Copy and Paste all user's groups by storing GUIDs in one of the user's binary attributes

Question

I'm trying to combine these two scripts to effectively store a user's group memberships in customattributebinary5 and then be able to copy and paste those memberships to a new user in the future. So far I think I have everything except for the pasting of the groups to a new user as I'm having trouble converting the logic from groups to users.

Remove groups from user and store in attribute:

# $groupNamesToSkip = @("MyGroup1", "MyGroup2", "Department*") # TODO: modify me
$groupNamesToSkip = $null

function SkipGroup($patterns, $sAMAccountName)
{
    foreach ($pattern in $patterns)
    {
        if ($sAMAccountName -like $pattern)
        {
            return $True
        }
    }

    return $False
}

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Build a single-dimension array of member GUIDs
$totalBytes = $groupGuids.Count * 16
$result = New-Object 'System.Collections.Generic.List[System.Byte]' $totalBytes
foreach ($GuidBytes in $groupGuids)
{
    $result.AddRange($GuidBytes)
}
# Save the GUIDs to the adm-CustomAttributeBinary5 virtual property of target user
$Context.TargetObject.Put("adm-CustomAttributeBinary5", $result.ToArray())
$Context.TargetObject.SetInfo()

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Skip special groups
    $sAMAccountName = $group.Get("sAMAccountName")
    if (($groupNamesToSkip -ne $NULL) -and 
        (SkipGroup $groupNamesToSkip $sAMAccountName))
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)
}

Copy groups from user to initiator:

# Get an array of member GUIDs
try
{
    $sourceMemberGuids = $Context.TargetObject.Get("adm-CustomAttributeBinary5")
}
catch
{
    $Context.Cancel("Failed to get member GUIDs.")
    return
}

# Calculate the number of GUIDs
$totalBytes = $sourceMemberGuids.Length

# Make sure that the total number of bytes is a divisible of 16
$remainder = 0
[System.Math]::DivRem($totalBytes, 16, [ref] $remainder)
if ($remainder -ne 0)
{
    $Context.Cancel("Unexpected data length! Exiting.")
    return
}

# Save the GUIDs to the adm-CustomAttributeBinary1 virtual property user who invokes the script
$Context.Initiator.UserAdsObject.Put("adm-CustomAttributeBinary1", $sourceMemberGuids)
$Context.Initiator.UserAdsObject.SetInfo()

And finally, need help with pasting, as this doesn't work:

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
#change this to skip certain groups
$groupNamesToSkip = $null

# Get an array of member GUIDs
try
{
    $sourceMemberGuids = $Context.Initiator.UserAdsObject.Get("adm-CustomAttributeBinary1")
}
catch
{
    $Context.Cancel("Failed to get member GUIDs.")
    return
}

# Calculate the number of GUIDs
$totalBytes = $sourceMemberGuids.Length

# Make sure that the total number of bytes is a divisible of 16
$remainder = 0
[System.Math]::DivRem($totalBytes, 16, [ref] $remainder)
if ($remainder -ne 0)
{
    $Context.Cancel("Unexpected data length! Exiting.")
    return
}

foreach ($groupGuidBytes in $sourceMemberGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)
    $groupName = $group.Get("cn")

    # Skip the group if it is the user's Primary Group
    if (($group.Get("primaryGroupToken") -eq $primaryGroupId) -or ($groupNamesToSkip -contains $groupName))
    {
        continue
    }

    # Add user to the group
    $group.Add($Context.TargetObject.AdsPath)
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}

Comments

Hello,

For us to help you with a solution, please, specify what version of Adaxes you are currently using. For information on how to check that, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageService.CheckAdaxesServiceVersion.html.

---

2019.1 Version 3.11.16825.0

---

Hello,

Thank you for clarifying. We suggest that you only use two scripts. The first one will be used to remove all group memberships of a user and save group GUIDs to a custom binary attribute. For example, it can be executed in a Custom Command. The second script will be executed using a Custom Command with an AD object picker parameter. The parameter will be used to specify the user account that has groups the target account should be added to in a custom binary attribute. If this approach meets your needs, we will provide you with the scripts.

