Question

Adding / Removing users from an AD Group


Userlevel 3
Badge +13

Hi,

 

Happy new Year everyone!!!!

 

I'm trying to get a system where Departmental Administrators manage their own Departmental Authorisors.

 

My forms use AD Groups in the Workflow to send the Authorisation Emails for requests.

 

The AD Groups are hard-fixed into my Workflow, but I'd like the Departmental Administrators to manage the membership of the said AD Group.

 

I've done a K2 Smartform which allows the Departmental Administrators to log in; they then pick the FORM which they want to change the membership for.

 

The next part is where I am stuck: how do I display the existing members of the AD group, and then go on to let the Departmental Admins change the membership of the AD group? (Obviously I have assigned EDIT AD permissions to the group for the Departmental Admins.)

 

Thanks,


21 replies

Badge +5

Hi,

 

There are two Service Instances you can make use of for this.

To display the members of a group, make use of the AD Service 2 Service type. Register a new Service Instance (if there isn't one already), and then create a smartobject off the Group methods.

There is a method which can list the members of a group sent in as an input property.

 

To edit the membership, use the Account Management Service Type.

Register an instance for this if one does not already exist and then create a smartobject from the AD Group method.

There are two methods called AddMembers and RemoveMembers which will do what you require.

 

Once you have the smartobjects, they can be used in a SmartForm as per usual.

 

Hope this helps!

Regards,

JohanL

Userlevel 3
Badge +13

Can this be done in K2 Designer?

Badge +5

Register the Service Instances using the SmartObject Service Tester, but the rest can be done from K2 Designer.

Although it is probably simpler to generate the SmartObjects from the Tester as well.

Userlevel 3
Badge +13

Any chance of bit of hand holding here, I haven't got a clue how to do this? Are you able to upload an example for me to import to see how it works?

 

On my form, the Administrator picks the form which they want to edit the Group membership for...

 

I then have a Rule on my Form which on double-click I want to then go and load the associated AD Group (not sure how to do this bit) via Designer

Hi Sharpharp1,

 

The Smartobject service tester can be found at C:\Program Files (x86)\K2 blackpearl\Bin\SmartObject Service Tester.exe

 

To register a new service instance, expand the ServiceObject Explorer group, and locate the relevant service.

 

 

Then you can create your smartobjects directly from the tester

 

 

So once we have our smartobject based on the appropriate service instance, we can use the service tester to "play around" and figure out what methods should be used in the form

 


 

Now, I'll go to the SmartObject Explorer section, and mess around with my newly created smartobject

 

 

So, looking around, I started taking a peek at the different methods.  GetGroupDetails seemed attractive...

 

 

But not quite what we are looking for... Doesn't give membership...

 

GetGroupsByUser.... not quite...

 

So GetGroupsByUser is not quite what we need.  GetOrganizationalUnitGroups doesn't quite do what we need either, but i'll spare you the screenshot there.

 

I went ahead and moved over to the "Account Management Service", registered a new instance, and created a SO based off of the AD group object, however, looking at the methods it's trying to create, I don't see a list method that will do quite what we need to do...

 

 

So then I started messing around a bit further, and went out of the AD Group smartobject over to the AD User side...  This is back on the AD service 2 SO, and behold!  The glorious method that returns a list of users when given the name of a group!

 

 

Now, as far as the form side of things goes, it should be a fairly straightforward affair once you've got the right objects behind it.

 

Regards,

 

Mike

Userlevel 3
Badge +13

Hi mike,

 

Thanks for the guide.

I already appear to have AD USER and AD Group registered, and using the Smartobject Tester tool I can use the Execute Method to retrieve the users of a named group, e.g. in Group A, there were 2 users' details returned.

 

However, if I try this as an ACTION from my rule, it only returns one entry to a View.

 

Rule here:

 

I click on Configure, then in Input Mappings I enter the name of the group.

For Output Mappings, I grab two return properties (Name and Email, for example) and add them to an AD Editable List (see here).

 

When I run my form, the editable list is empty, but when I click on add a row, it automatically displays ONE of the users' details....

 

Any ideas why only one user is returned here?

 

Hi Sharpharp1,

 

Here's my quick and dirty implementation.

 

Made a view and connected it to the AD User smartobject we created previously, setup is below.  List view with GetUsersByGroup

 

 

I figured it might want us to set a group, so I added a picker and a button and configured that to hook up to the AD group smartobject's GetGroups method

 

 

Configuration of picker control:

 

 

Made a rule on the button to call GetUsersByGroup when clicked.

Pretty basic overview of that rule

 

 

Pass the name from picker to GetUsersByGroup

 

 

Small problem, the view doesn't know what group to load initially... probably should implement something there, or perhaps just not call the method on initialize.

 

 

Picker control in action, click search and I can see all groups in AD

 

 

Selected admin group and the button threw it all back into a beautiful list view based on the parameters I had selected when configuring the list.

 

 

Hope that helps a little bit.  Make sure you're using the "right" objects, as it does get a little confusing having the built-in objects there.

 

Regards,

 

Mike

Userlevel 3
Badge +13

Mike,

 

Thanks for the steps.

 

I did these, but my returned list is empty when clicking the button.

 

I have configured the view exactly the same as yours.

Then I type in the Group name in the picker tool, and it underlines it correctly. I then click on the button and the list is empty....

 

Is this picker config correct?

 

It should return two members....

 

Userlevel 3
Badge +13

Mike,

 

I managed to get the list to display the users, the issue was with the wrong fields being used in the List view.

 

But now I'm working on Adding/Removing Users from the AD Group, but I get an LDAP error when trying to add a user. Have you come across this error?

 

 

I have full AD permissions to add and remove users from that AD Group, but it won't let me do this via K2

Hi Sharpharp1,

 

When you click details, there should be either a stack trace or a more descriptive error that might help us.

 

That being said, have you made sure your K2 service account is in the Account Operators group in AD, as this is generally a permissions problem with either K2's interaction with AD, or a specific field in AD, which the error details may surface.  If you're using "Impersonate" on that service instance, make sure the user that's interacting with that workflow has similar permissions.

 

I'd also suggest trying this in the service tester as well, and see if it behaves the same over there.

 

Regards,

 

Mike

Userlevel 3
Badge +13

Hi Mike,

 

The addmembers method works fine using the Tester Tool, but the addmembers method doesn't work through a view.

 

Here are the details of that LDAP error:

 

An Active Directory error has occurred. Details: LDAP Message LDAP_OPERATIONS_ERROR Description Operation error occurred.
 
  • Type:
    SourceCode.SmartObjects.Client.SmartObjectException
  • Source:
    SourceCode.SmartObjects.Client
  • Method Base
    • Member Type:
      Method
    • Name:
      ExecuteScalar
    • Module
      • Scope Name:
        SourceCode.SmartObjects.Client.dll
    • Declaring Type
      • Full Name:
        SourceCode.SmartObjects.Client.SmartObjectClientServer
  • Stack Trace:

    at SourceCode.SmartObjects.Client.SmartObjectClientServer.ExecuteScalar(SmartObject smartObject, DataTable inputTable)

    at SourceCode.Forms.AppFramework.FormRuntime.SmartObjectExecution(XPathNavigator nav, Boolean outputDependencies, SmartObjectClientServer svr)

    at SourceCode.Forms.AppFramework.FormRuntime.WorkXmlToApi(String xml)

    at SourceCode.Forms.Runtime.AJAXCall.ProcessRequest(HttpContext context)
Userlevel 3
Badge +13

Hi Mike,

 

When we added the Service Account to the AD Account Operators the View works!!!!! When we remove the Service Account from the AD Account Operators Group, it stops working and you get a Kerberos error.

 

But we can't do this, because our org does not allow generic accounts to add members to groups.

How do we make it so that it uses the logged-in user's credentials to do this?

 

But why does it work with the Tester tool? Does the tester tool use the logged-in user's credentials or the Service Account?

 

Also, can you explain how I check the instance for impersonation that you mentioned?

 

Thanks

Userlevel 3
Badge +13

Also...

 

Noticed that there is a 5-15 second delay between the user being added to the AD Group and it appearing in a K2 List.

The refresh list method is done in the rule immediately after the AddtoGroup Method, but I find that you have to refresh the page until it appears.

 

Is there any way of putting in a countdown timer after the AddtoGroup rule and then doing a refresh list about 15 seconds later?

This will help stop the user thinking that the user was not added and trying to re-add the user several times.

Wow, lots of questions.

 

1. As per https://www.k2.com/onlinehelp/k2blackpearl/userguide/current/webframe.html#npd01.html, Account operator permissions are required for it to work.

You can try setting the service instance to use Impersonate instead of ServiceAccount in the SO Tester, then regenerate your smartobjects, but then you're going to have to add each and every one of those users to Account Operators.

 

The big "security" risk with that group, is the ability for those users to log into domain controllers and shut them down via shutdown.exe or similar.  You could give the K2 service account AO status, and then use a local security policy to restrict login for that account on the domain controllers themselves.  All the other permissions are sort of necessary evils, as K2 needs to be able to add/create/delete/modify AD accounts in order to... well.. add/create/delete/modify AD accounts.  I've tested it, it works.  Granular permissions aren't supported, and I couldn't figure them out despite extensive testing.

 

2.  It runs in whatever context the service instance is set to. See below for how to change that.

 

 

3. I think you might be running into more of a delay with LDAP than anything else.  Need more details.

 

Regards,


Mike

Userlevel 3
Badge +13

Sorry about all the questions Mike 🙂 it's just I have faith in using K2 to achieve the many things asked for.

 

I hear what you're saying about the reasons for and against using the Account Operators group vs Users and having to assign rights.

At least I know that currently it is using the Service Account to add the users to the group, irrespective of who is using the form to carry out this task.

 

What details can I provide you on the LDAP delay?

 

I can add the user to the AD group via a K2 form, but there is a big 5-15 second delay between adding the user and it appearing in the group.

So if I add the user in my K2 rule and add a LIST REFRESH straight after, my list shows no change..

I then refresh it MANUALLY a dozen times and Voila, the user is there.

 

So I had the bright idea of wanting something visual on the screen to prevent the FORM USER from re-adding the user multiple times (because they might think it wasn't added). I was thinking along the lines of whether it's possible to put a delay in a RULE, or whether I could freeze the form/view and have a countdown timer from 15-1 and then refresh the list - hope that makes sense.

 

Is any of this possible??? (fingers crossed it is)

 

Thanks as always..

Hi Sharpharp1,

 

The only "problem" you're going to run into is that an account operator will be able to modify any user in the domain, not just the users underneath them.  I'd say handing out AO permission to several user accounts is a bit more "risky" than giving it to the service account.  Either way, K2 provides quite a bit of tools that can be used for auditing in this situation, so I'd probably leave well enough alone and set the service instance to "Service Account".  If you do assign AO rights to those users, you can switch it to impersonate.  Whatever peels your banana.

 

This might help narrow down your LDAP delay:  https://www.novell.com/coolsolutions/tools/14046.html  If it turns out it's on the K2 side, let me know and I'll do some digging, but the size/latency of active directory can cause those delays you're seeing.

As a possible solution to preventing the user from being added twice, perhaps as part of your "on button click" rule, you could hide the button?

I'll have to play around and figure out how to list the users.  I'll give it a go and let you know where I get.  There's probably a SmO for it somewhere.

 

Regards,

 

Mike

Userlevel 3
Badge +13

Thanks Mike,

 

The Service Account works fine for adding users now; we don't need Account Operator rights, as I managed to get this working using direct AD permissions for the service account.

 

So the only issue remaining is the delay in adding the users and them appearing in the list.

I checked with our server guys and they said it does take that long to update because there is a delay in the updated AD group being read by the K2 server via LDAP.

 

I am fine with there being a delay, but I'm NOT fine with the list refresh not showing the users until it has been hit at least 20 times....

I don't want to hide/disable the button because the User may want to add more members to the group.

 

What I need is a DELAY/Timer between adding the member(s) to the group and the LIST refresh.

 

It was suggested I use a Custom Control called "Timer Control"; it's on the market here: http://community.k2.com/t5/K2-blackpearl/Timer-Control/ba-p/1055

I've installed it, but no clue how it works.

 

Have you used it, or is there any way to make the add members/refresh part look more professional while it updates the LIST via LDAP?

 

Thanks!!!
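A way to confirm the least-privilege setup described in the post above (direct write access on the one group, with the service account kept out of Account Operators). This is an added PowerShell example, not from the thread or from K2; the group and account names are placeholders, and it only reads the ACL, changing nothing.

```powershell
# Added example (not from the thread): report how a given account can change the
# membership of one AD group, so the direct-permission setup can be verified
# without relying on Account Operators. Names below are placeholders.
Import-Module ActiveDirectory

$GroupName      = 'Dept-Authorisers'   # placeholder: group the K2 form manages
$AccountSam     = 'svc-k2'             # placeholder: K2 service account
# schemaIDGUID of the "member" attribute; an ACE scoped to it is "Write Members"
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$group  = Get-ADGroup -Identity $GroupName
$acct   = Get-ADUser  -Identity $AccountSam
$acctNt = "$((Get-ADDomain).NetBIOSName)\$($acct.SamAccountName)"

# 1. Is the account in Account Operators (directly or via nesting)? That is the
#    broad, domain-wide grant the thread discusses avoiding.
$inAO = Get-ADGroupMember -Identity 'Account Operators' -Recursive |
        Where-Object { $_.distinguishedName -eq $acct.DistinguishedName }

# 2. Does the group's own ACL allow the account to write its member attribute?
#    An ObjectType of Guid.Empty means the ACE covers all properties.
$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$writeMember = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $acctNt -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [Guid]::Empty)
}

[PSCustomObject]@{
    Account            = $acctNt
    Group              = $group.Name
    InAccountOperators = [bool]$inAO
    HasWriteMembersACE = [bool]$writeMember
}
```

Only ACEs that name the account itself are matched; a grant inherited through a group the account belongs to would need that group's identity checked the same way.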

Hi Sharpharp1,


I haven't used the timer control personally, but to my understanding it will raise an "event" at whatever time interval is specified, which you then catch with a rule such as...

When a control (timer control) on a view/form raises an event... do (xyz).

I'll download it in a second or two and play around with it, but that's what I'm "expecting".

 

Regards,

 

Mike

Userlevel 3
Badge +13

In the most current Smartforms, the Timer Control does not work.

I've disabled the Timer on the view and done a rule ON TICK to do a list refresh.

But when the view runs, the Timer control is enabled and starts doing the list refresh before it is even required...

 

Forgetting the Timer control completely, is there any way of doing the list refresh with an ADVANCED CONDITION? Such as this...

 

1. When a user is added to the group via the K2 form

2. Then, while this user is slowly being added via LDAP, count the number of rows in the LIST

3. Then do a list refresh repeatedly until the number of rows changes (until the user which has been removed or added appears in the list)

4. Exit list refresh loop?

 

Is it possible to do a loop with an Advanced condition?

 

At the moment, I've got it to Add the User, and then done "30" Yes 30.... List Refreshes to get the user to appear in the list.

If I could use a loop, this would make the Rule way less messy...

 

 

Sharpharp1,

 

You can certainly use an advanced condition to trigger a refresh of a list.  I did see the L-word in your suggested path though.  I know from the workflow side, looping is a bad idea, I can't speak on the smartforms end of things, but querying AD once every X seconds is definitely going to slow down any action involving AD to a crawl.


Regards,


Mike

Userlevel 3
Badge +13

Managed to get this working. For the past two days the LIST Refresh would not work (I wanted this to be my LOOP condition). I used a count rows method to catch the change in rows (i.e. a user is added or removed) and then do an exit of the list refresh.

 

It's working spot on, I'm off to backup this project onto several hard drives now :-)

 

Thanks for your help!!!!
