are the display name and the LDAP name of the group,
Property Name: Group names (Pre-W2K name)
Description: The names of the groups of which the user account must become a member. Each group name is specified by its pre-Windows 2000 name. This name corresponds with the Windows NT naming style. The application will first search for the full LDAP name of the group. See the online help for more information.
Typical setting: Pre-Windows 2000 group names
Remarks: The property is a list. The list contains the pre-Windows 2000 names of the groups. The name can be specified using the following syntax: DOMAIN\GroupName, \\SERVER\GroupName, GroupName. See the Deployment section for more information.
Multiple domain controllers
In a scenario where there are multiple domain controllers in a network, the LDAP group name may have to be specified somewhat differently. After the LDAP names of the groups have been specified, edit the LDAP names of the groups manually and specify the same server for the binding as the one which was used to create the user. This needs to be done for each group of which the user should become a member.
If this procedure is not followed, an error may occur in a situation where this script action is used for a user which has just been created. This is because the Set User Group Memberships (AD) action may be executed on a different domain controller than the one on which the user has just been created. This is inherent to the way in which the script action operates:
1. It retrieves the full LDAP user name from the user object.
2. Then it connects to a given domain controller using the specified AD group.
3. Finally, the script action tells the AD group to make the user a member of the group.
This is where it can go wrong, since this user may not be known yet on any other domain controller than the one on which it has just been created.
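The same pattern outside the application, as an added PowerShell example that is not part of the product or its documentation: each pre-Windows 2000 name is resolved according to the three syntaxes from the Deployment section, and the membership write is pinned to the domain controller on which the user was created. The function name, the sample account and the group name Staff are assumptions, and the ActiveDirectory module is required.

```powershell
Import-Module ActiveDirectory

function Add-UserToPreW2KGroups {   # hypothetical helper, not a product function
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $UserDN,          # DN of the new user
        [Parameter(Mandatory)] [string]   $CreationServer,  # DC that created it
        [Parameter(Mandatory)] [string[]] $GroupSpec        # pre-W2K group names
    )
    foreach ($spec in $GroupSpec) {
        # Choose the lookup target from the syntax of the entry.
        if ($spec -match '^\\\\([^\\]+)\\(.+)$') {        # \\Server\GroupName
            $lookup = $Matches[1]; $name = $Matches[2]
        } elseif ($spec -match '^([^\\]+)\\(.+)$') {      # Domain\GroupName
            $lookup = $Matches[1]; $name = $Matches[2]
        } else {                                          # bare GroupName
            # Assumption: stands in for "the path of the user object".
            $lookup = $CreationServer; $name = $spec
        }
        # Resolve the pre-W2K (sAMAccountName) name to the full LDAP name.
        $group = Get-ADGroup -Identity $name -Server $lookup -ErrorAction Stop

        # Write on the DC that already knows the user; another DC may not
        # have received the new account through replication yet.
        # Assumption: the group lives in the same domain as $CreationServer.
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "add $UserDN")) {
            Add-ADGroupMember -Identity $group.DistinguishedName `
                -Members $UserDN -Server $CreationServer -ErrorAction Stop
        }
        # Read back from the same DC to confirm the membership was written.
        $members = (Get-ADGroup -Identity $group.DistinguishedName `
            -Server $CreationServer -Properties member).member
        [pscustomobject]@{
            Spec     = $spec
            GroupDN  = $group.DistinguishedName
            IsMember = $members -contains $UserDN
        }
    }
}

# Constructed usage; the account and group names are sample values.
$dc   = (Get-ADDomainController).HostName
$user = New-ADUser -Name 'Test User' -SamAccountName 'tuser' -Server $dc -PassThru
Add-UserToPreW2KGroups -UserDN $user.DistinguishedName -CreationServer $dc `
    -GroupSpec 'Staff', 'SEASONS\Staff'
```

Running the function with -WhatIf resolves every entry and reports the group's LDAP name without changing any membership.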