---

Yes, that approach would be sufficent. In our case, the removal of all groups is a scheduled task that runs after a user has been disabled for more than 4 weeks and checks to see that customattributebinary5 is $null. Thanks.

Answer 1

Hello,

Thank you for the confirmation. We updated the script for removing and preserving groups, find it below. In the script, the $binaryAttributeName variable specifies the LDAP name of the custom binary attribute (e.g. adm-CustomAttributeBinary5) that will be used to store group GUIDs.

$binaryAttributeName = "adm-CustomAttributeBinary5" # TODO: modify me

# Get all groups user is a direct member of
$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Build a single-dimension array of group GUIDs
$totalBytes = $groupGuidsBytes.Count * 16
$result = New-Object 'System.Collections.Generic.List[System.Byte]' $totalBytes

foreach ($guidBytes in $groupGuidsBytes)
{
    # Bind to the group
    $guid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$guid>")

    # Skip Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Add guid bytes to the array
    $result.AddRange($guidBytes)

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)
}

if ($result.Count -ne 0)
{
    # Save the GUIDs to the custom attribute of target user
    $Context.TargetObject.Put($binaryAttributeName, $result.ToArray())
    $Context.TargetObject.SetInfo()
}

To create the Custom Command for adding users to groups:

1. Launch Adaxes Administration Console.
2. In the Console Tree, right-click your service node.
3. In the context menu, navigate to New and click Custom Command.
4. On step 2 of the Create Custom Command wizard, select the User object type and click Next.
5. Click New.
6. Select AD object picker and click Next.

7. Specify a parameter name and display name (e.g. userTemplate and User to get groups from).
8. Click Next.
9. Click Configure.
10. In the Display only objects that match the following LDAP filter field, enter the following: (sAMAccountType=805306368)
11. Click OK and then click Finish.
12. Click Next.
13. Click Add an action.
14. Select Run a program or PowerShell script.
15. Paste the below script into the Script field. In the script:
    • $binaryAttributeName - Specifies the LDAP name of the custom binary attribute (e.g. adm-CustomAttributeBinary5) that will be used to get group GUIDs from the user selected in the parameter. The LDAP name Should the same as in the $binaryAttributeName variable of the first script.
    • $objectDN - Specifies the distinguished name (DN) of the user selected in the parameter. The DN is obtained using a value reference containing the name of the parameter with the param- prefix (e.g. param-userTemplate).

$binaryAttributeName = "adm-CustomAttributeBinary5" # TODO: modify me
$objectDN = "%param-userTemplate%" # TODO: modify me

# Get array of group GUIDs
$object = $Context.BindToObjectByDN($objectDN)
try
{
    $sourceGroupGuids = $object.Get($binaryAttributeName)
}
catch
{
    $Context.Cancel("Failed to get group GUIDs.")
    return
}

# Calculate the number of GUIDs
$totalBytes = $sourceGroupGuids.Length

# Make sure that the total number of bytes is divisible by 16
$remainder = 0
[System.Math]::DivRem($totalBytes, 16, [ref] $remainder)
if ($remainder -ne 0)
{
    $Context.Cancel("Unexpected data length!")
    return
}

$groupsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
for ($i = 0; $i -lt ($totalBytes / 16); $i++)
{
    $bytes = [System.Guid]::Empty.ToByteArray()
    [System.Array]::Copy($sourceGroupGuids, $i * 16, $bytes, 0, 16)
    $guid = New-Object "System.Guid" (,$bytes)
    $groupsToAdd.Add($guid)
}

# Get GUIDs of groups the user is member of
$memberOfGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Adjust the list of groups to add the user to
foreach($memberOfGuidBytes in $memberOfGuids)
{
    $guid = New-Object "System.Guid" (,$memberOfGuidBytes)
    $groupsToAdd.Remove($guid) # Already a member of the group
}

# Add to groups
foreach($guid in $groupsToAdd)
{
    try
    {
        $group = $Context.BindToObject("Adaxes://<GUID=$guid>")
        $group.Add($Context.TargetObject.AdsPath)
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding user %fullname% to the group. Error: " + $_.Exception.Message, "Warning")
    }
}

17. Enter a short description and click OK.
18. Click Next and finish creating the Custom Command.