0 votes

How can I create a script that does these things?

For internal audit. Objective:

Even after removing all groups from a disconnected user, we will still know which groups the user was in, because the (audit)-sAMAccountName-access group that contains all the other groups still exists, identifying the user by sAMAccountName.

  1. copy all groups in memberOf of the user (user)-sAMAccountName

  2. create a new group (audit)-sAMAccountName-access and add all the groups copied from memberOf to it

  3. in the created group (audit)-sAMAccountName-access, add the (user)-sAMAccountName to members

by (20 points)
0

Hello Alan,

For us to help you with the script, please, specify the following:

  • Do we understand correctly that the target user should be removed from all the current groups?
  • What should the type and scope of the new group created by the script be?
  • What should be done in case a group with the name following your template already exists?
  • How should the location for the new group be determined? Will it be predefined in the script?

Any additional details will be much appreciated.

0

Do we understand correctly that the target user should be removed from all the current groups?

  • The revocation script for all groups is already in production and working.

What should the type and scope of the new group created by the script be?

  • Security Group Type Scope

What should be done in case a group with the name following your template already exists?

  • if there is the same name, just add the target user's groups.

How should the location for the new group be determined? Will it be predefined in the script?

  • Yes, all groups created by the script, or already existing, must be in one, OR predefined in the script.
0

Hello Alan,

The revocation script for all groups is already in production and working.

Please, post the script here or send it to us (support@adaxes.com) in TXT format. The best way to achieve the desired behaviour is to update the existing script.

Yes, all groups created by the script, or already existing, must be in one, OR predefined in the script

Sorry for the confusion, but we need to know how the location for the new group should be determined. In which OU should it be? Will the OU always be the same?

0

Script

# Remove the user from every group it is a direct member of, except its primary group
$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
foreach ($guidBytes in $groupGuidsBytes)
{
    $groupGuid = [Guid]$guidBytes
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # The primary group cannot be removed; skip it
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
    $group.Remove($Context.TargetObject.AdsPath)
}

OU location of created groups:

OU=ACCESS-AUDIT,OU=GROUP,OU=DEV,OU=CONTOSO,DC=company,DC=internal

DC TREE

  • DC
    • CONTOSO
      • DEV
        • GROUP
          • ACCESS-AUDIT

1 Answer

0 votes
by (251k points)

Hello Alan,

Thank you for the provided details. Please, find the updated script below. In the script:

  • $groupNameTemplate – Specifies a template for the group all user groups will be added to. You can use value references (e.g. %sAMAccountName%) in the template.
  • $ouDN – Specifies the distinguished name (DN) of the OU where the group for user groups will be created. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.

$groupNameTemplate = "(audit)-%sAMAccountName%" # TODO: modify me
$ouDN = "OU=ACCESS-AUDIT,OU=GROUP,OU=DEV,OU=CONTOSO,DC=company,DC=internal" # TODO: modify me

# Bind to the group
$groupDN = "CN=" + $groupNameTemplate + "," + $ouDN
try
{
    $auditGroup = $Context.BindToObjectByDN($groupDN)
}
catch
{
    # Bind to the group OU
    $groupOU = $Context.BindToObjectByDN($ouDN)

    # Create group
    [Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType =
        "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED"

    $auditGroup = $groupOU.Create("group","CN=$groupNameTemplate")
    $auditGroup.Put("groupType", [Int32]$groupType)
    $auditGroup.SetInfo()
}

# Direct group memberships of the target user (GUIDs), plus its primary group ID
$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($guidBytes in $groupGuidsBytes)
{
    $groupGuid = [Guid]$guidBytes
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # The primary group cannot be removed; skip it
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group, then record the group in the audit group
    $group.Remove($Context.TargetObject.AdsPath)
    $auditGroup.Add($groupPath)
}
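The script above records the groups but never performs step 3 of the question (adding the user itself to the audit group), and it removes each membership before recording it. The following is an added example, not Adaxes support's script and not Alan's production script, that records first, adds the user, and can be re-run without creating duplicate members. It assumes the same Adaxes $Context object, adm-DirectMemberOfGuid attribute and $Context.LogMessage method used on this page, and that Adaxes resolves %sAMAccountName% in the script text before it runs; the $revokeMemberships switch and the variable names are this example's own.

```powershell
# Added example (not the Adaxes support script): record a user's direct group
# memberships in a per-user audit group, add the user to that group, and only
# then revoke the memberships. Assumes the Adaxes $Context API as used above.
$groupNameTemplate = "(audit)-%sAMAccountName%-access" # TODO: modify me
$ouDN = "OU=ACCESS-AUDIT,OU=GROUP,OU=DEV,OU=CONTOSO,DC=company,DC=internal" # TODO: modify me
$revokeMemberships = $true # hypothetical switch: $false records memberships without removing them

# Bind to the audit group; create it as a global security group if it does not exist yet
$auditGroupDN = "CN=$groupNameTemplate,$ouDN"
try
{
    $auditGroup = $Context.BindToObjectByDN($auditGroupDN)
    $Context.LogMessage("Using existing audit group '$auditGroupDN'", "Information")
}
catch
{
    $groupOU = $Context.BindToObjectByDN($ouDN)
    [Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType =
        "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED"
    $auditGroup = $groupOU.Create("group", "CN=$groupNameTemplate")
    $auditGroup.Put("groupType", [Int32]$groupType)
    $auditGroup.SetInfo()
    $Context.LogMessage("Created audit group '$auditGroupDN'", "Information")
}

# Direct members already in the audit group, keyed by DN, so that re-running the
# script (for example from an existing revocation script) never adds a duplicate
$alreadyRecorded = @{}
try
{
    foreach ($memberDN in $auditGroup.GetEx("member"))
    {
        $alreadyRecorded[$memberDN] = $true
    }
}
catch
{
    # An empty group has no 'member' attribute set; nothing recorded yet
}

$user = $Context.TargetObject
$userDN = $user.Get("distinguishedName")
$primaryGroupId = $user.Get("primaryGroupID")
$recorded = 0

foreach ($guidBytes in $user.GetEx("adm-DirectMemberOfGuid"))
{
    $groupGuid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")
    $groupDN = $group.Get("distinguishedName")

    # The primary group (usually Domain Users) cannot be removed and is not recorded
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Never nest the audit group inside itself, and never revoke the audit membership
    if ($groupDN -eq $auditGroup.Get("distinguishedName"))
    {
        continue
    }

    # Record first, so that a failure during removal never loses the audit trail
    if (-not $alreadyRecorded.ContainsKey($groupDN))
    {
        $auditGroup.Add($group.AdsPath)
        $alreadyRecorded[$groupDN] = $true
        $recorded++
    }

    if ($revokeMemberships)
    {
        $group.Remove($user.AdsPath)
        $Context.LogMessage("Removed user from group '$groupDN'", "Information")
    }
}

# Step 3 of the question: the user itself becomes a member, so the audit group identifies the user
if (-not $alreadyRecorded.ContainsKey($userDN))
{
    $auditGroup.Add($user.AdsPath)
}

$Context.LogMessage("Recorded $recorded group(s) in '$auditGroupDN'", "Information")
```

Two points a practitioner should check before putting this into a business rule. First, Active Directory nesting rules apply to the Add call: a global group accepts only users and other global groups from its own domain as members, so if the user belongs to domain local groups the Add fails; a domain local audit group (ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) accepts any group from the same domain. Second, a revocation script that walks adm-DirectMemberOfGuid without the self-check above will also remove the user from the audit group on a later run, which silently destroys the audit record; keep the audit group excluded there as well.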
