
Hi!

Can Adaxes be used to populate an AD group with computer objects whose name partly matches an AD username from another group?

I.e. let's say we have a group named 'Janitor' and user Kelly is a member of that group, and Kelly's PC is named 'Win10 Kelly PC' - can Adaxes enumerate all users in the group Janitor, find that there is a computer object containing the username and make the computer object part of another group?

What I want to achieve in the end is four different groups containing computer objects; each of the groups will be populated from users belonging to another set of four different groups containing their primary users. The different computer object groups will in the end control four different GPOs that decide which O365/Win update channel the user's computer group belongs to.

The user can be part of multiple groups, that's OK - I'll control that in the order in which the GPOs are applied last/take precedence. This way I can make sure that the user belongs to one group; the highest group they belong to (fastest ring) will ensure that their primary PC gets the corresponding update channel for Office or Windows. If there is a problem with an Office release we can push them into a slower channel until the problem is solved by just adjusting which group they belong to ....

/Kaj

by (650 points)

Hello Kaj,

Let us clarify your request a bit. As we understand there will be 4 groups for users and 4 groups for computers. Depending on the group in which a user is located the corresponding computer should be added to the corresponding group and removed from other computer groups. Is that correct?

What should happen if a user was a member of one of the 4 groups, got removed and was not added to either of the 4 groups? Should the computer also get removed from the group?

Also, what if a user is a member of multiple groups? How should the groups for the corresponding computer be selected?
If you have any other details, do not hesitate to provide them.


Hi!

Sorry for late response.

As we understand there will be 4 groups for users and 4 groups for computers. Depending on the group in which a user is located the corresponding computer should be added to the corresponding group and removed from other computer groups. Is that correct?

The user can be part of all four groups; the order of the GPOs will decide which group gets the last word in the end. But as a user is added to a group, their computer account should be added to the corresponding computer group. When they are removed from the user group, (all) computer objects where the username is part of the computer name should be removed from the corresponding computer groups.

What should happen if a user was a member of one of the 4 groups, got removed and was not added to either of the 4 groups? Should the computer also get removed from the group?

Yes correct.

Also, what if a user is a member of multiple groups? How should the groups for the corresponding computer be selected?

Added to multiple groups.

1 Answer

by (226k points)
Best answer

Hello Kaj,

Thank you for clarifying. You will need to create a Scheduled Task configured for the User object type that will run a PowerShell script. To create the task:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.

  3. On step 3 of the Create Scheduled Task wizard, select the User object type and click Next.

  4. Click Add Action.

  5. Select Run a program or Powershell script.

  6. Enter a short description and paste the below script into the Script field.

     $computerNameForSearch = "Computer%username%" # TODO: modify me
     # %username% is replaced with the target user's logon name before the script runs. LDAP wildcards are
     # allowed in the template, so "*%username%*" matches a computer whose name merely contains the user name
     # (for example "Win10 Kelly PC" for user "Kelly").
     $groupInfo = @{
         "CN=UserGroup1,OU=Groups,DC=domain,DC=com" = "CN=ComputerGroup1,OU=Groups,DC=domain,DC=com"
         "CN=UserGroup2,OU=Groups,DC=domain,DC=com" = "CN=ComputerGroup2,OU=Groups,DC=domain,DC=com"
         "CN=UserGroup3,OU=Groups,DC=domain,DC=com" = "CN=ComputerGroup3,OU=Groups,DC=domain,DC=com"
         "CN=UserGroup4,OU=Groups,DC=domain,DC=com" = "CN=ComputerGroup4,OU=Groups,DC=domain,DC=com"
     } # TODO: modify me
    
     function SearchObjects($filter)
     {
         # Bound to rootDSE with VirtualRoot, so the search covers every domain managed by the Adaxes service.
         $searcher = $Context.BindToObject("Adaxes://rootDSE")
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
         $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.VirtualRoot = $True
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             # The leading comma keeps a single result from being unrolled into a scalar
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     function UpdateGroupMembership ($searchResults, $groupPath, $addToGroup)
     {
         # Adds the found computers to the group ($addToGroup = $True) or removes them from it ($False),
         # skipping computers whose membership is already in the requested state.
         $group = $Context.BindToObjectByDN($groupPath)
         foreach ($searchResult in $searchResults)
         {
             if ($addToGroup -and -not($group.IsMember($searchResult.AdsPath)))
             {
                 $group.Add($searchResult.AdsPath)
             }
             elseif (-not($addToGroup) -and $group.IsMember($searchResult.AdsPath))
             {
                 $group.Remove($searchResult.AdsPath)
             }
         }
     }
    
     # Search computers
     $searchResults = SearchObjects "(&(objectCategory=computer)(name=$computerNameForSearch))"
    
     if ($searchResults.Length -eq 0)
     {
         $Context.LogMessage("Computer '$computerNameForSearch' not found.", "Warning")
         return
     }
    
     # GUIDs of all groups the user is a member of (adm-MemberOfGuid is an Adaxes virtual property).
     # GetEx throws when the user belongs to no group, hence the empty fallback.
     try
     {
         $groupGuidsBytes = $Context.TargetObject.GetEx("adm-MemberOfGuid")
     }
     catch
     {
         $groupGuidsBytes = @()
     }
     $groupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
     $groupGuidsBytes | ForEach-Object { [void]$groupGuids.Add([Guid]$_) }
    
     # For every user group: if the user is a member, add the computers to the mapped computer group,
     # otherwise remove them from it.
     foreach ($dn in $groupInfo.Keys)
     {
         $userGroup = $Context.BindToObjectByDN($dn)
         $userGroupGuid = [Guid]$userGroup.Get("objectGuid")
    
         if ($groupGuids.Contains($userGroupGuid))
         {
             UpdateGroupMembership $searchResults $groupInfo[$dn] $True
         }
         else
         {
             UpdateGroupMembership $searchResults $groupInfo[$dn] $False
         }
     }

  7. In the script:

    • $computerNameForSearch – specifies the template for the computer name to search for;
    • $groupInfo – maps groups of the user to groups the corresponding computer should be member of.
  8. Click OK.

  9. Click Next and finish creating the Scheduled Task.


Hi!

If one would like to modify the script to force only one of the groups to be populated with the computer name (the last one or the first one of the four in groupInfo), i.e. the first group that matches the username to the computer name, then the script removes the computer name from the rest of the groups. What would such a change look like?

Also, if the computers operated on (added to or removed from groups) should only be under a specific branch of the AD, i.e. a specific OU and its sub-OUs, so that we don't get lots of old machines, or so that we can keep test machines permanently in a specific machine group without them being removed - is that possible?

/Kaj


Hello Kaj,

If one would like to modify the script to force only one of the groups to be populated with the computer name (the last one or the first one of the four in groupInfo), i.e. the first group that matches the username to the computer name, then the script removes the computer name from the rest of the groups. What would such a change look like?

How exactly should the group for the computer be selected? Currently, the script matches user groups to computer groups and adds/removes computers to groups according to the user group membership.

Also, if the computers operated on (added to or removed from groups) should only be under a specific branch of the AD, i.e. a specific OU and its sub-OUs, so that we don't get lots of old machines, or so that we can keep test machines permanently in a specific machine group without them being removed - is that possible?

Yes, it is possible. You just need to limit the search scope for computers in the SearchObjects function of the script with the OU you need.
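Added example (editor's note, not part of the forum answer): the script below combines the two follow-up requests into one Scheduled Task script. It reads "first matching group wins" as a priority-ordered list (fastest ring first), puts the computers into that one ring and removes them from the other three, and it limits the computer search to one OU and its sub-OUs by binding the searcher to that OU instead of rootDSE, so machines outside the OU (e.g. permanent test machines) are never touched. It also escapes the substituted %username% before it goes into the LDAP filter. The Adaxes calls used ($Context.BindToObject, BindToObjectByDN, ExecuteSearch, FetchAll, IsMember, Add, Remove, GetEx, LogMessage) are the same ones the answer's script uses; the OU and group DNs are placeholders, the "first match wins" ordering is an assumed reading of Kaj's question, and the script assumes it runs, like the original, as a Scheduled Task for the User object type so that $Context.TargetObject is the user.

```powershell
# Added example, not the forum answer's code. Assumed: runs as an Adaxes Scheduled Task for the
# User object type ($Context.TargetObject is the user); all DNs below are placeholders.
$computersOU = "OU=Workstations,DC=domain,DC=com"   # only computers under this OU (and its sub-OUs) are touched

# Priority order, fastest ring first. The first user group the user belongs to decides the
# computer group; the computers are removed from every other computer group in the list.
$groupPriority = @(
    @{ User = "CN=UserGroup1,OU=Groups,DC=domain,DC=com"; Computer = "CN=ComputerGroup1,OU=Groups,DC=domain,DC=com" },
    @{ User = "CN=UserGroup2,OU=Groups,DC=domain,DC=com"; Computer = "CN=ComputerGroup2,OU=Groups,DC=domain,DC=com" },
    @{ User = "CN=UserGroup3,OU=Groups,DC=domain,DC=com"; Computer = "CN=ComputerGroup3,OU=Groups,DC=domain,DC=com" },
    @{ User = "CN=UserGroup4,OU=Groups,DC=domain,DC=com"; Computer = "CN=ComputerGroup4,OU=Groups,DC=domain,DC=com" }
)

# %username% is substituted by Adaxes before the script runs. AD forbids " in sAMAccountName, so the
# string literal itself is safe, but "(" and ")" are allowed; escape the RFC 4515 metacharacters so
# the name cannot change the shape of the filter. The wildcards are added afterwards, deliberately.
function Escape-LdapFilterValue([string]$value)
{
    $value = $value.Replace('\', '\5c')   # backslash first, or the escapes below would be escaped again
    return $value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}
$userName = Escape-LdapFilterValue "%username%"
$filter = "(&(objectCategory=computer)(name=*$userName*))"   # matches e.g. "Win10 Kelly PC" for user "Kelly"

function SearchComputersInOU($ouDN, $filter)
{
    # Bind the searcher to the OU itself instead of rootDSE; with the subtree scope the search then
    # covers that OU and its sub-OUs only (VirtualRoot is not used, it applies to rootDSE searches).
    $searcher = $Context.BindToObject("Adaxes://$ouDN")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    try
    {
        $iterator = $searcher.ExecuteSearch()
        return ,$iterator.FetchAll()   # leading comma keeps a single hit from being unrolled
    }
    finally
    {
        if ($iterator) { $iterator.Dispose() }
    }
}

# GUIDs of the groups the user is a member of (adm-MemberOfGuid, as in the original script).
try   { $memberOfBytes = $Context.TargetObject.GetEx("adm-MemberOfGuid") }
catch { $memberOfBytes = @() }
$memberOf = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$memberOfBytes | ForEach-Object { [void]$memberOf.Add([Guid]$_) }

# First user group (in priority order) the user is a member of wins; $null means "no ring at all".
$winningComputerGroup = $null
foreach ($pair in $groupPriority)
{
    $userGroupGuid = [Guid]$Context.BindToObjectByDN($pair.User).Get("objectGuid")
    if ($memberOf.Contains($userGroupGuid)) { $winningComputerGroup = $pair.Computer; break }
}

$computers = SearchComputersInOU $computersOU $filter
if ($computers.Length -eq 0)
{
    $Context.LogMessage("No computer matching '*%username%*' found under '$computersOU'.", "Warning")
    return
}

# Add the computers to the winning ring only and remove them from every other ring. If the user
# was removed from all four user groups, $winningComputerGroup is $null and the computers are
# removed from all four computer groups, which is the behaviour Kaj asked for.
foreach ($pair in $groupPriority)
{
    $group = $Context.BindToObjectByDN($pair.Computer)
    foreach ($computer in $computers)
    {
        $isMember = $group.IsMember($computer.AdsPath)
        if ($pair.Computer -eq $winningComputerGroup)
        {
            if (-not $isMember) { $group.Add($computer.AdsPath) }
        }
        elseif ($isMember)
        {
            $group.Remove($computer.AdsPath)
        }
    }
}
```

To make the last group win instead of the first, reverse the order of $groupPriority; the rest of the logic is unchanged. Because the search is bound to $computersOU, a test machine kept in a different OU never shows up in $computers and is therefore never added to or removed from any ring by this task.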
