The script returns true if the target object is a member of any group other than the predefined ones. The script can be executed in a custom command, business rule or scheduled task via the If PowerShell script returns true condition.
Parameters:
- $groupDNs - Specifies the distinguished names (DNs) of the groups whose membership the script should ignore. For information on how to get the DN of a directory object, see Get the DN of a directory object.
PowerShell
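$groupDNs = @("CN=My Group1,OU=Groups,DC=domain,DC=com", "CN=My Group2,OU=Groups,DC=domain,DC=com") # TODO: modify me

# Condition script: $Context.ConditionIsMet is set to $True only when the target
# object is a direct member of at least one group that is neither its primary
# group nor one of the groups listed in $groupDNs. It stays $False otherwise.
$Context.ConditionIsMet = $False

# Collect the current direct group membership as a set of GUIDs.
# HashSet.Add() returns a boolean; cast to [void] so that value is not written
# to the output stream (the original pipeline emitted one True/False per group).
$currentGroupGuids = New-Object System.Collections.Generic.HashSet[System.Guid]
$Context.TargetObject.GetEx("adm-DirectMemberOfGuid") | ForEach-Object { [void]$currentGroupGuids.Add([Guid]$_) }

# Exclude the primary group. Its SID is rebuilt from the account's domain SID and
# the primaryGroupID RID, then resolved to a GUID and dropped from the set.
# NOTE(review): this assumes adm-DirectMemberOfGuid reports the primary group;
# if it does not, Remove() simply returns $False and nothing changes.
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
$userSid = New-Object Softerra.Adaxes.Adsi.Sid @($Context.TargetObject.Get("objectSid"), 0)
$domainSid = $userSid.AccountDomainSid
$primaryGroupSid = $domainSid.ToString() + "-" + $primaryGroupId
$primaryGroup = $Context.BindToObject("Adaxes://<SID=$primaryGroupSid>")
$primaryGroupGuid = [Guid]$primaryGroup.Get("objectGuid")
[void]$currentGroupGuids.Remove($primaryGroupGuid)

# Nothing left to evaluate: the object is in no group beyond its primary group.
if ($currentGroupGuids.Count -eq 0)
{
    return
}

# Short-circuit: when more groups remain than there are exclusions, at least one
# of them cannot be on the exclusion list. @() forces an element count even if
# $groupDNs was set to a single string (a string's .Length is its character
# count, which would otherwise defeat this check).
if (@($groupDNs).Count -lt $currentGroupGuids.Count)
{
    $Context.ConditionIsMet = $True
    return
}

# Remove the predefined groups. BindToObjectByDN throws for a DN that does not
# exist; that is left unhandled on purpose so a stale exclusion list surfaces as
# an error instead of silently widening or narrowing the condition.
foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDN($groupDN)
    $guid = [Guid]$group.Get("objectGuid")
    [void]$currentGroupGuids.Remove($guid)
    if ($currentGroupGuids.Count -eq 0)
    {
        break   # every membership is accounted for; skip binding the remaining DNs
    }
}

# Any GUID still in the set belongs to a group outside the predefined ones.
if ($currentGroupGuids.Count -ne 0)
{
    $Context.ConditionIsMet = $True
}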