The script can be used to check whether an operation is performed by a user who manages the OU where the target object is located. It can be used in the If PowerShell returns true condition. The condition is met when the user does not manage the OU, either directly (the OU's managedBy points to the user) or through membership in the group that managedBy points to.
PowerShell
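# Bind to the OU where the target object is located
$parent = $Context.BindToObject($Context.TargetObject.Parent)

# Default outcome: the initiator does NOT manage the OU, so the condition is met.
# Every early exit below keeps this value, i.e. the check fails closed whenever
# the manager cannot be determined.
$Context.ConditionIsMet = $True

# Get parent OU owner. Get() throws when managedBy is not set on the OU.
try
{
    $ownerDN = $parent.Get("managedBy")
}
catch
{
    return # The OU has no manager
}

# Check whether initiator is the owner
if ($ownerDN -eq "%adm-InitiatorDN%")
{
    $Context.ConditionIsMet = $False
    return
}

# Check whether owner is a group.
# The managedBy DN is not guaranteed to resolve (the referenced object may have
# been deleted or may be unreachable); a failed bind is treated as "not managed
# by the initiator" rather than aborting the condition with a script error.
try
{
    $owner = $Context.BindToObjectByDN($ownerDN)
}
catch
{
    return # Manager DN could not be resolved
}
if ($owner.Class -ne "Group")
{
    return
}

# Get group members
try
{
    $memberGuidsBytes = $owner.GetEx("adm-MembersGuid")
}
catch
{
    return # The group has no members
}

# Check whether initiator is a member of the group.
# NOTE(review): membership is decided solely by the GUIDs this attribute returns;
# if it lists only direct members, membership through nested groups is not
# detected here - confirm against the attribute's documented semantics.
$initiatorGuid = [Guid]"%adm-InitiatorGuid%"
foreach ($guidBytes in $memberGuidsBytes)
{
    $guid = [Guid]$guidBytes
    if ($guid -eq $initiatorGuid)
    {
        # Initiator is a member of the group that owns the OU
        $Context.ConditionIsMet = $False
        return
    }
}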