Adaxes

Copy all groups of a user, create a new group add the groups copied in this group

0 votes

How can I create a script that does these things

For internal audit. objective

Even removing all groups of a disconnected user, we will still know which groups the user was in because the (audit)-sAMAccountName-access group that contains all other groups still exist identifying the user by sAMAccountName

  1. copy all groups in memberOf user (user)-sAMAccountName

  2. create new group (audit)-sAMAccountName-access add all groups copied in memberOf

  3. in the created group (audit)-sAMAccountName-access add the (user)-sAMAccountName in members

by (40 points)
0

Hello Alan,

For us to help you with the script, please, specify the following:

  • Do we understand correctly that the target user should be removed from all the current groups?
  • What should the type and scope of the new group created by the script be?
  • What should be done in case if a group with the name following your template already exists?
  • How should the location for the new group be determined? Will it be predefined in the script?

Any additional details will be much appreciated.

by (301k points)
0

Do we understand correctly that the target user should be removed from all the current groups?

  • The revocation script for all groups is already in production and working.

What should the type and scope of the new group created by the script be?

  • Security Group Type Scope

What should be done in case if a group with the name following your template already exists?

  • if there is the same name, just add the target user's groups.

How should the location for the new group be determined? Will it be predefined in the script?

  • Yes, all groups created by the script, or already existing, must be in one, OR predefined in the script.
by (40 points)
0

Hello Alan,

The revocation script for all groups is already in production and working.

Please, post the script here or send it to us (support@adaxes.com) in TXT format. The best way to achieve the desired behaviour is to update the existing script.

Yes, all groups created by the script, or already existing, must be in one, OR predefined in the script

Sorry for the confusion, but we need to know how the location for new group should be determined. In which OU should it be? Will the OU always be the same?

by (301k points)
0

Script

$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
$primaryGroupId =    $Context.TargetObject.Get("primaryGroupID")
foreach ($guidBytes in $groupGuidsBytes)
{

$groupGuid = [Guid]$guidBytes
$groupPath = "Adaxes://<GUID=$groupGuid>"
$group = $Context.BindToObject($groupPath)
if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
{
    continue
}
$group.Remove($Context.TargetObject.AdsPath)
}

Or location of created groups

OU=ACCESS-AUDIT,OU=GROUP,OU=DEV,OU=CONTOSO,DC=company,DC=internal

DC TREE

  • DC
    • CONTOSO
      • DEV
        • GROUP
          • ACCESS-AUDIT
by (40 points)

1 Answer

0 votes
by (301k points)

Hello Alan,

Thank you for the provided details. Please, find the updated script below. In the script:

  • $groupNameTemplate – Specifies a template for the group all user groups will be added to. You can use value references (e.g. %sAMAccountName%) in the template.
  • $ouDN – Specifies the distinguished name (DN) of the OU where the group for user groups will be created. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.
$groupNameTemplate = "(audit)-%sAMAccountName%" # TODO: modify me
$ouDN = "OU=ACCESS-AUDIT,OU=GROUP,OU=DEV,OU=CONTOSO,DC=company,DC=internal" # TODO: modify me

# Bind to the group
$groupDN = "CN=" + $groupNameTemplate + "," + $ouDN
try
{
    $auditGroup = $Context.BindToObjectByDN($groupDN)
}
catch
{
    # Bind to the group OU
    $groupOU = $Context.BindToObjectByDN($ouDN)

    # Create group
    [Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType =
        "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED"

    $auditGroup = $groupOU.Create("group","CN=$groupNameTemplate")
    $auditGroup.Put("groupType", [Int32]$groupType)
    $auditGroup.SetInfo()
}

$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
$primaryGroupId =    $Context.TargetObject.Get("primaryGroupID")

foreach ($guidBytes in $groupGuidsBytes)
{
    $groupGuid = [Guid]$guidBytes
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
    $group.Remove($Context.TargetObject.AdsPath)
    $auditGroup.Add($groupPath)
}

Related questions

0 votes
1 answer
Is there a way to copy group membership of selected user and make a new user a member of those same groups?

Our Help Desk currently 'mirrors' the group membership of a new user based on another existing user in our AD. I'd like to be able to automate this so that the initiator ... and 'paste' it on the new user being created. Any help on this would be appreciated!

asked Apr 21, 2020 by RayBilyk (240 points)
0 votes
1 answer
How can I create a scheduled task to remove all group memberships of a user after the account is disabled?

Currently, when I disable a user account in Adaxes, the group memberships of the user remain intact. I'd like to automate the removal of group memberships such as distribution ... a list of groups/DL that the user was previously in and removed from. Thanks!

asked Nov 3, 2021 by jayden.ang (20 points)
0 votes
1 answer
Copy and Paste all user's groups by storing GUIDs in one of the user's binary attributes

I'm trying to combine these two scripts to effectively store a user's group memberships in customattributebinary5 and then be able to copy and paste those memberships to a ... ) $Context.LogMessage("Added the user to group '$groupName'", "Information") }

asked Jan 24, 2020 by yourpp (540 points)
0 votes
1 answer
Copy group membership from already existing user except for a couple of groups

Is it possible using PowerShell to copy group memberships from an already existing user without copying 2 specific groups named for example test and test 1 ? We are currently ... groups are not included. I can share the PowerShell script if needed. KR, Cas

asked Oct 30, 2023 by Cas (200 points)
0 votes
1 answer
Copy groups from existing user to new user excluding all distribution groups

I've looked at https://www.adaxes.com/script-repository/copy-group-membership-from-specified-user-s590.htm. is there away to change from group names to a group type? Like exclude all distribution groups?

asked Dec 4, 2023 by Derek.Axe (480 points)
3,679 questions
3,361 answers
8,504 comments
549,366 users