Adaxes

Report to see in which rule a group was used

0 votes

Hello,

Is it possible to adapt the script so that all groups are output where another group is used as a rule? For example: All members of the group "ABCD" are added to the group "Test". Now we need a report that outputs all groups to which the members of "ABCD" are added. In Adaxes the rule looks like this: image.png Is this possible?

Thx a lot

related to an answer for: Report to audit rule-based group query attributes
by (340 points)

1 Answer

0 votes
by (299k points)

Hello,

Yes, it is possible. You can use the below script. in the script, the $groupDNString variable references a Directory object picker parameter used to select the group to check membership rules against.

$groupDNString = "%param-Group%"
$groupDN = New-Object "Softerra.Adaxes.LDAP.DN" $groupDNString

try
{
    $groupCriteria = New-AdmCriteria -Type "group" -Expression {membershipType -eq "rule-based"}
    $Context.DirectorySearcher.AddCriteria($groupCriteria)

    $searchResultIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchResultIterator))
    {
        $searchResult = $searchResultIterator.Current
        $group = $Context.BindToObjectBySearchResult($searchResult)

        foreach ($rule in $group.MembershipRules) 
        {
            if ($rule.Type -ne "ADM_BUSINESSUNITMEMBERSHIPTYPE_GROUP")
            {
                continue
            }

            $ruleGroupDNString = $rule.Group.Get("distinguishedName")
            $ruleGroupDN = New-Object "Softerra.Adaxes.LDAP.DN" $ruleGroupDNString

            if ($groupDN -eq $ruleGroupDN)
            {
                $Context.Items.Add($searchResult)
                break
            }
        }
    }
}
finally
{
    if ($searchResultIterator) 
    { 
        $searchResultIterator.Dispose()
    }
}
0

Thank you for the script, it seems to work. Now the groups are displayed where the ‘Member of group’ function was used. However, I have another rule which is a query and in the rule the group is also used, but it is not displayed in the report. Is it possible to extend the script so that all groups are displayed in which the specific group was used in a rule, whether as a query or ‘Member of’ or ....?

by (340 points)
0

Hello,

Sorry for the confusion, but we are not sure what exactly you mean. How are you using a group as scope for a query membership rule? Please, post here or send us (support@adaxes.com) a screenshot.

by (299k points)

Related questions

0 votes
1 answer
Export a list of groups in which a security group belongs to a CSV file

Hello, Similar to exporting the members of a group to a csv file: https://www.adaxes.com/script-repository/export-group-members-to-csv-file-s184.htm I am looking to ... would like to include the memberof csv report in the email as well. Thanks in advance!

asked Feb 7, 2023 by JonnyBGood (20 points)
0 votes
1 answer
Users don't see Actions in web interfaces which are based on Custom Command targeted to domaindns object

Hi, I had to create Custom Command for distribution group creation. Default group creation wizard cannot be used, because we need some of parameters to be mandatory etc. Anyway I ... which shouldn't be targeted to any particular AD object. How do I do it?

asked Jan 20, 2020 by KIT (1.0k points)
+1 vote
1 answer
Best approach to see how long someone has been in a group?

I would like to possibly add a timestamp to a user custom attribute when added to a specific group. The reason for this is because I'd like to display the value of days spent ... must be done by script or if there is another way I am not thinking of. Thanks!

asked Jan 28 by msheppard (740 points)
0 votes
1 answer
Can I create a rule to count members in a group and send an email if the number approaches a set point?

We have a 3rd party vendor that we are able to add users based on AD security groups. What I need to do is set a parameter for the number of available licenses and whenever ... the group is 495 I would like an email to trigger telling me to add more licenses.

asked Oct 12, 2022 by A_Pastor (70 points)
0 votes
1 answer
How to create report which shows the last logon date of every disabled user in the last 30 days?

The report criteria would be as follows, Name/Last Logon Date of any user that was disabled in the last 30 days. Furthermore, if possible, how would I publish this to the user ... run a report and/or choose which dates to run the report, on his own? TIA

asked Nov 26, 2024 by Milan.Pathak (20 points)
3,649 questions
3,337 answers
8,433 comments
548,987 users