Get-AdmUser and multiple domains

Question

I know I got this code to check for a unique email address from you guys, just can't find where

Import-Module Adaxes

if ($Context.IsPropertyModified("mail"))
{
    $value = $Context.GetModifiedPropertyValue("mail");

    if ((Get-AdmUser -filter 'mail -eq $value') -ne $NULL)
    {
        $Context.Cancel("Email address is already in use.  Please verify that account is not being duplicated");
        return;
    }

}

Copy code

Does get-AdmUser check through the multiple domains that are set up in Adaxes? When I run get-AdmUser via powershell with a filter on something that I know is in multiple domains, I only get one. If it only checks the one, is there a way to have it check all the targeted type of objects under Adaxes' purview?

Thanks again for the help!!!

Answer 1

Hello,

The Get-AdmUser cmdlet can search in one domain only. By default, this is the current domain. You can force a search in another domain that is not the current domain by specifying the -Server parameter.

If you want to perform a search in all domains managed by Adaxes, you need to use Adaxes ADSI provider, in particular, the IAdmDirectorySearcher interface. If you want, we can modify the script to search in all domains managed by Adaxes.

Comments

I would really appreciate that. We are going to be needing to use this script in our environment to check for unique email addresses and samaccountnames. Any help and advise on this is greatly appreciated

edit** Let me add one more thing. In one of the domains, we have a business rule for after the user is created that looks at the company name and creates a email address with the firstname.lastname@dependingoncompanyname.com. What will the effect of $Context.Cancel line on the business rule. I like the effect the user has via the webpage, but want to know how the rule will react and if there is some advise to that.

Thanks

---

Hello,

Here's the modified version of the script that should do the job:

if ($Context.IsPropertyModified("mail"))
{
    # Get Email address
    $mail = $Context.GetModifiedPropertyValue("mail");

    # Check whether the email address is empty
    if ([System.String]::IsNullOrEmpty($mail))
    {
        return
    }

    # Search all users 
    $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
    $searcher.SearchParameters.PageSize = 500
    $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchParameters.Filter = "(&(objectCategory=user)(mail=$mail))"
    $searcher.VirtualRoot = $True

    $result = $searcher.ExecuteSearch()
    $users = $result.FetchAll()
    $result.Dispose()

    # Check if the Email address is unique
    if($users.Count -ne 0)
    {
        $Context.Cancel("Email address is already in use. Please verify that account is not being duplicated");
    }
}

ExpandCopy code

As to checking for unique SAMAccountNames, take a look at Example 2 in step 5 of the Validate/Modify User Input Using a Script Tutorial. It contains an example on how you can handle the task.

As to the effect of the $Context.Cancel line on a Business Rule that is triggered after user creation, the Business Rule will not be triggered. The Rule is set to be executed after user creation, and since $Context.Cancel cancels user creation, the event that should trigger the Rule will not occur.