Adaxes

Report to audit rule-based group query attributes

0 votes

We would like to be able to, possibly through a script or report, search for attributes that equal specific values and find all rule-based groups that used those rules.

An example would be providing the name of a company (e.g. Company = Contoso) and being able to list all rule-based groups that use that in their query set.

by (20 points)
0

Hello,

Do we understand correctly that you want to select a property and a value for it which will result in providing the list of rule-based groups that use both to filter members? If that is correct, the report will look like the following: image.png Does this meet your needs?

by (288k points)
0

Hi,

We were actually able to determine the needed script to pull in the group filter data which resulted in a similar report to what you mentioned so this should be resolved.

For context, the below is what we used behind our report to successfully pull the correct groups when given a property name and value:

$membershipTypeProperty = "adm-GroupMembershipType"
$distinguishedNameProperty = "distinguishedName"
$filter = "(%param-PropertyName%=%param-PropertyValue%)"
try
{
    $Context.DirectorySearcher.SearchParameters.Filter = "(objectCategory=group)"

    # Add property necessary to generate the report
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add($membershipTypeProperty)
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add($distinguishedNameProperty)

    $searchResultIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchResultIterator))
    {
        $searchResult = $searchResultIterator.Current
        $membershipType = [int]$searchResult.Properties[$membershipTypeProperty].Value
        if ($membershipType -eq 1)

        {
            [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

            # Connect to the Adaxes service
            $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
            $admService = $admNS.GetServiceDirectly("localhost")

            # Bind to the group
            $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]
            $group = $admService.OpenObject("Adaxes://$groupDN", $NULL, $NULL, 0)
            $rules = $group.MembershipRules

            foreach ($rule in $rules) {    
                if($rule.Type -eq "ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY") {
                    if($rule.Filter -match $filter) {
                       $Context.Items.Add($searchResult)
                       $Continue
                    } 
                }
            }
        }
    }
}
finally
{
    if ($searchResultIterator) 
    { 
        $searchResultIterator.Dispose()
    }
}
by (20 points)
edited by
0

Update here - this method seems to no longer work with the 2023 change to criteria for rule-based groups.

Is there a way to still access the individual rules/criteria to allow for filtering to groups with a specific query parameter?

by (20 points)

1 Answer

0 votes
by (288k points)

Hello,

Yes, below is the updated script.

$propertyName = "%param-PropertyName%"
$propertyValue = "%param-PropertyValue%"

try
{
    $groupCriteria = New-AdmCriteria -Type "group" -Expression {membershipType -eq "rule-based"}
    $Context.DirectorySearcher.AddCriteria($groupCriteria)

    $criteriaToCompare = New-AdmCriteria -Expression {$propertyName -eq $propertyValue}    
    $criteriaJsonToCompare = $criteriaToCompare.Item("*").Items.ToJson($null)
    $searchResultIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchResultIterator))
    {
        $searchResult = $searchResultIterator.Current
        $group = $Context.BindToObjectBySearchResult($searchResult)

        foreach ($rule in $group.MembershipRules) 
        {
            if ($rule.Type -ne "ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY")
            {
                continue
            }

            $criteria = $rule.GetCriteria()
            if ($criteria.ToJson($NULL) | Select-String -Pattern $criteriaJsonToCompare -SimpleMatch)
            {
                $Context.Items.Add($searchResult)
                break
            }
        }
    }
}
finally
{
    if ($searchResultIterator) 
    { 
        $searchResultIterator.Dispose()
    }
}
0

Hi,

is it possible to execute this search also directly in PowerShell on the Adaxes server?

by (1.5k points)
+1

Hello,

No, the script can only be used to generate a report in Adaxes and cannot be modified to generate the same report in Windows PowerShell.

by (288k points)
0

Ok, I tried to setup this report but no results are shown - I must have missed something^^

image.png image.png image.png

Under script I pasted the script above Then I tried this search image.png

But not result is shown ... I would expect at least this group to be shown image.png

by (1.5k points)
0

Hello,

The behavior is expected as your parameter configuration is incorrect. The PropertyName parameter must be of the Property name picker type, not the Edit box one.

by (288k points)
0

Woooooow ... yeah working now - THANKS!

by (1.5k points)

Related questions

0 votes
1 answer
Is there a way to add group managed service accounts, GMSA, to rule based groups?

When setting up a rule based group, GMSA objects are not visible. Is there a setting or view I need to add to make these availabe to rule based groups, or is it simply not an option?

asked Sep 16 by ajmilic (100 points)
0 votes
1 answer
Business rule to forbid changing group membership to rule-based?

Hi, I need business rule that will forbid changing group membership type to rule-based for selected groups. Additionally I need PowerShell script for adding more groups to be watched by this rule. Thanks in advance!

asked Mar 9, 2023 by KIT (960 points)
0 votes
1 answer
Is it possible to have rule-based Azure group?

Hi, I need same functionality as is rule-base membership for AD groups, but for AAD groups. To be more specific, I want to have AAD group that contains all user members from all selected groups (even nested ones!)

asked Mar 6, 2023 by KIT (960 points)
0 votes
1 answer
Rule based groups based on users attributes

Hi, would it be possible to achieve the following idea: Creating and updating rule based groups, based on user attributes like company? For each company value in AD, ... get all unique company values, then create a group with this company value as filter.

asked Mar 7 by wintec01 (1.5k points)
0 votes
1 answer
PowerShell update rule-based group criteria

I have the need to run a scheduled task that executes a PowerShell script to update the user criteria item on a rule-based group. I have a good start on the script, but ... "Seasonal" -or employeeType -eq "Elected" -or employeeType -eq "State"}). #> }

asked Sep 27 by emeisner (100 points)
3,538 questions
3,229 answers
8,224 comments
547,748 users