Adaxes

Amending needed for this script

0 votes

We are using the following script to track group membership changes and need the %username% field to amend if it already exists in the file location. Example: We make change to the same account three times in one week we want to see three separate entries at this file location with different names. %username%, %username%2 and %username%3 for example. Today it errors out and says it already exists.

$filePath = "\\OURSERVER\D$\Group Membership Files\%username%.txt" # TODO: modify me

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
# Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}
# Create a new text
$file = New-Item -Path $filePath -ItemType File
# Save the report to the file
Add-Content $file $report.ToString()
by (3.2k points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello,

We've made the changes you requested. However, the script not only tracks group membership of a user, but also removes them from all groups except for the primary one. Is this the desired behavior?

Modified script:

$fileName = "%username%" # TODO: modify me
$filePathTemplate = "\\OURSERVER\D$\Group Membership Files\{0}.txt" # TODO: modify me

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text
$filePath = [System.String]::Format($filePathTemplate, $fileName)
if (-not (Test-Path -Path $filePath))
{
    $file = New-Item -Path $filePath -ItemType File
}
else
{
    # Create new group name for file
    for ($i = 1; $True; $i++)
    {
        $uniquefileName = $fileName + $i
        $filePath = [System.String]::Format($filePathTemplate, $uniquefileName)

        if (Test-Path -Path $filePath)
        {
            continue
        }
        break
    }

    $file = New-Item -Path $filePath -ItemType File
}

# Save the report to the file
Add-Content $file $report.ToString()
0

yes that is the desired result for this script. We are deciding that when a user changes jobTypes all previous groups will be removed and the new ones added. We are hoping this will keep AD cleaner than before with people having access they no longer need.

by (3.2k points)
0

Hello,

OK, we just wanted to make sure that you understand the consequences :)

by (216k points)
0

Can i get this script modified so it sets the Primary Group ID to Domain Users? We are having trouble when we remove all groups that if the primary group is not Domain users it will delete it and thus;ly deny the user access to the domain.

by (3.2k points)
0

Hello,

Sure, find the updated script below:

$fileName = "%username%" # TODO: modify me
$filePathTemplate = "\\OURSERVER\D$\Group Membership Files\{0}.txt" # TODO: modify me

# Check Primary Group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
if ($primaryGroupId -ne 513)
{
    # Add user to Domain users group
    $domainName = $Context.GetObjectDomain("%distinguishedName%")
    $domain = $Context.BindToObject("Adaxes://$domainName")
    $domainSidBytes = $domain.Get("objectSid")
    $domainSid = New-Object "System.Security.Principal.SecurityIdentifier" `
        @($domainSidBytes, 0)
    $domainUsersGroupSid = New-Object "System.Security.Principal.SecurityIdentifier" `
        @([System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $domainSid)
    $domainUsersGroup = $Context.BindToObject("Adaxes://<SID=$domainUsersGroupSid>")

    try
    {
        $domainUsersGroup.Add($Context.TargetObject.AdsPath)
    }
    catch [System.Runtime.InteropServices.COMException]
    {
        if ($_.Exception.ErrorCode -ne 0x80071392)
        {
            $Context.LogMessage("An error occured when adding user to 'Domain users' group. Error: " + $_.Exception.Message, "Warning")
            return
        }
    }

    # Set Domain users as primary group 
    $Context.TargetObject.Put("primaryGroupID", 513)
    $Context.TargetObject.SetInfo()
}

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq 513)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text
$filePath = [System.String]::Format($filePathTemplate, $fileName)
if (-not (Test-Path -Path $filePath))
{
    $file = New-Item -Path $filePath -ItemType File
}
else
{
    # Create unique name for file
    for ($i = 1; $True; $i++)
    {
        $uniquefileName = $fileName + $i
        $filePath = [System.String]::Format($filePathTemplate, $uniquefileName)

        if (Test-Path -Path $filePath)
        {
            continue
        }
        break
    }

    $file = New-Item -Path $filePath -ItemType File
}

# Save the report to the file
Add-Content $file $report.ToString()
by (289k points)

Related questions

0 votes
1 answer
Amending User Creation Script

Hi Support, We are looking to add a few things to one of the username creation scripts If the upn/username is not unique, add a character of the first name to the last name until ... ("The name has been changed to " + $objectName ` + ".", "Information") }

asked Apr 19, 2017 by vick04 (50 points)
0 votes
1 answer
Skype for Business On-Prem Permissions needed

Currently getting this error when enabling a user for Skype for Business: No cmdlets have been authorized for use by the RBAC role that the user belongs ... minimum required permissions that the Adaxes account needs to manage Skype for Business functionality?

asked Dec 16, 2021 by thedoo (60 points)
0 votes
1 answer
What Active Directory rights are needed for the Adaxes service user?

We originally installed Adaxes and assigned the Adaxes Service user to the Domain Admins group. We are now locking down that group and have removed the Adaxes Serivce from ... to do things. What rights does Adaxes Service need in order to administer users?

asked Jul 23, 2021 by cobaltcu (20 points)
0 votes
1 answer
What are the access rights needed in O365 / Azure for the Adaxes tenant user?

I have been searching your site, but could not find a list of access rights needed. --- Morten A. Steien

asked Feb 23, 2021 by Morten A. Steien (300 points)
0 votes
1 answer
Send for approval when O365 license purchase is needed

Hello, I'm looking for a way to receive a notification/approval request when a new user is created and the business rule attempts to assign O365 licensing, however ... dependent on the license being assigned. Looking for any suggestions! Thanks so much!

asked Jul 1, 2019 by ryan_breneman (920 points)
3,552 questions
3,242 answers
8,243 comments
547,828 users