0 votes

Hello,

In this specific example, we have 3 different groups. 1 for Access, 1 for resource, then one for authentication. Each company has a Resource and Access Group.


I already set up parameters for the end user to select the resource and access group:

The selected user will be added to the access group and authentication group using normal commands:

The only trouble I am having with the script is that I cannot seem to figure out how to bind to the found Secondary Account, and then add the selected Resource Group to that secondary account only. I could not find specific documentation that described how to properly call for the variable. Specifically, the issue is in the code where I try to bind to the object by DN for the PAM Resource Group. I have tried many different options other than what I posted.

# Obtain User's Primary SAM Account Name and DN and Write it to the Execution Log
$userSAMAccountName = $Context.TargetObject.Get("sAMAccountName")
$userDN = $Context.TargetObject.Get("distinguishedName")
$Context.LogMessage("Selected User's Primary SAM Account Username is $userSAMAccountName", "Information")
$Context.LogMessage("Selected User's Primary DN is $userDN", "Information")

# Obtain Selected PAM Access Group
$PAMAccessGroupDN = "%param-PAMAccessGroup%"
$PAMResourceGroupDN = "%param-PAMResourceGroup%"

$Context.LogMessage("Selected PAM Access Group is $PAMAccessGroupDN", "Information")
$Context.LogMessage("Selected PAM Resource Group is $PAMResourceGroupDN", "Information")

# Search If Each Selected User has a Secondary Account
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {sAMAccountName -eq "A.%sAMAccountName%"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Selected User's Secondary SAM Account Username DOES NOT Exist......No Resource Group will be Assigned. HINT: This Command MUST be ran under the user's PRIMARY Account", "Information")
        return
    }
    else
    {
        $SecondaryAccount = $Context.BindToObjectBySearchResult($searchResults[0])
        $SecondaryAccountSAM = $SecondaryAccount.Get("sAMAccountName")
        $SecondaryAccountDN = $SecondaryAccount.Get("distinguishedName")
        $Context.LogMessage("User Found with Correlating Admin Account ($SecondaryAccountSAM)......Continuing Operation.", "Information")
        $Context.LogMessage("User's Found Secondary Account DN is $SecondaryAccountDN", "Information")
        # Bind to Selected Resource group using Variable $PAMResourceGroupDN
        $PAMAccessGroup = $context.BindToObjectByDN("$PAMResourceGroupDN")
        $group.Add("Adaxes://$SecondaryAccountDN")
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

The script seems to be logging the expected information. The user I am running the script under does have a secondary account. It finds it just fine, but I cannot seem to understand the simple script I need to add for it to add the secondary account to the selected resource group (if found). If not, I already have a log message included to state one was not found.


Can you please help?

by (490 points)

1 Answer

0 votes
by (292k points)
Best answer

Hello,

If you need to just add a user to groups, there is no binding to the account and so on. You can directly get the AdsPath from the search result. Also, you need to use proper variables when calling the Add method. In your script, the $group variable is not defined anywhere else. Below is the properly updated script that does exactly what you need.

# Obtain User's Primary SAM Account Name and DN and Write it to the Execution Log
$userSAMAccountName = $Context.TargetObject.Get("sAMAccountName")
$userDN = $Context.TargetObject.Get("distinguishedName")
$Context.LogMessage("Selected User's Primary SAM Account Username is $userSAMAccountName", "Information")
$Context.LogMessage("Selected User's Primary DN is $userDN", "Information")

# Obtain Selected PAM Access Group
$PAMAccessGroupDN = "%param-PAMAccessGroup%"
$PAMResourceGroupDN = "%param-PAMResourceGroup%"

$Context.LogMessage("Selected PAM Access Group is $PAMAccessGroupDN", "Information")
$Context.LogMessage("Selected PAM Resource Group is $PAMResourceGroupDN", "Information")

# Search If Each Selected User has a Secondary Account
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {sAMAccountName -eq "A.%sAMAccountName%"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Selected User's Secondary SAM Account Username DOES NOT Exist......No Resource Group will be Assigned. HINT: This Command MUST be ran under the user's PRIMARY Account", "Information")
        return
    }
    else
    {
        # bind to groups
        $PAMAccessGroup = $context.BindToObjectByDN($PAMAccessGroupDN)
        $PAMResourceGroup = $context.BindToObjectByDN($PAMResourceGroupDN)

        # Add user to groups
        $PAMAccessGroup.Add($searchResults[0].Adspath)
        $PAMResourceGroup.Add($searchResults[0].Adspath)
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
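A hardened variant of the answer's membership step, added here as an example (not code from the thread or from Adaxes): it refuses an ambiguous match, checks that the selected DN really is a group before granting anything through it, and skips the add when the account is already a member. It assumes the $Context, New-AdmCriteria and search calls used above plus the standard ADSI IADs Class property and IADsGroup IsMember method.

```powershell
# Added example; assumes the Adaxes $Context API shown in the thread and standard ADSI IADs/IADsGroup members.
$userSAMAccountName = $Context.TargetObject.Get("sAMAccountName")
$PAMResourceGroupDN = "%param-PAMResourceGroup%"

$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {sAMAccountName -eq "A.%sAMAccountName%"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
# SizeLimit 2 instead of 1 so a duplicate match across managed domains is detected rather than silently picked.
$searcher.SizeLimit = 2

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("No secondary account found for $userSAMAccountName; nothing assigned.", "Warning")
        return
    }
    if ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("More than one account matched A.$userSAMAccountName; refusing to assign.", "Error")
        return
    }

    # Confirm the parameter value really is a group before granting anything through it.
    $PAMResourceGroup = $Context.BindToObjectByDN($PAMResourceGroupDN)
    if ($PAMResourceGroup.Class -ne "group")
    {
        $Context.LogMessage("Selected resource DN is not a group: $PAMResourceGroupDN", "Error")
        return
    }

    # Idempotent add: skip when already a member so a re-run does not raise an error.
    $secondaryAdsPath = $searchResults[0].AdsPath
    if ($PAMResourceGroup.IsMember($secondaryAdsPath))
    {
        $Context.LogMessage("Secondary account is already a member of $PAMResourceGroupDN; no change.", "Information")
        return
    }
    $PAMResourceGroup.Add($secondaryAdsPath)
    $Context.LogMessage("Added $secondaryAdsPath to $PAMResourceGroupDN", "Information")
}
finally
{
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}
```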

Thank you, I was only looking to add the found secondary account to the resource group, not to the access group as well. However, I was able to adjust your script to include my requirements. Even though the PAM Access Group is not used to add a user to, I still have it listed in the script for the log message, just to verify and write what was selected.

# Obtain User's Primary SAM Account Name and DN and Write it to the Execution Log
$userSAMAccountName = $Context.TargetObject.Get("sAMAccountName")
$userDN = $Context.TargetObject.Get("distinguishedName")
$Context.LogMessage("Selected User's Primary SAM Account Username is $userSAMAccountName", "Information")
$Context.LogMessage("Selected User's Primary DN is $userDN", "Information")

# Obtain Selected PAM Groups
$PAMAccessGroupDN = "%param-PAMAccessGroup%"
$PAMResourceGroupDN = "%param-PAMResourceGroup%"

$Context.LogMessage("Selected PAM Access Group is $PAMAccessGroupDN", "Information")
$Context.LogMessage("Selected PAM Resource Group is $PAMResourceGroupDN", "Information")

# Search If Each Selected User has a Secondary Account
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {sAMAccountName -eq "A.%sAMAccountName%"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Selected User's Secondary SAM Account Username DOES NOT Exist......No Resource Group will be Assigned. HINT: This Command MUST be ran under the user's PRIMARY Account", "Information")
        return
    }
    else
    {
        $SecondaryAccount = $Context.BindToObjectBySearchResult($searchResults[0])
        $SecondaryAccountSAM = $SecondaryAccount.Get("sAMAccountName")
        $SecondaryAccountDN = $SecondaryAccount.Get("distinguishedName")
        $Context.LogMessage("User Found with Correlating Admin Account ($SecondaryAccountSAM)......Continuing Operation and adding Secondary Account to PAM Resource Group.", "Information")
        $Context.LogMessage("User's Found Secondary Account DN is $SecondaryAccountDN", "Information")
        # Bind to Selected Resource group using Variable $PAMResourceGroupDN
        $PAMResourceGroup = $context.BindToObjectByDN($PAMResourceGroupDN)
        $PAMResourceGroup.Add($searchResults[0].Adspath)
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

Thank you for the really quick response!
