0 votes

Hi,

is there a way through the Adaxes SDK to check all users against a specific group and determine whether or not they are part of it (must include direct and indirect membership)?
Background: we have a big mail distribution list ($all company) which has smaller distribution lists as members, we need to know if every AD User is part of it.

As a remark, we have a Forrest root domain which holds the group, members of the group can be in every domain

by (960 points)
0

Hello,

Is there any specific reason that you don't want to use the built in If is a member of <Group> condition? It can be used in Business Rules, Custom Commands and Scheduled Tasks to check whether a user is/is not a member of the group, can handle indirect memberships and works well in situations where the user and the group are located in different domains.

0

I need to run some kind of script or something similar which checks all users and not only a single one, then gives me an output including all users that are not part of that specific group.
Would you let me know how to achieve that with If is a member of <Group>?

0

Hello,

Would you let me know how to achieve that with If is a member of <Group>?

You won't be able to achieve what you want with the help of the If is a member of <Group> condition, however it is possible to write a PowerShell script that generates a report containing all users who are not members of a certain group. We've already asked our script guys to write it for you and will update you as soon as they come up with something.

0

Great thank you! Will wait for your reply

1 Answer

0 votes
by (216k points)

Hello,

The script is ready. To get a list of users who are not members of a particular group, you can, for example, create a Custom Command that runs the script. When executed on a certain group, it will email a list of users who are not members of that group. To create such a Custom Command:

  1. Create a new Custom Command.

  2. On the 2nd step of the Create Custom Command wizard, select the Group object type.

  3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field:

     Import-Module Adaxes
    
     # Email message settings
     $to = "recipient@domain.com" # TODO: modify me
     $subject = "List of the users that are not members of group %name%" # TODO: modify me
     $htmlReportHeader = "<h3><b>List of the users that are not members of group %name%</b></h3><br/>" # TODO: modify me
     $htmlReportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me
    
     function SearchUsers($filter, $userGuids)
     {
         $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
         $searcher.SearchParameters.PageSize = 500
         $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.SearchParameters.Filter = $filter
         $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.SetPropertiesToLoad(@("ObjectGuid"))
         $searcher.VirtualRoot = $True
    
         $result = $searcher.ExecuteSearch()
         $users = $result.FetchAll()
         $result.Dispose()
    
         foreach ($userID in $users)
         {
             $userGuid = New-Object "System.Guid" (,($userID.Properties["ObjectGuid"]).Value)
             $userGuids.Add($userGuid)
         }
     }
    
     # Get all group members
     $domainName = $Context.GetObjectDomain("%distinguishedName%")
     $members = Get-AdmGroupMember -Identity "%distinguishedName%" -Recursive `
         -AdaxesService localhost -Server $domainName
    
     # Build a hash set of GUIDs of all users in the group
     $memberGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
     foreach ($member in $members)
     {
         if ($member.ObjectClass -ine "user")
         {
             continue
         }
    
         $memberGuid = New-Object "System.Guid" (,$member.ObjectGuid)
         $memberGuids.Add($memberGuid) | Out-Null
     }
    
     # Build filter that finds all users except the members of the group
     $filter = New-Object "System.Text.StringBuilder"
     $filter.Append("(&(sAMAccountType=805306368)") | Out-Null
    
     # Add member guids to filter
     $filter.Append("(!(|") | Out-Null
     foreach ($memberGuid in $memberGuids)
     {
         $memberGuidFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("ObjectGuid", $memberGuid)
    
         $filter.Append("$memberGuidFilter") | Out-Null
     }
    
     # Finish building filter
     $filter.Append(")))")
    
     # Search users that are not members of the group
     $userGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
     SearchUsers $filter.ToString() $userGuids
    
     # Get the default Web Interface address
     $webInterfaceAddress = "%adm-WebInterfaceUrl%"
     if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
     {
         $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
     }
    
     # Build report
     $disabledAccounts = "<b>Disabled Accounts</b><br/><ol>"
     $expiredAccounts = "<b>Expired Accounts</b><br/><ol>"
     $activeAccounts = "<b>Active Accounts</b><br/><ol>"
     foreach ($userGuid in $userGuids)
     {
         # Bind to user
         $userPath = "Adaxes://<GUID=$userGuid>"
         $user = $Context.BindToObject($userPath)
    
         $userName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($user, 'IncludeParentPath')
         $currentDate = Get-Date
         $accountExpires = $user.Get("accountExpires")
         if ($user.AccountDisabled)
         {
             $disabledAccounts += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$userGuid'>$username</a></li>"
             continue
         }
         elseif (($user.AccountExpirationDate -lt $currentDate) -and ($accountExpires -ne 0) -and ($accountExpires -ne 9223372036854775807))
         {
             $expiredAccounts += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$userGuid'>$username</a></li>"
             continue
         }
         else
         {
             $activeAccounts += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$userGuid'>$username</a></li>"
             continue
         }
     }
    
     # Build HTML report
     $disabledAccounts += "</ol>"
     $expiredAccounts += "</ol>"
     $activeAccounts += "</ol>"
     $htmlBody = $htmlReportHeader + $activeAccounts + $expiredAccounts + $disabledAccounts + $htmlReportFooter
    
     # Send mail
     $Context.SendMail($to, $subject, $NULL, $htmlBody)
    
  4. In the script, modify the following to meet your requirements:

    • $to - specifies the recipient of the email notification,
    • $subject - specifies the subject of the email notification,
    • $htmlReportHeader - specifies the header of the notification that will be added before the user list,
    • $htmlReportFooter - specifies the footer of the notification that will be added after the user list.
  5. Enter a short description for the script and click OK.

  6. Finish creation of the Scheduled Task.
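The script above leaves two pieces of the work to the Adaxes libraries: [Softerra.Adaxes.Ldap.FilterBuilder] escapes each member GUID for the LDAP filter, and the DirectorySearcher runs that filter against the whole forest. The following PowerShell is an added example, not part of the answer and not Adaxes code, that shows both pieces offline with constructed GUIDs and no directory access: the RFC 4515 escaping of a binary objectGUID value (every byte written as \XX), the resulting "(&(sAMAccountType=805306368)(!(|...)))" filter, and a client-side alternative that computes the same "users not in the group" set as a HashSet difference instead of pushing every member GUID into the filter. Function names, the sample GUIDs and the assumption that FilterBuilder produces the same \XX escaping are mine.

```powershell
# Added example: offline illustration of the filter-building and set-difference
# logic used by the Adaxes script above. Not Adaxes code; no directory is queried.

# Escape a binary value for an LDAP filter (RFC 4515): every byte becomes \XX.
# This is the escaping the script delegates to [Softerra.Adaxes.Ldap.FilterBuilder]
# (assumed equivalent here).
function ConvertTo-LdapBinaryFilterValue {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    ($Bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
}

# Build "(&(sAMAccountType=805306368)(!(|(objectGUID=...)(objectGUID=...))))".
# sAMAccountType 805306368 selects normal user accounts, as in the script.
function New-UsersNotInSetFilter {
    param([Parameter(Mandatory)][System.Guid[]]$ExcludedGuids)
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('(&(sAMAccountType=805306368)')
    if ($ExcludedGuids.Count -gt 0) {
        [void]$sb.Append('(!(|')
        foreach ($g in $ExcludedGuids) {
            # Guid.ToByteArray() yields the byte order AD stores in objectGUID,
            # which is also what the script's New-Object System.Guid (,$bytes) consumes.
            $escaped = ConvertTo-LdapBinaryFilterValue -Bytes $g.ToByteArray()
            [void]$sb.Append("(objectGUID=$escaped)")
        }
        [void]$sb.Append('))')
    }
    [void]$sb.Append(')')
    $sb.ToString()
}

# Client-side alternative: one query for all users, one recursive enumeration of
# the group (Get-AdmGroupMember -Recursive in the script), then a HashSet difference.
# The filter never has to carry the member list.
function Get-GuidsNotInGroup {
    param(
        [Parameter(Mandatory)][System.Guid[]]$AllUserGuids,
        [Parameter(Mandatory)][System.Guid[]]$MemberGuids
    )
    $remaining = New-Object 'System.Collections.Generic.HashSet[System.Guid]'
    foreach ($g in $AllUserGuids) { [void]$remaining.Add($g) }
    $remaining.ExceptWith([System.Guid[]]$MemberGuids)
    ,@($remaining)
}

# Constructed sample data: three "users", two of them (directly or via a nested
# list) members of the group. The second user is the one the report should list.
$allUsers = @(
    [guid]'11111111-1111-1111-1111-111111111111',
    [guid]'22222222-2222-2222-2222-222222222222',
    [guid]'33333333-3333-3333-3333-333333333333'
)
$members = @($allUsers[0], $allUsers[2])

# Server-side variant: the filter the DirectorySearcher would execute.
$filter = New-UsersNotInSetFilter -ExcludedGuids $members
Write-Output $filter

# Client-side variant: same result without a member-sized filter.
$notMembers = Get-GuidsNotInGroup -AllUserGuids $allUsers -MemberGuids $members
Write-Output "Users not in the group: $($notMembers -join ', ')"
```

Each (objectGUID=...) clause is about 60 characters, so for a group the size of an all-company list the filter grows by tens of kilobytes per thousand members and every byte of it is sent to the domain controller; the HashSet variant keeps the member list on the client and is the shape to prefer when the group is large. Whichever variant is used, the cross-domain part of the question is handled by the searcher settings in the script (VirtualRoot = $True for a forest-wide search, ReferralChasing never), not by the filter itself.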

0

Thanks for that awesome piece of code, it's working perfectly so far!

Is there any chance to include the Objecttype into the report and maybe have it as .csv attachment so that I'm able to import the data into Excel?

0

Hello,

In your initial post you requested (our highlighting):

is there a way through the Adaxes SDK to check all users against a specific group and determine whether or not they are part of it (must include direct and indirect membership)

So, the script returns users only. There's no need to specify the Object Type in the output.

As to generating a CSV file, this can be done. We'll post an updated version of the script here.
