AX 2012 R3 - Active Directory User Management
When I first started to implement AX 2012 R3, I was told that I would have to manage users inside AX as well as within Active Directory. I was not happy about this, so I worked out the following method to support an AD-based AX authentication process. The basic process is: query all AX Security Roles and export them to CSV; create AD Groups reflecting the Roles; create AX User Groups reflecting the AD Groups; finally, add the AD Groups that reflect the AX Security Roles into the AX User Groups. First I needed to query AX for all the built-in Roles:
# Importing required Modules
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\AXUtilLib.Powershell\AXUtilLib.PowerShell.dll"
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\Microsoft.Dynamics.AX.Framework.Management\Microsoft.Dynamics.AX.Framework.Management.dll"
. "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Microsoft.Dynamics.ManagementUtilities.ps1"
# Query AX for Existing Sec Roles
Get-AXSecurityRoleinfo | select-object -property Name,Description,AOTName | export-csv -path C:\users\gwoolley\desktop\AX_Sec_Roles_Export.csv
You now have the roles from AX in CSV format. An example of the resulting CSV, with the ID column described below added:
Name,AOTName,ID,Description
Accountant,LedgerAccountant,ADAXG001,"Documents accounting events and responds to accounting inquiries"
Accounting manager,LedgerAccountingManager,ADAXG002,"Reviews accounting, customer invoice, supplier invoice, and payment process performance and enables those processes"
Accounting supervisor,LedgerAccountingSupervisor,ADAXG003,"Reviews accounting process performance and enables the accounting process"
Applicant anonymous (external),AnonymousApplicant,ADAXG004,"External user application for employment"
Budget clerk,BudgetBudgetClerk,ADAXG005,"Documents budget events and responds to budget inquiries"
Budget manager,BudgetBudgetManager,ADAXG006,"Reviews budget process performance and enables the budget process"
BusinessConnector Role,SysBusinessConnectorRole,ADAXG007,"Role Used to Decide if user can logon to Business Connector or not"
Buying agent,TradeBuyingAgent,ADAXG008,"Documents purchase events and responds to purchase inquiries"
Chief executive officer,CompanyChiefExecutiveOfficer,ADAXG009,"Reviews the financial and operational performance"
Chief financial officer,CompanyChiefFinancialOfficer,ADAXG010,"Reviews the financial performance"
We need to create AD Groups for our management needs. The AD Groups have to reflect AX User Groups, and each AX User Group needs the matching AX Role assigned. I added a column called ID and populated it with values from ADAXG001 to ADAXG158 (just for consistency on the AX ID side). Running the code below uses the CSV to create the AD Groups, the AX User Groups and the Role associations. The same AX Roles are used across DEV, UAT and PROD to keep the permissions consistent.
# Importing required Modules
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\AXUtilLib.Powershell\AXUtilLib.PowerShell.dll"
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\Microsoft.Dynamics.AX.Framework.Management\Microsoft.Dynamics.AX.Framework.Management.dll"
. "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Microsoft.Dynamics.ManagementUtilities.ps1"
Import-Module ActiveDirectory
# Create AD Groups, AX Users, AX Role Associations
$groups = Import-Csv "C:\Users\gwoolley\desktop\AX_Sec_Roles_Import.csv"
foreach ($group in $groups) {
$group.name = ($group.name -replace "\/|\+", "") # This is to strip out characters AD does not accept.
Write-Host $group.name
New-ADGroup -Name "AX Role - $($group.name)" -Path "OU=AX Roles,OU=Security Groups,OU=Users,OU=Groups,DC=[YOURDOMAIN],DC=co,DC=uk" -Description "$($group.description)" -GroupCategory Security -GroupScope Global -Server AX-DC-01
New-AXUser -AccountType WindowsGroup -AXUserId $group.ID -UserName "AX Role - $($group.name)" -UserDomain [YOURDOMAIN] -Company CDS
Add-AXSecurityRoleMember -AOTName $group.AOTName -AxUserID $group.ID
}
This process will have queried AX for all existing Security Roles, created an AD Group, created an AX User Group and associated the AX Role with the AX Group.
You may have noticed I did not create any SysAdmin users in the previous step; the following creates a separate SysAdmin group per environment, i.e. for DEV, UAT and PROD.
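The loop above creates everything unconditionally, so a second run (after a failure halfway through, or when new roles appear in a later AX build) errors on the groups that already exist. The following is an added example, not code from the original post: it builds the import CSV directly from the export (generating the ID column and stripping the characters AD rejects), then provisions only what is missing, so it can be re-run safely. The file paths, OU, domain, company and the ADAXG prefix are taken from the post; Get-AXUser and Get-AXSecurityRoleMember are assumed to be available from the same management module as New-AXUser, and the 8-character limit on AX 2012 user IDs is the reason the counter is kept to three digits.

```powershell
# Added example (not from the original post): idempotent provisioning of
# AD groups, AX WindowsGroup users and role memberships from the role export.
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\AXUtilLib.Powershell\AXUtilLib.PowerShell.dll"
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\Microsoft.Dynamics.AX.Framework.Management\Microsoft.Dynamics.AX.Framework.Management.dll"
. "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Microsoft.Dynamics.ManagementUtilities.ps1"
Import-Module ActiveDirectory

# Assumed values, taken from the post; change them for your environment.
$ExportCsv = "C:\Users\gwoolley\desktop\AX_Sec_Roles_Export.csv"
$ImportCsv = "C:\Users\gwoolley\desktop\AX_Sec_Roles_Import.csv"
$GroupOu   = "OU=AX Roles,OU=Security Groups,OU=Users,OU=Groups,DC=[YOURDOMAIN],DC=co,DC=uk"
$Domain    = "[YOURDOMAIN]"
$Company   = "CDS"
$DC        = "AX-DC-01"

# 1. Build the import list: generate ADAXG001, ADAXG002, ... and strip the
#    characters AD does not accept in group names. AX 2012 user IDs are limited
#    to 8 characters, so "ADAXG" plus a three-digit counter is the maximum.
$i = 0
$roles = Import-Csv $ExportCsv | ForEach-Object {
    $i++
    [pscustomobject]@{
        Name        = ($_.Name -replace '\/|\+', '').Trim()
        AOTName     = $_.AOTName
        ID          = 'ADAXG{0:D3}' -f $i
        Description = $_.Description
    }
}

# Two roles must never collapse onto one AD group name after sanitising.
$dupes = $roles | Group-Object Name | Where-Object Count -gt 1
if ($dupes) { throw "Sanitised role names collide: $($dupes.Name -join ', ')" }
if ($roles | Where-Object { $_.ID.Length -gt 8 }) { throw "Generated an AX user ID longer than 8 characters" }

$roles | Export-Csv -Path $ImportCsv -NoTypeInformation

# 2. Provision only what does not already exist.
foreach ($role in $roles) {
    $groupName = "AX Role - $($role.Name)"

    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -Server $DC)) {
        New-ADGroup -Name $groupName -Path $GroupOu -Description $role.Description `
            -GroupCategory Security -GroupScope Global -Server $DC
        Write-Host "Created AD group: $groupName"
    }

    # Assumption: Get-AXUser throws when the ID is unknown, so treat an error as "absent".
    $axUser = try { Get-AXUser -AXUserId $role.ID -ErrorAction Stop } catch { $null }
    if (-not $axUser) {
        New-AXUser -AccountType WindowsGroup -AXUserId $role.ID -UserName $groupName `
            -UserDomain $Domain -Company $Company
        Write-Host "Created AX user $($role.ID) for $groupName"
    }

    # Compare on the rendered member list so the check does not depend on the
    # member object's property names (an assumption about Get-AXSecurityRoleMember).
    $memberText = try { Get-AXSecurityRoleMember -AOTName $role.AOTName -ErrorAction Stop | Out-String } catch { '' }
    if ($memberText -notlike "*$($role.ID)*") {
        Add-AXSecurityRoleMember -AOTName $role.AOTName -AxUserID $role.ID
        Write-Host "Linked $($role.ID) to role $($role.AOTName)"
    }
}
```

Because every step checks before it creates, the same script serves both the initial build-out and later additions: drop a new role into the export and re-run, and only that role's group, user and membership are created.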
# Importing required Modules
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\AXUtilLib.Powershell\AXUtilLib.PowerShell.dll"
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\Microsoft.Dynamics.AX.Framework.Management\Microsoft.Dynamics.AX.Framework.Management.dll"
. "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Microsoft.Dynamics.ManagementUtilities.ps1"
Import-Module ActiveDirectory
# Add PROD SysAdmin - Run manually per environment - Check your AOS Server with GET-AXAOS Cmd, if pointing to wrong ENV change local AX Configuration
#PROD SysAdmin
New-ADGroup -Name "AX PROD - SysAdmins" -Path "OU=AX Groups,OU=AX Roles,OU=Security Groups,OU=Users,OU=Groups,DC=[YOURDOMAIN],DC=co,DC=uk" -Description "AX PROD System Administrators" -GroupCategory Security -GroupScope Global -Server AX-DC-01
New-AXUser -AccountType WindowsGroup -AXUserId PROADM -UserName "AX PROD - SysAdmins" -UserDomain [YOURDOMAIN] -Company CDS
Add-AXSecurityRoleMember -AOTName "-SYSADMIN-" -AxUserID PROADM
# Add UAT SysAdmin - Run manually per environment - Check your AOS Server with GET-AXAOS Cmd
#UAT SysAdmin
New-ADGroup -Name "AX UAT - SysAdmins" -Path "OU=AX Groups,OU=AX Roles,OU=Security Groups,OU=Users,OU=Groups,DC=[YOURDOMAIN],DC=co,DC=uk" -Description "AX UAT System Administrators" -GroupCategory Security -GroupScope Global -Server AX-DC-01
New-AXUser -AccountType WindowsGroup -AXUserId UATADM -UserName "AX UAT - SysAdmins" -UserDomain [YOURDOMAIN] -Company CDS
Add-AXSecurityRoleMember -AOTName "-SYSADMIN-" -AxUserID UATADM
# Add DEV SysAdmin - Run manually per environment - Check your AOS Server with GET-AXAOS Cmd
#DEV SysAdmin
New-ADGroup -Name "AX DEV - SysAdmins" -Path "OU=AX Groups,OU=AX Roles,OU=Security Groups,OU=Users,OU=Groups,DC=[YOURDOMAIN],DC=co,DC=uk" -Description "AX DEV System Administrators" -GroupCategory Security -GroupScope Global -Server AX-DC-01
New-AXUser -AccountType WindowsGroup -AXUserId DEVADM -UserName "AX DEV - SysAdmins" -UserDomain [YOURDOMAIN] -Company CDS
Add-AXSecurityRoleMember -AOTName "-SYSADMIN-" -AxUserID DEVADM
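The comments above say to check Get-AXAOS by hand before each run, because the blocks are identical apart from the environment name and a PROD SysAdmin group bound to the wrong AOS is exactly the kind of mistake that is hard to spot later. The following is an added example, not code from the original post, that makes that check part of the script: the SysAdmin group is created only after Get-AXAOS confirms the management shell is pointing at the expected AOS, and -WhatIf lets you rehearse the run. The AOS host names in $ExpectedAos are constructed placeholders; the OU, domain, company and naming convention are taken from the post.

```powershell
# Added example (not from the original post): environment-guarded creation of
# the per-environment SysAdmin group, AX user and -SYSADMIN- membership.
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\AXUtilLib.Powershell\AXUtilLib.PowerShell.dll"
Import-Module "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Modules\Microsoft.Dynamics.AX.Framework.Management\Microsoft.Dynamics.AX.Framework.Management.dll"
. "C:\Program Files\Microsoft Dynamics AX\60\ManagementUtilities\Microsoft.Dynamics.ManagementUtilities.ps1"
Import-Module ActiveDirectory

# Constructed placeholders: the AOS host you expect Get-AXAOS to report per environment.
$ExpectedAos = @{
    PROD = 'AX-AOS-PROD-01'
    UAT  = 'AX-AOS-UAT-01'
    DEV  = 'AX-AOS-DEV-01'
}
$SysAdminOu = "OU=AX Groups,OU=AX Roles,OU=Security Groups,OU=Users,OU=Groups,DC=[YOURDOMAIN],DC=co,DC=uk"
$Domain     = "[YOURDOMAIN]"
$Company    = "CDS"
$DC         = "AX-DC-01"

function New-AXEnvironmentSysAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PROD', 'UAT', 'DEV')]
        [string]$Environment
    )

    # Get-AXAOS reports the AOS the local AX configuration points at. Matching
    # on the rendered text avoids depending on its property names.
    $aosText = Get-AXAOS | Out-String
    if ($aosText -notmatch [regex]::Escape($ExpectedAos[$Environment])) {
        throw "Not connected to the $Environment AOS ($($ExpectedAos[$Environment])); fix the local AX configuration first.`n$aosText"
    }

    $axUserId  = "$($Environment.Substring(0, 3))ADM"     # PROADM, UATADM, DEVADM
    $groupName = "AX $Environment - SysAdmins"

    if ($PSCmdlet.ShouldProcess($groupName, "Create AD group, AX user $axUserId and -SYSADMIN- membership")) {
        New-ADGroup -Name $groupName -Path $SysAdminOu -Description "AX $Environment System Administrators" `
            -GroupCategory Security -GroupScope Global -Server $DC
        New-AXUser -AccountType WindowsGroup -AXUserId $axUserId -UserName $groupName `
            -UserDomain $Domain -Company $Company
        Add-AXSecurityRoleMember -AOTName "-SYSADMIN-" -AxUserID $axUserId
    }
}

# Rehearse first; the guard still runs and the three create steps are only described.
New-AXEnvironmentSysAdmin -Environment PROD -WhatIf
# Then, on the PROD management shell:
# New-AXEnvironmentSysAdmin -Environment PROD
```

Run the function once per environment from that environment's management shell; if the local AX configuration points elsewhere, the throw stops it before any AD or AX object is created.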
Now that all of the above is set up, you can either create some additional parent groups that combine several Security Roles, e.g. on a departmental or functional basis, or just put some users into the new AD Groups. When a user logs in to AX for the first time, AX creates a user record in SQL but throws a warning that it could not set the SysSQM flag (the Customer Experience Improvement Program setting). The user will have the appropriate permissions according to the new group memberships. On the second login, the SysSQM flag is set successfully if the user decides to opt out of the CEIP.
User management within AX is now as simple as adding or removing users from groups within AD, and users who are members of no groups will of course have no access.
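Once AX access is decided purely by AD group membership, the periodic access review can be done entirely from AD as well. The following is an added example, not code from the original post: it expands every "AX Role - *" and "AX * - SysAdmins" group (nested parent groups included, via -Recursive) into one row per user and role, writes a CSV for the reviewer, and highlights SysAdmin holders, users holding an unusually large number of roles, and role groups that have no members at all. The group names follow the post's convention; the domain controller, output path and the "more than 5 roles" threshold are assumptions.

```powershell
# Added example (not from the original post): AX access review driven by AD group membership.
Import-Module ActiveDirectory

$DC        = 'AX-DC-01'                                        # assumed, from the post
$Report    = "C:\Users\gwoolley\desktop\AX_Access_Review.csv"  # assumed output path
$RoleLimit = 5                                                 # assumed review threshold

# All groups created by the provisioning scripts, by naming convention.
$axGroups = Get-ADGroup -Filter "Name -like 'AX Role - *' -or Name -like 'AX * - SysAdmins'" `
                        -Server $DC -Properties Description

$rows = foreach ($g in $axGroups) {
    $isSysAdmin = $g.Name -like '* - SysAdmins'

    # -Recursive flattens departmental/parent groups down to the users inside them.
    $users = Get-ADGroupMember -Identity $g -Recursive -Server $DC |
             Where-Object objectClass -eq 'user'

    if (-not $users) {
        # An empty role group grants nothing, but the reviewer should know it exists.
        [pscustomobject]@{ User = ''; Group = $g.Name; Description = $g.Description; IsSysAdmin = $isSysAdmin; Note = 'no members' }
        continue
    }

    foreach ($u in $users) {
        [pscustomobject]@{
            User        = $u.SamAccountName
            Group       = $g.Name
            Description = $g.Description
            IsSysAdmin  = $isSysAdmin
            Note        = ''
        }
    }
}

$rows | Sort-Object User, Group | Export-Csv -Path $Report -NoTypeInformation

# Reviewer highlights.
"SysAdmin holders (per environment group):"
$rows | Where-Object IsSysAdmin | Where-Object { $_.User } |
    Select-Object User, Group | Sort-Object Group, User | Format-Table -AutoSize

"Users holding more than $RoleLimit AX roles:"
$rows | Where-Object { $_.User -and -not $_.IsSysAdmin } | Group-Object User |
    Where-Object Count -gt $RoleLimit |
    Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'Roles'; e = { $_.Count } } |
    Format-Table -AutoSize

"Role groups with no members:"
$rows | Where-Object Note -eq 'no members' | Select-Object Group, Description | Format-Table -AutoSize
```

Because the post's model gives every AX role exactly one AD group, the CSV is the complete picture of who can do what in AX; the same report run against DEV, UAT and PROD group sets shows whether the environments have drifted apart.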