0 votes

Hi there,

I know the multiple ways of copying the user groups - or all of them within the user creation wizard.

I want to copy only a couple of groups which can be separated by name and for that I've already customized an example. So let's say: groups starting with "OG" were copied automatically.

And now I want to copy groups starting with "AG" but only if the Owner of the AG Group does accept this (create an approval for this).

Does adding the groups via a custom PowerShell script automatically trigger a business rule, with which I could handle the approvals?

# Build the GUID string from the byte array returned by adm-DirectMemberOfGuid
$groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
$groupGuid = $groupGuid.ToString("B")
# Bind to the group and add the target user as a member
$group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")
$group.Add($Context.TargetObject.AdsPath)

Or is it possible to create an approval operation from a PowerShell script?

Kind regards, Constantin

by (190 points)

1 Answer

0 votes
by (294k points)
Best answer

Hello Constantin,

To submit the operation for approval, you need to use a business rule triggering Before adding a member to a group. It is not possible to send the approval request right in the script copying group membership. In your case, the business rule should be assigned over the groups starting with AG. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_RequestApprovalForAddingMembersToGroups.htm.

For the business rule to trigger when the script is executed, you need to bind to the groups using the BindToObjectEx method with the second parameter set to $True. Finally, the corresponding line in the script should look like the following:

$group = $Context.BindToObjectEx("Adaxes://<GUID=$groupGuid>", $True)

Should you have issues writing the whole script, please, describe the desired behavior in all the possible details with live examples.

0

Thanks for the hint. That worked as expected. Here is the full script which copies the groups, filtered by name. Just create, as mentioned, the business rule for the group name. If an approval is triggered, it will be shown as a warning in the execution log.

$sourceUserDN = "%seeAlso%"
$Context.LogMessage("User: " + $sourceUserDN, "Information")
# Bind to the source user
try
{
    #$sourceUserDN = $Context.TargetObject.Get($source)
    $sourceUser = $Context.BindToObjectByDN($sourceUserDN)
}
catch
{
    $Context.LogMessage("The user to copy properties from is not specified", "Warning")
    return
}

# Get group memberships
try
{
    $groupGuidsInBytes = $sourceUser.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $Context.LogMessage($sourceUser.Name + " is not a member of any groups", "Information")
    return
}

# Get the ID of the target user's primary group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Add target user to groups
$Context.LogMessage("Adding the user to groups:", "Information")
foreach ($groupGuidBytes in $groupGuidsInBytes)
{
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $group = $Context.BindToObjectEx("Adaxes://<GUID=$groupGuid>", $True) # $True means Business Rules are triggered

    # Skip the group if it is the primary group for the user
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Copy OG groups (organisation)
    if ($group.Get("name") -like "OG *" -or $group.Get("name") -like "OG_*") {
        # Add OG groups
        try
        {
            $Context.LogMessage("Die Gruppe: " + $group.Get("name") + " wird dem Benutzer hinzugefügt.", "Information")
            $group.Add($Context.TargetObject.AdsPath)
        }
        catch
        {
            $Context.LogMessage($group.Get("name") + ": " + $_.Exception.Message, "Warning")
        }
    } elseif ($group.Get("name") -like "AG *" -or $group.Get("name") -like "AG_*") {
        # Add AG groups. The Business Rule triggers an approval request
        try
        {
            $Context.LogMessage("Die Gruppe: " + $group.Get("name") + " wird dem Benutzer hinzugefügt.", "Information")
            $group.Add($Context.TargetObject.AdsPath)
        }
        catch
        {
            $Context.LogMessage($group.Get("name") + ": " + $_.Exception.Message, "Warning")
        }
    } elseif ($group.Get("name") -like "SG *" -or $group.Get("name") -like "SG_*") {
        # Skip SG groups because of their special permissions
        $Context.LogMessage("Skipping: " + $group.Get("name") + " wegen SG...", "Information")
    } else {
        # All other groups are non-standard. Ignore them.
        $Context.LogMessage("Skipping: " + $group.Get("name") + " - non default...", "Information")
    }
}
0

Hello Constantin,

Thank you for the confirmation. For the script not to throw exceptions, you can update it using the $Context.IsApprovalRequiredException method. Below is the updated script.

$sourceUserDN = "%seeAlso%"
$Context.LogMessage("User: " + $sourceUserDN, "Information")
# Bind to the source user
try
{
    #$sourceUserDN = $Context.TargetObject.Get($source)
    $sourceUser = $Context.BindToObjectByDN($sourceUserDN)
}
catch
{
    $Context.LogMessage("The user to copy properties from is not specified", "Warning")
    return
}

# Get group memberships
try
{
    $groupGuidsInBytes = $sourceUser.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $Context.LogMessage($sourceUser.Name + " is not a member of any groups", "Information")
    return
}

# Get the ID of the target user's primary group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Add target user to groups
$Context.LogMessage("Adding the user to groups:", "Information")
foreach ($groupGuidBytes in $groupGuidsInBytes)
{
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $group = $Context.BindToObjectEx("Adaxes://<GUID=$groupGuid>", $True) # $True means Business Rules are triggered

    # Skip the group if it is the primary group for the user
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Copy OG groups (organisation)
    if ($group.Get("name") -like "OG *" -or $group.Get("name") -like "OG_*") {
        # Add OG groups
        try
        {
            $Context.LogMessage("Die Gruppe: " + $group.Get("name") + " wird dem Benutzer hinzugefügt.", "Information")
            $group.Add($Context.TargetObject.AdsPath)
        }
        catch
        {
            # An approval request is not an error; only report other exceptions
            if (!$Context.IsApprovalRequiredException($_.Exception))
            {
                $Context.LogMessage($group.Get("name") + ": " + $_.Exception.Message, "Warning")
            }
        }
    } elseif ($group.Get("name") -like "AG *" -or $group.Get("name") -like "AG_*") {
        # Add AG groups. The Business Rule triggers an approval request
        try
        {
            $Context.LogMessage("Die Gruppe: " + $group.Get("name") + " wird dem Benutzer hinzugefügt.", "Information")
            $group.Add($Context.TargetObject.AdsPath)
        }
        catch
        {
            # An approval request is not an error; only report other exceptions
            if (!$Context.IsApprovalRequiredException($_.Exception))
            {
                $Context.LogMessage($group.Get("name") + ": " + $_.Exception.Message, "Warning")
            }
        }
    } elseif ($group.Get("name") -like "SG *" -or $group.Get("name") -like "SG_*") {
        # Skip SG groups because of their special permissions
        $Context.LogMessage("Skipping: " + $group.Get("name") + " wegen SG...", "Information")
    } else {
        # All other groups are non-standard. Ignore them.
        $Context.LogMessage("Skipping: " + $group.Get("name") + " - non default...", "Information")
    }
}
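As an added example, not one of the scripts posted in this thread: the same copy logic restructured so that the outcome of every group (added directly, submitted for approval, skipped, failed) is collected and written to the execution log as a summary, which makes it easy to verify afterwards that no AG membership was granted without the owner's approval. It relies only on the $Context methods used above (BindToObjectEx with $True, IsApprovalRequiredException, LogMessage, BindToObjectByDN); the prefix table, the outcome bucket names and the summary wording are assumptions made for this example.

```powershell
# Added example (not from the original thread). Copies group memberships from
# the user in %seeAlso% to the user being created, keeps Business Rules (and
# therefore approval requests) active, and logs a per-outcome summary.
$sourceUserDN = "%seeAlso%"

# Prefix -> action table (constructed for this example). The first matching
# rule wins. "Copy" adds the user; if a Business Rule on the group requires
# approval, the Add call throws and the group is recorded as pending instead.
$prefixRules = @(
    @{ Pattern = '^OG[ _]'; Action = 'Copy'; Reason = 'organisational group' },
    @{ Pattern = '^AG[ _]'; Action = 'Copy'; Reason = 'application group, owner approval enforced by Business Rule' },
    @{ Pattern = '^SG[ _]'; Action = 'Skip'; Reason = 'special-permission group, never copied automatically' }
)

# Bind to the source user
try
{
    $sourceUser = $Context.BindToObjectByDN($sourceUserDN)
}
catch
{
    $Context.LogMessage("The user to copy properties from is not specified", "Warning")
    return
}

# Get group memberships of the source user
try
{
    $groupGuidsInBytes = $sourceUser.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $Context.LogMessage($sourceUser.Name + " is not a member of any groups", "Information")
    return
}

$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
$targetPath = $Context.TargetObject.AdsPath

# Outcome buckets for the summary written at the end of the run
$outcome = @{ Added = @(); PendingApproval = @(); Skipped = @(); Failed = @() }

foreach ($groupGuidBytes in $groupGuidsInBytes)
{
    $groupGuid = (New-Object "System.Guid" (,$groupGuidBytes)).ToString("B")

    # Second parameter $True: Business Rules, including "request approval",
    # fire for operations performed on this object (as in the answer above)
    $group = $Context.BindToObjectEx("Adaxes://<GUID=$groupGuid>", $True)
    $groupName = $group.Get("name")

    # The primary group is handled by AD itself; never touch it here
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId) { continue }

    $rule = $prefixRules | Where-Object { $groupName -match $_.Pattern } | Select-Object -First 1
    if ($rule -eq $null -or $rule.Action -eq 'Skip')
    {
        $reason = if ($rule) { $rule.Reason } else { 'no matching prefix rule' }
        $outcome.Skipped += "$groupName ($reason)"
        continue
    }

    try
    {
        $group.Add($targetPath)
        $outcome.Added += $groupName
    }
    catch
    {
        if ($Context.IsApprovalRequiredException($_.Exception))
        {
            # Not an error: the add was converted into an approval request
            $outcome.PendingApproval += $groupName
        }
        else
        {
            $outcome.Failed += "$groupName ($($_.Exception.Message))"
        }
    }
}

# One summary entry per bucket, so the execution log shows at a glance which
# memberships were granted directly and which are still waiting on an owner
foreach ($bucket in 'Added', 'PendingApproval', 'Skipped', 'Failed')
{
    $items = $outcome[$bucket]
    if ($items.Count -eq 0) { continue }
    $level = if ($bucket -eq 'Failed') { 'Warning' } else { 'Information' }
    $Context.LogMessage("$bucket ($($items.Count)): " + ($items -join ', '), $level)
}
```

The prefix rules use -match with anchored regular expressions rather than the pairs of -like patterns from the thread, so "OG " and "OG_" collapse into one entry per prefix; adding a fourth prefix is a single new table row. Groups whose Add call raises an approval exception are never listed under Added, so the Added line in the log is the authoritative list of memberships granted without an approval step.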
