This script prevents users from a specific AD domain from being added to groups located in other domains. To use it with Adaxes, create a business rule triggered before adding a member to a group, add an action that cancels the operation, and attach this script to that action with the "If PowerShell script returns true" condition.
Parameters:
- $disallowedDomain - Specifies the fully qualified name of the AD domain. Only users that belong to this domain are affected by the script.
PowerShell
$disallowedDomain = "domain.com" # TODO: modify me

# Default to "condition not met" so the operation proceeds unless we decide otherwise.
$Context.ConditionIsMet = $False

# Bind to the member that is being added and determine which domain it belongs to.
$newMember = $Context.BindToObject("Adaxes://%member%")
$newMemberPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $newMember.ADsPath
$newMemberDomainName = $Context.GetObjectDomain($newMemberPath.DN)

# Members from other domains are not restricted by this script.
if ($newMemberDomainName -ine $disallowedDomain)
{
    return
}

# The member is from the restricted domain: cancel only if the group lives in a different domain.
$groupDomainName = $Context.GetObjectDomain("%distinguishedName%")
if ($groupDomainName -ine $disallowedDomain)
{
    $Context.ConditionIsMet = $True
}
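The same rule generalised to a list of restricted domains, with the decision isolated in a function and the reason written to the Adaxes operation log. This is an added example, not part of the original script; it assumes the same $Context, %member% and %distinguishedName% values the original relies on, and the domain names in $restrictedDomains are constructed placeholders.

```powershell
# Added example: block cross-domain group membership for several source domains.
# Assumed: $Context, %member% and %distinguishedName% are provided by Adaxes as in
# the original script; $restrictedDomains is a constructed sample list.
$restrictedDomains = @("domain.com", "subsidiary.example.com") # TODO: modify me

function Test-CrossDomainAdd
{
    # Returns $true when the member belongs to one of the restricted domains and the
    # target group lives in a different domain; that is the case the rule must cancel.
    param(
        [string]$MemberDomain,
        [string]$GroupDomain,
        [string[]]$Restricted
    )
    # Same-domain membership is always allowed.
    if ($MemberDomain -ieq $GroupDomain) { return $false }
    foreach ($domain in $Restricted)
    {
        if ($MemberDomain -ieq $domain) { return $true }
    }
    return $false
}

# Default to "condition not met" so the operation proceeds unless we decide otherwise.
$Context.ConditionIsMet = $False

# Resolve the member's and the group's domains the same way the original script does.
$newMember = $Context.BindToObject("Adaxes://%member%")
$newMemberPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $newMember.ADsPath
$memberDomain = $Context.GetObjectDomain($newMemberPath.DN)
$groupDomain = $Context.GetObjectDomain("%distinguishedName%")

if (Test-CrossDomainAdd -MemberDomain $memberDomain -GroupDomain $groupDomain -Restricted $restrictedDomains)
{
    # Record why the operation is being cancelled so the denial is visible in the log.
    $Context.LogMessage("Members of $memberDomain may not be added to groups in $groupDomain.", "Warning")
    $Context.ConditionIsMet = $True
}
```

Because business rules only apply to operations performed through Adaxes, memberships changed directly in AD are not affected by this script.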