I've been searching all day, so I thought I'd try here.
What I want to do is check AD if a user is a member of a security/application group; if yes, then send me an email.
I tried normal queries but can't get my head around this.
Nick was added to the security group "usb access" 4 years ago.
My Nintex workflow checks if Nick is a member of this group and sends me an email that Nick is a member of this specific group (could be any group).
This then becomes an action for someone to remove him from this group.
I want to make different checks, but if I get one, the rest is easy I guess....
We have SharePoint 2010 and a license for Nintex Workflow.
Hello Bas Leerschool -
You can do this with a few actions, but the trick is setting up the LDAP Query.
Here is how I did it -
1. Query LDAP - Your query will be something like this:
Or, if there is a comma in the name:
***Sorry, the queries are screenshots. It would not allow me to post the code. Assuming some keyword violation.***
Once you have your query, you will want to grab the sAMAccountName and store it in a collection variable. Be sure to test your query with results you know are accurate (using Run Now).
Results will be something like:
2. Loop through the data - Now the easy part: just loop through the collection and evaluate each one to determine if it matches what you are seeking.
3. Log History - I did this so I can see the exact spelling of the group names (to match on easier).
4. Run If - If there is a match
5. Email - Send the email!
In order to make this dynamic, you will need to get the user's CN. Let me take a whack at how we can do that within the workflow based on userID or something easily accessible!
I hope this helps you to get started!
This helps me a lot; the only thing I want to do is make it dynamic.
Because I only know the name or email address, not the user.
Is this possible?
Could you add a screenshot of the "For Each/Run If" and the "Query LDAP"? Your help is REALLY appreciated!
I have the idea that I'm missing the "output" field where you put the sAMAccountName...
We should be able to get the same results if you have the user's email address.
Let me put it together and test a few things, but I am thinking we can call a web service (UserGroup > GetUserLoginFromEmail) and then parse the results to get the login, which we can then use to get the Distinguished Name (from user profile) which will contain everything you need for the LDAP Query.
It sounds like a lot of steps, but this will automate everything so all you need to provide is an email address!
Once I have it working, I'll post it.
So here it is (let's start with the "Start Form").
This form is used to feed the workflow and you can easily plug this into any existing workflow. I simply created a site workflow as it was the easiest for me to mock up quickly.
The form is looking for 3 variables:
1. email of the user you want to lookup (firstname.lastname@example.org)
2. User to send the notification email to (this is a people picker field)
3. Name of the group to match against (match exact)
Once you have that filled in, click start and let it go!
I set up a simple email to notify me if the user is a part of the group.
Also (mostly because why not), I created an email that notifies me if the user is NOT a part of the group.
So how do we do all of this? Let's dive into the details!
First off, let's go over the workflow variables:
Notice that there are a few that are required and on the Start Form (need those to run this!)
First action is to call a web service (GetUserLoginFromEmail) to get the user's login:
Take note of the emailXML input syntax (caused a bit of a hiccup to get it right). At this point, I would "Run Now" with your email address to ensure you are getting results. Your results will look something like this:
Once we have that in place, it is time to pick apart the results and get the User Login. We can do that using a Query XML action:
Now we have the user's login based on their email address. We can use this to get their CN by looking up their Distinguished Name in the User Profile, using a Set Variable action like so:
This will provide you with a string like so:
Store that in the variable userCN, and then you can plug that into your LDAP query.
Again, I would run this with predictable data to check that it is working. Once that is setup and working, all that is left is to loop through the groups and check to see if any of them match the target group name.
Here is how I did that:
- Target collection: groups
- Store result in: groupName
2. Run If
- groupName = targetGroupName
- Send Notification saying they are in the group
- Add one to counter (I do this so if they are not in any group, counter = 0 and I can send an email)
Once out of the loop, the last thing I do is check counter. If it is equal to 0, that means the user was not in the group that was provided. Using a Run If action, if counter = 0, send an email saying they are not in the group.
I attached the .nwf file for you so that you can easily upload this and test it out. Keep in mind that you will need to provide credentials for the web service and query LDAP actions. Also, you will need to update the LDAP path to reflect your environment.
Hope this helps!
Let me know how things work out for you!
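The membership check that the workflow above performs, written out as a stand-alone Python example (added here; it is not part of this thread and not Nintex code): it escapes the user's DN for the LDAP filter, extracts each group's CN from the returned group DNs (including a name containing an escaped comma, the case mentioned earlier), and counts exact matches the way the Run If/counter steps do. The sample group DNs and the user DN are constructed.

```python
import re
from typing import Iterable

# Constructed sample: group DNs as an LDAP query for a user's groups might return them.
SAMPLE_GROUP_DNS = [
    "CN=usb access,OU=Security Groups,DC=example,DC=org",
    "CN=Leerschool\\, Bas Team,OU=Groups,DC=example,DC=org",  # escaped comma in the name
    "CN=Domain Users,CN=Users,DC=example,DC=org",
]

# RFC 4515 escapes for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP filter; unescaped specials yield 'no result' or match too much."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(user_dn: str) -> str:
    """Filter selecting the groups whose 'member' attribute holds the user's Distinguished Name."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def group_cn_from_dn(dn: str) -> str:
    """Return the CN of a group DN; the first RDN ends at the first comma not preceded by a backslash."""
    m = re.match(r"CN=((?:\\.|[^,\\])*)", dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CN-led DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", m.group(1))  # drop the escaping backslashes


def count_matching_groups(group_dns: Iterable[str], target_group: str) -> int:
    """Mirror the For Each / Run If loop: exact match of each group name against the target, counting hits."""
    return sum(1 for dn in group_dns if group_cn_from_dn(dn) == target_group)


def notification_for(group_dns: Iterable[str], target_group: str) -> str:
    """Pick the email the workflow sends: counter > 0 means member, counter == 0 means not a member."""
    counter = count_matching_groups(group_dns, target_group)
    if counter > 0:
        return f"user IS a member of {target_group!r}"
    return f"user is NOT a member of {target_group!r}"


if __name__ == "__main__":
    print(build_group_filter("CN=Bas Leerschool,OU=Users,DC=example,DC=org"))
    print(notification_for(SAMPLE_GROUP_DNS, "usb access"))
```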
Wow Jesse, you're a hero!
Thanks for all your detailed work.
I am going to test/make this in our environment and will let you know the outcome.
Update: so I tested it but cannot get it to work.
The thing is, I already know the login name from the form that's being filled in. So I have a variable where the login name is in (called VLVariable).
Could you check my workflow (I added it)? Your help is REALLY appreciated.
What I get in the mail if I mail the "VLVariable" is:
But when I query this to LDAP to get the groups in the result (like in the picture you added before), I get "no result".
I did another test: I imported your workflow, as "userCN" I added my login name (sAMAccountName), ran the "test new configuration" and again got "no result returned". In the picture you added before you could see the groups; in my case nothing. What am I doing wrong?
When I try a different query, again no results returned; when I try "test connection" it says connection successful.
Hello Bas Leerschool -
Sorry to hear you can't get it working.
In your LDAP query, try doing this:
Use a group name that you know you are in.
It should result in a list of all users in the group and provide you with the exact syntax. Find yourself in the list and then go back and plug it into the original query:
Also, I thought you did not know the user login, that was my mistake. If you know the user's login, then you can skip the first 2 actions, and jump right to setting the Distinguished Name.
Let me know how you make out with this.
Hope this helps!
I got it to work; what I am doing now is search for a specific group.
Then check the users inside; if a specific user is in this group >> send an email.
This helps me a lot, thanks!!