Add a User to Security Groups

This is an interactive task that allows the user to add an Active Directory user to one or more Security Groups.

Playbook Files

This playbook was built for PPA version 3.0.x

Running this Playbook

  • Click download playbook
  • Import the playbook on the Playbooks page in PPA
  • Build the playbook from the Edit & Build tab
  • Run the playbook from the Preview & Deploy tab


Auditing Active Directory Groups

By default this task will audit all groups in Active Directory before asking the user to choose.

This can take a long time on large domains, and you may want to narrow the search for operational and security reasons.

You can target the search at a specific Container or Organizational Unit by supplying a distinguishedName on line 10.
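
A complementary check, as an added example that is not part of the playbook or of PPA: before memberships are applied, confirm that each selected group's distinguishedName really sits under the configured search base. The function names and sample DNs are constructed for illustration.

```python
SEARCH_BASE = "OU=Delegated Groups,DC=corp,DC=example,DC=com"  # constructed
SELECTED = [  # constructed sample selections
    "CN=Helpdesk Tier1,OU=Delegated Groups,DC=corp,DC=example,DC=com",
    "cn=vpn users,ou=delegated groups,dc=corp,dc=example,dc=com",
    "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
    # The escaped comma makes this ONE RDN directly under DC=corp, yet a
    # plain string suffix match against SEARCH_BASE would accept it.
    "CN=Ops\\,OU=Delegated Groups,DC=corp,DC=example,DC=com",
]


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas only."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns


def normalise(rdn):
    """Lower-case and trim an RDN; AD compares DNs case-insensitively.
    Hex escapes are not canonicalised, so differently escaped spellings
    of the same DN compare as unequal and fail the check."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_within_base(dn, base):
    """True only if dn is strictly below base, compared RDN by RDN."""
    dn_parts = [normalise(r) for r in split_rdns(dn)]
    base_parts = [normalise(r) for r in split_rdns(base)]
    return (len(dn_parts) > len(base_parts)
            and dn_parts[-len(base_parts):] == base_parts)


def out_of_scope(selected, base):
    """Return the selected DNs that must be refused."""
    return [dn for dn in selected if not is_within_base(dn, base)]
```

Calling `out_of_scope(SELECTED, SEARCH_BASE)` returns the last two sample DNs: the group outside the container and the one whose escaped comma only makes it look as if it were inside.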

Required Vault Details

Active Directory

  • IP/DNS address of a Domain Controller
  • Domain FQDN
  • Username
  • Password

As this is a privileged task, the Active Directory credentials must have permission to add a user to one or more groups.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.


Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

Email Configuration

This task contains an email approval step that requires SMTP to be configured in the PPA appliance.

What the Task Does

Once started, this task allows the operator to:

  • Search for and select an Active Directory user
  • Choose one or more Security Groups to add the user to
  • Confirm the selection
  • Prompt for an approval email address (see below for more information)
  • Add the selected user to the chosen groups if the request was approved

Approval Request

This task requires email approval before the chosen group memberships are applied.

For demo purposes the task will ask the user for an email address to send the approval request to.

In production this should be changed to an alternative method, such as…

  • Configuring a list of approvers in the playbook
  • Looking up the user's manager in Active Directory (via the manager attribute)
  • Sending the approval email to members of an Active Directory security group
  • Using a private Slack channel

… or many others.

Copyright 2020 Osirium Ltd.