0 votes

Hi, I am making a business rule which calls a PowerShell script, and inside the script I need to check whether the account which is added to a group is a security group. I am using the Get-AdmGroup cmdlet for this, but it doesn't return this attribute at all. The strange thing is that when I call exactly the same command from a PowerShell session, it works without a problem. Getting other attributes also works without a problem.

Command

$group = Get-AdmObject -Properties * -Filter "distinguishedname -eq "%member%""
$Context.LogMessage(("3" + $group.GroupCategory), "Information")

returns nothing, but

$Context.LogMessage(("1" + $group.ObjectClass), "Information")
$Context.LogMessage(("2" + $group.ObjectGUID), "Information")
$Context.LogMessage(("4" + $group.ProtectedFromAccidentalDeletion), "Information")

is returning correct information without any problem, so it seems that just GroupCategory is missing/empty.

In a standalone PowerShell console, the same command returns that the group type is security.

So what am I doing wrong?

by (910 points)

1 Answer

0 votes
by (270k points)
Best answer

Hello,

In your Business Rule you are using the Get-AdmObject cmdlet, which only retrieves default property values that do not include the GroupCategory property, while in Windows PowerShell you are using the Get-AdmGroup cmdlet, which fetches group-specific properties. Also, it is recommended to specify the -AdaxesService and the -Server parameters when using Adaxes cmdlets. Finally, your command should look like the following:

$group = Get-AdmGroup -Properties "GroupCategory" -Filter {distinguishedname -eq "%member%"} -AdaxesService localhost -Server "myserver.domain.com"

Additionally, it is not recommended to use the %member% value reference in LDAP filters, as it does not always resolve into the distinguished name (DN) of the member added to or removed from a group. We recommend that you use the value reference to bind to the group that is added as a member and then get its properties, as in the example below.

# Bind to member
$group = $Context.BindToObject("Adaxes://%member%")

# Output group category
$groupType = $group.Get("groupType")
if ($groupType -band 0x80000000)
{
    $Context.LogMessage("3 + Security", "Information")
}
else
{
    $Context.LogMessage("3 + Distribution", "Information")
}
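
The groupType check from the answer, generalised as an added example (not part of the original answer and not Adaxes' own code): it decodes the whole bit mask into category and scope and accepts the value in either signed or unsigned form. The function name ConvertFrom-GroupType and the sample values are constructed for illustration.

```powershell
# Added example: decode an Active Directory groupType value.
# ConvertFrom-GroupType is a hypothetical helper name, not an Adaxes cmdlet.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory = $true)][long]$GroupType)

    # ADSI returns groupType as a signed Int32, so security groups come back
    # negative. Keep only the low 32 bits (mask 0xFFFFFFFF) so that the signed
    # and unsigned representations of the same value decode identically.
    $bits = $GroupType -band 4294967295

    # Bit 0x80000000 (2147483648) set = security group; clear = distribution group.
    if ($bits -band 2147483648) { $category = 'Security' }
    else                        { $category = 'Distribution' }

    # Exactly one scope flag is expected on a domain group.
    if     ($bits -band 0x2) { $scope = 'Global' }
    elseif ($bits -band 0x4) { $scope = 'DomainLocal' }
    elseif ($bits -band 0x8) { $scope = 'Universal' }
    else                     { $scope = 'Unknown' }

    [pscustomobject]@{
        GroupType     = $GroupType
        Category      = $category
        Scope         = $scope
        SystemCreated = [bool]($bits -band 0x1)   # flag 0x1: created by the system
    }
}

# Constructed sample values (not taken from a real directory):
#   -2147483646 / 2147483650 : global security group, signed and unsigned form
#   2                        : global distribution group
#   -2147483640              : universal security group
#   -2147483643              : system-created domain local security group
$samples = @(-2147483646, 2147483650, 2, -2147483640, -2147483643)
$samples | ForEach-Object { ConvertFrom-GroupType -GroupType $_ } | Format-Table -AutoSize

# In a business rule, the input would be the value read in the answer above:
#   $groupType = $Context.BindToObject("Adaxes://%member%").Get("groupType")
#   if ((ConvertFrom-GroupType -GroupType $groupType).Category -eq 'Security') { ... }
```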
