The script updates the list of allowed values that a property pattern enforces for a DN-syntax property, so that it contains the distinguished names (DNs) of the user members of the specified groups. To run the script, create a scheduled task configured for the Domain-DNS object type and add a managed domain to the Activity Scope. The domain is only used to trigger execution of the scheduled task; the groups and the property pattern are specified in the script itself.
Parameters
- $groupDNs - Specifies the distinguished names (DNs) of the groups whose direct members will be set as the allowed property values. Only members that are user objects are included; other member types are ignored.
- $isPropertyRequired - Specifies whether the property should be set as required in the property pattern.
- $patternDN - Specifies the distinguished name (DN) of the property pattern to update.
- $propertyName - Specifies the name of the property for which the list of allowed values will be updated in a property pattern.
PowerShell
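# Groups whose direct user members become the allowed values of the property.
$groupDNs = @("CN=Group 1,OU=Groups,DC=domain,DC=com", "CN=Group 2,OU=Groups,DC=domain,DC=com") # TODO: modify me
# Property pattern that is updated; the item for $propertyName is replaced, all other items are kept.
$patternDN = "CN=User,CN=Builtin,CN=Property Patterns,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me
$propertyName = "seeAlso" # TODO: modify me
$isPropertyRequired = $True # TODO: modify me

# Collect the GUIDs of the groups' direct members.
# Keyed by the GUID's string form so that a user who is a member of several groups is searched
# for only once (a HashSet[Byte[]] would compare arrays by reference and never deduplicate).
$allMemberGuidBytes = @{}
foreach ($groupDN in $groupDNs)
{
    try
    {
        $group = $Context.BindToObjectByDN($groupDN)
        $memberGuidsBytes = $group.GetEx("adm-DirectMembersGuid")
    }
    catch
    {
        # A mistyped DN or a group this task cannot read must not silently shrink the
        # allowed-value list: report it and carry on with the remaining groups.
        $Context.LogMessage("Skipping group '$groupDN': cannot bind to it or read its members ($($_.Exception.Message)). The list of allowed values will not include its members.", "Warning")
        continue
    }
    foreach ($guidBytes in $memberGuidsBytes)
    {
        $guidKey = (New-Object System.Guid (,[byte[]]$guidBytes)).ToString()
        if (-not $allMemberGuidBytes.ContainsKey($guidKey))
        {
            $allMemberGuidBytes[$guidKey] = $guidBytes
        }
    }
}
if ($allMemberGuidBytes.Count -eq 0)
{
    $Context.LogMessage("Groups have no members.", "Warning")
    return
}

# Resolve the GUIDs to objects, keeping only those of the "user" class; any other member
# type (as returned by adm-DirectMembersGuid) is not added to the allowed values.
$searcher = $Context.CreateGuidBasedSearcher(@($allMemberGuidBytes.Values))
$criteriaUser = New-AdmCriteria "user"
$searcher.AddCriteria($criteriaUser)
$searcher.SetPropertiesToLoad(@("distinguishedName"))
$memberDNs = New-Object System.Collections.ArrayList
$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Groups have no members that are users.", "Warning")
        return
    }
    foreach ($searchResult in $searchResults)
    {
        # [void] keeps ArrayList.Add's returned index out of the script output.
        [void]$memberDNs.Add($searchResult.GetPropertyByName("distinguishedName").Values[0])
    }
}
finally
{
    # Release the iterator even when the search throws or the script returns early.
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}

# Bind to the property pattern and drop the existing item for the property (if any),
# so that stale constraints are not kept next to the new ones.
$pattern = $Context.BindToObjectByDN($patternDN)
foreach ($existingItem in $pattern.Items)
{
    if ($existingItem.PropertyName -ieq $propertyName)
    {
        $pattern.Items.Remove($existingItem)
        break # do not keep enumerating a collection that was just modified
    }
}

# Create the replacement item: a value-range constraint listing the user DNs as the
# values that are allowed (AreValuesDenied = $False), not the values that are denied.
$item = $pattern.Items.Create()
$item.PropertyName = $propertyName
$item.IsPropertyRequired = $isPropertyRequired
$constraints = $item.GetConstraints()
$constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
$constraint.AreValuesDenied = $False
$constraint.Values = $memberDNs.ToArray()
$constraints.Add($constraint)
$item.SetConstraints($constraints)

# Save the item, then attach it to the pattern.
$item.SetInfo()
$pattern.Items.Add($item)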