The script replaces the membership of the target group with the managers of all users whose specified property is set to a specific value. To execute the script, create a custom command, scheduled task or business rule configured for the Group object type. The script always fully rewrites membership of the group: any member that is not the manager of a matching user, including members added by hand, is removed, and if no user matches the criteria the group ends up empty. Check the search criteria against a test group before scheduling the script.
Parameters:
- $propertyName - Specifies the LDAP name of the property that will be checked in accounts of direct reports.
- $propertyValueToSearch - Specifies the value that the $propertyName property must have in a direct report's account for the report's manager to be added to the group.
PowerShell
$propertyName = "employeeType" # TODO: modify me
$propertyValueToSearch = "Type" # TODO: modify me

# Search for users that have a manager and the required property value.
# The group itself is used as the searcher; VirtualRoot makes the search
# cover all domains managed by Adaxes, not only the group's own domain.
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {(manager -empty $False) -and ($propertyName -eq $propertyValueToSearch)}
$searcher.VirtualRoot = $True
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.PageSize = 500
$searcher.SetPropertiesToLoad(@("manager"))

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    # Collect the distinguished names of the managers, without duplicates
    $managerDNs = New-Object "System.Collections.Generic.HashSet[System.String]"
    $searchResults | %{ [void]$managerDNs.Add($_.Properties["manager"].Value) }

    # Update group: the member attribute is replaced, not appended to
    $Context.TargetObject.Put("member", @($managerDNs))
    $Context.TargetObject.SetInfo()
}
finally
{
    # Release resources
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}
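Because the script overwrites the member attribute, it is worth seeing the resulting change before attaching the script to a group. The following is an added example, not part of the script above or of the Adaxes script repository: run from an administrator's workstation with the Adaxes PowerShell module, it lists the managers the search would find with Get-AdmUser, compares them with the group's current direct members from Get-AdmGroupMember, and reports what would be added and removed. The group name and the Adaxes service host are assumptions; the two search parameters mirror the ones in the script.

```powershell
# Added example: preview the membership change the script would make.
# Requires the Adaxes PowerShell module on the machine running it.
Import-Module Adaxes

$propertyName = "employeeType"           # same value as in the script
$propertyValueToSearch = "Type"          # same value as in the script
$groupName = "Managers of Contractors"   # assumption: name of the target group
$adaxesService = "localhost"             # assumption: host running the Adaxes service

# Managers the script would find: users that have a manager and the property value.
$filter = "(manager -like '*') -and ($propertyName -eq '$propertyValueToSearch')"
$managerDNs = @(Get-AdmUser -Filter $filter -Properties manager -AdaxesService $adaxesService |
    Select-Object -ExpandProperty manager |
    Sort-Object -Unique)

# Current direct members of the group, as distinguished names.
$currentDNs = @(Get-AdmGroupMember -Identity $groupName -AdaxesService $adaxesService |
    Select-Object -ExpandProperty DistinguishedName |
    Sort-Object -Unique)

# Members the script would add, and members it would drop (including manual ones).
$toAdd    = @($managerDNs | Where-Object { $currentDNs -notcontains $_ })
$toRemove = @($currentDNs | Where-Object { $managerDNs -notcontains $_ })

if ($managerDNs.Count -eq 0) {
    Write-Warning "No user matches the criteria; running the script would empty '$groupName'."
}

Write-Host "Would add ($($toAdd.Count)):"
$toAdd | ForEach-Object { Write-Host "  + $_" }
Write-Host "Would remove ($($toRemove.Count)):"
$toRemove | ForEach-Object { Write-Host "  - $_" }
```

If the "Would remove" list contains accounts that must stay in the group, add them to the criteria or keep them in a separate group; the script offers no exclusion list of its own.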