Report to see in which rule a group was used

Hello,

Is it possible to adapt the script so that all groups are output where another group is used as a rule? For example: All members of the group "ABCD" are added to the group "Test". Now we need a report that outputs all groups to which the members of "ABCD" are added. In Adaxes the rule looks like this: image.png Is this possible?

Thx a lot

related to an answer for: Report to audit rule-based group query attributes
by (340 points)

1 Answer

by (306k points)
0 votes

Hello,

Yes, it is possible. You can use the below script. in the script, the $groupDNString variable references a Directory object picker parameter used to select the group to check membership rules against.

$groupDNString = "%param-Group%"
$groupDN = New-Object "Softerra.Adaxes.LDAP.DN" $groupDNString

try
{
    $groupCriteria = New-AdmCriteria -Type "group" -Expression {membershipType -eq "rule-based"}
    $Context.DirectorySearcher.AddCriteria($groupCriteria)

    $searchResultIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchResultIterator))
    {
        $searchResult = $searchResultIterator.Current
        $group = $Context.BindToObjectBySearchResult($searchResult)

        foreach ($rule in $group.MembershipRules) 
        {
            if ($rule.Type -ne "ADM_BUSINESSUNITMEMBERSHIPTYPE_GROUP")
            {
                continue
            }

            $ruleGroupDNString = $rule.Group.Get("distinguishedName")
            $ruleGroupDN = New-Object "Softerra.Adaxes.LDAP.DN" $ruleGroupDNString

            if ($groupDN -eq $ruleGroupDN)
            {
                $Context.Items.Add($searchResult)
                break
            }
        }
    }
}
finally
{
    if ($searchResultIterator) 
    { 
        $searchResultIterator.Dispose()
    }
}
by (340 points)
0

Thank you for the script, it seems to work. Now the groups are displayed where the ‘Member of group’ function was used. However, I have another rule which is a query and in the rule the group is also used, but it is not displayed in the report. Is it possible to extend the script so that all groups are displayed in which the specific group was used in a rule, whether as a query or ‘Member of’ or ....?

by (306k points)
0

Hello,

Sorry for the confusion, but we are not sure what exactly you mean. How are you using a group as scope for a query membership rule? Please, post here or send us (support@adaxes.com) a screenshot.

Related questions

Is it possible to detect in a powershell script which web interface the action was initiated on?

I'm trying to run a powershell script that triggers before updating a user, but only run it if the action comes from the self-update web interface. Is that possible?

asked 1 day ago by jaymallery (40 points)
0 votes
1 answer
Export a list of groups in which a security group belongs to a CSV file

Hello, Similar to exporting the members of a group to a csv file: https://www.adaxes.com/script-repository/export-group-members-to-csv-file-s184.htm I am looking to ... would like to include the memberof csv report in the email as well. Thanks in advance!

asked Feb 7, 2023 by JonnyBGood (20 points)
0 votes
1 answer
Users don't see Actions in web interfaces which are based on Custom Command targeted to domaindns object

Hi, I had to create Custom Command for distribution group creation. Default group creation wizard cannot be used, because we need some of parameters to be mandatory etc. Anyway I ... which shouldn't be targeted to any particular AD object. How do I do it?

asked Jan 20, 2020 by KIT (940 points)
0 votes
1 answer
Best approach to see how long someone has been in a group?

I would like to possibly add a timestamp to a user custom attribute when added to a specific group. The reason for this is because I'd like to display the value of days spent ... must be done by script or if there is another way I am not thinking of. Thanks!

asked Jan 28 by msheppard (860 points)
+1 vote
1 answer
Can I create a rule to count members in a group and send an email if the number approaches a set point?

We have a 3rd party vendor that we are able to add users based on AD security groups. What I need to do is set a parameter for the number of available licenses and whenever ... the group is 495 I would like an email to trigger telling me to add more licenses.

asked Oct 12, 2022 by A_Pastor (70 points)
0 votes
1 answer