Update group membership based on property value

February 25, 2021

Update group membership of all users

The script makes sure that only users with a specific property value are members of the corresponding groups: for each mapped value it finds all users whose property holds that value and overwrites the member list of the mapped groups with exactly those users, so a user whose property value no longer matches is removed from those groups. To run the script, create a scheduled task configured for the Domain-DNS object type.

Parameters:

  • $propertyName - Specifies the LDAP name of the property whose value will be used to determine groups a user should be a member of.
  • $valuesToGroupDNs - Maps property values with distinguished names (DNs) of groups.
PowerShell
$propertyName = "title" # TODO: modify me
$valuesToGroupDNs = @{
    "Value1" = @("CN=MyGroup1,OU=Groups,DC=domain,DC=com", "CN=MyGroup2,OU=Groups,DC=domain,DC=com")
    "Value2" = @("CN=MyGroup3,OU=Groups,DC=domain,DC=com")
} # TODO: modify me

function SearchObjects($filter)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True
    
    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

foreach ($value in $valuesToGroupDNs.Keys)
{
    # Build filter (sAMAccountType=805306368 restricts the results to user accounts)
    $filter = "(&(sAMAccountType=805306368)($propertyName=$value))"
    
    # Search users
    $searchResults = SearchObjects $filter
    
    # Get user DNs; wrap in @() so a single result is still handled as an array
    $userDNs = @($searchResults | %{$_.Properties["distinguishedName"].Value})
    
    # Update group members: replace the whole member list with the matching users
    foreach ($dn in $valuesToGroupDNs[$value])
    {
        $group = $Context.BindToObjectByDN($dn)
        if ($userDNs.Count -eq 0)
        {
            # No matching users: clear the attribute instead of writing an empty value
            $group.PutEx("ADS_PROPERTY_CLEAR", "member", $NULL)
        }
        else
        {
            $group.Put("member", $userDNs)
        }
        $group.SetInfo()
    }
}

Update group membership of only the target user

The script makes sure that the target user is a member of only those groups that correspond to the user's current value of the specified property: the user is added to the groups mapped to that value and removed from the groups mapped to any other value. To run the script, you can, for example, create a custom command configured for the User object type or a business rule triggered After updating a user.

Parameters:

  • $propertyName - Specifies the LDAP name of the property whose value will be used to determine groups a user should be a member of.
  • $valuesToGroupDNs - Maps property values with distinguished names (DNs) of groups.

PowerShell
$propertyName = "title" # TODO: modify me
$valuesToGroupDNs = @{
    "Value1" = @("CN=MyGroup1,OU=Groups,DC=domain,DC=com", "CN=MyGroup2,OU=Groups,DC=domain,DC=com")
    "Value2" = @("CN=MyGroup3,OU=Groups,DC=domain,DC=com")
} # TODO: modify me

function UpdateGroupMembership ($memberPath, $groupDNs, $addToGroup)
{
    foreach ($dn in $groupDNs)
    {
        $group = $Context.BindToObjectByDN($dn)
        # Skip groups that are already in the desired state to avoid needless writes and spurious warnings
        $isMember = $group.IsMember($memberPath)
        if ($addToGroup)
        {
            if ($isMember) { continue }
            try
            {
                $group.Add($memberPath)
            }
            catch
            {
                $Context.LogMessage("An error occurred when adding the user to group '$dn'. Error: " + $_.Exception.Message, "Warning")
            }
        }
        else
        {
            if (-not $isMember) { continue }
            try
            {
                $group.Remove($memberPath)
            }
            catch
            {
                $Context.LogMessage("An error occurred when removing the user from group '$dn'. Error: " + $_.Exception.Message, "Warning")
            }
        }
    }
}

try
{
    $propertyValue = $Context.TargetObject.Get($propertyName)
}
catch
{
    $propertyValue = $NULL
}

foreach ($value in $valuesToGroupDNs.Keys)
{
    $addToGroup = $propertyValue -eq $value
    UpdateGroupMembership $Context.TargetObject.AdsPath $valuesToGroupDNs[$value] $addToGroup
}
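As an added example that is not part of the script repository entry above: a read-only audit variant of the two scripts. It computes, for every mapped group, which users the scripts would add and remove, and only logs the result, so the `$valuesToGroupDNs` mapping can be verified before a scheduled task or business rule starts enforcing it. It reuses the same `$Context` search and bind calls the scripts above use; the `Escape-LdapValue` helper (which escapes the characters that are special in LDAP filters, so a value like `Sales (EMEA)` cannot break or widen the filter), reading current members with `$group.GetEx("member")`, and the `"Information"` log level are assumptions of this example.

```powershell
$propertyName = "title" # TODO: modify me
$valuesToGroupDNs = @{
    "Value1" = @("CN=MyGroup1,OU=Groups,DC=domain,DC=com", "CN=MyGroup2,OU=Groups,DC=domain,DC=com")
    "Value2" = @("CN=MyGroup3,OU=Groups,DC=domain,DC=com")
} # TODO: modify me

# Hypothetical helper: escape the characters RFC 4515 treats specially in a filter value.
# The backslash must be escaped first so the other replacements are not double-escaped.
function Escape-LdapValue([string]$value)
{
    return $value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Return the DNs of all users matching the filter (same search setup as the scripts above)
function SearchUserDNs($filter)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True
    try
    {
        $iterator = $searcher.ExecuteSearch()
        return @($iterator.FetchAll() | %{$_.Properties["distinguishedName"].Value})
    }
    finally
    {
        if ($iterator) { $iterator.Dispose() }
    }
}

# Current direct members of a group. GetEx throws when the attribute is empty (assumption);
# that case is reported as "no members".
function Get-CurrentMemberDNs($group)
{
    try { return @($group.GetEx("member")) } catch { return @() }
}

$totalChanges = 0
foreach ($value in $valuesToGroupDNs.Keys)
{
    $filter = "(&(sAMAccountType=805306368)($propertyName=$(Escape-LdapValue $value)))"
    $expected = SearchUserDNs $filter

    foreach ($dn in $valuesToGroupDNs[$value])
    {
        $group = $Context.BindToObjectByDN($dn)
        $current = Get-CurrentMemberDNs $group

        # -notcontains compares case-insensitively, which is the right comparison for DNs
        $toAdd    = @($expected | Where-Object { $current  -notcontains $_ })
        $toRemove = @($current  | Where-Object { $expected -notcontains $_ })
        $totalChanges += $toAdd.Count + $toRemove.Count

        $Context.LogMessage("Group '$dn' (value '$value'): $($expected.Count) expected, $($current.Count) current, $($toAdd.Count) to add, $($toRemove.Count) to remove", "Information")
        foreach ($m in $toAdd)    { $Context.LogMessage("  + $m", "Information") }
        foreach ($m in $toRemove) { $Context.LogMessage("  - $m", "Information") }
    }
}
$Context.LogMessage("Dry run complete: $totalChanges membership change(s) would be made", "Information")
```

Run it the same way as the first script (a scheduled task for the Domain-DNS object type) and read the execution log; a non-zero "to remove" count for a group is the list of accounts that the enforcing script would silently drop, which is worth reviewing before the mapping goes live. Note that `GetEx("member")` returns only direct members, and very large groups may require ranged retrieval, which this example does not implement.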