
Is there a way that, upon first successful sync via ActiveSync, a user could be added to an Active Directory group?

NaOH
  • Do the users already exist on the domain prior to syncing? I'd assume they would have to, unless you have some custom code you wrote. – Brent Pabst Dec 03 '12 at 23:53
  • Yes, we can assume that they do. – NaOH Dec 04 '12 at 03:22
  • What is the goal of this btw? – Brent Pabst Dec 04 '12 at 14:39
  • To be able to communicate with all ActiveSync users without missing any. The ActiveSync info isn't a secret here, and we allow users to connect their personal devices, but if changes are made and I need to communicate them to these users, often I'm finding that I'm not reaching everyone, as people have connected their personal devices without letting me know. – NaOH Dec 04 '12 at 16:28
  • This may be better managed through a non-technical solution such as a broadcast e-mail group or something. Alternatively you can always pull reports from Exchange that show the ActiveSync devices for each user, just run a PS script that dumps all users who have AS devices. – Brent Pabst Dec 04 '12 at 17:27

3 Answers


Can't be too sure about the answer, but to my knowledge there is no way of Websense automatically adding/removing users from directory groups, as this is solely controlled in the directory itself. I'm not 100% with V7 yet, but with V6.x.x, if the user is not a member of a group, the default policy automatically applies; therefore, if you want to change the standard policy that applies to all users (unless in another policy group), then simply amend the default policy. Please refer to this link; hope you will get your answer.

http://www.activedirectorytutorial.net/

Richard Wilson

I'm not 100% sure whether this would work or not, but you would have to approach this from one of two directions.

  1. Active Directory

Theoretically you could build a custom AD filter that is fired whenever a specific condition is met. For instance, many people run password change filters to capture the password and when it was changed. You could build a logon filter and then try to decipher the additional information that is provided to then execute some other logic to add the user to a group.

Not exactly confident that this would be easy or even doable.

  2. Exchange

Let Exchange handle this logic. Build some add-on to Exchange that handles the ActiveSync connection and then performs the same logic as above to add the user to the group.

Obviously this is all theoretical and may or may not work properly; it will certainly be a custom solution.

Brent Pabst

Not 'automatic', but a PowerShell script or equivalent scheduled task could query for objectCategory=person objects that are Exchange users (such as homeMDB=*), and have child objects located under ExchangeActiveSyncDevices, then refresh a distribution group membership with the results.

Objects with a parent DN that includes a user object and a child CN=ExchangeActiveSyncDevices are a reasonably accurate indication of an ActiveSync device.

The objectCategory would be 'msExchActiveSyncDevice'.

You may also want to refine the query by specifying that the whenChanged attribute is recent. Stale devices tend to stay in AD and are not removed.

Here is a sample ldifde output of an ActiveSync device:

dn: CN=iPhone5§3939303030323037383031353037,CN=ExchangeActiveSyncDevices,CN=jSmith,OU=Users,OU=HQ,DC=acme,DC=com
changetype: add
objectClass: top
objectClass: msExchActiveSyncDevice
cn:: aVlkjb25llkjnMzkzOTMlkjMDMyMzAzNzM4MzAzMTM1MzAzNw==
distinguishedName:: 
 Q049alk25lNcKnMzkzOTMwMzAzMDMyMzAzNzM4MzAzMTM1MzAzNyxDTj1FeGNoYW5nZUFjdGl2ZV
 N5bmNEZXZpYlkjNOPWdhc2tlMlkjLE9VPVVzZXJzLE9VPUhEUVJLLERDPW1paGRxLERDPW1hcnJj
 b3JwLERDPW1hcnJpb3R0LERDPWNvbQ==
instanceType: 4
whenCreated: 20121204031102.0Z
whenChanged: 20121206035828.0Z
uSNCreated: 64647685
uSNChanged: 64888478
name:: aVBokjrweNcKnMzkzOTMwhjgdfAzMDMyMzAzNzM4MzAzMTM1MzAzNw==
objectGUID:: odtO+OEUg0aae4kVkQOjRg==
systemFlags: 1073741824
objectCategory: CN=ms-Exch-Active-Sync-Device,CN=Schema,CN=Configuration,DC=acme,DC=com
dSCorePropagationData: 16010101000000.0Z
msExchDeviceAccessState: 1
msExchDeviceFriendlyName: Android_hq_jSmith
msExchUserDisplayName: acme.com/HQ/Users/jSmith
msExchDeviceEASVersion: 14.1
msExchDeviceOS: Android 4.1.1
msExchDeviceType: iPhone5
msExchDeviceID: 3939303030323037383031353037
msExchDeviceModel: SCH-I605
msExchFirstSyncTime: 20121204031102.0Z
msExchDeviceUserAgent: TouchDown(MSRPC)/7.3.00052/
msExchDeviceTelephoneNumber: ******7887
msExchDeviceOSLanguage: English
msExchDeviceAccessStateReason: 1
msExchVersion: 44220983382016
msExchDeviceIMEI: 99000207801507
Greg Askew
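
One way to write the scheduled task described in the answer above, as an added example that is not part of the original answer. It uses the ActiveDirectory PowerShell module; the group name and the staleness cutoff are hypothetical placeholders, and the search base reuses the acme.com domain from the sample output.

```powershell
# Added example (not from the original answer). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: adjust to your environment.
$SearchBase = 'DC=acme,DC=com'      # domain taken from the sample ldifde output
$GroupName  = 'ActiveSync-Users'    # hypothetical, pre-created group
$MaxAgeDays = 90                    # hypothetical cutoff for stale device objects
$cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Device objects carry objectClass msExchActiveSyncDevice (see the sample output).
# Stale devices stay in AD, so keep only those whose whenChanged is recent.
$devices = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(objectClass=msExchActiveSyncDevice)' -Properties whenChanged |
    Where-Object { $_.whenChanged -ge $cutoff }

# A device DN looks like CN=<device>,CN=ExchangeActiveSyncDevices,<owner DN>,
# so everything after the container name is the owning object's DN.
$marker = ',CN=ExchangeActiveSyncDevices,'
$ownerDns = @($devices | ForEach-Object {
    $dn = $_.DistinguishedName
    $i  = $dn.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { $dn.Substring($i + $marker.Length) }
} | Sort-Object -Unique)

# Keep only owners that are mailbox-enabled user objects (homeMDB is set).
$wanted = @($ownerDns |
    ForEach-Object { Get-ADObject -Identity $_ -Properties homeMDB } |
    Where-Object { $_.ObjectClass -eq 'user' -and $_.homeMDB } |
    Select-Object -ExpandProperty DistinguishedName)

# Current direct user members of the group.
$current = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName)

$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

# -WhatIf makes this a dry run; remove it once the reported changes look right.
if ($toAdd.Count) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -WhatIf
}
if ($toRemove.Count) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false -WhatIf
}
"Would add $($toAdd.Count) and remove $($toRemove.Count) member(s) in $GroupName"
```

The account running the task needs read access to the device objects and write access to the target group's membership only; it does not need Exchange or domain administrator rights.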