Update group membership of all users
The script makes sure that only users with a specific property value are members of the corresponding groups. If a user's property value does not correspond to a group the user is currently a member of, the user is removed from that group. To run the script, create a scheduled task configured for the Domain-DNS object type.
Parameters:
- $propertyName - Specifies the LDAP name of the property whose value will be used to determine groups a user should be a member of.
- $valuesToGroupDNs - Maps property values to the distinguished names (DNs) of the corresponding groups.
# LDAP display name of the attribute that drives group membership.
# NOTE(review): membership is derived purely from this attribute's value, so the
# attribute must not be editable by the users themselves - otherwise a user
# could place himself into the mapped groups by changing his own value.
$propertyName = "title" # TODO: modify me

# Attribute value -> DNs of the groups that value implies. Every key is
# compared against the attribute value; every entry is an array of group DNs.
$valuesToGroupDNs = @{
    "Value1" = @(
        "CN=MyGroup1,OU=Groups,DC=domain,DC=com",
        "CN=MyGroup2,OU=Groups,DC=domain,DC=com"
    )
    "Value2" = @(
        "CN=MyGroup3,OU=Groups,DC=domain,DC=com"
    )
} # TODO: modify me
function SearchObjects($filter)
{
    # Runs a paged, subtree-wide search for $filter starting at the directory
    # root (rootDSE with VirtualRoot) and returns all matches as one array.
    # The comma on the return line keeps a single-element result from being
    # unrolled into a bare object by PowerShell.
    $rootSearcher = $Context.BindToObject("Adaxes://rootDSE")
    $rootSearcher.SearchFilter = $filter
    $rootSearcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $rootSearcher.PageSize = 500
    $rootSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $rootSearcher.VirtualRoot = $True

    $iterator = $null
    try
    {
        $iterator = $rootSearcher.ExecuteSearch()
        $found = $iterator.FetchAll()
        return ,$found
    }
    finally
    {
        # The iterator holds search resources; release them even when the search failed.
        if ($null -ne $iterator) { $iterator.Dispose() }
    }
}
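# Escapes a value for use inside an LDAP search filter (RFC 4515) so that
# '(', ')', '*', '\' or NUL in a configured value can neither break the filter
# nor widen it into a wildcard match. Backslash is replaced first so the
# escapes produced afterwards are not escaped again.
function EscapeLdapFilterValue($value)
{
    $escaped = [string]$value
    $escaped = $escaped.Replace("\", "\5c")
    $escaped = $escaped.Replace("*", "\2a")
    $escaped = $escaped.Replace("(", "\28")
    $escaped = $escaped.Replace(")", "\29")
    $escaped = $escaped.Replace([string][char]0, "\00")
    return $escaped
}

foreach ($value in $valuesToGroupDNs.Keys)
{
    # Only user accounts (sAMAccountType 805306368) whose attribute equals the value.
    $filter = "(&(sAMAccountType=805306368)($propertyName=$(EscapeLdapFilterValue $value)))"

    # Search users
    $searchResults = SearchObjects $filter

    # Force an array: a single match would otherwise be unrolled into a bare string.
    $userDNs = @($searchResults | ForEach-Object { $_.Properties["distinguishedName"].Value })

    # Update group members
    foreach ($dn in $valuesToGroupDNs[$value])
    {
        $group = $Context.BindToObjectByDN($dn)
        if ($userDNs.Count -eq 0)
        {
            # No user carries this value: clear the attribute explicitly instead of
            # writing an empty value, which is not a reliable way to empty 'member'.
            $group.PutEx("ADS_PROPERTY_CLEAR", "member", $null)
        }
        else
        {
            # Replaces the whole membership: every current member not in $userDNs
            # (including nested groups and non-user accounts) is removed.
            $group.Put("member", $userDNs)
        }
        $group.SetInfo()
    }
}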
Update group membership of only the target user
The script makes sure that the target user is a member of only those groups that correspond to the user's value of the specified property. If the property value does not correspond to a group the user is currently a member of, the user is removed from that group. To run the script, you can, for example, create a custom command configured for the User object type or a business rule triggered After updating a user.
Parameters:
- $propertyName - Specifies the LDAP name of the property whose value will be used to determine groups a user should be a member of.
- $valuesToGroupDNs - Maps property values to the distinguished names (DNs) of the corresponding groups.
# LDAP display name of the attribute whose value decides the target user's groups.
# NOTE(review): because membership follows this attribute, it must not be
# editable by the users themselves - otherwise changing the value would let a
# user join the mapped groups.
$propertyName = "title" # TODO: modify me

# Attribute value -> array of DNs of the groups that value implies.
$valuesToGroupDNs = @{
    "Value1" = @(
        "CN=MyGroup1,OU=Groups,DC=domain,DC=com",
        "CN=MyGroup2,OU=Groups,DC=domain,DC=com"
    )
    "Value2" = @(
        "CN=MyGroup3,OU=Groups,DC=domain,DC=com"
    )
} # TODO: modify me
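# Adds ($addToGroup = $true) or removes ($addToGroup = $false) the object at
# $memberPath for every group DN in $groupDNs. A failing Add/Remove (for
# example, the user already is - or is not - a member) is logged as a warning
# and the remaining groups are still processed. Binding a group DN is left
# outside the try on purpose: an unbindable DN points to a configuration
# error in $valuesToGroupDNs and should surface rather than be downgraded to
# a warning.
function UpdateGroupMembership ($memberPath, $groupDNs, $addToGroup)
{
    foreach ($dn in $groupDNs)
    {
        $group = $Context.BindToObjectByDN($dn)
        $action = if ($addToGroup) { "adding the user to" } else { "removing the user from" }
        try
        {
            if ($addToGroup)
            {
                $group.Add($memberPath)
            }
            else
            {
                $group.Remove($memberPath)
            }
        }
        catch
        {
            # Log the group's DN; the previous message referenced an undefined
            # variable and therefore always printed an empty group name.
            $Context.LogMessage("An error occurred when $action group '$dn'. Error: " + $_.Exception.Message, "Warning")
        }
    }
}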
# Read the driving attribute of the target user. Any failure of Get (in
# particular an attribute without a value) is treated as "no value", which
# removes the user from every mapped group in the loop below.
try
{
    $propertyValue = $Context.TargetObject.Get($propertyName)
}
catch
{
    $propertyValue = $NULL
}

# For every configured value the user is either added to its groups (the
# value matches) or removed from them (any other value, or no value at all).
# -eq on strings is case-insensitive here. NOTE(review): if the attribute is
# multi-valued, Get returns an array and -eq filters it; confirm that is the
# intended behaviour for $propertyName.
$targetPath = $Context.TargetObject.AdsPath
foreach ($value in $valuesToGroupDNs.Keys)
{
    $shouldBeMember = ($propertyValue -eq $value)
    UpdateGroupMembership $targetPath $valuesToGroupDNs[$value] $shouldBeMember
}