The script adds a user to a group whose name is derived from the user's department (by default `Group-<department>`). If a group with the necessary name does not exist, it is created. Because the department attribute determines both which group is looked up and which group is created, treat it as untrusted input: make sure that only trusted administrators can set the department attribute.
To use the script, you need to create a business rule triggered automatically once a user is created or updated. For more information on how to automatically run a script once a new user is created, see Run PowerShell Script after Creating a User. Alternatively, you can schedule adding users to groups.
Parameters:
- $groupOuDn - Specifies the distinguished name (DN) of the Organizational Unit in which a new group is created when no existing group matches the user's department. Note that the lookup for an existing group is domain-wide (it starts at the domain's RootDSE), not limited to this OU.
- $groupType - Specifies what types of groups to create if there isn't a group for a user's department. For a complete list of possible values, see ADS_GROUP_TYPE_ENUM.
PowerShell
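# Adds the target user to the group named "<prefix><department>", creating the
# group in $groupOuDn when it does not exist yet.
#
# The department is read through the directory API instead of a %department%
# value reference. Value references are expanded into the script text before it
# runs (see the original template), so a department containing quotes or other
# script syntax would end up inside the code; reading it via Get() keeps it as
# data. The value is then validated and escaped before it is used in an LDAP
# filter and in a distinguished name.
$groupNamePrefix = "Group-" # TODO: modify me
$groupOuDn = "OU=Departments,DC=example,DC=com" # TODO: modify me
[Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType =
    "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED" # TODO: modify me

# Escapes a value for use inside an LDAP search filter (RFC 4515).
# Without this, a department such as "*" or "x)(cn=*" would change the meaning
# of the filter instead of matching a literal group name.
function Escape-LdapFilterValue([string]$value)
{
    # Backslash first, so the escapes added below are not escaped again.
    $escaped = $value.Replace("\", "\5c")
    $escaped = $escaped.Replace("*", "\2a")
    $escaped = $escaped.Replace("(", "\28")
    $escaped = $escaped.Replace(")", "\29")
    $escaped = $escaped.Replace([string][char]0, "\00")
    return $escaped
}

# Escapes a value for use as an RDN attribute value (RFC 4514) so that
# "CN=<value>" is parsed as a single relative distinguished name.
function Escape-RdnValue([string]$value)
{
    $escaped = $value.Replace("\", "\\")
    foreach ($ch in @(",", "+", '"', "<", ">", ";", "="))
    {
        $escaped = $escaped.Replace($ch, "\$ch")
    }
    # A trailing space must be escaped; check before the leading escape so a
    # single-space value is not escaped twice.
    if ($escaped.Length -gt 1 -and $escaped.EndsWith(" "))
    {
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + "\ "
    }
    # A leading '#' or space must be escaped as well.
    if ($escaped.StartsWith("#") -or $escaped.StartsWith(" "))
    {
        $escaped = "\" + $escaped
    }
    return $escaped
}

# Read the department. ADSI Get() throws when the attribute is not set, which
# is treated the same as an empty value.
try
{
    $department = [string]$Context.TargetObject.Get("department")
}
catch
{
    $department = ""
}
$department = $department.Trim()
if ([System.String]::IsNullOrEmpty($department))
{
    return # Department not specified
}
$groupName = $groupNamePrefix + $department

# Reject characters that are not allowed in sAMAccountName. A group with such
# a name could not be created anyway, and several of these characters
# ('*', '\', '=', ',', ...) are also LDAP filter or DN metacharacters.
if ($groupName -match '["/\\\[\]:;|=,+*?<>]')
{
    $Context.LogMessage("Group name '$groupName' derived from department '$department' contains characters that are not valid in sAMAccountName. The user was not added to a group.", "Warning")
    return
}

# Get GUIDs of the groups the user is a direct member of, so the user is not
# added again to a group it already belongs to.
try
{
    $groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $groupGuidsBytes = @()
}
$groupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($guidBytes in $groupGuidsBytes)
{
    [void]$groupGuids.Add([Guid]$guidBytes)
}

# Search the whole domain for a group with the department name. The search is
# domain-wide rather than limited to $groupOuDn because sAMAccountName must be
# unique in the domain; creating a duplicate would fail.
$userDn = [string]$Context.TargetObject.Get("distinguishedName")
$domainName = $Context.GetObjectDomain($userDn)
$searcher = $Context.BindToObject("Adaxes://$domainName/RootDSE")
$searcher.SearchFilter = "(&(objectClass=group)(name=" + (Escape-LdapFilterValue $groupName) + "))"
$searcher.SetPropertiesToLoad(@("ObjectGuid"))
$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    if ($searchResults.Length -ge 1)
    {
        # 'name' is only unique within a container, so more than one group may
        # match; the user is added to every matching group it is not yet in.
        foreach ($searchResult in $searchResults)
        {
            $guid = [Guid]$searchResult.Properties["ObjectGuid"].Value
            if ($groupGuids.Contains($guid))
            {
                continue # The user is already a member of an appropriate group
            }
            # Group found, add user
            $departmentGroup = $Context.BindToObject($searchResult.AdsPath)
            $departmentGroup.Add($Context.TargetObject.AdsPath)
        }
    }
    else
    {
        # Group not found, create one in the configured OU
        $targetContainer = $Context.BindToObjectByDN($groupOuDn)
        $departmentGroup = $targetContainer.Create("group", "CN=" + (Escape-RdnValue $groupName))
        $departmentGroup.Put("groupType", [Int32]$groupType)
        $departmentGroup.Put("sAMAccountName", $groupName)
        $departmentGroup.SetInfo()
        # Add user
        $departmentGroup.Add($Context.TargetObject.AdsPath)
    }
}
catch
{
    $Context.LogMessage("An error occurred when adding the user to group '$groupName'. Error: " + $_.Exception.Message, "Warning")
}
finally
{
    # ExecuteSearch() may have thrown before the iterator was assigned; calling
    # Dispose() on $null would itself throw from the finally block.
    if ($searchResultIterator -ne $null)
    {
        $searchResultIterator.Dispose()
    }
}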