These scripts create a Google Apps group based on an AD group. The first script performs the task using the GAM tool, and the second one uses a set of PowerShell cmdlets called gShell.
To create a Google group as soon as a new AD group is created, you can create a Business Rule triggered "After creating a group" that runs the script. Additionally, you can create a Scheduled Task for Group objects that runs it. Using a scheduled task allows you to track AD group membership changes performed outside of Adaxes, for example, using ADUC or Exchange.
GAM Script
Note: Before using the script, install and configure the GAM Tool on the computer where Adaxes service runs. For details, see GAM Wiki.
Parameters:
- $gamPath - Specifies a path to the GAM executable file.
- $waitTimeMilliseconds - Specifies the time to wait for the GAM response. It is recommended not to exceed the 10-minute limit that Adaxes applies to scripts executed by business rules, custom commands and scheduled tasks. If the script runs longer than that limit, it will still be completed, but its errors, warnings and other messages will not be added to the Execution Log.
- $groupIdAttribute - Specifies an AD property that will store the group identifier in Google Apps.
- $groupIdentity - Specifies a value reference for the AD property that will serve to create the group identifier in Google Apps. For example, if you specify %sAMAccountName%, the identifier of the Google group will be the same as the Group Name (pre-Windows 2000) of the AD group.
- $groupName - Specifies a value reference for the AD property that will serve as the name of the group in Google Apps. For example, if you specify %name%, the name of the Google group will be the same as the Group Name of the AD group.
- $groupDescription - Specifies a value reference for the AD property that will serve as the description of a group in Google Apps. For example, if you specify %description%, the description of the Google group will be the same as the Description of the AD group.
PowerShell
$gamPath = "C:\Scripts\Gam\gam.exe" # TODO: modify me
$waitTimeMilliseconds = 8 * 60 * 1000 # TODO: modify me
$groupIdAttribute = "adm-CustomAttributeText1" # TODO: modify me
$groupIdentity = "%sAMAccountName%" # TODO: modify me
$groupName = "%name%" # TODO: modify me
$groupDescription = "%description%" # TODO: modify me
$argumentTemplate = 'create group {0} name "{1}" description "{2}"'

function StartProcess ($arguments)
{
    # Start the GAM process with its output and error streams captured
    $processInfo = New-Object System.Diagnostics.ProcessStartInfo
    $processInfo.FileName = $gamPath
    $processInfo.RedirectStandardOutput = $true
    $processInfo.RedirectStandardError = $true
    $processInfo.UseShellExecute = $false
    $processInfo.CreateNoWindow = $true
    $processInfo.Arguments = $arguments

    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $processInfo
    [void]$process.Start()

    # Wait for GAM to finish; kill it if it exceeds the configured timeout
    $processCompleted = $process.WaitForExit($waitTimeMilliseconds)
    if (!$processCompleted)
    {
        $process.Kill()
        Write-Error "The GAM process timed out."
        return $null
    }

    $resultErrors = $process.StandardError.ReadToEnd()
    $resultOutput = $process.StandardOutput.ReadToEnd()
    return @{
        "Output" = $resultOutput;
        "Error" = $resultErrors;
    }
}

# Check whether the group already has a Google group ID
try
{
    $groupID = $Context.TargetObject.Get($groupIdAttribute)
}
catch
{
    $groupID = $NULL
}

if (-not([System.String]::IsNullOrEmpty($groupID)))
{
    return # The Google group has already been created
}

# Create the group in Google Apps
$arguments = [System.String]::Format($argumentTemplate, @($groupIdentity, $groupName, $groupDescription))
$result = StartProcess $arguments
if ($result -eq $NULL)
{
    return # The timeout has already been reported by StartProcess
}

if (-not([System.String]::IsNullOrEmpty($result.Error)))
{
    $Context.LogMessage($result.Output, "Warning")
    $Context.LogMessage("An error occurred when creating a Google group. Error: " + $result.Error, "Error")
    return
}
elseif (!($result.Output.StartsWith("Creating group")))
{
    $Context.LogMessage($result.Output, "Warning")
    return
}

# Get the ID of the new Google group
$request = 'info group "' + $groupIdentity + '"'
$result = StartProcess $request
if ($result -eq $NULL)
{
    return # The timeout has already been reported by StartProcess
}

if (-not([System.String]::IsNullOrEmpty($result.Error)))
{
    $Context.LogMessage($result.Output, "Warning")
    $Context.LogMessage("An error occurred when getting Google group information. Error: " + $result.Error, "Error")
    return
}

# GAM prints the group ID as a line of the form "id: <identifier>"
$matchInfo = $result.Output | Select-String -Pattern "id:\s[\d\w]+"
if ($matchInfo -eq $NULL)
{
    $Context.LogMessage("Group ID not found. Output: " + $result.Output, "Warning")
    return
}
$groupID = $matchInfo.Matches[0].Value.Replace("id: ", "")

# Save the Google group ID to the AD group
$Context.TargetObject.Put($groupIdAttribute, $groupID)
$Context.TargetObject.SetInfo()
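Both scripts interpolate AD attribute values into a command line or a PowerShell string, so a group name or description that contains a double quote, or an identity that contains a space, breaks the quoting of the GAM argument string. The helper below is an added example, not part of the original scripts: it reads the attributes through $Context.TargetObject.Get() instead of value references (an assumption about how you would adapt the script), rejects identities outside a conservative character set, and escapes quotes and backslashes the way CommandLineToArgvW expects, so the argument string handed to GAM is always well-formed.

```powershell
# Added example: build the GAM "create group" argument string safely.
# Assumes it runs inside Adaxes with $Context available, like the scripts above.

function ConvertTo-QuotedArgument ([string]$value)
{
    # Windows splits a process command line with CommandLineToArgvW rules:
    # backslashes are literal unless they precede a double quote, in which
    # case they must be doubled, and an embedded quote is written as \"
    $escaped = [regex]::Replace($value, '(\\*)"',
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m) ($m.Groups[1].Value * 2) + '\"' })
    # A trailing run of backslashes would otherwise escape the closing quote
    $escaped = [regex]::Replace($escaped, '(\\+)$',
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m) $m.Groups[1].Value * 2 })
    return '"' + $escaped + '"'
}

function Get-GamCreateGroupArguments ($adGroup)
{
    # Read the attributes directly instead of using %value references%, so the
    # values are never substituted into the script text itself
    $identity = [string]$adGroup.Get("sAMAccountName")
    $name = [string]$adGroup.Get("name")
    try { $description = [string]$adGroup.Get("description") } catch { $description = "" }

    # The identity is passed unquoted and becomes the group's address, so a
    # space or quote would split or corrupt the command line; fail closed
    if ($identity -notmatch '^[A-Za-z0-9._-]{1,64}$')
    {
        throw "Group identity '$identity' contains characters that are not allowed"
    }

    return "create group $identity name " + (ConvertTo-QuotedArgument $name) +
           " description " + (ConvertTo-QuotedArgument $description)
}

# Usage in the GAM script above, in place of the [System.String]::Format call:
# $arguments = Get-GamCreateGroupArguments $Context.TargetObject
# A name of   Sales "East"   yields   name "Sales \"East\""
```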
gShell Script
Note: Before using the script, perform the steps listed in gShell's Getting Started document. The step "Enter the Client ID and Secret" must be performed on the computer where the Adaxes service is installed, using the credentials of the Adaxes service account you specified when installing the service.
Parameters:
- $waitTimeSeconds - Specifies the time to wait for the Google Apps response. It is recommended not to exceed the 10-minute limit that Adaxes applies to scripts executed by business rules, custom commands and scheduled tasks. If the script runs longer than that limit, it will still be completed, but its errors, warnings and other messages will not be added to the Execution Log.
- $name - Specifies a value reference for the AD property that serves as the group name in Google Apps. The script will search Google Apps groups by the specified property. For example, if you specify %name%, group names in Google Apps must correspond to the Name property of the corresponding AD groups.
- $description - Specifies a value reference for the AD property that will serve as the description of groups in Google Apps. For example, if you specify %description%, the description of the Google group will be the same as the Description of the AD group.
- $mail - Specifies a value reference for the AD property that contains the email address of the group in Google Apps. For example, if you specify %mail%, the email address of the Google group will be the same as the E-mail property of the AD group.
PowerShell
$waitTimeSeconds = 8 * 60 # TODO: modify me

$scriptBlock = {
    Import-Module gShell
    $name = "%name%" # TODO: modify me
    $description = "%description%" # TODO: modify me
    $mail = "%mail%" # TODO: modify me

    # Check whether the Google group already exists
    $group = $null
    try
    {
        $group = Get-GAGroup -GroupKey $mail -ErrorAction Stop
    }
    catch
    {
        # A 404 means the group does not exist yet; anything else is a real error
        if ($_.Exception.Message -notmatch "Resource Not Found: groupKey \[404\]")
        {
            $message = "An error occurred when searching for a Google group. Error: " + $_.Exception.Message
            Write-Error $message
            return
        }
    }

    if ($group -ne $null)
    {
        return # The Google group already exists
    }

    # Create the new Google group
    try
    {
        New-GAGroup -Email $mail -Name $name -Description $description -ErrorAction Stop
    }
    catch
    {
        $message = "An error occurred when creating a Google group. Error: " + $_.Exception.Message
        Write-Error $message
    }
}

# Start a separate PowerShell process to execute the script block as a background job
$job = Invoke-Command -ComputerName localhost -ScriptBlock $scriptBlock -AsJob
$job | Wait-Job -Timeout $waitTimeSeconds
if ($job.State -ne "Completed")
{
    $Context.LogMessage("The operation did not complete within the allowed timeout of $waitTimeSeconds seconds. " +
        "It will be completed asynchronously in the background.", "Warning")
    return
}

# Get the output from the separate PowerShell process if it completed within $waitTimeSeconds
Receive-Job -Job $job