The script copies group memberships from a template user to the current user. The template is selected based on the value of the specified property. Any group memberships the user had before the copy are removed.
Script 1: Template is determined based on a single property value
Parameters:
- $propertyName - Specifies the LDAP name of the property whose value will be used to determine the template user to copy group membership from. You can use a multi-valued property in the variable (e.g. CustomAttributeTextMultiValue1). In this case, group membership will be copied from each template user that corresponds to each property value.
- $propertyToTemplateMap - Maps property values to the distinguished names (DNs) of the corresponding template users.
PowerShell
$propertyName = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$propertyToTemplateMap = @{
    "Administration" = "CN=_Administration_Department_Template,CN=Users,DC=example,DC=com"
    "IT" = "CN=_IT_Department_Template,CN=Users,DC=example,DC=com"
    "Sales" = "CN=_Sales_Department_Template,CN=Users,DC=example,DC=com"
} # TODO: modify me.
# E.g. if the property value is 'Administration', copy group memberships from user '_Administration_Department_Template'.

# Get all groups the user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group
    $group.Remove($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}

# Get the property value
try
{
    $values = $Context.TargetObject.GetEx($propertyName)
}
catch
{
    # At this point the original memberships have already been removed; only the primary group remains
    $Context.LogMessage("Could not add the user to any groups, because the '$propertyName' property is empty", "Warning")
    return
}

$groupsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($value in $values)
{
    # Skip values that have no template user mapped to them
    $templateUserDN = $propertyToTemplateMap[$value]
    if ([System.String]::IsNullOrEmpty($templateUserDN))
    {
        $Context.LogMessage("No template user is mapped to the '$propertyName' value '$value'", "Warning")
        continue
    }

    # Bind to the template user
    $templateUser = $Context.BindToObjectByDn($templateUserDN)

    # Get all groups the template user is a direct member of
    $templateUser.GetEx("adm-DirectMemberOfGuid") | %{ [void]$groupsToAdd.Add([Guid]$_) }
}

foreach ($guid in $groupsToAdd)
{
    # Bind to the group
    $group = $Context.BindToObject("Adaxes://<GUID=$guid>")

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Add the user to the group
    $group.Add($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}
Script 2: Template is determined based on two property values
Parameters:
- $firstPropertyName - Specifies the LDAP name of the first property whose value will be used to determine the template user to copy group membership from.
- $secondPropertyName - Specifies the LDAP name of the second property whose value will be used to determine the template user to copy group membership from.
- $templateUsersInfo - Maps pairs of property values (first value and second value, separated by a semicolon) to the distinguished names (DNs) of the corresponding template users.
- $groupDNsToKept - Specifies distinguished names (DNs) of groups the target user will not be removed from even if the template user is not a member of the groups. Set the variable to an empty array to have the entire group membership updated.
PowerShell
$firstPropertyName = "l" # TODO: modify me
$secondPropertyName = "employeeType" # TODO: modify me
$templateUsersInfo = @{
    "New York;Sales" = "CN=TemplateUser1,CN=Users,DC=example,DC=com"
    "Washington;IT" = "CN=TemplateUser2,CN=Users,DC=example,DC=com"
} # TODO: modify me
$groupDNsToKept = @("CN=MyGroup1,OU=Groups,DC=example,DC=com", "CN=MyGroup2,OU=Groups,DC=example,DC=com") # TODO: modify me

# Get the first property value of the user
try
{
    $firstValue = $Context.TargetObject.Get($firstPropertyName)
}
catch
{
    $Context.LogMessage("Property $firstPropertyName is empty. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Get the second property value of the user
try
{
    $secondValue = $Context.TargetObject.Get($secondPropertyName)
}
catch
{
    $Context.LogMessage("Property $secondPropertyName is empty. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Get the template user DN; the lookup key is the two values joined with ';'
$templateUserDN = $templateUsersInfo["$firstValue;$secondValue"]
if ([System.String]::IsNullOrEmpty($templateUserDN))
{
    $Context.LogMessage("No source user is specified for combination property $firstPropertyName equals $firstValue and property $secondPropertyName equals $secondValue. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Build the set of GUIDs of the groups the user must stay in
$groupGuidsToKept = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($dn in $groupDNsToKept)
{
    $group = $Context.BindToObjectByDn($dn)
    $guid = [Guid]$group.Get("objectGUID")
    [void]$groupGuidsToKept.Add($guid)
}

# Get all groups the user is a direct member of
$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($guidBytes in $groupGuidsBytes)
{
    # Skip groups the user must stay in
    $groupGuid = [Guid]$guidBytes
    if ($groupGuidsToKept.Contains($groupGuid))
    {
        continue
    }

    # Bind to the group
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group
    $group.Remove($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}

# Bind to the template user
$templateUser = $Context.BindToObjectByDn($templateUserDN)

# Get all groups the template user is a direct member of
$groupGuidsBytes = $templateUser.GetEx("adm-DirectMemberOfGuid")
foreach ($guidBytes in $groupGuidsBytes)
{
    # Bind to the group
    $groupGuid = [Guid]$guidBytes
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Add the user to the group
    $group.Add($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}
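As an added example (not part of the Adaxes script repository and not code from either script above), the following pure PowerShell function computes the net membership change a run of either script would make, so the result can be reviewed before the business rule is enabled. It works on plain GUIDs: in a real script the lists would be filled from GetEx("adm-DirectMemberOfGuid") on the target user and on the template user(s), from the objectGUID of each group in $groupDNsToKept, and from the group whose primaryGroupToken matches the user's primaryGroupID. The function name, its parameters and the sample GUIDs are constructed for this example. Unlike the scripts, which remove every membership and then re-add the template's, it reports groups present in both sets as unchanged, which is the net effect of a run.

```powershell
# Added example, not part of the Adaxes scripts above. Computes, without touching the
# directory, which groups the target user would be removed from, added to, and left in.
function Get-MembershipDelta
{
    param(
        [Guid[]] $CurrentGroupGuids = @(),    # direct memberships of the target user now
        [Guid[]] $TemplateGroupGuids = @(),   # union of the template users' direct memberships
        [Guid[]] $KeepGroupGuids = @(),       # groups never to remove (Script 2's $groupDNsToKept)
        [Guid]   $PrimaryGroupGuid = [Guid]::Empty  # the user's primary group, never touched
    )

    # Build hash sets so each membership test is a lookup, not a scan
    $current  = New-Object "System.Collections.Generic.HashSet[System.Guid]"
    foreach ($g in $CurrentGroupGuids)  { [void]$current.Add($g) }
    $template = New-Object "System.Collections.Generic.HashSet[System.Guid]"
    foreach ($g in $TemplateGroupGuids) { [void]$template.Add($g) }
    $keep     = New-Object "System.Collections.Generic.HashSet[System.Guid]"
    foreach ($g in $KeepGroupGuids)     { [void]$keep.Add($g) }

    $toRemove  = @()
    $toAdd     = @()
    $unchanged = @()

    # Every current group is removed unless it is the primary group, on the keep list,
    # or also held by the template (removing and re-adding it has no net effect)
    foreach ($g in $current)
    {
        if ($g -eq $PrimaryGroupGuid -or $keep.Contains($g) -or $template.Contains($g))
        {
            $unchanged += $g
        }
        else
        {
            $toRemove += $g
        }
    }

    # Every template group the user is not yet in is added, except the primary group
    foreach ($g in $template)
    {
        if ($g -eq $PrimaryGroupGuid -or $current.Contains($g))
        {
            continue
        }
        $toAdd += $g
    }

    return [PSCustomObject]@{
        Remove    = $toRemove
        Add       = $toAdd
        Unchanged = $unchanged
        # Membership after the run; only the primary group left here means the mapping is empty or missing
        Resulting = @($unchanged) + @($toAdd)
    }
}

# Constructed sample GUIDs standing in for real group objectGUID values
$sales    = [Guid]"11111111-1111-1111-1111-111111111111"
$vpn      = [Guid]"22222222-2222-2222-2222-222222222222"
$legacy   = [Guid]"33333333-3333-3333-3333-333333333333"
$wiki     = [Guid]"44444444-4444-4444-4444-444444444444"
$domUsers = [Guid]"55555555-5555-5555-5555-555555555555"

# The user is in Sales, Legacy, Wiki and the primary group; the template is in Sales and VPN;
# Wiki is on the keep list
$delta = Get-MembershipDelta -CurrentGroupGuids @($sales, $legacy, $wiki, $domUsers) `
                             -TemplateGroupGuids @($sales, $vpn) `
                             -KeepGroupGuids @($wiki) `
                             -PrimaryGroupGuid $domUsers
$delta | Format-List
```

Reading the Resulting list before enabling the rule is the check that matters: an empty Add list next to a non-empty Remove list means the property value has no template mapped (or the property is empty), and with Script 1 that run leaves the user in the primary group only, because the removals happen before the property is read.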