0 votes

As part of business rules etc we are able to add\remove accounts to groups.

It would be nice if this feature could be extended to allow for wildcard type matching (starts with, contains etc) so that this automated action can process multiple groups that meet the matching condition (without resorting to PowerShell script actions).

Thanks

by (1.6k points)
0

Hello,

Thanks for the suggestion, but currently we are not planning to implement something like that. If you want, we can show you an example on how to implement this using PowerShell scripts.

0

OK - I have a script, but considering yours are always better written than mine it would be nice to see how to do it properly!

1 Answer

0 votes
by (216k points)

Hello,

The following code sample adds the user on which the operation is performed to the groups that match the template specified by $groupNameTemplate:

Import-Module Adaxes

$groupNameTemplate = "*Managers*" # TODO: modify me

# Search groups
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$groups = Get-AdmGroup -Filter {name -like $groupNameTemplate} -Server $domainName -AdaxesService localhost

$groupNames = ""
foreach ($group in $groups)
{
    $groupName = $group.Name
    # Add the user to the group
    try
    {
        Add-AdmGroupMember -Identity $group -Members @("%distinguishedName%") `
            -Server $domainName -AdaxesService localhost -ErrorAction Stop
    }
    catch
    {        
        $Context.LogMessage("Failed to add the user to group '$groupName'. The following error has occurred: " + $_.Exception.Message, "Warning") # TODO: modify me
        continue
    }

    $groupNames += "$groupName;"
}

if ($groupNames.Length -ne 0)
{
    $Context.LogMessage("The user has been added to the following groups: $groupNames .", "Information") # TODO: modify me
}
else
{
    $Context.LogMessage("Failed to add the user to any of the groups matching the '$groupNameTemplate' template.", "Information") # TODO: modify me
}
0

...better than mine!

Can I be cheeky and ask for one more bit?

I have extended so that I have two scripts - one that adds and another that removes. I have also tweaked the output so that each membership change is shown on a line.

It works well in both scenarios, but if the member is already a member (or not) we get a lot of 'warnings'. How would we best put an additional step in so that it checks to see if the user is\isn't a member already before trying the add\remove task?

I have my code below, and where I think we can put a 'check if user is in group' step. I think using the 'Get-AdmGroupMember' CmdLet at this point should work and was wondering if there is a clever way of doing it to return a simple TRUE\FALSE to trigger or escape the subsequent modification?

Import-Module Adaxes

$groupNameTemplate = "Test Group *" # TODO: modify me

# Search groups
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$groups = Get-AdmGroup -Filter {name -like $groupNameTemplate} -Server $domainName -AdaxesService localhost

$groupNames = ""
foreach ($group in $groups)
{
    $groupName = $group.Name
    # Check if the user is a member of the group

    # Is this the best place to perform the initial check?

    # Remove the user from the group
    try
    {
        Remove-AdmGroupMember -Identity $group -Members @("%distinguishedName%") `
            -Server $domainName -AdaxesService localhost -Confirm:$False -ErrorAction:Stop

        $Context.LogMessage("User removed from: $groupName", "Information")
    }
    catch
    {        
        $Context.LogMessage("Failed to remove the user from group '$groupName'. Cause: " + $_.Exception.Message, "Warning") # TODO: modify me
        continue
    }

    $groupNames += "$groupName;"
}

if ($groupNames.Length -ne 0)
{
    $Context.LogMessage("Group membership processed", "Information") # TODO: modify me
}
else
{
    $Context.LogMessage("Failed to remove the user from any of the groups matching the '$groupNameTemplate' template.", "Information") # TODO: modify me
}
0

Hello,

We've modified both the scripts so that they first check whether a user is/is not a member of a group before trying to add/remove the user from the group.

Script for adding a user to groups by template:

Import-Module Adaxes

$groupNameTemplate = "*Managers*" # TODO: modify me

# Get GUIDs of the groups the user is already a direct member of
$targetGroupGuidsInBytes = $Context.TargetObject.DirectMemberOf
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
if ($null -ne $targetGroupGuidsInBytes)
{
    foreach ($targetGroupGuidInBytes in $targetGroupGuidsInBytes)
    {
        $guid = [Guid]$targetGroupGuidInBytes

        $targetGroupGuids.Add($guid) | Out-Null
    }
}

# Search groups by template
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$groups = Get-AdmGroup -Filter {name -like $groupNameTemplate} -Server $domainName -AdaxesService localhost

$groupNames = ""
foreach ($group in $groups)
{
    # Skip the group if the user is already a member
    $groupGuid = [Guid]$group.ObjectGUID
    if ($targetGroupGuids.Contains($groupGuid))
    {
        continue
    }

    # Get group name
    $groupName = $group.Name

    # Add the user to the group
    try
    {
        Add-AdmGroupMember -Identity $group -Members @("%distinguishedName%") `
            -Server $domainName -AdaxesService localhost -ErrorAction Stop
    }
    catch
    {       
        $Context.LogMessage("Failed to add the user to group '$groupName'. The following error has occurred: " + $_.Exception.Message, "Warning") # TODO: modify me
        continue
    }

    $groupNames += "$groupName;"
}

if ($groupNames.Length -ne 0)
{
    $Context.LogMessage("The user has been added to the following groups: $groupNames .", "Information") # TODO: modify me
}
else
{
    $Context.LogMessage("Failed to add the user to any of the groups matching the '$groupNameTemplate' template.", "Information") # TODO: modify me
}

Script for removing a user from groups by template:

Import-Module Adaxes

$groupNameTemplate = "Test Group *" # TODO: modify me

# Get GUIDs of the groups the user is already a direct member of
$targetGroupGuidsInBytes = $Context.TargetObject.DirectMemberOf
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
if ($null -ne $targetGroupGuidsInBytes)
{
    foreach ($targetGroupGuidInBytes in $targetGroupGuidsInBytes)
    {
        $guid = [Guid]$targetGroupGuidInBytes

        $targetGroupGuids.Add($guid) | Out-Null
    }
}

# Search groups by template
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$groups = Get-AdmGroup -Filter {name -like $groupNameTemplate} -Server $domainName -AdaxesService localhost

$removedGroupCount = 0
foreach ($group in $groups)
{
    # Skip the group if the user is not a member
    $groupGuid = [Guid]$group.ObjectGUID
    if (!($targetGroupGuids.Contains($groupGuid)))
    {
        continue
    }

    # Get group name (used in the log messages below)
    $groupName = $group.Name

    # Remove the user from the group
    try
    {
        Remove-AdmGroupMember -Identity $group -Members @("%distinguishedName%") `
            -Server $domainName -AdaxesService localhost -Confirm:$False -ErrorAction:Stop

        $Context.LogMessage("User removed from: " + $group.Name, "Information")
    }
    catch
    {       
        $Context.LogMessage("Failed to remove the user from group '$groupName'. Cause: " + $_.Exception.Message, "Warning") # TODO: modify me
        continue
    }

    $removedGroupCount++
}

if ($removedGroupCount -ne 0)
{
    $Context.LogMessage("Group membership processed", "Information") # TODO: modify me
}
else
{
    $Context.LogMessage("Failed to remove the user from any of the groups matching the '$groupNameTemplate' template.", "Information") # TODO: modify me
}
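As an added example (not code from the Adaxes support reply or from the original poster), the two scripts above can be folded into one parametrised script: a small function returns $true/$false for the "is the user already a member?" check the question asks about, each membership change is logged on its own line, unexpected values of $action are rejected before anything is touched, and a WhatIf pass lets you see which groups a wildcard template matches before any membership is changed. The $action, $searchBase and $whatIf variables and the Test-DirectGroupMember function are assumptions introduced here; -SearchBase on Get-AdmGroup is assumed to behave like the same parameter on Get-ADGroup.

```powershell
Import-Module Adaxes

# Hypothetical settings; adjust for your environment.
$groupNameTemplate = "Test Group *"   # wildcard template, as in the scripts above
$action            = "Add"            # "Add" or "Remove"
$searchBase        = $null            # e.g. "OU=Groups,DC=example,DC=com"; assumed to work like Get-ADGroup -SearchBase
$whatIf            = $true            # $true only logs what would change; set to $false to apply the changes

if (@("Add", "Remove") -notcontains $action)
{
    $Context.LogMessage("Unsupported action '$action'; expected 'Add' or 'Remove'.", "Error")
    return
}

# Build a set of GUIDs of the groups the user is a direct member of (same approach as the scripts above).
$memberOfGuids  = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$directMemberOf = $Context.TargetObject.DirectMemberOf
if ($null -ne $directMemberOf)
{
    foreach ($guidBytes in $directMemberOf)
    {
        $memberOfGuids.Add([Guid]$guidBytes) | Out-Null
    }
}

# Returns $true when the user is a direct member of the group, $false otherwise.
function Test-DirectGroupMember($group)
{
    return $memberOfGuids.Contains([Guid]$group.ObjectGUID)
}

# Search groups matching the template, optionally scoped to an OU.
$domainName   = $Context.GetObjectDomain("%distinguishedName%")
$searchParams = @{ Server = $domainName; AdaxesService = "localhost" }
if ($searchBase) { $searchParams["SearchBase"] = $searchBase }
$groups = @(Get-AdmGroup -Filter {name -like $groupNameTemplate} @searchParams)

$preposition = if ($action -eq "Add") { "to" } else { "from" }
$changed = 0
$skipped = 0
foreach ($group in $groups)
{
    # Keep the name in a plain variable: "$group.Name" inside a double-quoted string
    # expands $group and appends ".Name" literally.
    $groupName = $group.Name
    $isMember  = Test-DirectGroupMember $group

    # Idempotency: only add when not yet a member, only remove when currently a member.
    if (($action -eq "Add" -and $isMember) -or ($action -eq "Remove" -and -not $isMember))
    {
        $Context.LogMessage("Skipped '$groupName': nothing to $action.", "Information")
        $skipped++
        continue
    }

    if ($whatIf)
    {
        $Context.LogMessage("[WhatIf] Would $action the user $preposition '$groupName'.", "Information")
        continue
    }

    try
    {
        if ($action -eq "Add")
        {
            Add-AdmGroupMember -Identity $group -Members @("%distinguishedName%") `
                -Server $domainName -AdaxesService localhost -ErrorAction Stop
        }
        else
        {
            Remove-AdmGroupMember -Identity $group -Members @("%distinguishedName%") `
                -Server $domainName -AdaxesService localhost -Confirm:$false -ErrorAction Stop
        }
        $Context.LogMessage("$action $preposition '$groupName' done.", "Information")
        $changed++
    }
    catch
    {
        $Context.LogMessage("Failed to $action the user $preposition '$groupName': " + $_.Exception.Message, "Warning")
    }
}

$Context.LogMessage("$($groups.Count) group(s) matched '$groupNameTemplate'; $changed changed, $skipped skipped.", "Information")
```

DirectMemberOf only reflects direct membership, which is exactly what Add-AdmGroupMember and Remove-AdmGroupMember operate on, so nested membership is correctly ignored by the check. Running once with $whatIf left at $true is worth the extra step for a new template: a pattern such as "*Managers*" matches every group whose name contains that word, and the summary line shows the match count before any membership is changed.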
0

Many thanks - again - still the best supported product we own!

These would be good little scripts to add to the Script Repository that's linked off the SDK site when that comes online.

Regards

0

Hello,

Thank you for your good words, we really appreciate it! :)

These would be good little scripts to add to the Script Repository that's linked off the SDK site when that comes online.

Definitely. We've passed them to the guys who are working on the repository.
