The script can be used in business rules, custom commands and scheduled tasks to remove deleted Active Directory objects from business unit membership rules.
Note: The script does not check membership rules that are defined using templates; such rules are always left in place.
To clean up invalid membership rules from a business unit on a regular basis, you can configure a scheduled task for the Domain-DNS object type that executes the script.
Parameter:
- $unitPath - Specifies the ADS path of the business unit that you want the script to check.
How to get the ADS path of a business unit:
- Launch Adaxes Administration console.
- Expand the service node.
- Expand the Business Units node.
- Right-click the business unit you need.
- In the context menu, open the submenu of the Copy item.
- Click Copy ADS Path. The ADS Path of the business unit will be copied to the clipboard.
PowerShell
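# Removes membership rules that reference deleted Active Directory objects from
# the business unit identified by $unitPath. Rules defined with a DN template are
# never removed. $Context is supplied by the Adaxes host that runs the script.
$unitPath = "Adaxes://adaxesserver.example.com:12345/CN=My Unit,CN=Business Units,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

$unit = $Context.BindToObject($unitPath)
$rules = $unit.GetMembershipRules()
$rulesToRemove = @()

# Find membership rules with references to non-existing objects
foreach ($rule in $rules)
{
    switch ($rule.Type)
    {
        "ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY"
        {
            # Query rules without a base object path are kept as they are.
            if (-not([System.String]::IsNullOrEmpty($rule.BaseObjectPath)))
            {
                try
                {
                    # Only the success of the bind matters; the bound object is not used.
                    $null = $Context.BindToObject($rule.BaseObjectPath)
                }
                catch
                {
                    # NOTE(review): this catch is unfiltered, so ANY bind failure marks
                    # the rule for removal, not only "object does not exist". A transient
                    # connectivity or permission error would delete a still-valid rule.
                    # The reason is logged so the removal can be reviewed afterwards;
                    # consider narrowing the catch to the not-found error of your environment.
                    $Context.LogMessage("Membership rule base object '" + $rule.BaseObjectPath + "' could not be bound and the rule will be removed: " + $_.Exception.Message, "Warning")
                    $rulesToRemove += $rule
                }
            }
        }
        "ADM_BUSINESSUNITMEMBERSHIPTYPE_CONTAINER"
        {
            # Invalid only when there is neither a template nor a resolved container.
            if ([System.String]::IsNullOrEmpty($rule.ContainerDnTemplate) -and
                ($rule.Container -eq $NULL))
            {
                $rulesToRemove += $rule
            }
        }
        "ADM_BUSINESSUNITMEMBERSHIPTYPE_GROUP"
        {
            # Invalid only when there is neither a template nor a resolved group.
            if ([System.String]::IsNullOrEmpty($rule.GroupDnTemplate) -and
                ($rule.Group -eq $NULL))
            {
                $rulesToRemove += $rule
            }
        }
        "ADM_BUSINESSUNITMEMBERSHIPTYPE_SPECIFIC"
        {
            # Invalid only when there is neither a template nor a resolved object.
            if ([System.String]::IsNullOrEmpty($rule.ObjectDnTemplate) -and
                ($rule.Object -eq $NULL))
            {
                $rulesToRemove += $rule
            }
        }
    }
}

# Write to the business unit only when something actually has to be removed, so a
# clean run does not modify the object at all.
if ($rulesToRemove.Count -gt 0)
{
    # Remove invalid membership rules
    foreach ($invalidRule in $rulesToRemove)
    {
        $rules.Remove($invalidRule)
    }
    $unit.SetMembershipRules($rules)

    # Save changes
    $unit.SetInfo()

    # Leave a record of the change in the execution log.
    $Context.LogMessage("Removed " + $rulesToRemove.Count + " invalid membership rule(s) from business unit '" + $unitPath + "'.", "Information")
}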