It's possible to automate group membership (adding/removing) of user accounts based on the OU they reside in. When moved to another OU, they can be added to or removed from the appropriate groups automatically.
This is possible using the Group Membership AutoProvisioning policy and a simple filter condition.
Create a new policy object and configure the following two Group Membership AutoProvisioning policies for each OU you wish to automate group memberships on.
Policy 1
Object Type: User (user)
Conditions: edsvaParentDN (edsvaParentDN) equals '<DN of OU>'
Action: Add object to groups if object satisfies policy conditions
Groups: <Any groups you want the users to be added to when moved to this OU>
Policy 2
Object Type: User (user)
Conditions: edsvaParentDN (edsvaParentDN) does not equal '<DN of OU>'
Action: Remove object from groups if object satisfies policy conditions
Groups: <Any groups you want the users to be removed from when moved from this OU>
You can add as many of the above pairs of policies as necessary to cover all the OUs you wish to automate group memberships on. Apply the policy to the top level of the domain for easy propagation to all affected OUs, or apply it directly to each of the affected OUs.
Note: Provisioning policies do not apply to existing objects in the OU. If you wish to have them take effect on all existing user objects, as a workaround, move all the users out of the OU to a temporary OU and then back in. This will cause the provisioning policy to kick in and make the necessary group membership adjustments on the user objects.
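The following PowerShell script is an added example, not part of the One Identity article and not Active Roles code. It evaluates the two policy conditions above offline against constructed sample data, so you can see which group additions and removals each policy would make for a given user, and audit existing users for drift before applying the move-out/move-in workaround. It assumes that edsvaParentDN holds the DN of the object's immediate parent container, so the "equals" condition matches only users directly in the OU, not users in child OUs. The OU, group and user DNs are constructed; in a live environment you would replace the $Users array with an export of real user DNs and memberOf values.

```powershell
# Added example (not from the One Identity article): offline evaluation of the
# Policy 1 / Policy 2 conditions to find group-membership drift.
# Assumption: edsvaParentDN = DN of the object's immediate parent container.
# All OU, group and user DNs below are constructed sample data.

# The "Groups" field of each OU's policy pair: OU DN -> groups it should confer
$OuGroupMap = @{
    'OU=Sales,DC=example,DC=com'       = @('CN=Sales-Users,OU=Groups,DC=example,DC=com',
                                           'CN=CRM-Access,OU=Groups,DC=example,DC=com')
    'OU=Engineering,DC=example,DC=com' = @('CN=Eng-Users,OU=Groups,DC=example,DC=com')
}

# Constructed users: DN plus current memberOf, as a directory export would give them
$Users = @(
    # Already correct: in Sales, holds Sales-Users, still needs CRM-Access
    @{ DN = 'CN=Alice,OU=Sales,DC=example,DC=com'
       MemberOf = @('CN=Sales-Users,OU=Groups,DC=example,DC=com') }
    # Moved from Sales to Engineering before the policy existed: still holds Sales groups
    @{ DN = 'CN=Bob,OU=Engineering,DC=example,DC=com'
       MemberOf = @('CN=Sales-Users,OU=Groups,DC=example,DC=com',
                    'CN=CRM-Access,OU=Groups,DC=example,DC=com') }
    # Nested OU: parent DN is OU=Interns,..., so the Sales "equals" condition does not match
    @{ DN = 'CN=Carol,OU=Interns,OU=Sales,DC=example,DC=com'
       MemberOf = @() }
)

function Get-ParentDN {
    param([Parameter(Mandatory)][string]$DN)
    # Split at the first unescaped comma; everything after it is the parent's DN
    $m = [regex]::Match($DN, '^(?:\\.|[^,\\])+,(.*)$')
    if (-not $m.Success) { return $null }   # a root-level DN has no parent
    return $m.Groups[1].Value
}

function Get-MembershipDrift {
    param([hashtable]$OuGroupMap, [object[]]$Users)
    foreach ($u in $Users) {
        $parent = Get-ParentDN $u.DN

        # Policy 1: edsvaParentDN equals <DN of OU>  -> add that OU's groups
        $shouldHave = @()
        if ($parent -and $OuGroupMap.ContainsKey($parent)) { $shouldHave = $OuGroupMap[$parent] }

        # Policy 2: edsvaParentDN does not equal <DN of OU> -> remove that OU's groups
        $shouldNotHave = foreach ($ou in $OuGroupMap.Keys) {
            if ($ou -ne $parent) { $OuGroupMap[$ou] }
        }

        $toAdd    = @($shouldHave    | Where-Object { $u.MemberOf -notcontains $_ })
        $toRemove = @($shouldNotHave | Where-Object { $u.MemberOf -contains $_ })

        [pscustomobject]@{
            User     = $u.DN
            ParentDN = $parent
            ToAdd    = $toAdd
            ToRemove = $toRemove
        }
    }
}

# Report the adjustments the policy pair would make for each sample user
Get-MembershipDrift -OuGroupMap $OuGroupMap -Users $Users | Format-List
```

Running it lists Alice with CRM-Access to add, Bob with Eng-Users to add and both Sales groups to remove, and Carol with nothing to do, because her parent DN is the Interns OU rather than the Sales OU. If you want users in child OUs covered as well, you need a policy pair for each child OU (or a different condition than "equals"), since edsvaParentDN only reflects the immediate container.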