0 votes

The goal is to copy groups from one user to another during the create user process.

I created a variable on the create user form to input the UPN of the source user


I reference that in the script to get the groups this source user is a member of. Here is the script; below is also the error.

$sourceUserDNParamName =  "%adm-CustomAttributeText36%" # TODO: modify me
$replaceGroups = $True # TODO: modify me

# Bind to the source user
#$sourceUserDN = $Context.GetParameterValue($sourceUserDNParamName)
$sourceUser =  $Context.BindToObjectByDNEx("$sourceUserDNParamName", $True)

# Get groups to add (direct memberships of the source user)
$groupGuidsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$sourceUser.GetEx("adm-DirectMemberOfGuid") | %{ [void]$groupGuidsToAdd.Add([Guid]$_) }

# Get current groups (direct memberships of the user being created)
$currentGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$Context.TargetObject.GetEx("adm-DirectMemberOfGuid") | %{ [void]$currentGroupGuids.Add([Guid]$_) }

# Update groups
foreach ($guidBytes in $groupGuidsToAdd)
{
    $guid = [Guid]$guidBytes
    if ($currentGroupGuids.Remove($guid))
    {
        continue
    }

    $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)
    $group.Add($Context.TargetObject.AdsPath)
}

if ($replaceGroups)
{
    # Get the primary group ID
    $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

    foreach ($guidBytes in $currentGroupGuids)
    {
        $guid = [Guid]$guidBytes
        $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)

        # Skip the group if it is the user's Primary Group
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }

        $group.Remove($Context.TargetObject.AdsPath)
    }
}


by (480 points)
edited by

1 Answer

0 votes
by (3.6k points)

Hello Derek,

Do we understand correctly that you are creating a user via a custom command? If this is the case, you need to use an AD object picker parameter in the custom command and specify the name of the parameter in the $sourceUserDNParamName variable in the script. For more details about configuring custom commands, please see this tutorial. Please pay attention to the How to use parameters section in step 4.

0

No, I am using a business rule after the user is created.

0

Thank you for clarifying. In this case, you need to use the second script from this article (the one labelled Using a DN syntax property). The script must be executed directly in a Run a program or PowerShell script action in a business rule triggering After creating a user. You can update the script to perform the membership update via the Adaxes pipeline just like you did with your current script: by using the BindToObjectByDNEx method and setting the Pipelined parameter to $True instead of simply using BindToObjectByDN.

Also, the user creation form must have a DN syntax property (e.g. the Assistant property) for source user selection, instead of a text property. This is actually what is causing the error right now. The script attempts to bind to the source user by their UPN specified in the text field, while it is possible to bind to an object only using a DN, GUID, or SID.

0

How do I do this?

"Also, the user creation form must have a DN syntax property (e.g. the Assistant property) for source user selection, instead of a text property. This is actually what is causing the error right now."

0

For details on how to customize forms for user creation, please see this tutorial. You need to add one of the following DN syntax properties to the form:

  • Assistant
  • Secretary
  • See also

Pick one that you don't use for other purposes. You can also change the display name of the property to something more friendly, e.g. Source user. For details, see this help article.

During user creation, you will be able to use this field to select a user in your AD to copy group membership from.

0

OK, I figured that out, but I get this error:

Run PowerShell script 'Copy Groups' for the user Cannot find an overload for "BindToObjectByDNEx" and the argument count: "1". Stack trace: at <ScriptBlock>, <No file>: line 6 You cannot call a method on a null-valued expression. Stack trace: at <ScriptBlock>, <No file>: line 10

0

It looks like you replaced the BindToObjectByDN method in the script with the BindToObjectByDNEx method, but didn't add the second parameter which controls whether Adaxes will bind to the object using the pipeline or not.

If you need to bind to the source user via the Adaxes pipeline, line 6 in the script should look like this:

$sourceUser = $Context.BindToObjectByDNEx($sourceUserDN, $True)

For more details about using the BindToObjectByDNEx method, please see this article in our SDK.

0

That solved that error, but I now get this error:

Run PowerShell script 'Copy Groups' for the user Exception calling "Add" with "1" argument(s): "This operation requires approval." Stack trace: at <ScriptBlock>, <No file>: line 26

Line 26: $group.Add($Context.TargetObject.AdsPath)

the groups are added though

0

This message occurs because the operation that adds a new group member is sent for approval, probably by a business rule that triggers Before adding a member to a group. You can safely ignore this message.

If you want to get rid of it in the execution log, you can modify the script to catch the exception and suppress it. To do this, replace the $group.Add($Context.TargetObject.AdsPath) line with the following code:

try
{
    $group.Add($Context.TargetObject.AdsPath)
}
catch
{
    if ($Context.IsApprovalRequiredException($_.Exception))
    {
        continue
    }
    else
    {
        throw
    }
}
0

That worked! Thanks!
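The pieces of advice in the thread (bind by a DN-syntax property instead of a text field, pass the Pipelined flag to BindToObjectByDNEx, and treat "This operation requires approval" as a pending request rather than a failure) combined into one script for an After creating a user business rule. This is an added example, not the poster's script and not Adaxes' own sample; it assumes the creation form exposes the Assistant property for picking the source user, that the script runs in a Run a PowerShell script action where $Context is the Adaxes script context, and that the $Context methods it calls (BindToObjectByDNEx, BindToObjectEx, IsApprovalRequiredException, LogMessage) are the ones discussed above.

```powershell
# Added example: copy direct group memberships from a source user to the
# user that was just created. Runs in an "After creating a user" business rule.
# Assumption: the form's Assistant property (DN syntax) holds the source user.

$sourceUserProperty = "assistant"   # DN-syntax property selected on the form
$replaceGroups = $True              # $False keeps groups the new user already has

# Read the source user's DN from the newly created user. Get() throws when the
# property was left empty, so treat that case as "nothing to copy".
try
{
    $sourceUserDN = $Context.TargetObject.Get($sourceUserProperty)
}
catch
{
    $Context.LogMessage("No source user selected in '$sourceUserProperty'; no groups copied.", "Warning")
    return
}

# Bind via the Adaxes pipeline ($True) so business rules and approvals apply.
$sourceUser = $Context.BindToObjectByDNEx($sourceUserDN, $True)

# Direct memberships of the source user
$groupGuidsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$sourceUser.GetEx("adm-DirectMemberOfGuid") | %{ [void]$groupGuidsToAdd.Add([Guid]$_) }

# Direct memberships of the new user (e.g. from a template)
$currentGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$Context.TargetObject.GetEx("adm-DirectMemberOfGuid") | %{ [void]$currentGroupGuids.Add([Guid]$_) }

$targetPath = $Context.TargetObject.AdsPath

# Add missing groups. A membership that already exists is dropped from the
# "current" set, so only leftovers remain for the optional cleanup below.
foreach ($guid in $groupGuidsToAdd)
{
    if ($currentGroupGuids.Remove($guid))
    {
        continue
    }

    $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)
    try
    {
        $group.Add($targetPath)
    }
    catch
    {
        # A "Before adding a member to a group" rule may route the add to
        # approval; the request is pending, not failed. Anything else is re-thrown.
        if ($Context.IsApprovalRequiredException($_.Exception))
        {
            $Context.LogMessage("Adding to group <GUID=$guid> was sent for approval.", "Information")
            continue
        }
        throw
    }
}

if ($replaceGroups)
{
    $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

    foreach ($guid in $currentGroupGuids)
    {
        $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)

        # The primary group cannot be removed through the member list; skip it.
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }

        try
        {
            $group.Remove($targetPath)
        }
        catch
        {
            if ($Context.IsApprovalRequiredException($_.Exception))
            {
                $Context.LogMessage("Removal from group <GUID=$guid> was sent for approval.", "Information")
                continue
            }
            throw
        }
    }
}
```

Binding with the Pipelined flag is what makes the approval case reachable at all: a plain ADSI bind would bypass the Before adding a member rule and write the membership directly. Keeping the pipeline path and catching only IsApprovalRequiredException preserves that control while leaving every other failure (access denied, missing group) visible in the execution log.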

Related questions

0 votes
1 answer

Hi, Group memberships are kept when using "User Copy" function. Is it possible to do the same thing between two existing users ? (custom commands or else) Thanks for your response, Yoann

asked Oct 4, 2012 by yoann.hamon (180 points)
0 votes
1 answer

We have several contractors that come and go, it would be helpful to have a custom command that will copy only the member of groups from one user to another. We have done this previously with ... ; write-warning "I'm sorry, Jay. I'm afraid I can't do that." }

asked Jan 9, 2017 by willy-wally (3.2k points)
0 votes
1 answer

Hello Back when we first started using Adaxes you created a couple of great scripts which worked together really well, the first one copied one users group membership and put in ... an addition to what groups the second user is already a member of? Thank you.

asked Aug 4, 2015 by CBurn (700 points)
0 votes
1 answer

Hi there, i know the multiple ways of copying the user groups - or all of them within the user creation wizard. I want to copy only a couple of groups ... is it possible to create an approval operation out of an powershellscript? Kind regards, Constantin

asked May 27, 2021 by Constey (190 points)
0 votes
1 answer

I have a scheduled task that runs a Powershell script against an AD group, "Group 1". I need to get all of the members of Group 1, and add them to Group 2. The ... identity in the error message start with 'user;'? What is the correct way to accomplish this?

asked Aug 27, 2019 by ngb (290 points)