0 votes

Hi,

is there a way through the Adaxes SDK to check all users against a specific group and determine whether or not they are part of it (must include direct and indirect membership)?
Background: we have a big mail distribution list ($all company) which has smaller distribution lists as members; we need to know if every AD user is part of it.

As a remark, we have a forest root domain which holds the group; members of the group can be in every domain.

by (960 points)
0

Hello,

Is there any specific reason that you don't want to use the built in If is a member of <Group> condition? It can be used in Business Rules, Custom Commands and Scheduled Tasks to check whether a user is/is not a member of the group, can handle indirect memberships and works well in situations where the user and the group are located in different domains.

0

I need to run some kind of script or something similar which checks all users and not only a single one, then gives me an output including all users that are not part of that specific group.
Would you let me know how to achieve that with If is a member of <Group>?

0

Hello,

Would you let me know how to achieve that with If is a member of <Group>?

You won't be able to achieve what you want with the help of the If is a member of <Group> condition; however, it is possible to write a PowerShell script that generates a report containing all users who are not members of a certain group. We've already asked our script guys to write it for you and will update you as soon as they come up with something.

0

Great thank you! Will wait for your reply

1 Answer

0 votes
by (215k points)

Hello,

The script is ready. To get a list of users who are not members of a particular group, you can, for example, create a Custom Command that runs the script. When executed on a certain group, it will email a list of users who are not members of that group. To create such a Custom Command:

  1. Create a new Custom Command.

  2. On the 2nd step of the Create Custom Command wizard, select the Group object type.

  3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field:

     Import-Module Adaxes
    
     # Email message settings
     $to = "recipient@domain.com" # TODO: modify me
     $subject = "List of the users that are not members of group %name%" # TODO: modify me
     $htmlReportHeader = "<h3><b>List of the users that are not members of group %name%</b></h3><br/>" # TODO: modify me
     $htmlReportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me
    
     function SearchUsers($filter, $userGuids)
     {
         $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
         $searcher.SearchParameters.PageSize = 500
         $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.SearchParameters.Filter = $filter
         $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.SetPropertiesToLoad(@("ObjectGuid"))
         $searcher.VirtualRoot = $True
    
         $result = $searcher.ExecuteSearch()
         $users = $result.FetchAll()
         $result.Dispose()
    
         foreach ($userID in $users)
         {
             $userGuid = New-Object "System.Guid" (,($userID.Properties["ObjectGuid"]).Value)
             $userGuids.Add($userGuid)
         }
     }
    
     # Get all group members
     $domainName = $Context.GetObjectDomain("%distinguishedName%")
     $members = Get-AdmGroupMember -Identity "%distinguishedName%" -Recursive `
         -AdaxesService localhost -Server $domainName
    
     # Build a hash set of GUIDs of all users in the group
     $memberGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
     foreach ($member in $members)
     {
         if ($member.ObjectClass -ine "user")
         {
             continue
         }
    
         $memberGuid = New-Object "System.Guid" (,$member.ObjectGuid)
         $memberGuids.Add($memberGuid) | Out-Null
     }
    
     # Build filter that finds all users except the members of the group
     $filter = New-Object "System.Text.StringBuilder"
     $filter.Append("(&(sAMAccountType=805306368)") | Out-Null
    
     # Add member guids to filter
     $filter.Append("(!(|") | Out-Null
     foreach ($memberGuid in $memberGuids)
     {
         $memberGuidFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("ObjectGuid", $memberGuid)
    
         $filter.Append("$memberGuidFilter") | Out-Null
     }
    
     # Finish building filter
     $filter.Append(")))") | Out-Null
    
     # Search users that are not members of the group
     $userGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
     SearchUsers $filter.ToString() $userGuids
    
     # Get the default Web Interface address
     $webInterfaceAddress = "%adm-WebInterfaceUrl%"
     if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
     {
         $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
     }
    
     # Build report
     $disabledAccounts = "<b>Disabled Accounts</b><br/><ol>"
     $expiredAccounts = "<b>Expired Accounts</b><br/><ol>"
     $activeAccounts = "<b>Active Accounts</b><br/><ol>"
     foreach ($userGuid in $userGuids)
     {
         # Bind to user
         $userPath = "Adaxes://<GUID=$userGuid>"
         $user = $Context.BindToObject($userPath)
    
         $userName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($user, 'IncludeParentPath')
         $currentDate = Get-Date
         $accountExpires = $user.Get("accountExpires")
         # Link to the user in the Web Interface; ${...} keeps the variable name separate from the path
         $userLink = "<li><a href='${webInterfaceAddress}ViewObject.aspx?guid=$userGuid'>$userName</a></li>"
         if ($user.AccountDisabled)
         {
             $disabledAccounts += $userLink
         }
         elseif (($user.AccountExpirationDate -lt $currentDate) -and ($accountExpires -ne 0) -and ($accountExpires -ne 9223372036854775807))
         {
             $expiredAccounts += $userLink
         }
         else
         {
             $activeAccounts += $userLink
         }
     }
    
     # Build HTML report
     $disabledAccounts += "</ol>"
     $expiredAccounts += "</ol>"
     $activeAccounts += "</ol>"
     $htmlBody = $htmlReportHeader + $activeAccounts + $expiredAccounts + $disabledAccounts + $htmlReportFooter
    
     # Send mail
     $Context.SendMail($to, $subject, $NULL, $htmlBody)
    
  4. In the script, modify the following to meet your requirements:

    • $to - specifies the recipient of the email notification,
    • $subject - specifies the subject of the email notification,
    • $htmlReportHeader - specifies the header of the notification that will be added before the user list,
    • $htmlReportFooter - specifies the footer of the notification that will be added after the user list.

  5. Enter a short description for the script and click OK.

  6. Finish creation of the Scheduled Task.

0

Thanks for that awesome piece of code, it's working perfectly so far!

Is there any chance to include the Objecttype into the report and maybe have it as .csv attachment so that I'm able to import the data into Excel?

0

Hello,

In your initial post you requested (our highlighting):

is there a way through the Adaxes SDK to check all users against a specific group and determine whether or not they are part of it (must include direct and indirect membership)

So, the script returns users only. There's no need to specify the Object Type in the output.

As to generating a CSV file, this can be done. We'll post an updated version of the script here.
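An added example (not from Adaxes support and not the updated script promised above) that addresses the CSV follow-up: it reuses the same recursive member lookup and VirtualRoot search as the script in the answer, but computes the set difference in memory instead of building an exclusion filter that grows with every member (which can exceed LDAP filter limits for a company-wide list and is invalid when the group has no user members), and writes a CSV with the object class and enabled state of each non-member. The report path, the property-name casing and the handling of ObjectGuid as either a byte array or a Guid are assumptions.

```powershell
Import-Module Adaxes

# Assumed output path; the Adaxes service account must be able to write here
$csvPath = "C:\Reports\NotMembersOf_%name%.csv" # TODO: modify me

# 1. Collect the GUIDs of all direct and nested user members of the group
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$members = Get-AdmGroupMember -Identity "%distinguishedName%" -Recursive `
    -AdaxesService localhost -Server $domainName
$memberGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($member in $members)
{
    if ($member.ObjectClass -ine "user") { continue }
    # Assumption: ObjectGuid may arrive as a byte array or as a Guid; normalise both
    $guid = if ($member.ObjectGuid -is [byte[]]) { New-Object "System.Guid" (,$member.ObjectGuid) } else { [guid]$member.ObjectGuid }
    $memberGuids.Add($guid) | Out-Null
}

# 2. Enumerate every user account in all managed domains (VirtualRoot spans the forest)
$searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
$searcher.SearchParameters.PageSize = 500
$searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SearchParameters.Filter = "(sAMAccountType=805306368)"
$searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("ObjectGuid", "sAMAccountName", "distinguishedName", "objectClass", "userAccountControl"))
$searcher.VirtualRoot = $True
$result = $searcher.ExecuteSearch()
$allUsers = $result.FetchAll()
$result.Dispose()

# 3. Keep only users whose GUID is absent from the member set
$report = foreach ($entry in $allUsers)
{
    $guid = New-Object "System.Guid" (,($entry.Properties["ObjectGuid"].Value))
    if ($memberGuids.Contains($guid)) { continue }
    $uac = [int]$entry.Properties["userAccountControl"].Value
    [PSCustomObject]@{
        SamAccountName    = $entry.Properties["sAMAccountName"].Value
        DistinguishedName = $entry.Properties["distinguishedName"].Value
        ObjectClass       = @($entry.Properties["objectClass"].Value)[-1] # most specific class
        Enabled           = (($uac -band 2) -eq 0)                         # ACCOUNTDISABLE bit clear
        ObjectGuid        = $guid
    }
}

# 4. Write the CSV for import into Excel and note the result in the execution log
$report | Sort-Object DistinguishedName | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
$Context.LogMessage("Found $(@($report).Count) users that are not members of %name%. Report: $csvPath", "Information")
```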
