
Script Repository

Copy group membership from specified user

February 28, 2023

The script copies group membership from the user specified to the target user.

Using a custom command parameter

The script copies group membership from the user specified in an AD object picker parameter of a custom command to the target user.

Parameters:

  • $sourceUserDNParamName - Specifies the name of the parameter used to select the source user, including the param- prefix.
  • $replaceGroups - If set to $True, the script replaces all of the target user's group membership with that of the source user. If set to $False, the target user retains its existing group membership and is additionally added to the groups the source user is a member of.
  • $groupNamesToSkip - Specifies sAMAccountNames of the groups that should be skipped by the script.
PowerShell
$sourceUserDNParamName = "param-User" # TODO: modify me
$replaceGroups = $False # TODO: modify me
$groupNamesToSkip = @("Group1", "Group2", "Group3*") # TODO: modify me

function SkipGroup($patterns, $sAMAccountName)
{
    foreach ($pattern in $patterns)
    {
        if ($sAMAccountName -like $pattern)
        {
            return $True
        }
    }
    
    return $False
}

# Bind to the source user
$sourceUserDN = $Context.GetParameterValue($sourceUserDNParamName)
$sourceUser = $Context.BindToObjectByDN($sourceUserDN)

# Get groups to add
$groupGuidsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$sourceUser.GetEx("adm-DirectMemberOfGuid") | %{[void]$groupGuidsToAdd.Add([Guid]$_)}

# Get current groups
$currentGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$Context.TargetObject.GetEx("adm-DirectMemberOfGuid") | %{[void]$currentGroupGuids.Add([Guid]$_)}

# Update groups
foreach ($guidBytes in $groupGuidsToAdd)
{
    $guid = [Guid]$guidBytes
    if ($currentGroupGuids.Remove($guid))
    {
        continue
    }
    
    # Skip special groups
    $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)
    $sAMAccountName = $group.Get("sAMAccountName")
    if (($NULL -ne $groupNamesToSkip) -and (SkipGroup $groupNamesToSkip $sAMAccountName))
    {
        continue
    }

    $group.Add($Context.TargetObject.AdsPath)
}

if ($replaceGroups)
{
    # Get the primary group ID
    $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
    
    foreach ($guidBytes in $currentGroupGuids)
    {
        $guid = [Guid]$guidBytes
        $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)

        # Skip the group if it is the user's Primary Group
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }
        
        $group.Remove($Context.TargetObject.AdsPath)
    }
}

Using a DN syntax property

The script copies group membership from the user specified in a DN syntax property (e.g. Assistant) of the target user.

Parameters:

  • $sourceUserDNPropertyName - Specifies the LDAP name of the DN syntax property storing the user to copy membership from.
  • $replaceGroups - If set to $True, the script replaces all of the target user's group membership with that of the source user. If set to $False, the target user retains its existing group membership and is additionally added to the groups the source user is a member of.
PowerShell
$sourceUserDNPropertyName = "assistant" # TODO: modify me
$replaceGroups = $True # TODO: modify me

# Bind to the source user
$sourceUserDN = $Context.TargetObject.Get($sourceUserDNPropertyName)
$sourceUser = $Context.BindToObjectByDN($sourceUserDN)

# Get groups to add
$groupGuidsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$sourceUser.GetEx("adm-DirectMemberOfGuid") | %{[void]$groupGuidsToAdd.Add([Guid]$_)}

# Get current groups
$currentGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$Context.TargetObject.GetEx("adm-DirectMemberOfGuid") | %{[void]$currentGroupGuids.Add([Guid]$_)}

# Update groups
foreach ($guidBytes in $groupGuidsToAdd)
{
    $guid = [Guid]$guidBytes
    if ($currentGroupGuids.Remove($guid))
    {
        continue
    }
    
    $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)
    $group.Add($Context.TargetObject.AdsPath)
}

if ($replaceGroups)
{
    # Get the primary group ID
    $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
    
    foreach ($guidBytes in $currentGroupGuids)
    {
        $guid = [Guid]$guidBytes
        $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)

        # Skip the group if it is the user's Primary Group
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }
        
        $group.Remove($Context.TargetObject.AdsPath)
    }
}

Only copy Azure AD groups

The script copies only Azure AD group membership from the user specified in an AD object picker parameter of a custom command to the target user; on-premises AD groups are left untouched.

Parameters:

  • $sourceUserDNParamName - Specifies the name of the parameter used to select the source user, including the param- prefix.
  • $replaceGroups - If set to $True, the script replaces all of the target user's Azure AD group membership with that of the source user. If set to $False, the target user retains its existing group membership and is additionally added to the Azure AD groups the source user is a member of.
  • $groupNamesToSkip - Specifies names (cn values) of the groups that should be skipped by the script.
PowerShell
$sourceUserDNParamName = "param-User" # TODO: modify me
$replaceGroups = $False # TODO: modify me
$groupNamesToSkip = @("Group1", "Group2", "Group3*") # TODO: modify me

function SkipGroup($patterns, $sAMAccountName)
{
    foreach ($pattern in $patterns)
    {
        if ($sAMAccountName -like $pattern)
        {
            return $True
        }
    }
    
    return $False
}

# Bind to the source user
$sourceUserDN = $Context.GetParameterValue($sourceUserDNParamName)
$sourceUser = $Context.BindToObjectByDN($sourceUserDN)

# Get groups to add
$groupGuidsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
try
{
    $sourceGroupGuidsBytes = $sourceUser.GetEx("adm-DirectMemberOfGuid") 
}
catch
{
    $sourceGroupGuidsBytes = @()
}
$sourceGroupGuidsBytes | %{[void]$groupGuidsToAdd.Add([Guid]$_)}

# Get current groups
$currentGroupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
try
{
    $targetGroupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $targetGroupGuidsBytes = @()
}
$targetGroupGuidsBytes | %{[void]$currentGroupGuids.Add([Guid]$_)}

# Update groups
foreach ($guidBytes in $groupGuidsToAdd)
{
    $guid = [Guid]$guidBytes
    if ($currentGroupGuids.Remove($guid))
    {
        continue
    }
    
    # Skip special groups
    $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)
    if ($group.DirectoryType -ne 2)
    {
        continue
    }
    
    $groupName = $group.Get("cn")
    if (($NULL -ne $groupNamesToSkip) -and (SkipGroup $groupNamesToSkip $groupName))
    {
        continue
    }

    $group.Add($Context.TargetObject.AdsPath)
}

if ($replaceGroups)
{
    foreach ($guidBytes in $currentGroupGuids)
    {
        $guid = [Guid]$guidBytes
        $group = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)

        if ($group.DirectoryType -ne 2)
        {
            continue
        }
        
        $group.Remove($Context.TargetObject.AdsPath)
    }
}
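All three scripts above apply the same set logic: source groups the target already belongs to are consumed from the current-membership set, the remaining source groups are added unless they match a skip pattern, and, with $replaceGroups enabled, whatever is left in the current set is removed except the user's primary group. The following is an added example, not a script from the Adaxes repository, that computes that add/remove plan against constructed in-memory data so the behaviour can be dry-run and reviewed outside Adaxes before a custom command is run against real accounts. The group names, GUIDs and primaryGroupToken values are constructed sample values, and the Get-MembershipPlan and Test-SkipGroup function names are this example's own.

```powershell
# Added example: dry-run of the membership-copy logic with no Adaxes binding.
# Each group is a constructed hashtable: @{ Guid = [Guid]; Name = [string]; Token = [int] }

function Test-SkipGroup
{
    param([string[]]$Patterns, [string]$Name)
    foreach ($pattern in $Patterns)
    {
        if ($Name -like $pattern) { return $True }   # same wildcard semantics as the scripts' SkipGroup
    }
    return $False
}

function Get-MembershipPlan
{
    param(
        [hashtable[]]$SourceGroups,
        [hashtable[]]$TargetGroups,
        [int]$TargetPrimaryGroupId,            # value of the target user's primaryGroupID attribute
        [string[]]$GroupNamesToSkip = @(),
        [bool]$ReplaceGroups = $False
    )

    # Current membership keyed by GUID, exactly as the scripts do with adm-DirectMemberOfGuid
    $current = New-Object "System.Collections.Generic.HashSet[System.Guid]"
    $TargetGroups | ForEach-Object { [void]$current.Add($_.Guid) }

    $toAdd = @()
    $skipped = @()
    foreach ($group in $SourceGroups)
    {
        # Already a member: consume the GUID so it is not treated as surplus below
        if ($current.Remove($group.Guid)) { continue }

        if (Test-SkipGroup -Patterns $GroupNamesToSkip -Name $group.Name)
        {
            $skipped += $group.Name
            continue
        }
        $toAdd += $group.Name
    }

    $toRemove = @()
    if ($ReplaceGroups)
    {
        foreach ($group in $TargetGroups)
        {
            if (-not $current.Contains($group.Guid)) { continue }    # shared with the source user
            if ($group.Token -eq $TargetPrimaryGroupId) { continue }  # primary group cannot be removed
            $toRemove += $group.Name
        }
    }

    return [pscustomobject]@{ Add = $toAdd; Remove = $toRemove; Skipped = $skipped }
}

# Constructed sample membership (Domain Users is the target user's primary group, token 513)
$domainUsers = @{ Guid = [Guid]"11111111-1111-1111-1111-111111111111"; Name = "Domain Users";  Token = 513  }
$sales       = @{ Guid = [Guid]"22222222-2222-2222-2222-222222222222"; Name = "Sales";         Token = 1105 }
$finance     = @{ Guid = [Guid]"33333333-3333-3333-3333-333333333333"; Name = "Finance";       Token = 1106 }
$legacyApp   = @{ Guid = [Guid]"44444444-4444-4444-4444-444444444444"; Name = "Group3-Legacy"; Token = 1107 }
$helpdesk    = @{ Guid = [Guid]"55555555-5555-5555-5555-555555555555"; Name = "Helpdesk";      Token = 1108 }

$plan = Get-MembershipPlan -SourceGroups @($domainUsers, $sales, $finance, $legacyApp) `
                           -TargetGroups @($domainUsers, $helpdesk) `
                           -TargetPrimaryGroupId 513 `
                           -GroupNamesToSkip @("Group3*") `
                           -ReplaceGroups $True

"Add:     $($plan.Add -join ', ')"
"Remove:  $($plan.Remove -join ', ')"
"Skipped: $($plan.Skipped -join ', ')"
```

Running this shows Sales and Finance queued for addition, Group3-Legacy skipped by the wildcard pattern, and only Helpdesk queued for removal: Domain Users survives because its primaryGroupToken matches the target's primaryGroupID, which is the same guard the scripts apply before calling $group.Remove. Reviewing the plan this way is a cheap check that a skip list or a replace flag does what is intended before it touches directory objects.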
Comments 2
Dave Jan 31, 2023
We've been using a version of this script for a while in a custom command to copy groups between users. When a group is configured with dynamic membership, members cannot be manually added to the group. We've started having issues with errors that occur when a group that is in the list is configured with dynamic membership in Adaxes. I was wondering how we would modify the script to skip groups that use membership rules.
Support Jan 31, 2023
Hello Dave,

Please specify which of the two scripts you need updated.