0 votes

We are using the following script to track group membership changes and need the %username% field to amend if it already exists in the file location. Example: we make a change to the same account three times in one week and want to see three separate entries at this file location with different names: %username%, %username%2 and %username%3, for example. Today it errors out and says it already exists.

$filePath = "\\OURSERVER\D$\Group Membership Files\%username%.txt" # TODO: modify me

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}
# Create a new text file
$file = New-Item -Path $filePath -ItemType File
# Save the report to the file
Add-Content $file $report.ToString()
by (3.2k points)

1 Answer

0 votes
by (272k points)
selected by
Best answer

Hello,

We've made the changes you requested. However, the script not only tracks group membership of a user, but also removes them from all groups except for the primary one. Is this the desired behavior?

Modified script:

$fileName = "%username%" # TODO: modify me
$filePathTemplate = "\\OURSERVER\D$\Group Membership Files\{0}.txt" # TODO: modify me

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text file
$filePath = [System.String]::Format($filePathTemplate, $fileName)
if (-not (Test-Path -Path $filePath))
{
    $file = New-Item -Path $filePath -ItemType File
}
else
{
    # Build a unique name for the file by appending a counter
    for ($i = 1; $True; $i++)
    {
        $uniqueFileName = $fileName + $i
        $filePath = [System.String]::Format($filePathTemplate, $uniqueFileName)

        if (Test-Path -Path $filePath)
        {
            continue
        }
        break
    }

    $file = New-Item -Path $filePath -ItemType File
}

# Save the report to the file
Add-Content $file $report.ToString()
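The Test-Path followed by New-Item pattern above has a small window in which two business rules running at the same time for the same user (two job-type changes submitted together, or a retry) can both see the name as free and then collide on New-Item. The helper below, an added example that is not code from the question or the answer, removes that window by letting the file system do the check: FileMode.CreateNew either creates the file or fails atomically, and only the "already exists" failure is retried. It also strips characters that are illegal in a file name before using a directory attribute as one. The share path and the %username% value reference are assumptions taken from this thread; the numbering follows the question (username, username2, username3).

```powershell
# Added example (not the original post's or the answer's code): create the report
# file atomically under a free name. Directory and base name are assumptions.

function New-UniqueReportFile
{
    param(
        [Parameter(Mandatory = $true)] [string] $Directory,   # e.g. "\\OURSERVER\D$\Group Membership Files" (assumed)
        [Parameter(Mandatory = $true)] [string] $BaseName,    # e.g. the expanded %username% (assumed)
        [string] $Extension   = ".txt",
        [int]    $MaxAttempts = 1000
    )

    # Replace every character Windows forbids in a file name (including \ and /)
    # so an attribute value can never steer the write outside $Directory.
    $invalidChars = [regex]::Escape(-join [System.IO.Path]::GetInvalidFileNameChars())
    $safeName = ($BaseName -replace "[$invalidChars]", '_').Trim()
    if ([string]::IsNullOrWhiteSpace($safeName))
    {
        throw "Base name '$BaseName' is empty after sanitising."
    }

    $ERROR_FILE_EXISTS = 0x80070050   # HRESULT for Win32 ERROR_FILE_EXISTS (80); PowerShell parses this as Int32

    for ($attempt = 0; $attempt -lt $MaxAttempts; $attempt++)
    {
        # First try "<name>.txt", then "<name>2.txt", "<name>3.txt", ... as the question asks.
        $suffix    = if ($attempt -eq 0) { '' } else { [string]($attempt + 1) }
        $candidate = Join-Path -Path $Directory -ChildPath ($safeName + $suffix + $Extension)

        try
        {
            # CreateNew fails atomically when the name is taken: no check-then-create race.
            $stream = [System.IO.File]::Open($candidate,
                                             [System.IO.FileMode]::CreateNew,
                                             [System.IO.FileAccess]::Write,
                                             [System.IO.FileShare]::None)
            $stream.Dispose()
            return $candidate
        }
        catch [System.IO.IOException]
        {
            # Retry only on "already exists"; access denied, bad path and network errors surface.
            if ($_.Exception.HResult -ne $ERROR_FILE_EXISTS) { throw }
        }
    }

    throw "No free report name for '$safeName' in '$Directory' after $MaxAttempts attempts."
}

# Usage inside the business-rule script from this thread (path and value reference assumed):
#   $filePath = New-UniqueReportFile -Directory "\\OURSERVER\D$\Group Membership Files" -BaseName "%username%"
#   Add-Content -LiteralPath $filePath -Value $report.ToString()
```

The typed catch matters: PowerShell hands a typed catch block the real .NET exception, so HResult is the IOException's code rather than the wrapper's. The sanitiser does not rename Windows reserved device names (CON, PRN, NUL and so on); a sAMAccountName equal to one of those would still need special handling.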
0

Yes, that is the desired result for this script. We are deciding that when a user changes job types all previous groups will be removed and the new ones added. We are hoping this will keep AD cleaner than before, with people having access they no longer need.

0

Hello,

OK, we just wanted to make sure that you understand the consequences :)

0

Can I get this script modified so it sets the Primary Group ID to Domain Users? We are having trouble when we remove all groups: if the primary group is not Domain Users it will delete it and thus deny the user access to the domain.

0

Hello,

Sure, find the updated script below:

$fileName = "%username%" # TODO: modify me
$filePathTemplate = "\\OURSERVER\D$\Group Membership Files\{0}.txt" # TODO: modify me

# Check Primary Group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
if ($primaryGroupId -ne 513)
{
    # Add user to the Domain Users group
    $domainName = $Context.GetObjectDomain("%distinguishedName%")
    $domain = $Context.BindToObject("Adaxes://$domainName")
    $domainSidBytes = $domain.Get("objectSid")
    $domainSid = New-Object "System.Security.Principal.SecurityIdentifier" `
        @($domainSidBytes, 0)
    $domainUsersGroupSid = New-Object "System.Security.Principal.SecurityIdentifier" `
        @([System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $domainSid)
    $domainUsersGroup = $Context.BindToObject("Adaxes://<SID=$domainUsersGroupSid>")

    try
    {
        $domainUsersGroup.Add($Context.TargetObject.AdsPath)
    }
    catch [System.Runtime.InteropServices.COMException]
    {
        if ($_.Exception.ErrorCode -ne 0x80071392)
        {
            $Context.LogMessage("An error occurred when adding the user to the 'Domain Users' group. Error: " + $_.Exception.Message, "Warning")
            return
        }
    }

    # Set Domain Users as the primary group
    $Context.TargetObject.Put("primaryGroupID", 513)
    $Context.TargetObject.SetInfo()
}

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq 513)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text file
$filePath = [System.String]::Format($filePathTemplate, $fileName)
if (-not (Test-Path -Path $filePath))
{
    $file = New-Item -Path $filePath -ItemType File
}
else
{
    # Build a unique name for the file by appending a counter
    for ($i = 1; $True; $i++)
    {
        $uniqueFileName = $fileName + $i
        $filePath = [System.String]::Format($filePathTemplate, $uniqueFileName)

        if (Test-Path -Path $filePath)
        {
            continue
        }
        break
    }

    $file = New-Item -Path $filePath -ItemType File
}

# Save the report to the file
Add-Content $file $report.ToString()
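One thing to keep in mind with the script above: the report is only written after the loop finishes, so if a single $group.Remove call throws (a group the Adaxes service account cannot modify, an unreachable domain controller) the script stops with some groups already removed and no file at all recording which ones. For a change that strips access, the audit record should survive partial failure. The block below is an added example, not the answer's own code: it keeps the primary-group step from the answer unchanged and replaces only the removal loop and the file write, handling each group separately and writing the report from a finally block. It uses only the $Context members shown in this thread; the report path is an assumption.

```powershell
# Added example (not the support answer's code): per-group error handling and an
# audit record that is written even when a removal fails part-way. Assumes the
# Adaxes $Context object used throughout this thread; the report path is assumed.

$reportPath = "\\OURSERVER\D$\Group Membership Files\%username%.txt"   # assumed path
$keepTokens = @(513)   # primaryGroupToken values never removed (513 = Domain Users)

$user     = $Context.TargetObject
$userPath = $user.AdsPath
$results  = @()

try
{
    foreach ($groupGuidBytes in $user.GetEx("adm-DirectMemberOfGuid"))
    {
        $groupGuid = (New-Object "System.Guid" (,$groupGuidBytes)).ToString("B")
        $entry = [pscustomobject]@{ Guid = $groupGuid; Name = $null; Action = $null; Error = $null }
        $results += $entry

        try
        {
            $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")
            $entry.Name = $group.Get("name")

            if ($keepTokens -contains $group.Get("primaryGroupToken"))
            {
                $entry.Action = "Skipped"
                continue
            }

            $group.Remove($userPath)
            $entry.Action = "Removed"
        }
        catch
        {
            # Record the failure and carry on: one group that cannot be modified must
            # not abort the clean-up or leave the already removed groups unrecorded.
            $entry.Action = "Failed"
            $entry.Error  = $_.Exception.GetBaseException().Message
            $Context.LogMessage("Could not process group $groupGuid: " + $entry.Error, "Warning")
        }
    }
}
finally
{
    # Runs whatever happened above, so the file always reflects the real end state.
    $lines = @("Group clean-up for $userPath at " + (Get-Date -Format o))
    foreach ($r in $results)
    {
        $label = if ($r.Name) { $r.Name } else { $r.Guid }
        $line  = "{0,-8} {1}" -f $r.Action, $label
        if ($r.Error) { $line += "  (" + $r.Error + ")" }
        $lines += $line
    }
    $removed = @($results | Where-Object { $_.Action -eq "Removed" }).Count
    $failed  = @($results | Where-Object { $_.Action -eq "Failed" }).Count
    $lines  += "Removed: $removed  Failed: $failed  Skipped: $(@($results).Count - $removed - $failed)"

    Set-Content -LiteralPath $reportPath -Value $lines -Encoding UTF8
    if ($failed -gt 0)
    {
        $Context.LogMessage("$failed group removal(s) failed; see $reportPath", "Warning")
    }
}
```

The untyped catch receives PowerShell's method-invocation wrapper, which is why GetBaseException() is used to get the message from the underlying COM error. Set-Content overwrites an existing file; combine it with a unique-name strategy such as the one the answer uses if several reports per user must be kept.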
